Privacy Policy

Effective April 14, 2026 · Last updated April 14, 2026

1. Introduction

Ztudy ("we," "us," or "our") is committed to respecting your privacy and safeguarding the personal information you share with us when you use our website, subdomains, and any related online services (collectively, the "Services"). This Privacy Policy describes how we collect, use, disclose, and protect your personal data, as well as the rights you may have regarding your information.

This Privacy Policy is intended to comply with applicable privacy laws, including the European Union General Data Protection Regulation (GDPR), the ePrivacy Directive, and other applicable data protection legislation. If you have any questions or concerns, please contact us at mikkel@ytting.dev.

By accessing or using our Services, or by otherwise providing personal information to us, you consent to the collection, use, disclosure, and handling of your personal information as described in this Privacy Policy and agree to be bound by its terms. If you do not agree with these terms, please do not use the Services.

2. Scope of This Privacy Policy

  • Applicability: This Privacy Policy applies to personal information we collect through the Services, as well as through any related online or offline interactions (such as emails or customer support) that reference or link to this policy.
  • Third-Party Links & Services: Our Services may include links to third-party websites or integrate with third-party tools. These third parties have their own privacy practices, and we do not control or assume responsibility for their actions, privacy policies, or content. We encourage you to review the privacy policies of any third-party websites or services you visit.

3. Definitions

  • "Personal Information" or "Personal Data": Any information about an identifiable individual, or information that could reasonably be used to identify an individual, either on its own or when combined with other data.
  • "Processing": Any operation performed on personal data, such as collection, storage, use, disclosure, or deletion.
  • "You" / "User": An individual who accesses or uses our Services.

4. Information We Collect

A. Information You Provide Directly

  • Account Registration: When you create an account, we collect your name, email address, and password (stored in hashed form using industry-standard algorithms).
  • Communications: If you contact us (e.g., via email or support forms), we may collect the content of your communications, your contact details, and any other information you choose to provide.
  • Study Materials / User Content: When you upload or submit study materials (e.g., PDF, Word documents, PowerPoint files, text, YouTube URLs, or website links), we collect and process this content for the purpose of providing the Services (e.g., generating flashcards, quizzes, notes, practice exercises, and AI-powered tutoring sessions).
  • Payment Information: If you purchase a subscription or otherwise engage in a financial transaction, we may collect billing information such as your name, payment method details, and any other data necessary to process payments. We do not store full payment card details on our servers; payment processing is handled by our third-party payment processor.

B. Information Collected Automatically

  • Usage Data: We may automatically collect information about your interaction with our Services, such as features used and time spent on the Services.
  • Device & Log Information: We may collect information about the device and browser you use to access the Services (e.g., IP address, browser type, operating system).
  • Cookies: We use only strictly necessary session cookies for authentication purposes. We do not use analytics, advertising, or tracking cookies. See Section 6 for details.

C. Information From Third Parties

  • Social Media & Single Sign-On: If you choose to register or log in using a third-party single sign-on service (e.g., Google), we may receive certain profile information from that third party in accordance with their privacy policy and your account settings.

5. How We Use Your Information

We use the personal information we collect for various legitimate business purposes, including:

  • Service Provision & Account Management: To create, maintain, and administer your account, and to provide, operate, and improve the functionality of the Services, including generating AI-powered study materials, quizzes, flashcards, notes, practice exercises, podcasts, and personalized tutor sessions.
  • AI Processing: Your uploaded study materials are processed by third-party AI service providers to generate educational content. Only the text content extracted from your materials is sent to these providers — original files are not retained after text extraction. AI providers process data as data processors under contractual obligations.
  • Communication: To respond to your inquiries, comments, and support requests, and to send you administrative or transactional messages (e.g., service announcements, password reset notifications).
  • Payment Processing & Subscription Management: To facilitate payment transactions, subscriptions, and billing processes.
  • Security & Compliance: To protect the security and integrity of our Services, detect and prevent fraud or abuse, and comply with our legal obligations.
  • Business Operations: To conduct audits, data analysis, or troubleshooting, to fulfill legal obligations, and to enforce our Terms of Service or other legal rights.

