
Privacy Policy

Last updated: May 19, 2026

This Privacy Policy explains how Witan ("we", "us") processes your personal data when you use the Witan platform. It is written under the General Data Protection Regulation (Regulation (EU) 2016/679, "GDPR") and the Austrian Data Protection Act (DSG).

1. Controller

The controller responsible for processing your personal data (Art. 4 (7) GDPR) is:

Leo Rafael Pritz
1160 Vienna, Austria
Email: usewitan@gmail.com

Full provider details are in our Imprint. We have not appointed a Data Protection Officer; Art. 37 GDPR does not require us to.

2. Scope

This policy applies to usewitan.com and the Witan platform. It covers all processing carried out under our control. The OAuth sign-in flow at Google or Discord is governed by their respective privacy policies until you return to Witan.

3. Data we process

We process the following categories of personal data. Each category has a single, named legal basis under Art. 6 (1) GDPR.

| Category | What we process | Purpose | Legal basis |
|---|---|---|---|
| Account identity | Email, display name, avatar URL, OAuth provider ID, locale | Sign-in, account management, in-app display | Art. 6 (1) (b) — contract |
| Authentication state | Sessions, refresh tokens, MFA factors, IP and User-Agent on login | Keep you signed in; detect login fraud | Art. 6 (1) (b) — contract; Art. 6 (1) (f) — security |
| Consent records | Timestamp and version of the Terms you accepted, granular settings (analytics, data-usage, personalization toggles) | Demonstrate consent and your preferences | Art. 7 (1) GDPR (records of consent); Art. 6 (1) (c) — legal obligation |
| Learning content | Files you upload (PDF, DOCX, PPTX, audio, video, images), extracted text, prompts you type, custom AI instructions, vector embeddings derived from your material | Generate quizzes, hints, explanations, summaries; enable semantic search across your sources | Art. 6 (1) (b) — contract |
| Learning progress and profiling | Quiz answers verbatim, ratings, reaction times, error types, FSRS scheduler state (stability, difficulty, lapses), concept-mastery scores, Bloom/Dreyfus levels, daily-stats rollups | Adaptive spaced-repetition scheduling, error-pattern detection, progress feedback | Art. 6 (1) (b) — contract |
| Vector-based learning index | Mathematical embedding vectors derived from your tested facts, your answers, and the canonical correct answers (no human-readable copy of the underlying content; the original text lives only in the categories above). The vectors are used to detect duplicate questions before you see them and — once enough data has accumulated — to spot recurring mistake-patterns in your learning history. | Cross-set deduplication of generated questions; vector-based detection of recurring misunderstandings | Art. 6 (1) (b) — contract |
| Generation telemetry | Item drafts that the system produced but did not show you (skeletons of failed generations) together with the reason the internal quality filter rejected them. Linked to your account so we can spot if generation quality drifts on your content; aggregated and pseudonymised after 30 days, full record deleted by deleting your account. | Internal quality monitoring of the question pipeline; iterative improvement of generation prompts | Art. 6 (1) (f) — legitimate interests (service quality) |
| AI output | Hints, explanations, session summaries, error-pattern narratives, chat history with the in-app assistant | Provide the AI features you requested | Art. 6 (1) (b) — contract |
| Service usage | Per-call token counts, model name, edge function name, latency, current rate-limit window, ban records on repeated abuse | Enforce fair-use limits, control costs, keep the service available | Art. 6 (1) (f) — legitimate interests (cost control, abuse prevention) |
| Support tickets | Free-text bug reports and feedback you submit through the in-app "Report Issue" flow | Triage and respond to your reports | Art. 6 (1) (b) — contract; Art. 6 (1) (f) — service improvement |

We do not process special-category data under Art. 9 GDPR (health, biometrics, political opinions, religion, sexual orientation, trade-union membership, genetic data). You must not upload such data about third parties either — see our Acceptable Use Policy § 3.

4. OAuth providers (independent controllers)

When you sign in via Google or Discord, the OAuth provider transmits your email, display name, avatar URL, and provider-side user ID to us. Google LLC and Discord Inc. act as independent controllers for the sign-in itself; they are not our sub-processors. Their privacy policies apply to the OAuth interaction. The data they pass to us then enters our processing under Section 3.

5. Sub-processors

We use the following sub-processors under written Art. 28 GDPR data processing agreements:

| Sub-processor | Role | Where it processes | Transfer safeguard |
|---|---|---|---|
| Supabase, Inc. | Database, authentication, file storage, edge functions | AWS Frankfurt (eu-central-1) | EU-internal; Standard Contractual Clauses for any incidental US sub-processing |
| Vercel Inc. | Hosting and content delivery (CDN) | Global edge network including the US | EU-U.S. Data Privacy Framework (Art. 45 GDPR) + Standard Contractual Clauses |
| OpenAI, LLC — contracted via OpenAI Ireland Limited for EEA customers | AI inference: question generation, answer validation, hints, explanations, summaries, embeddings, speech-to-text (Whisper) | US, with EU access points | EU-U.S. Data Privacy Framework (Art. 45 GDPR) + Standard Contractual Clauses |

We do not use any analytics, advertising, or tracking sub-processors.

