Last updated: May 19, 2026
This Privacy Policy explains how Witan ("we", "us") processes your personal data when you use the Witan platform. It is written under the General Data Protection Regulation (Regulation (EU) 2016/679, "GDPR") and the Austrian Data Protection Act (DSG).
The controller responsible for processing your personal data (Art. 4 (7) GDPR) is:
Leo Rafael Pritz
1160 Vienna, Austria
Email: usewitan@gmail.com
Full provider details are in our Imprint. We have not appointed a Data Protection Officer; Art. 37 GDPR does not require us to.
This policy applies to usewitan.com and the Witan platform. It covers all processing carried out under our control. The OAuth sign-in flow at Google or Discord is governed by their respective privacy policies until you return to Witan.
We process the following categories of personal data. Each category has a single, named legal basis under Art. 6 (1) GDPR.
| Category | What we process | Purpose | Legal basis |
|---|---|---|---|
| Account identity | Email, display name, avatar URL, OAuth provider ID, locale | Sign-in, account management, in-app display | Art. 6 (1) (b) — contract |
| Authentication state | Sessions, refresh tokens, MFA factors, IP and User-Agent on login | Keep you signed in; detect login fraud | Art. 6 (1) (b) — contract; Art. 6 (1) (f) — security |
| Consent records | Timestamp and version of the Terms you accepted, granular settings (analytics, data-usage, personalization toggles) | Demonstrate consent and your preferences | Art. 7 (1) GDPR (records of consent); Art. 6 (1) (c) — legal obligation |
| Learning content | Files you upload (PDF, DOCX, PPTX, audio, video, images), extracted text, prompts you type, custom AI instructions, vector embeddings derived from your material | Generate quizzes, hints, explanations, summaries; enable semantic search across your sources | Art. 6 (1) (b) — contract |
| Learning progress and profiling | Quiz answers verbatim, ratings, reaction times, error types, FSRS scheduler state (stability, difficulty, lapses), concept-mastery scores, Bloom/Dreyfus levels, daily-stats rollups | Adaptive spaced-repetition scheduling, error-pattern detection, progress feedback | Art. 6 (1) (b) — contract |
| Vector-based learning index | Mathematical embedding vectors derived from your tested facts, your answers, and the canonical correct answers (no human-readable copy of the underlying content; the original text lives only in the categories above). The vectors are used to detect duplicate questions before you see them and — once enough data has accumulated — to spot recurring mistake-patterns in your learning history. | Cross-set deduplication of generated questions; vector-based detection of recurring misunderstandings | Art. 6 (1) (b) — contract |
| Generation telemetry | Item drafts that the system produced but did not show you (skeletons of failed generations) together with the reason the internal quality filter rejected them. Linked to your account so we can spot if generation quality drifts on your content; aggregated and pseudonymised after 30 days, full record deleted by deleting your account. | Internal quality monitoring of the question pipeline; iterative improvement of generation prompts | Art. 6 (1) (f) — legitimate interests (service quality) |
| AI output | Hints, explanations, session summaries, error-pattern narratives, chat history with the in-app assistant | Provide the AI features you requested | Art. 6 (1) (b) — contract |
| Service usage | Per-call token counts, model name, edge function name, latency, current rate-limit window, ban records on repeated abuse | Enforce fair-use limits, control costs, keep the service available | Art. 6 (1) (f) — legitimate interests (cost control, abuse prevention) |
| Support tickets | Free-text bug reports and feedback you submit through the in-app "Report Issue" flow | Triage and respond to your reports | Art. 6 (1) (b) — contract; Art. 6 (1) (f) — service improvement |
We do not process special-category data under Art. 9 GDPR (health, biometrics, political opinions, religion, sexual orientation, trade-union membership, genetic data). You must not upload such data about third parties either — see our Acceptable Use Policy § 3.