6. Cookies and Similar Technologies

Ztudy uses only strictly necessary session cookies for authentication and security purposes. These cookies are essential for the Services to function — they maintain your logged-in session and protect against cross-site request forgery.

We do not use analytics cookies, advertising cookies, tracking pixels, or any third-party tracking technologies. Because our cookies are strictly necessary for the provision of the service you have requested, they are exempt from consent requirements under Article 5(3) of the ePrivacy Directive.

You can manage or disable cookies via your browser settings, though blocking essential cookies will prevent you from using the Services.

7. Legal Bases for Processing (GDPR Article 6)

We rely on the following legal bases to process your personal information:

  • Performance of Contract (Art. 6(1)(b)): We process your personal data as necessary to provide the Services you have requested under our Terms of Service. This includes account creation, study material processing, and AI-generated content delivery.
  • Consent (Art. 6(1)(a)): We process your personal data when you have given us consent, such as when you agree to our Terms of Service and Privacy Policy during registration. You may withdraw consent at any time by deleting your account.
  • Legitimate Interests (Art. 6(1)(f)): We process your personal data where necessary for our legitimate interests (e.g., improving the Services, ensuring security, preventing abuse), provided these interests are not overridden by your fundamental rights and freedoms.
  • Compliance with Legal Obligations (Art. 6(1)(c)): We may process your personal data to comply with legal obligations or respond to lawful requests from governmental authorities.

8. Disclosure of Your Information

We may share or disclose personal information in the following circumstances:

  • Service Providers & Partners: We engage third-party companies and individuals to facilitate our Services (e.g., AI service providers, cloud hosting providers, payment processors, content delivery services). These parties have access to personal information only to perform tasks on our behalf and are contractually obligated not to disclose or use it for any other purpose.
  • Business Transfers: In the event of a merger, acquisition, reorganization, bankruptcy, or sale of all or a portion of our assets, we may transfer your personal information as part of the transaction. Any acquiring entity will adhere to the commitments in this Privacy Policy.
  • Legal Compliance & Protection: We may disclose personal information if required to do so by law, or in response to a lawful request by public authorities. We may also disclose personal information when we believe it is necessary to protect our rights, property, or safety, or to investigate fraud, abuse, or security issues.
  • Aggregated or De-Identified Data: We may share data that has been aggregated or de-identified in such a way that it can no longer be associated with a specific individual.

9. International Data Transfers

Ztudy operates within the European Union. However, some of our third-party service providers (including AI processing services and cloud infrastructure providers) may process data in countries outside the European Economic Area (EEA), including the United States.

Where personal data is transferred outside the EEA, we ensure that appropriate safeguards are in place in accordance with GDPR Articles 44–49, such as Standard Contractual Clauses (SCCs) approved by the European Commission, or reliance on the service provider's participation in recognized data protection frameworks.

By using the Services, you acknowledge that your data may be processed in countries with different data protection laws than your country of residence.

10. Data Retention

We retain personal information for as long as necessary to fulfill the purposes outlined in this Privacy Policy, unless a longer retention period is required or permitted by law. When determining the retention period, we consider factors such as the nature of the data, the purpose for which it was collected, and any regulatory or legal obligations.

  • Account Data: Retained for as long as your account is active. Upon account deletion, all personal data is permanently removed.
  • Uploaded Files: Original files are not retained — text is extracted and the original file is immediately deleted. Only the extracted text is stored for the duration of your account.
  • Usage Logs: Activity logs and usage data are retained for a limited period for security and operational purposes, and are periodically purged.

11. Security Measures

We are committed to protecting the security of your personal data. We implement a variety of administrative, technical, and physical safeguards, including:

  • Encryption: We use industry-standard encryption (TLS) to protect data in transit. Passwords are hashed using Argon2id with strong parameters.
  • Access Controls: We limit access to personal information to authorized personnel who need it to operate the Services.
  • Secure Hosting: We host our Services with reputable providers that maintain high security standards.
  • Security Headers: We implement comprehensive security headers including HSTS, Content Security Policy, and X-Frame-Options to protect against common web attacks.

No method of transmission over the internet or electronic storage is completely secure. While we strive to protect your personal data, we cannot guarantee its absolute security.

