Privacy Policy
v3.0, February 2026
Your data, protected

We believe privacy is a fundamental right

This document explains what TEETETO collects, how we use it, and the rights you have over your information.

Encrypted: TLS 1.3 + AES-256-GCM
Minimal: Only what we need
Never sold: Your data stays yours
01

Information We Collect

What you provide

Account: Name, email address
Content: Files you upload for processing
Educational data: School or university name, academic years, subjects, grades, credits, and import files you choose to review
Feedback: Corrections and ratings on AI outputs
Payment: Billing via Stripe (card details held by Stripe)

Collected automatically

Usage: Features accessed, session duration
Device: Browser type and operating system
Logs: IP address, access times, pages visited
Checkout tax evidence: IP country and, where available, billing country and payment method country to determine tax residency for invoicing compliance

Providing account and payment data is necessary to use the service. If you choose not to provide it, you will not be able to create an account or use paid features.

02

How We Use It

We process your data for the following purposes, each with a specific legal basis under Art. 13(1)(c) GDPR:

Service delivery: Contract (Art. 6(1)(b))
Academic Profile & insights: Consent (Art. 6(1)(a)): learning history, grade normalization, and profile-based insights
Account management: Contract (Art. 6(1)(b))
Service emails: Contract (Art. 6(1)(b))
Analytics: Legitimate interest (Art. 6(1)(f)): service improvement
Security & fraud prevention: Legitimate interest (Art. 6(1)(f)): protecting users
Marketing communications: Consent (Art. 6(1)(a))
Non-essential cookies: Consent (Art. 6(1)(a))
Advertising: Consent (Art. 6(1)(a))
Tax & billing records: Legal obligation (Art. 6(1)(c))
Tax and invoicing compliance: Legal obligation (Art. 6(1)(c)): applying place-of-supply rules and retaining fiscal evidence/audit trails for VAT and e-invoicing laws

Our commitment: We do not sell your data. We do not use your content to train AI models.

We do not use checkout tax evidence for advertising profiling and retain it only for the period required by applicable law.

School search suggestions are served from copies of open government datasets that we ingest into our own systems. We do not send your school-search queries or profile data back to those public registries.

04

Cookies

In accordance with the Garante per la Protezione dei Dati Personali guidelines (Provvedimento n. 231, 10 June 2021), we classify cookies as follows:

Essential

Authentication, security, preferences. Required — no consent needed.

Analytics

Usage patterns and performance. Optional — consent required.

Marketing

Advertising and campaign measurement. Optional — consent required.

Cookie consent is re-requested every 6 months. You can change your preferences at any time via the cookie settings accessible from the footer.

05

Data Sharing

We never sell your personal data.

AI & cloud infrastructure (Processors)

We use third-party AI and cloud infrastructure providers to deliver the service. Governed by Data Processing Addendums. Your content is not used for model training under the providers' terms.

Stripe (Dual role)

Processor for payment processing on TEETETO's behalf. Independent controller for fraud prevention, compliance, and Stripe's own legal obligations (see Stripe Privacy Center).

Email delivery (Processor)

We use a third-party provider for transactional and service email delivery. Bound by a Data Processing Agreement.

Legal requirements

When required by law, court order, or to protect rights and safety.

06

International Transfers

Providers may process data in the EU and, where applicable, in third countries. These transfers are protected by:

EU-US Data Privacy Framework

The European Commission adopted an adequacy decision for the EU-US Data Privacy Framework (Implementing Decision (EU) 2023/1795). Where providers transfer data to the US, they are certified under the DPF.

Standard Contractual Clauses

As a supplementary safeguard, Standard Contractual Clauses (SCCs) are in place via our processors' Data Processing Agreements.

To obtain a copy of the safeguards in place for international transfers, or a list of the specific providers we use, contact [email protected].

07

Retention

Promptly: Profile data (on deletion request)
30 days: Uploaded files (after account closure or request)
12 months: Usage logs (IP, access times)
Until withdrawn: Marketing preferences
10 years: Payment & tax records (Art. 2220 CC)
90 days: Backups (rolling deletion)

Account deletion: all active data removed within 30 days. Backups purged within 90 days.

08

Your Rights

Under the GDPR and Italian Privacy Code (D.Lgs. 196/2003), you have the following rights. Exercise them by contacting [email protected]. We will respond without undue delay and in any event within one month of receipt (extendable by two further months for complex requests, per Art. 12(3) GDPR).

