Privacy Policy

Data controller name: Lajos Toldi. Legal form: natural person (individual), educational researcher. Correspondence address: Eszterházy Károly Catholic University, 3300 Eger, Eszterházy tér 1, Hungary. Registration number / tax number: Not applicable (individual, non-commercial activity). Contact: contact@ai24tutors.com. Research context: Eszterházy Károly Catholic University (Eger, Hungary), doctoral research project.

Given the non-systemic nature of the data processing and the limited amount of data handled in this research POC, no formal Data Protection Officer (DPO) is required under Article 37(1) GDPR. For data protection inquiries, the data controller is directly reachable at: contact@ai24tutors.com.

(a) Providing adaptive learning paths, measuring learning performance and giving feedback within the "Quantitative Data Analysis" course. (b) Scientific research: single-group pre-post quasi-experimental study with N=32 university students on changes in self-regulated learning (OSLQ) before vs. after platform use. (c) System auditability, bug fixing and security incident handling.

Article 6(1)(a) GDPR — freely given, specific, informed and unambiguous consent (through acceptance of the Informed Consent document). For special categories (if any): Article 9(2) (a) (explicit consent) and 9 (2) (j) (scientific research). No contractual basis is applicable — access is exclusively based on voluntary research participation.

Identification: pseudonymised username (student hash), initial password until first change. Profile: preferred language (hu/en/de), role (student). Usage: course interactions, time on lessons, task correctness, BKT mastery estimates. Questionnaire (optional): OLA, CSES, OSLQ, TIPI, NCS-6, TRI 2.0, CLS, SIMS, SUS, UEQ-S, PLG, BI-UTAUT responses. LLM context: audit of prompts + responses linked to questions (prompt hash + optional full-content flag). Technical: Flask session cookie, IP address (only in short-lived security logs). Principle: data minimisation — only data essential for testing the research hypotheses.

Active pilot phase: Spring semester 2026 (expected through 2026-09-30). Pseudonymised research data retained for publication: 5 years (Article 5(1)(e) GDPR — scientific research). Anonymised aggregate data (articles, preregistration): indefinite. Upon withdrawal of consent, the pseudonymised record is deleted within 30 days; data already included in anonymised aggregates cannot be retroactively extracted. Security logs (IP, session): 90 days. LLM audit (full prompt + response): 180 days.

Hosting: Google Cloud EMEA Limited (70 Sir John Rogerson's Quay, Dublin 2, D02 R296, Ireland) — Cloud Run application + Cloud SQL PostgreSQL 16. Region: europe-west4 (Netherlands). LLM providers: OpenAI Ireland Limited (Dublin), Google Ireland Limited (Dublin, Gemini), Anthropic PBC (San Francisco, USA). Basis for transfer to a third country (USA): EU-U.S. Data Privacy Framework (Implementing Decision 2023/1795/EU). E-mail delivery: no separate email service provider is used. The platform currently does not send transactional emails; contact occurs solely via the browser mailto link to contact@ai24tutors.com.

The platform uses only functional cookies: Flask session cookie (login persistence), language preference. NO analytics, marketing or third-party tracking cookies are set. Functional cookies are used under Article 6(1)(f) GDPR (legitimate interest) — the browser session is essential for course access.

The data subject may request: (a) information about processing (Art. 15), (b) rectification (Art. 16), (c) erasure („right to be forgotten", Art. 17) — pseudonymised record deleted within 30 days, (d) restriction (Art. 18), (e) portability (Art. 20) — JSON/CSV export, (f) objection (Art. 21), (g) withdrawal of consent at any time (Art. 7(3)). Requests: contact@ai24tutors.com. Response deadline: 30 days (Art. 12 GDPR).

Technical: HTTPS (TLS 1.3) on all traffic, password hashing (scrypt/Argon2), pseudonymisation of research data (3-tier hash), row-level encryption on sensitive fields, automated backups (Cloud SQL PITR 7 days). Organisational: least-privilege access, audit log for every processing operation (`LLMCallAudit`, `InteractionLog`, `security_audit_log`), incident response procedure. Incident: 72-hour breach notification to NAIH (Art. 33 GDPR), data subject notification if high risk (Art. 34).

Data subjects may lodge a complaint with the supervisory authority: Hungarian National Authority for Data Protection and Freedom of Information (NAIH). Address: Falk Miksa utca 9-11, 1055 Budapest, Hungary. Postal: 1363 Budapest, Pf. 9. Phone: +36 1 391 1400. E-mail: ugyfelszolgalat@naih.hu. Web: https://naih.hu. Alternatively, the data subject may seek judicial remedy at the competent court of their residence.

The controller reserves the right to unilaterally modify this notice. Material changes will be communicated by e-mail or an on-platform notice at first login. The current version is always available at /privacy. Current version: v1.0, 2026-04-15.