Student OS

Privacy Policy

Last updated: 26 June 2026

1. Who We Are

This Privacy Policy explains how Dan Bokete, operating as Student OS (a sole trader) (“we”, “us”, “our”), the data controller, collects and processes your personal data when you use the Student OS application (the “App”). We are based in Ireland, and you can contact us about privacy matters at privacy@studentos.co. A postal address is available on request.

We process your data in accordance with the EU General Data Protection Regulation (GDPR) and the Irish Data Protection Act 2018.

2. What Data We Collect

Depending on how you use the App, we may collect:

  • Account data: when you sign up, you authenticate through Google. We receive your name, email address, profile picture, and Google account identifier from Google. We do not collect or store a password — sign-in is handled via Google and our authentication provider, Better Auth.
  • User content: the notes, flashcards, tasks, boards, calendar entries, deadlines, and resources (such as PDFs and links) you create or upload, including images you add to your notes and the clips and highlights you take from them. Uploaded files may contain whatever personal data you choose to include in them.
  • Study activity data: records of your study, focus, and flashcard review sessions — for example when they started, how long they lasted, what subject or item they related to, and your flashcard review ratings. We use this to power the App’s spaced repetition scheduling, time tracking, and analytics features for you.
  • Usage and technical data: device and browser information, IP address, log data, and interactions with the App.
  • AI settings: if you choose to use our server-side AI features (flashcard generation and understanding questions), you provide your own OpenRouter API key. We store this key on our servers in encrypted form so we can use it, on your behalf, to generate flashcards and understanding questions from your material and to grade your answers (see section 4). We also store the last four characters of the key so we can show you which key is saved. You can remove your key at any time.
  • Diagnostic data: error reports, crash logs, and performance data used to fix bugs and improve stability.

Note: uploads and content may include personal data about you or others. You are responsible for ensuring you have a lawful basis to upload content concerning other people. The App is currently free to use and we do not collect payment information.

3. Signing In With Google

The only way to access the App is by signing in with your Google account. When you do, Google shares certain information with us — typically your name, email address, profile picture, and a unique Google account identifier. We use this solely to create and identify your account. We never receive your Google password, and we do not store one. Your use of Google Sign-In is also subject to Google’s own privacy policy. You can review the permissions you have granted in your Google account settings at any time.

4. AI Features

The App offers two kinds of AI feature, which handle your data differently: a browser-side hand-off and server-side generation. Both rely on third-party AI providers and your own account or key with them, and AI output can be inaccurate or incomplete.

(a) “Explain with AI” hand-off. When you select text (for example, a passage from a PDF) and choose to have it explained, the App opens your own AI assistant — currently Claude, ChatGPT, or Perplexity, whichever you pick — in a new browser tab with the selected text prefilled as a prompt. This happens directly between your browser and the assistant you choose: for this feature we do not send your content to the provider ourselves, we do not receive the assistant’s responses, and the provider is not our sub-processor. The text is processed by that provider under its own privacy policy and terms, using your own account with them. Your choice of preferred assistant is stored locally in your browser, not on our servers.

(b) Server-side AI generation (flashcards and understanding questions). If you save your own OpenRouter API key (see section 2), you can ask the App to generate flashcards or understanding questions from your notes or study material, and to grade the free-text answers you write to those questions. Unlike the hand-off above, this runs on our servers: we send the relevant source text from your material — and, when grading, the answer you typed — together with your OpenRouter key, to OpenRouter on your behalf, and we receive the generated questions, flashcards, or feedback back so we can save them to your account. For these features, OpenRouter acts as our sub-processor (see section 6), and OpenRouter processes the data you send under its own privacy policy and terms. We use your key only to make these requests for you; it is stored encrypted and is never shown back to you in full.

5. How and Why We Use Your Data (Legal Bases)

We process your personal data on the following legal bases under Article 6 GDPR:

  • Performance of a contract: to create and manage your account and provide the App’s core features (notes, flashcards and spaced repetition scheduling, tasks and boards, calendar and deadlines, study and focus session tracking, analytics, and uploads).
  • Legitimate interests: to keep the App secure, prevent abuse, debug errors, and improve the service — balanced against your rights.
  • Legal obligation: to comply with applicable laws, including responding to lawful requests.
  • Consent: where required, for example for any non-essential cookies or optional communications. You can withdraw consent at any time.

