Privacy Policy

1. Introduction

Structura ("we," "our," or "us") is an academic performance platform built by two student founders based in Canada. We operate the Structura web application (the "Service") available at our website.

This Privacy Policy explains how we collect, use, disclose, and safeguard your personal information when you use our Service. We are committed to protecting the privacy of our users — particularly students — and we designed Structura with privacy in mind from the start.

By creating an account or using the Service, you agree to the collection and use of information in accordance with this policy. If you do not agree with our practices, please do not use the Service.

2. Information We Collect

We collect the following categories of information:

2.1 Information You Provide Directly

• Account information: email address and display name provided during registration
• Assessment responses: your answers to our 25-question academic sustainability assessment, including the resulting dimension scores (Workload Density, Recovery, Efficiency, Compression, and Stability)
• Academic data: subjects, deadlines, grades, and schedule information you enter into the platform
• Study session data: Pomodoro timer sessions, session tags, duration, and associated metadata
• AI chat conversations: messages you send when interacting with our AI coaching features
• Schedule and context data: daily routine information you optionally provide to personalise AI recommendations
• Study group participation: group membership and invite codes you create or use
• Payment information: when you subscribe to Structura Pro, payment details are collected and processed directly by Stripe; we do not store your full credit card number

2.2 Information Collected Automatically

• Streak data: consecutive-day usage streaks calculated from your study sessions
• Leaderboard metrics: aggregated scores derived from streaks, study hours, and weekly session counts
• Authentication tokens: session cookies set by Supabase to keep you signed in

2.3 Information We Do Not Collect

• We do not collect precise geolocation data
• We do not use tracking pixels, advertising cookies, or analytics cookies
• We do not collect data from social media profiles
• We do not access your device contacts, camera, or microphone

3. How We Use Your Information

We use the information we collect for the following purposes:

• Provide and operate the Service: authenticate your identity, display your dashboard, track your progress, and deliver all core features
• Generate AI-powered recommendations: send your assessment scores and optional context to our AI provider to produce personalised study plans, feedback, and coaching responses
• Display leaderboard rankings: calculate and show your ranking relative to other users (anonymously by default)
• Facilitate study groups: enable group creation, invite-code sharing, and anonymous member scoring within groups
• Process payments: manage Pro subscriptions, handle billing events, and apply or revoke premium features
• Send transactional communications: account confirmation, password reset, and subscription-related emails
• Maintain and improve the Service: diagnose technical issues, analyse aggregated usage trends, and develop new features
• Enforce our terms: detect, prevent, and address fraud, abuse, or violations of our Terms of Service

4. AI Data Processing

Structura uses OpenAI's GPT-4 models to power two core features: the AI Optimization Plan and the AI Coach Chat. When you use these features, the following data may be sent to OpenAI:

• Your assessment dimension scores and risk levels
• Your optional schedule and daily routine information
• Your chat messages when interacting with the AI Coach
• Subject and deadline context relevant to generating advice

Important safeguards:

• We use OpenAI's API, which means your data is not used to train OpenAI's models under their current API data usage policy
• We send only the minimum data necessary to generate useful recommendations
• Your email address and display name are not included in AI prompts unless you type them yourself in a chat message
• AI-generated plans are stored in your Structura account so you can revisit them without re-sending data to OpenAI
• Free users are limited to 3 AI generations per day and Pro users to 50, which also limits the volume of data processed

5. Data Sharing and Disclosure

We do not sell, rent, or trade your personal information. We share data only with the following categories of service providers, and only to the extent necessary for them to perform services on our behalf:

• Supabase — provides our database infrastructure (PostgreSQL), user authentication, and serverless edge functions. Your account data, assessment results, study sessions, and all other platform data are stored in Supabase-managed databases.
• OpenAI — processes your assessment data and chat messages to generate AI-powered study plans and coaching responses, as described in Section 4.
• Stripe — handles all payment processing for Pro subscriptions. Stripe receives your payment method details directly; we only receive confirmation of payment status and subscription identifiers.

We may also disclose your information if required to do so by law, regulation, legal process, or governmental request, or if we believe disclosure is necessary to protect the rights, property, or safety of Structura, our users, or the public.

