Privacy Policy

Last updated: May 17, 2026

Coursly ("we", "our", "the app") is a student productivity app that connects to your university's Moodle™ learning management system. This policy explains what data we collect, why, and how we protect it.

1. Data Controller

The data controller responsible for your personal data is Andres Goncalves, Luxembourg. Contact: adonapp@proton.me. We are not required to appoint a Data Protection Officer under GDPR Article 37. For all data protection inquiries, contact us at the email above.

2. Data We Collect

Account data. When you sign in via your university Moodle™, we create a Supabase account using your Moodle email address. We store your email and a hashed authentication token. We never store your Moodle password.

Moodle course data. With your permission, we sync your course list, assignments, deadlines, grades, and uploaded course documents from your Moodle account. This data is stored locally on your device and in our Supabase database.

AI-processed data. Course documents and syllabi are sent to our AI service (via our Supabase edge functions) to extract deadlines, generate study plans, create revision quizzes, and process voice tasks. We use the Groq API with the openai/gpt-oss-20b model. Document content is sent for processing only and is not stored by our AI provider beyond the duration of the request.

Usage data. We track AI feature usage counts (course analyses, study plans, quizzes, voice tasks) to enforce free-tier quotas. Premium subscription status is tracked via Apple StoreKit.

Calendar data. If you grant calendar access, we read your calendar events to avoid scheduling conflicts and to provide smarter study suggestions around your real schedule.

Device motion data. We access device motion sensors solely for a decorative parallax effect during onboarding. This data is not stored or transmitted.

Voice data. If you use the voice task feature, you will be prompted to grant microphone and speech recognition permission before any recording begins. Audio is processed entirely on-device using Apple's Speech framework for transcription. Only the resulting text transcript is sent to our server for task extraction. Raw audio is never transmitted to or stored on our servers. No voiceprints, biometric identifiers, or audio recordings are created, stored, or shared. You may revoke microphone permission at any time through your device Settings.

Referral data. If you participate in our referral program, we store your referral code, the number of successful referrals, and the duration of any referral reward (free Premium access).

Notifications. With your permission, Coursly sends local notifications to remind you of upcoming deadlines and revision quizzes. No notification content is transmitted to our servers.

3. How We Use Your Data

Sync and organize your university course data
Generate personalized AI study plans and revision quizzes
Track your grades and deadlines
Process voice input into tasks
Enforce usage quotas and manage subscriptions
Prevent abuse (e.g., re-signup quota evasion via archived records)

4. Legal Basis for Processing (GDPR Article 6)

We process your personal data on the following legal bases:

Performance of a contract (Art. 6(1)(b)): Account creation, Moodle data sync, AI study plan generation, grade tracking, task management, subscription management, and referral program administration — these are necessary to provide the service you signed up for.
Legitimate interest (Art. 6(1)(f)): Retention of a one-way hashed email and usage counts after account deletion to prevent free-tier quota abuse. Our legitimate interest in preventing abuse is balanced against the minimal nature of the retained data (an irreversible hash, not the email itself).
Consent (Art. 6(1)(a)): Calendar access, voice input processing, notification delivery, and device motion data. You may withdraw consent at any time by revoking the relevant iOS permission or contacting us.

5. Data Sharing

We do not sell, rent, or share your personal data with advertisers or data brokers.

We share data with these service providers solely to operate the app:

Supabase (database, authentication, storage) — hosted in the EU (AWS EU-West / Ireland). No cross-border transfer.
Groq (AI model provider) — course documents and task descriptions are sent to Groq's API for processing via our Supabase edge functions. Groq does not retain data beyond the request duration.
Groq (AI model inference) — based in the United States. Course document text is sent for processing and is not stored beyond the request.
Apple (StoreKit for subscription management) — Apple acts as an independent controller for payment data.

We have entered into data processing agreements with our service providers in accordance with GDPR Article 28.

Your Moodle credentials are authenticated directly with your university's Moodle server. They are never transmitted to or stored on our servers.

International transfers. When your course data is processed by Groq, it is transferred to the United States. This transfer is protected by the EU-US Data Privacy Framework and/or Standard Contractual Clauses, as applicable. You can request a copy of the applicable safeguards by contacting us.

Legal obligations. We may disclose your personal information if required to do so by law, regulation, legal process (such as a court order or subpoena), or governmental request. We will attempt to notify you before disclosing your information unless prohibited by law or court order. We may also disclose information if we believe in good faith that disclosure is necessary to protect our rights, investigate fraud, or respond to a government request.

6. Data Storage and Security

Server-side data is stored in Supabase (hosted in AWS EU-West / Ireland). Data is encrypted in transit (TLS) and at rest. Row-level security policies restrict each user to their own data. Edge functions use verified JWT authentication.

Local data is stored on your device using a SQLite database (GRDB) within the app's iOS sandbox. iOS Data Protection encrypts all app data at rest when your device is locked.