Access & Portability

  • Access your data (Art. 15)
  • Receive data in portable format (Art. 20)
  • Obtain a copy of safeguards for transfers (Art. 46)

Control

  • Correct inaccuracies (Art. 16)
  • Request erasure (Art. 17)
  • Restrict processing (Art. 18)
  • Object to processing (Art. 21)
  • Withdraw consent at any time (Art. 7(3))

Remedies

  • Not be subject to solely automated decisions (Art. 22)
  • Lodge a complaint with the Garante per la Protezione dei Dati Personali

Supervisory Authority

Garante per la Protezione dei Dati Personali
Piazza Venezia 11, 00187 Roma
Email: [email protected]
PEC: [email protected]
Web: www.garanteprivacy.it

09

Age Requirements & Child Safety

Service Eligibility

This Service is a general audience platform not intended for children. You must meet the minimum age requirements to create an account. Under the GDPR, the minimum age for digital consent varies by EU member state (Art. 8 GDPR, range 13–16):

  • Default / United States: 13+ years old
  • Italy (Art. 2-quinquies D.Lgs. 196/2003): 14+ years old
  • Austria, Bulgaria, Cyprus, Lithuania, Spain: 14+ years old
  • Czech Republic, France, Greece, Slovenia: 15+ years old
  • Croatia, Germany, Hungary, Ireland, Luxembourg, Netherlands, Poland, Romania, Slovakia: 16+ years old
  • South Korea (PIPA): 14+ years old
  • Australia: 16+ years old (Australia uses a capacity-based approach under the Privacy Act 1988; the statutory age of 16 derives from the forthcoming Children's Online Privacy Code and the Online Safety Amendment Act 2024.)

Data Collection

We do not knowingly collect personal data from users under these thresholds. If you are under the relevant age limit, you are prohibited from using the Service. If we discover that an account violates these rules, we will delete the account and associated data immediately.

Academic Profile rollout

Academic Profile currently launches only for high school, university, and postgrad accounts. Elementary and middle-school profile levels remain disabled until we introduce parental consent, parent-email verification, and consent-record storage for countries that require it.

Users Under 18

For users identified as under 18, we process data solely for service delivery and serving Non-Personalised Ads (contextual advertising based on page content, not user behaviour). We do not use behavioural tracking, profiling, or sell/share personal data for cross-context behavioural advertising for these users.

Parental Notice

If you believe a child has provided us personal information, contact us at [email protected]. We will promptly delete such data.

10

Security

Encryption

TLS 1.3 + AES-256-GCM

Access

Role-based controls

Monitoring

Continuous detection

Backups

Encrypted + tested

11

Updates

Material changes: we'll update the date, notify by email, and may provide 30 days' notice for significant changes.

12

Contact

Response within one month per Art. 12(3) GDPR. You may lodge a complaint with the Garante per la Protezione dei Dati Personali (see §08).

13

AI Processing

How AI is used

We use third-party AI and cloud infrastructure providers to process uploaded content (transcription, extraction, summarisation). These providers act as data processors under Data Processing Addendums. Your content is not used for model training under the providers' terms.

AI Act transparency

From 2 August 2026, Regulation (EU) 2024/1689 (AI Act) Art. 50 will require transparency about AI-generated content. TEETETO already provides this disclosure voluntarily: outputs produced by the service are AI-assisted and should be reviewed by the user.

14

Automated Decision-Making

Per Art. 22 GDPR, TEETETO does not make decisions based solely on automated processing that produce legal effects or similarly significantly affect you. AI assists in processing (transcription, extraction, summarisation) but does not make autonomous decisions about your rights, access, or contractual terms.

You may request human review of any AI output by contacting [email protected].

15

Data Controller Identity

Controller: TEETETO DI MICHELE DUTTO
Type: Ditta Individuale
Codice Fiscale: DTTMHL05A10F205I
P.IVA: 14558810967

No Data Protection Officer (DPO) has been designated, as it is not mandatory for this business type under Art. 37 GDPR. For privacy enquiries, contact [email protected].

16

Deceased Persons' Data Rights

Under Art. 2-terdecies of D.Lgs. 196/2003 (Italian Privacy Code), the rights set out in Articles 15–22 of the GDPR regarding the personal data of deceased persons may be exercised by anyone with a legitimate interest, by their authorised representative, or for reasons of family protection — unless the data subject, during their lifetime, expressly prohibited such exercise by notifying TEETETO in writing.

This prohibition does not apply where the exercise of such rights is necessary for the protection of the property interests of third parties or for the defence of a right in court.