12. Children's Privacy

  • Minimum Age Requirements: Our Services are not directed to individuals under the age of majority in their jurisdiction (often 18) without parental or guardian consent. We do not knowingly collect personal information from individuals under 13 years of age.
  • Parental Consent: If you are under the legal age of majority and wish to use the Services, you may do so only with the involvement and consent of a parent or legal guardian.
  • Account Termination: If we become aware that a child under 13 has provided personal information to us without parental consent, we will delete such information and terminate the child's account.

13. Your Rights and Choices

Depending on your location and applicable laws (including the GDPR), you may have the following rights regarding your personal information:

  • Right of Access (Art. 15): You have the right to request a copy of the personal information we hold about you.
  • Right to Rectification (Art. 16): You can ask us to correct or update any inaccuracies in your personal data.
  • Right to Deletion / Erasure (Art. 17): You may request the deletion of your personal information. You can delete your account and all associated data from your account settings at any time.
  • Right to Withdraw Consent (Art. 7(3)): Where processing is based on your consent, you have the right to withdraw that consent at any time. You may do so by deleting your account.
  • Right to Restrict Processing (Art. 18): In certain circumstances, you may have the right to request that we limit or restrict our processing of your personal information.
  • Right to Data Portability (Art. 20): Where legally applicable, you can request a structured, commonly used, and machine-readable copy of certain personal data you have provided to us.
  • Right to Object (Art. 21): You may object to the processing of your personal data in certain circumstances, including processing based on legitimate interests.

To exercise these rights, please contact us at mikkel@ytting.dev. We will respond to your request within a reasonable timeframe, and no later than one month as required by GDPR Article 12.

14. Managing Your Personal Information

  • Account Settings: You can access, update, or delete certain personal information by logging into your account settings within the Services.
  • Account Deletion: You can permanently delete your account and all associated data from the Settings page. This action is irreversible.
  • Contact Us: If you have any difficulties accessing or managing your personal information, please email us at mikkel@ytting.dev.

15. Third-Party Services and Integrations

In order to offer a comprehensive learning experience, our Services may integrate with or link to third-party platforms and services (e.g., YouTube for video content, payment gateways for subscriptions). We do not control and are not responsible for the data practices of these third parties. We encourage you to review their respective privacy policies to understand how they handle your personal information.

16. Changes to This Privacy Policy

  • Updates: We reserve the right to modify or update this Privacy Policy at any time to reflect changes in our practices, technologies, legal requirements, or other factors.
  • Notification: If we make any material changes, we will notify you by posting the updated policy on our website or by other appropriate means, such as email or notifications within the Services.
  • Effective Date: The "Effective Date" at the top of this Privacy Policy indicates when the latest version went into effect. Your continued use of the Services after any changes take effect signifies your acceptance of the revised Privacy Policy.

17. Dispute Resolution

  • Contact Us First: If you have any concerns about our privacy practices, we encourage you to reach out to us at mikkel@ytting.dev so we can address your concerns directly and promptly.
  • Supervisory Authority: If you are located in the European Economic Area, you have the right to lodge a complaint with your local data protection supervisory authority if you believe your data protection rights have been violated.
  • Governing Law: Any disputes arising under this Privacy Policy or related to our privacy practices will be governed by the laws of the European Union and the applicable member state, and the dispute resolution provisions outlined in our Terms of Service.

18. Additional Provisions

  • Severability: If any provision of this Privacy Policy is found unenforceable or invalid, that provision shall be enforced to the maximum extent permissible, and the remaining provisions will remain in full force and effect.
  • Language: This Privacy Policy may be provided in multiple languages. In the event of any conflict or inconsistency between the English version and any translation, the English version shall prevail.

19. Contact Us

If you have any questions, comments, or concerns about this Privacy Policy or our privacy practices, please feel free to contact us:

Ztudy
Email: mikkel@ytting.dev

A note from the developer

Hey — I'm Mikkel, a software developer from Denmark. I built Ztudy because I'm genuinely passionate about making studying less painful and more effective. Your privacy matters to me — I only collect what's needed to make the product work, nothing more. If you have questions or concerns, reach out anytime at mikkel@ytting.dev.