When you sign in via Google or Discord, the OAuth provider transmits your email, display name, avatar URL, and provider-side user ID to us. Google LLC and Discord Inc. act as independent controllers for the sign-in itself; they are not our sub-processors. Their privacy policies apply to the OAuth interaction. The data they pass to us then enters our processing under Section 3.
We use the following sub-processors under written Art. 28 GDPR data processing agreements:
| Sub-processor | Role | Where it processes | Transfer safeguard |
|---|---|---|---|
| Supabase, Inc. | Database, authentication, file storage, edge functions | AWS Frankfurt (eu-central-1) | EU-internal; Standard Contractual Clauses for any incidental US sub-processing |
| Vercel Inc. | Hosting and content delivery (CDN) | Global edge network including the US | EU-U.S. Data Privacy Framework (Art. 45 GDPR) + Standard Contractual Clauses |
| OpenAI, LLC — contracted via OpenAI Ireland Limited for EEA customers | AI inference: question generation, answer validation, hints, explanations, summaries, embeddings, speech-to-text (Whisper) | US, with EU access points | EU-U.S. Data Privacy Framework (Art. 45 GDPR) + Standard Contractual Clauses |
We do not use any analytics, advertising, or tracking sub-processors.
Some processing involves transfers to providers in the United States. We rely on two mechanisms, applied per recipient:
- the European Commission's adequacy decision for the EU-U.S. Data Privacy Framework of 10 July 2023 (Art. 45 GDPR) for certified recipients;
- Standard Contractual Clauses together with a Transfer Impact Assessment as required by the Court of Justice ruling C-311/18 ("Schrems II").
We use TLS 1.3 encryption in transit and send only the data needed for each call to a third-country provider.
We keep your personal data while your account exists. The specifics:
| Category | Retention |
|---|---|
| Account, learning content, learning progress, AI output, consent records | Until you delete your account |
| Vector-based learning index (per-item embeddings, per-answer embeddings) | Tied to the underlying item and review respectively — deleted automatically when the item or the review is deleted; deleting your account removes everything via cascade |
| Generation telemetry (item drafts) | Full record kept for 30 days, then aggregated to anonymised statistics for an additional 11 months (count of rejects per reason category, no skeleton text), monthly rollups thereafter. Full delete on account deletion. |
| Database rows and file blobs after account deletion | Removed within 30 days (atomic cascade across all owned tables plus all four storage buckets) |
| Per-call token usage logs | Detail rows are pruned after 90 days by a weekly cron job; aggregate usage totals stay in our long-term audit table |
| Rate-limit counters | Auto-deleted after 10 minutes |
| Rate-limit violation records | Auto-deleted after 1 hour |
| Authentication audit (IP, User-Agent) | Managed by our processor Supabase under their platform retention policy |
We do not sell your data, we do not use it for marketing, and we do not use it to train any AI model — neither ours nor anyone else's (see Section 9).
We use your inputs and your learning history to schedule reviews (FSRS spaced repetition), to detect recurring error patterns, and to adapt question difficulty. This is profiling within the meaning of Art. 4 (4) GDPR, but it produces only learning recommendations — it has no legal effect on you and does not significantly affect you in a comparable way. You therefore have no Art. 22 GDPR opt-out from the profiling itself, but you can stop it at any time by deleting your account (Section 10).
We use the OpenAI API for AI features (quiz generation, answer validation, hints, explanations, session summaries, embeddings, speech-to-text). The generation pipeline uses several OpenAI models in sequence: a small reasoning model (gpt-5-nano) for planning, quality-checking and writing each question, a low-dimensional embedding model (text-embedding-3-small) to index your source chunks and questions, and a higher-dimensional embedding model (text-embedding-3-large) to index your answers for the optional adaptive pattern-detection feature. Under our contract with OpenAI:
- **Your content is not used to train models.** OpenAI's standard API data processing agreement excludes API content from training by default, and we have that DPA in force.
- monitoring, after which it is deleted (source: OpenAI API Data Usage Policies).
