Privacy Policy

Last updated: March 5, 2026

1. Data Controller

DeltaLearn ("we," "us," or "our") operates the deltalearn.app platform. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our service. We are committed to protecting your privacy and handling your data transparently.

2. Information We Collect

2.1 Account Information

When you create an account, we collect:

• Email address
• Name (if provided)
• Workspace name
• Authentication credentials (managed by Supabase Auth)

2.2 Content You Upload

To structure your training materials, you provide source documents. These may include:

• PDF and DOCX files uploaded to our platform
• Content fetched from Notion pages you connect
• Structured training materials (course outlines, checklists, quizzes)

2.3 Payment Information

Payment processing is handled entirely by Paddle, our Merchant of Record. We do not store, process, or have access to your credit card details or payment information. Paddle's privacy policy applies to all payment data and is available at paddle.com/legal/privacy.

2.4 Usage Data

We collect anonymized usage data to improve our service, including: pages visited, features used, training material metrics, quiz completion rates, and general interaction patterns. We use Plausible Analytics, a privacy-friendly analytics tool that does not use cookies and does not collect personal data. We do not use third-party advertising trackers.

2.5 Adoption & Completion Data

When learners complete training and quizzes within your workspace, we record: completion status, quiz scores, and timestamps. This data is visible to workspace administrators and is used to provide adoption dashboards.

3. Legal Basis for Processing (GDPR Article 6)

We process your personal data on the following legal bases:

• Contract performance (Art. 6(1)(b)): Processing your account data and uploaded content is necessary to provide you with the DeltaLearn service as agreed in our Terms of Service.
• Legitimate interest (Art. 6(1)(f)): We process anonymized usage data to improve our platform, ensure security, and detect fraud. Our legitimate interest does not override your fundamental rights.
• Legal obligation (Art. 6(1)(c)): We may process data to comply with applicable legal requirements, such as tax obligations or law enforcement requests.
• Consent (Art. 6(1)(a)): Where applicable, we obtain your explicit consent before processing (e.g., for optional marketing communications). You may withdraw consent at any time.

4. How We Use Your Information

We use the information we collect to:

• Provide, maintain, and improve our platform
• Structure training materials from your source documents
• Track training completion and adoption metrics
• Send transactional emails (account, billing, security)
• Detect and prevent fraud or abuse
• Comply with legal obligations

We do not sell your personal information. We do not use your content for advertising. We do not use your uploaded documents to train AI models.

5. Sub-Processors & Third-Party Services

DeltaLearn uses the following sub-processors to provide the service. Each sub-processor has been vetted for GDPR compliance:

6. International Data Transfers

Your primary data is stored on servers located in the European Union (AWS eu-west-1, Ireland). Some sub-processors are based in the United States. For all transfers of personal data outside the EEA, we rely on:

• Standard Contractual Clauses (SCCs) approved by the European Commission
• The sub-processor's own GDPR compliance measures and data processing agreements

We only transfer the minimum data necessary for each sub-processor to perform its function. Full source documents are never transferred in their entirety to sub-processors — only the relevant text excerpts needed for processing.

7. Data Storage & Security

We implement appropriate technical and organizational measures to protect your data:

• All data is encrypted in transit (TLS 1.2+) and at rest (AES-256)
• Workspace data is logically isolated — users in one workspace cannot access another's content
• Authentication tokens are managed by Supabase with JWT signing keys
• Access to production systems is restricted and logged
• We conduct regular security reviews of our infrastructure

8. Data Retention

We retain your data as follows:

• Account data: retained for the duration of your account, plus 30 days after deletion
• Uploaded documents: retained while the associated source is active; deleted within 30 days of source deletion
• Structured content: retained while the associated training material exists; deleted within 30 days of deletion
• Usage logs: anonymized after 90 days, deleted after 12 months
• Payment data: retained by Paddle according to their data retention policy and applicable tax laws

9. Your Rights (GDPR)

If you are located in the European Economic Area (EEA), you have the following rights under the General Data Protection Regulation (GDPR):

• Access (Art. 15): Request a copy of the personal data we hold about you.
• Rectification (Art. 16): Request correction of inaccurate or incomplete data.
• Erasure (Art. 17): Request deletion of your personal data ("right to be forgotten").
• Restriction (Art. 18): Request that we restrict the processing of your data.
• Portability (Art. 20): Request your data in a structured, machine-readable format.
• Objection (Art. 21): Object to processing based on legitimate interests.
• Withdraw Consent (Art. 7): Withdraw consent where processing is based on consent.
• Lodge a Complaint: You have the right to lodge a complaint with a supervisory authority. In Spain, this is the Agencia Española de Protección de Datos (AEPD).

To exercise any of these rights, contact us at privacy@deltalearn.app. We will respond within 30 days. If you are a business customer and require a Data Processing Agreement (DPA), please contact us at the same address.

10. Cookies

DeltaLearn uses only essential cookies required for authentication and session management. We do not use advertising cookies or tracking pixels. Our analytics tool (Plausible) does not use cookies and is fully GDPR-compliant without requiring a cookie consent banner.

11. Children's Privacy

DeltaLearn is a business-to-business service and is not directed at children under the age of 18. We do not knowingly collect personal data from children. If you believe a child has provided us with personal data, please contact us and we will promptly delete it.

12. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of material changes by email or by posting a prominent notice on our platform at least 15 days before they take effect. Your continued use of DeltaLearn after changes take effect constitutes acceptance of the revised policy.

13. Contact Us

If you have questions about this Privacy Policy or our data practices, contact us: