How we protect your data and your students' data.
A practical summary for teachers, school leaders and data protection officers.
Executive summary
Aulify is a European education platform built under GDPR. Teacher and student data (documents, conversations, progress, students) is stored on servers located in the European Union. Tutor responses are generated using AI models from leading providers (Google and OpenAI) under contractual agreements that prohibit using this data for training. Any teacher can export or delete all their data at any time from their profile.
What data we store
We only store what's strictly necessary for the assistant to work and for you to track progress.
- Documents you upload (PDFs, slides, notes) and the indexed chunks (embeddings) the assistant uses to answer.
- Teacher's student list: only the name or nickname the student types when entering the chat (no password is chosen by the student; technical credentials are derived internally and stored hashed). We don't request student email.
- Conversations between students and assistant, and progress metrics per mini-objective.
- Your teacher account data (email, language, plan) and billing data managed by Stripe.
Subprocessors
These are the providers involved in running Aulify. All operate under a Data Processing Agreement (DPA).
| Provider | Purpose | Data shared | Processing location | DPA |
|---|---|---|---|---|
| Lovable Cloud (Supabase) | Primary storage: database, files, authentication. | Documents, students, conversations, progress, teacher account. | European Union | View DPA → |
| Google (Gemini) | Tutor response generation (AI models). | Material chunks and student messages required to generate the response. | Varies by provider endpoint | View DPA → |
| OpenAI (GPT) | Tutor response generation (AI models). | Material chunks and student messages required to generate the response. | Mainly United States | View DPA → |
| Stripe | Payment processing and invoicing. | Teacher email, billing data. We never see card data. | European Union / United States | View DPA → |
Google's and OpenAI's AI models process prompts on infrastructure that may not be in the EU. By contract, they don't use this data to train their models. The rest of your data (documents, students, stored conversations) stays in the EU.
Data retention
- Documents and embeddings: kept while the assistant exists. Deleting the assistant deletes them immediately.
- Student conversations and progress: kept while the assistant exists. You can reset any student's conversation from the dashboard at any time.
- Teacher account: kept until the teacher deletes it. Deletion permanently removes all assistants, students and conversations.
- Technical logs and billing data: up to 6 years for accounting obligations under Spanish law.
Permissions and access
- A teacher only sees their own students and the conversations of their own assistants.
- A student only sees their own conversation. They never see other students or their messages.
- The Aulify team does not access teacher content unless strictly required to resolve a support issue, and always with prior consent.
- We enforce Row Level Security at the database layer: each user can only access their own data.
Export and deletion
You have the right to access, rectify, export and delete your data at any time. From your profile you can delete your full account in one click, which cascades to assistants, students, documents and conversations.
Encryption
All communication uses TLS 1.2+ (HTTPS). Data at rest is encrypted with AES-256 at the storage layer. Passwords are stored only as hashes using modern algorithms.
No training on your data
Neither Aulify nor the AI providers we use (Google Gemini, OpenAI) use your material or your students' conversations to train models. This is explicitly forbidden by the contracts we have signed with them.
Full legal documents
For deeper review by your DPO or legal team:
Data controller contact
For any privacy enquiry, rights request or audit, write to: