# Data Security
How Spinzy Academy protects your data and privacy.
## Security Principles
- Minimal collection: We only collect data needed to deliver learning features.
- Explicit consent: You control microphone/speech features and can disable them at any time.
- Privacy by design: Role-based access and least privilege across systems.
## Storage & Encryption
- Database: Hosted PostgreSQL via a managed provider; connections use TLS.
- At rest: Provider-backed encryption for database and object storage.
- In transit: All traffic over HTTPS with HSTS; OAuth flows via `next-auth`.
## AI Processing
- OpenAI API: Requests are sent securely using server-side API keys.
- Redaction: We avoid sending personally identifiable information (PII) in prompts.
- Opt-out: You can disable AI features in settings if preferred.
## Access Controls
- Authentication: Secure sessions via `next-auth` with JWT/secure cookies.
- Authorization: Admin routes protected in middleware; student data is scoped per user.
- Logging: Structured audit logs for critical operations and API usage.
## Data Retention
- Chats & notes: Retained to personalize learning; you can delete at any time.
- Tests & results: Stored to show your progress history; removable on request.
- Backups: Managed backups with limited retention windows.
## Your Rights
- Access: View and export your data via the profile/export tools.
- Deletion: Delete chats, notes, and account data from settings or by contacting support.
- Consent: Manage language, speech, and AI personalization preferences.
## Contact & Reporting
If you have security questions or wish to report a vulnerability, please reach out via the contact page.