In the event of a merger, acquisition, or sale of assets, your personal information may be transferred to the successor entity, subject to the same privacy commitments described in this policy.

6. Third-Party Services

Our Service integrates with the third-party providers listed above. Each provider has its own privacy policy governing how they handle your data:

• Supabase Privacy Policy: supabase.com/privacy
• OpenAI Privacy Policy: openai.com/policies/privacy-policy
• Stripe Privacy Policy: stripe.com/privacy

We encourage you to review these policies. We select providers that maintain strong data protection standards, but we are not responsible for their independent privacy practices.

7. Leaderboard and Study Groups

Leaderboard: By default, your identity on the global leaderboard is anonymous. You may choose to display your display name in your account settings. Your leaderboard score is calculated from your streak, study hours, and weekly session count — no sensitive assessment data is exposed.

Study Groups: When you join or create a study group, your membership is tracked in our database. Within a study group, member scoring is anonymous — only you can see your own name, and other members appear anonymously to you. Group chat messages stored via the platform are associated with your account. Group administrators can manage membership but cannot access other members' personal data beyond what is visible within the group interface.

8. Children's Privacy

Structura is designed for students aged 13 and older. We do not knowingly collect personal information from children under the age of 13. If we become aware that we have inadvertently collected data from a child under 13, we will take immediate steps to delete that information from our systems.

Users aged 13 to 18: If you are between 13 and 18 years old, you should review this Privacy Policy with a parent or legal guardian and obtain their consent before creating an account or using the Service. Parents or guardians may contact us at any time to review, modify, or request deletion of their child's personal information.

If you are a parent or guardian and believe your child under 13 has provided personal information to Structura, please contact us immediately at structuraengine@gmail.com and we will promptly delete the data.

9. Data Security

We take reasonable administrative, technical, and physical measures to protect your personal information from unauthorized access, alteration, disclosure, or destruction. Our security practices include:

• Encryption in transit: all data transmitted between your browser and our servers is encrypted using TLS (HTTPS)
• Encryption at rest: your data is stored in Supabase-managed PostgreSQL databases with encryption at rest enabled
• Row-Level Security (RLS): Supabase RLS policies ensure that users can only access their own data at the database level
• Authentication security: passwords are hashed and managed by Supabase Auth; we never store plaintext passwords
• API key protection: all third-party API keys (OpenAI, Stripe, Supabase) are stored as server-side environment variables and are never exposed to the client
• Rate limiting: AI generation endpoints are rate-limited to prevent abuse

While we strive to protect your personal information, no method of transmission over the Internet or electronic storage is 100% secure. We cannot guarantee absolute security, but we are committed to implementing and maintaining industry-standard protections.

10. Data Retention

We retain your personal information according to the following principles:

• Active accounts: your data is retained for as long as your account remains active and as needed to provide the Service
• Account deletion: when you delete your account, your personal data (profile, assessment results, study sessions, AI generations, deadlines, subjects, streak data, and group memberships) is removed from our active database systems
• Backups: deleted data may persist in encrypted database backups for a limited technical retention window (typically up to 30 days) before being permanently purged
• Aggregated data: anonymised, aggregate usage statistics (e.g., total assessments completed, average scores across all users) may be retained indefinitely for product improvement purposes. This data cannot be used to identify you
• Legal obligations: we may retain certain information for longer periods if required by applicable law or to resolve disputes

Stripe may retain payment records independently in accordance with their own data retention policies and applicable financial regulations.

11. Your Rights

Depending on your jurisdiction, you may have the following rights regarding your personal information:

• Right of access: request a copy of the personal data we hold about you
• Right to rectification: request correction of inaccurate or incomplete personal data
• Right to erasure: request deletion of your account and associated personal data
• Right to data portability: request an export of your data in a structured, machine-readable format
• Right to withdraw consent: where processing is based on consent, you may withdraw it at any time without affecting the lawfulness of prior processing
• Right to object: object to processing of your personal data in certain circumstances
• Right to restrict processing: request that we limit how we use your data in certain circumstances

To exercise any of these rights, please email us at structuraengine@gmail.com. We will respond to your request within 30 days (or sooner if required by applicable law). We may ask you to verify your identity before processing your request.

If you believe your privacy rights have been violated, you have the right to lodge a complaint with the applicable data protection authority in your jurisdiction.