On-device storage. Coursly stores data locally on your device to provide its core features:

Local database (SQLite/GRDB): Courses, grades, tasks, study plans, and quiz data for offline access. Protected by iOS Data Protection.
Preferences (UserDefaults): App settings, usage counters, onboarding state (including selected study goals), and sync timestamps. This data remains on-device and is not transmitted to our servers.
Keychain: Authentication tokens are stored securely in the iOS Keychain.
Downloaded files: Course documents from Moodle are cached locally and deleted on sign-out or account deletion.

Data breach notification. In the event of a data breach that poses a risk to your rights and freedoms, we will notify the relevant supervisory authority within 72 hours and inform affected users without undue delay, in accordance with GDPR Articles 33-34 and applicable US state breach notification laws.

7. Data Retention and Deletion

You can delete your account at any time from Settings. Account deletion:

Permanently removes your Supabase auth record and all associated data (courses, grades, tasks, subscriptions, referrals)
Deletes all uploaded files from cloud storage
Clears all local data from your device
Cancels all pending notifications

Retention periods:

Active account data: Retained for as long as your account is active.
Post-deletion archive: A one-way hashed (irreversible) record of your email and aggregate AI usage counts are retained indefinitely to prevent quota abuse. This data cannot be used to identify you, contact you, or reconstruct your account.
AI processing: Document content sent to Groq is processed in real time and not stored after the response is returned.
Subscription records: Apple manages subscription billing records per their own retention policies.

8. Your Rights (GDPR / EU)

If you are in the European Union, you have the right to:

Access your personal data
Rectify inaccurate data
Delete your data (via in-app account deletion)
Port your data in a structured, machine-readable format (JSON export of your courses, grades, tasks, and study plans — contact us)
Object to processing
Withdraw consent at any time
Lodge a complaint with a supervisory authority. If you are in Luxembourg, the relevant authority is the Commission Nationale pour la Protection des Données (CNPD), cnpd.public.lu. You may also contact the supervisory authority in your country of residence.

AI-generated content is supplementary and does not produce legal effects or similarly significant effects on you. No automated decisions are made regarding your academic standing, grades, or access to educational services.

To exercise these rights, contact us at adonapp@proton.me. We will respond within 30 days.

9. Your Rights (US State Privacy Laws)

California (CCPA/CPRA). If you are a California resident, you have the right to:

Know what categories of personal information we collect, the purposes for collection, and whether we sell or share your data
Delete your personal information (via in-app account deletion or by contacting us)
Correct inaccurate personal information
Opt out of the sale or sharing of your personal information
Non-discrimination for exercising your privacy rights

Categories of personal information we collect (per Cal. Civ. Code § 1798.140):

Identifiers: email address, Moodle user ID, account ID, Apple transaction IDs, referral codes
Education information: course names, assignment titles, grades, deadlines, uploaded course documents
Commercial information: subscription purchase history, product IDs, referral reward status
Internet/electronic activity: AI feature usage counts
Audio information: voice transcripts (processed on-device; only the text transcript is transmitted)
Inferences: AI-generated study plans, task suggestions, and quiz content derived from your course data

We do not sell or share your personal information as those terms are defined under the CCPA/CPRA. We do not use your data for cross-context behavioral advertising.

We do not collect sensitive personal information as defined by the CPRA (Social Security numbers, precise geolocation, racial/ethnic origin, etc.).

Virginia (VCDPA), Colorado (CPA), Connecticut (CDPA), and other US states. If you reside in a US state with a comprehensive privacy law, you may have similar rights to access, delete, correct, and opt out of targeted advertising, profiling, and sale of personal data. We do not engage in targeted advertising, profiling for decisions that produce legal effects, or sale of personal data. To exercise any rights, contact us at adonapp@proton.me. We will respond within 45 days. If we deny your request, you may appeal by emailing us with the subject line "Privacy Rights Appeal."

Do Not Track / Global Privacy Control. Coursly does not track users across third-party websites or services and does not serve targeted advertising. We honor the Global Privacy Control (GPC) signal as a valid opt-out request.

10. Children's Privacy

Coursly is designed for university students aged 16 and older. We do not knowingly collect personal information from children under 13 as defined by the U.S. Children's Online Privacy Protection Act (COPPA), or from anyone under 16. If you believe a child under 16 has provided us data, contact us at adonapp@proton.me and we will promptly delete it.

11. Third-Party AI Disclosure

AI-generated content. Coursly uses artificial intelligence to analyze course materials and generate study plans, revision quizzes, deadline detection, and voice task extraction. You should be aware that:

AI outputs are generated by a third-party model (currently Groq, using the openai/gpt-oss-20b model) via our Supabase edge functions
Your course data (document text, syllabus content, grade structures, voice transcripts) is sent to this AI service for processing
This data is used solely to generate your personalized study content and is not used to train AI models
Our AI provider does not retain your data after processing the request
AI-generated content may contain errors, omissions, or inaccuracies. Always verify deadlines, grade calculations, and academic requirements with your university's official sources
No automated decisions with legal or similarly significant effects are made about you based on AI processing

We may change AI service providers in the future. The same data protection commitments described in this policy will apply to any new provider.

12. Changes to This Policy

We may update this policy from time to time. Material changes will be communicated via an in-app notice. The "last updated" date at the top reflects the most recent revision.

13. Contact

For questions or concerns about this privacy policy:

Email: adonapp@proton.me