Privacy Policy

1. Introduction

Welcome to LACO AI ("we," "our," or "us"). This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our educational AI research platform.

This project is developed under the Apache License 2.0 and is intended solely for educational, research, and experimental purposes. We are committed to protecting your privacy and handling your data responsibly.

2. Educational and Experimental Nature

This platform is:

• A beta version for educational and research purposes
• Not intended for commercial or production use
• Provided "as-is" without any warranties
• Subject to changes, updates, or discontinuation without notice
• Not designed to handle sensitive, confidential, or personal data

3. Information We Collect

3.1 Account Information

• Email address (used as unique identifier)
• Full name
• Password (encrypted using industry-standard hashing)
• User role (Admin, Teacher, or Student)
• Year level (for students)
• Profile picture (optional)
• Account creation date and timestamps
• Account status (active/inactive)
• Email verification status

3.2 Usage Data

• PDF file uploads (name, size, file path)
• Chat conversations with AI (prompts and responses)
• Selected PDF documents for chat context
• Search queries within PDF lists
• API request logs and response times
• User activity timestamps
• Profile updates and password changes
• File deletion activities

3.3 Technical Data

• IP address (for rate limiting and security)
• Browser type and version
• Device information
• JWT authentication tokens (stored in cookies)
• Local storage data (email for session recovery)
• Request headers and origin validation

3.4 Admin and Teacher Data

• Admin users have access to user management features
• Teachers can monitor and filter content for assigned students
• Admin activity logs (user creation, status updates, deletions)
• API usage logs accessible by admins

4. How We Use Your Information

We use collected information for:

• User authentication via JWT tokens and email verification
• Role-based access control (Admin, Teacher, Student)
• Processing PDF documents with OpenAI for educational chat
• Generating AI-powered responses to user questions
• Storing and managing profile pictures
• Enabling search and filtering of uploaded PDFs
• Teacher supervision and content filtering for students under 13
• Admin features: user management, API logs, and system monitoring
• Rate limiting to prevent spam and abuse (1 request per second per IP)
• CSRF protection and origin validation
• Research and educational analysis
• Debugging and system performance monitoring

5. Data Storage and Security

• User data stored in Supabase PostgreSQL database with row-level security
• Profile pictures stored in Supabase public storage buckets
• PDF files stored temporarily in Supabase storage buckets
• Passwords encrypted using bcrypt or similar industry-standard hashing
• JWT tokens with secret key encryption for session management
• API endpoints protected with JWT authentication and rate limiting
• CSRF protection via origin header validation
• Rate limiting: 1 request per second per IP address to prevent spam
• Cooldown mechanism tracks requests using in-memory maps
• Old profile pictures automatically deleted when updating
• We implement reasonable security measures but cannot guarantee absolute security
• HTTPS encryption for all data transmission

6. Third-Party Services

We use the following third-party services:

• Supabase: PostgreSQL database, authentication, and file storage services
• OpenAI: AI-powered chat responses and PDF document analysis
• Render: Python API hosting for backend services
• Vercel/GitHub Pages: Next.js application deployment
• Next.js: React framework for the web application

These services have their own privacy policies and terms of service. We are not responsible for their data handling practices, security measures, or service availability.

7. Data Retention

• Account data: Retained until manual account deletion by user or admin
• Profile pictures: Stored permanently until replaced or account deleted
• PDF files: Stored in database and storage bucket until manually deleted via context menu
• Chat history: Stored indefinitely in your account until manually cleared
• API logs: Retained for debugging, research, and admin monitoring purposes
• Authentication tokens: JWT tokens expire based on configured session duration
• Rate limit data: Stored temporarily in memory; old entries auto-cleaned
• Verification codes: Email codes for password reset and verification

8. Your Rights

You have the right to:

• Access your personal data through your profile settings
• Update your name and profile picture
• Change your password via email verification
• View your uploaded PDFs and chat history
• Delete individual PDFs via right-click context menu
• Request correction of inaccurate account data
• Request deletion of your account and all associated data
• Export your data (contact us for manual export requests)
• Opt-out of data collection by not using the service
• Be informed of data breaches affecting your information

Note: Profile updates, password changes, and PDF deletions can be performed directly through the application interface.

9. User Roles and Permissions

9.1 Students

• Can upload and manage their own PDF documents
• Can chat with AI about their PDFs
• Can search and filter their PDF library
• Can update their profile and password
• Students under 13 require teacher supervision

9.2 Teachers

• Have all student permissions
• Can be assigned by administrators to supervise students
• Responsible for monitoring and filtering content for assigned students under 13
• Can review student interactions and manage their access

9.3 Administrators

• Full access to user management features
• Can create, update, and delete user accounts
• Can view and manage API usage logs
• Can assign teacher roles to users
• Can monitor system health and performance
• Access to all administrative dashboards and logs

10. Children's Privacy

When users under 13 years of age access this educational platform, their data and interactions are supervised and filtered by teachers who have been assigned by the administrator.

• Teachers assigned by administrators are responsible for managing and monitoring content for underage users
• Data filtering and content moderation for children under 13 is handled through teacher oversight
• Teachers can review, filter, and control the AI interactions of their assigned students
• Parental consent is required and should be obtained by the educational institution or teacher before allowing underage users to access the platform
• We do not directly collect data from children without appropriate teacher supervision and institutional approval

11. No Illegal Activities

This platform is strictly for educational and research purposes. We:

• Do not engage in any illegal activities
• Do not support or facilitate illegal content or actions
• Reserve the right to terminate accounts engaged in illegal activities
• Will cooperate with law enforcement if required by law

12. Changes to This Privacy Policy

As this is a beta educational project, we may update this Privacy Policy at any time. Changes will be posted on this page with an updated revision date.

13. Contact Information

For questions about this Privacy Policy, please contact:

Project Owner: cordyStackX

License: Apache License 2.0

GitHub: github.com/cordyStackX/lccb_ai_2