- purposes.
AI-generated content is labelled as such in the UI (Art. 50 EU AI Act). AI output can be inaccurate or incomplete — treat it as a study aid, not as a definitive answer. The full disclaimer is in our Terms of Service § 5.
You have the following rights under the GDPR. To exercise any of them, write to usewitan@gmail.com from the address linked to your Witan account; we respond within one month at no cost (Art. 12 (3) GDPR).
- **Rectification:** edit most fields directly in Settings.
- **Erasure:** delete your account under Settings → Account → Delete Account, or write to us. Deletion cascades across all 22 owned database tables and all four storage buckets.
- **Portability:** export of your data in a machine-readable format (in-app export or by written request).
- **Objection:** to processing based on our legitimate interests (Section 3 categories marked Art. 6 (1) (f)).
- **Withdrawal of consent:** where processing is based on your consent, you can withdraw it at any time without affecting prior lawful processing.
If you do not provide the data we need to run the service (the categories in Section 3 marked as "contract"), we cannot create or keep your account.
Without prejudice to any other remedy, you can lodge a complaint with a data protection supervisory authority — in particular in your EU member state of habitual residence, place of work, or place of the alleged infringement (Art. 77 GDPR). The competent authority for Witan is:
Österreichische Datenschutzbehörde (DSB)
Barichgasse 40-42
1030 Vienna, Austria
Email: dsb@dsb.gv.at
Phone: +43 1 52 152 - 0
Web: https://www.dsb.gv.at
Online complaint form: https://www.dsb.gv.at/eingabe-an-die-dsb/beschwerde
We use only essential cookies and browser-local storage. No tracking, no analytics, no advertising.
| Name | Purpose | Category | Duration |
|---|---|---|---|
| sb-*-auth-token | Authentication — keeps you signed in | Essential | Session |
| witan_cookies_v2 | Remembers that you acknowledged the cookie banner | Essential / Consent | Persistent |
| ai_disclaimer_seen | Remembers that you acknowledged the AI notice | Consent | Persistent |
| sr_recent_items | Recently visited spaced-repetition decks | Preferences | Persistent |
| sr_view_mode | Your preferred spaced-repetition view | Preferences | Persistent |
| pinnedItems | Pinned items in the sidebar | Preferences | Persistent |
| planViewMode | Your preferred learning-plan view | Preferences | Persistent |
| quickToolHistory | Quick-tools history | Preferences | Persistent |
| block_persistence_* | Temporary learning-block progress | Learning data | Session / transient |
Under § 165 TKG 2021 and Art. 5 (3) ePrivacy Directive, only non-essential storage requires consent. The items above are essential to provide the service you have signed up for and therefore do not require separate opt-in. We display the cookie banner once for transparency.
We do not use Google Analytics, Facebook Pixel, or any other tracking service.
Witan is intended for users aged 14 and above. § 4 (4) of the Austrian Data Protection Act (DSG) sets the minimum age for consent to information-society services in Austria at 14 — Austria uses the national reduction permitted by Art. 8 (1) GDPR. We rely on the age representation made by your OAuth provider (Google or Discord). If we become aware that an account was created without the necessary parental consent by a child under 14, we will delete it on discovery.
We protect your data with appropriate technical and organisational measures (Art. 32 GDPR), including:
No system is fully secure. If a personal-data breach occurs, we notify affected users and the Austrian DSB within 72 hours as required by Art. 33–34 GDPR.
We may update this Privacy Policy when our processing, our sub-processors, or the applicable legal basis changes. We notify registered users at least 30 days before material changes take effect via an in-app notice and, where we hold a working email address, by email. The "Last updated" date at the top of this page reflects the most recent revision. Past versions are available on request to usewitan@gmail.com.
If you do not agree with a change, you may delete your account before the new version takes effect (Section 10).
Privacy questions, rights requests, and any other privacy-related correspondence: usewitan@gmail.com.