12. Cookies and Local Storage

Structura uses a minimal approach to cookies and browser storage:

• Authentication cookies: we use cookies set by Supabase solely to manage your authenticated session. These are essential for the Service to function and cannot be disabled while using the platform
• Local storage: we use your browser's local storage to save non-sensitive preferences such as your language setting. This data never leaves your device
• No tracking cookies: we do not use any analytics, advertising, or third-party tracking cookies
• No pixel trackers: we do not embed tracking pixels or similar technologies

Because we use only strictly necessary cookies, a cookie consent banner is not required under most privacy regulations. You can clear cookies through your browser settings, but doing so will sign you out of your account.

13. International Data Transfers

Structura is operated from Canada. Our third-party service providers (Supabase, OpenAI, and Stripe) may process and store data in the United States or other jurisdictions outside of your country of residence.

When your data is transferred to a jurisdiction with different data protection laws, we ensure that appropriate safeguards are in place, including:

• Using service providers that maintain robust security and privacy practices
• Relying on contractual obligations that require providers to protect your data consistent with this Privacy Policy
• Complying with applicable cross-border data transfer mechanisms under Canadian and other applicable privacy laws

14. California and Canadian Privacy Rights

14.1 California Consumer Privacy Act (CCPA)

If you are a California resident, you have additional rights under the California Consumer Privacy Act (CCPA) and the California Privacy Rights Act (CPRA):

• Right to know: you may request disclosure of the categories and specific pieces of personal information we have collected about you, the sources of collection, the business purposes for collection, and the categories of third parties with whom we share it
• Right to delete: you may request deletion of your personal information, subject to certain legal exceptions
• Right to opt out of sale: we do not sell your personal information. We have never sold personal information and have no plans to do so
• Right to non-discrimination: we will not discriminate against you for exercising any of your CCPA rights
• Right to correct: you may request correction of inaccurate personal information
• Right to limit use of sensitive personal information: we only use sensitive personal information (if any) for purposes permitted under the CCPA

To exercise your CCPA rights, please contact us at structuraengine@gmail.com. We will verify your identity and respond within 45 days as required by law. You may designate an authorised agent to make a request on your behalf.

14.2 Canadian Privacy Law (PIPEDA)

As a Canadian company, Structura complies with the Personal Information Protection and Electronic Documents Act (PIPEDA) and applicable provincial privacy legislation. Under PIPEDA:

• Consent: we collect, use, and disclose your personal information only with your knowledge and consent. By creating an account and using the Service, you consent to the collection and use of your information as described in this policy
• Limiting collection: we collect only the personal information necessary for the purposes identified in this policy
• Limiting use, disclosure, and retention: your personal information is used and disclosed only for the purposes for which it was collected and is retained only as long as necessary to fulfil those purposes
• Accuracy: we take reasonable steps to ensure your personal information is accurate, complete, and up to date
• Safeguards: we protect your personal information with security safeguards appropriate to the sensitivity of the data
• Individual access: upon written request, we will inform you of the existence, use, and disclosure of your personal information and provide you with access to it. You may challenge the accuracy and completeness of the information and have it amended as appropriate
• Challenging compliance: you may challenge our compliance with PIPEDA by contacting our privacy contact below. If your concern is not resolved to your satisfaction, you may file a complaint with the Office of the Privacy Commissioner of Canada at priv.gc.ca

If you are a resident of Quebec, British Columbia, or Alberta, you may also have rights under provincial privacy legislation. We comply with all applicable provincial privacy laws in addition to PIPEDA.

15. Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. When we make changes:

• We will update the "Last updated" date at the top of this page
• For material changes, we will notify you via email or a prominent in-app notice before the changes take effect
• We encourage you to review this policy periodically to stay informed about how we protect your data

Your continued use of the Service after any changes to this Privacy Policy constitutes your acceptance of the updated policy.

16. Contact Us

If you have any questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us:

• Email: structuraengine@gmail.com
• Subject line: Privacy Policy Inquiry

We will acknowledge your request within 5 business days and aim to resolve all privacy-related inquiries within 30 days. If your inquiry relates to a formal data rights request (access, deletion, correction, or portability), we will respond within the timeframe required by applicable law.