6. Service Providers and Sub-Processors

We use trusted third-party providers to operate the App. Each processes personal data only on our instructions under a data processing agreement. Our current providers are:

ProviderPurposeProcessing location / safeguard
Google Sign-InAuthentication — we receive your name, email, profile picture and Google ID when you sign inGoogle Ireland / global; transfers covered by SCCs / Data Privacy Framework
Better AuthAuthentication and session management frameworkRuns within our own infrastructure
CloudflareDomain management, DNS, CDN, security and bot protection, traffic routingGlobal edge network; transfers covered by SCCs / Data Privacy Framework
VercelApplication hosting and deliveryUS-based; transfers covered by SCCs / Data Privacy Framework
SupabaseDatabase for account data, user content (notes, flashcards, tasks, boards, calendar entries, metadata) and study activity records (sessions, reviews, time logs)EU region
Cloudflare R2Object storage for uploaded files, resources, and images you embed in your notesEU region
OpenRouterServer-side AI generation (flashcards and understanding questions) — when you use these features, we send the relevant source text from your material, and any answer you write for grading, to OpenRouter using your own API key, and receive the generated flashcards, questions, or feedback backUS-based; transfers covered by SCCs / Data Privacy Framework
SentryError monitoring, crash and performance diagnosticsUS-based; transfers covered by SCCs / Data Privacy Framework

7. International Data Transfers

Some of our providers process data outside the European Economic Area (EEA), including in the United States. Where this happens, we rely on appropriate safeguards such as the European Commission’s Standard Contractual Clauses or, where applicable, the provider’s certification under the EU–US Data Privacy Framework. You can request more information about these safeguards using the contact details above.

8. How Long We Keep Your Data

We keep your personal data only as long as necessary for the purposes described in this policy:

  • Account and user content: for as long as your account is active.
  • After account deletion: removed within 30 days, except where we must retain certain data to meet legal obligations.
  • Diagnostic and log data: retained for a limited period for security and debugging, then deleted or anonymised.

9. Your Rights

Under the GDPR, you have the right to:

  • access the personal data we hold about you;
  • request correction of inaccurate data;
  • request erasure of your data (“right to be forgotten”);
  • restrict or object to certain processing;
  • data portability — receive your data in a structured, machine-readable format;
  • withdraw consent at any time, where processing is based on consent.

To exercise any of these rights, contact us at privacy@studentos.co. You also have the right to lodge a complaint with your local data protection authority — in Ireland, this is the Data Protection Commission (dataprotection.ie).

10. Security

We take reasonable technical and organisational measures to protect your data, including encryption in transit, access controls, and use of reputable infrastructure providers. Because sign-in is handled through Google, we do not store passwords, which removes one common category of security risk. However, no system is completely secure, and we cannot guarantee absolute security. Please keep your Google account secure and enable two-factor authentication where possible.

11. Cookies and Similar Technologies

The App uses strictly necessary cookies and similar technologies to operate — in particular, to keep you securely signed in and to maintain your session (handled by our authentication provider, Better Auth). These essential cookies do not require consent. We do not currently use advertising or third-party marketing cookies.

We also use your browser’s local storage to remember in-app preferences on your device, such as your preferred AI assistant for the “Explain with AI” feature. This data stays in your browser and is not transmitted to us.

12. Children’s Privacy

The App is intended for users aged 16 and over. The age of digital consent varies across EU member states (between 13 and 16). Where a user is below the applicable age, we require verifiable consent from a parent or guardian before processing their personal data. If you believe a child has provided us data without appropriate consent, contact us and we will take steps to delete it.

13. Changes to This Policy

We may update this Privacy Policy from time to time. If we make material changes, we will notify you (for example, in-app or by email) and update the “Last updated” date above. We encourage you to review this policy periodically.

14. Contact Us

For any questions or requests about this Privacy Policy or your personal data, contact us at privacy@studentos.co.