Privacy Policy

Last updated: May 23, 2026

This Privacy Policy explains what information Eduro (“we”, “us”) collects when you use eduro.pages.dev and our apps (collectively, the “Service”), why we collect it, how we store it, and your rights. We aimed for plain English — if anything is unclear, write to privacy@eduro.app.

1. Who we are

Eduro is a friendly AI mastery app — tiny daily lessons, mini-games, certificates, and a personalised mentor. The Service is operated by Eduro (referred to as “the operator” below). Our data controller contact: privacy@eduro.app.

2. What we collect

We try to collect as little as possible. Here's the full list.

2.1 Account information

• Email address (required for sign-in and password resets).
• Display name (optional; defaults to a friendly placeholder).
• Profile photo URL (only if you sign in with Google and choose to share it).
• A Firebase-issued unique user ID (UID) we use to look up your account internally.

2.2 Learning progress

• Lessons, units, courses, mini-games, and challenges you complete.
• Your XP, daily streak, engaged-day history, and chosen mentor.
• Per-lesson ratings, course ratings, and any feedback text you submit.
• Practice playground completions and inline quiz responses.

For guests (people not signed in), this data lives only in your browser's localStorage under the key coursiv-user-state-v1. When you sign in, we sync it up to your account so it travels across devices.

2.3 Subscription & payment information

• A Stripe customer ID linked to your account (so we can match webhooks).
• Your subscription status, plan (monthly or annual), and renewal date.
• We never see or store your card details. Stripe handles all payment data on PCI-compliant servers we don't have access to.

2.4 Files you upload (Pro feature)

Pro subscribers can upload personal voice-over audio files (MP3, WAV, M4A, OGG; up to 25 MB) to attach to lessons. Files are stored in your private prefix in Cloudflare R2 and indexed in Firestore as users/{uid}/voiceovers/{lessonId}. You can delete them anytime from your profile.

2.5 AI chat content (Pro feature)

When you use /ai-tools, the messages you type are sent to OpenRouter (and from there to the model you selected — Claude, GPT, Gemini, etc.). We do not log the bodies of these messages. OpenRouter and the upstream model providers have their own privacy policies governing their handling of the request.

2.6 Technical information

• IP address (transient — used by Cloudflare for routing and DDoS protection; not stored by us).
• Basic browser metadata (User-Agent) seen by Cloudflare logs for ~24 hours.
• Firebase Authentication automatically records sign-in timestamps for security.

3. Cookies and local storage

We use exactly two kinds of client-side storage:

• Functional localStorage: coursiv-user-state-v1 stores your progress; eduro-onboarding-v1 stores your quiz answers. No third-party access.
• Firebase authentication cookies (set on the firebaseapp.com domain): hold your session so you don't have to sign in repeatedly. Strictly necessary; cannot be disabled while signed in.

We do not use analytics, advertising, or third-party tracking cookies.

4. Where your data lives

• Authentication: Google Firebase Authentication (United States).
• Database: Google Cloud Firestore (region you can request).
• Files: Cloudflare R2 (multi-region edge storage).
• Payments: Stripe (United States / Ireland for EU customers).
• Hosting + edge functions: Cloudflare Pages (global anycast).

By using Eduro you agree that data may be transferred and processed in these regions. We rely on the Standard Contractual Clauses where required by EU/UK law.

5. How we use your information

• To sign you in and keep your session secure.
• To sync your progress, mentor choice, and certificates across devices.
• To handle billing, send receipts, and unlock Pro features.
• To improve the product (aggregated, non-personally-identifiable counters in stats/global — total subscribers, total certificates).
• To respond to support emails you send us.

We do not use your data to train AI models.

6. Sharing your information

We don't sell your data. We share only what's needed with the sub-processors below, each governed by their own enterprise terms:

• Google (Firebase Auth, Firestore) — account & progress storage.
• Stripe — payment processing.
• Cloudflare (Pages, Workers, R2) — hosting and file storage.
• OpenRouter — Pro AI chat routing.

If we are required by law (subpoena, court order) to disclose your information, we will limit disclosure to exactly what is compelled and, where lawful, notify you first.

7. Your rights

You have, at any time, the right to:

• Access all data we hold about you.
• Correct any inaccurate data.
• Delete your account and associated data permanently.
• Export your data in machine-readable JSON.
• Object to certain processing.
• Withdraw consent at any time.

To exercise any of these, email privacy@eduro.appfrom the email address on your account. We respond within 30 days as required by GDPR/CCPA.

8. How long we keep your data

• While your account is active: indefinitely (we need it to run the Service).
• After account deletion: removed from production within 30 days; from backups within 90 days.
• Billing records: 7 years (legal requirement in most jurisdictions).

9. Children

Eduro is not directed at children under 13. We do not knowingly collect data from anyone under 13. If you become aware that a child has provided us data, contact us and we will delete it immediately.

10. Security

We protect your data with HTTPS in transit, Firebase's encrypted storage at rest, strict Firestore security rules limiting reads/writes to your own document, and access controls on R2 buckets. No system is perfect — if we discover a breach affecting you, we will notify affected users within 72 hours.

11. Changes to this policy

When we update this policy, we'll change the “Last updated” date and, for material changes, email you. Continued use after the change means you accept it.

12. Contact

Questions or requests: privacy@eduro.app.