6. International transfers

Some processing involves transfers to providers in the United States. We rely on two mechanisms, applied per recipient:

  1. the EU-U.S. Data Privacy Framework adequacy decision of 10 July 2023 (Art. 45 GDPR) for certified recipients;
  2. the EU Standard Contractual Clauses (Art. 46 (2) (c) GDPR) together with a Transfer Impact Assessment as required by the Court of Justice ruling C-311/18 ("Schrems II").

We use TLS 1.3 encryption in transit and send only the data needed for each call to a third-country provider.

7. Retention

We keep your personal data while your account exists. The specifics:

| Category | Retention |
|---|---|
| Account, learning content, learning progress, AI output, consent records | Until you delete your account |
| Vector-based learning index (per-item embeddings, per-answer embeddings) | Tied to the underlying item and review respectively — deleted automatically when the item or the review is deleted; deleting your account removes everything via cascade |
| Generation telemetry (item drafts) | Full record kept for 30 days, then aggregated to anonymised statistics for an additional 11 months (count of rejects per reason category, no skeleton text), monthly rollups thereafter. Full delete on account deletion. |
| Database rows and file blobs after account deletion | Removed within 30 days (atomic cascade across all owned tables plus all four storage buckets) |
| Per-call token usage logs | Detail rows are pruned after 90 days by a weekly cron job; aggregate usage totals stay in our long-term audit table |
| Rate-limit counters | Auto-deleted after 10 minutes |
| Rate-limit violation records | Auto-deleted after 1 hour |
| Authentication audit (IP, User-Agent) | Managed by our processor Supabase under their platform retention policy |

We do not sell your data, we do not use it for marketing, and we do not use it to train any AI model — neither ours nor anyone else's (see Section 9).

8. Profiling and automated decisions

We use your inputs and your learning history to schedule reviews (FSRS spaced repetition), to detect recurring error patterns, and to adapt question difficulty. This is profiling within the meaning of Art. 4 (4) GDPR, but it produces only learning recommendations — it has no legal effect on you and does not significantly affect you in a comparable way. You therefore have no Art. 22 GDPR opt-out from the profiling itself, but you can stop it at any time by deleting your account (Section 10).

9. AI processing

We use the OpenAI API for AI features (quiz generation, answer validation, hints, explanations, session summaries, embeddings, speech-to-text). The generation pipeline uses several OpenAI models in sequence: a small reasoning model (gpt-5-nano) for planning, quality-checking and writing each question, a low-dimensional embedding model (text-embedding-3-small) to index your source chunks and questions, and a higher-dimensional embedding model (text-embedding-3-large) to index your answers for the optional adaptive pattern-detection feature. Under our contract with OpenAI:

  • **Your inputs and the AI's outputs are not used to train OpenAI models.** OpenAI's standard API data processing agreement excludes API content from training by default, and we have that DPA in force.
  • OpenAI may retain API content for up to 30 days for abuse monitoring, after which it is deleted (source: OpenAI API Data Usage Policies).
  • We do not train any AI model of our own with your data.
  • We do not share your data with any third party for AI training purposes.

AI-generated content is labelled as such in the UI (Art. 50 EU AI Act). AI output can be inaccurate or incomplete — treat it as a study aid, not as a definitive answer. The full disclaimer is in our Terms of Service § 5.

10. Your rights

You have the following rights under the GDPR. To exercise any of them, write to usewitan@gmail.com from the address linked to your Witan account; we respond within one month at no cost (Art. 12 (3) GDPR).

  • Access (Art. 15) — request a copy of the data we hold about you.
  • Rectification (Art. 16) — correct inaccurate data. You can also edit most fields directly in Settings.
  • Erasure (Art. 17) — delete your account immediately via Settings → Account → Delete Account, or write to us. Deletion cascades across all 22 owned database tables and all four storage buckets.
  • Restriction (Art. 18) — limit how we process your data.
  • Portability (Art. 20) — receive your data in a structured, machine-readable format (in-app export or by written request).
  • Objection (Art. 21) — object to processing based on legitimate interests (Section 3 categories marked Art. 6 (1) (f)).
  • Withdrawal of consent (Art. 7 (3)) — where any processing is based on your consent, you can withdraw it at any time without affecting prior lawful processing.

If you do not provide the data we need to run the service (the categories in Section 3 marked as "contract"), we cannot create or keep your account.

11. Complaint right

Without prejudice to any other remedy, you can lodge a complaint with a data protection supervisory authority — in particular in your EU member state of habitual residence, place of work, or place of the alleged infringement (Art. 77 GDPR). The competent authority for Witan is:

Österreichische Datenschutzbehörde (DSB)
Barichgasse 40-42
1030 Vienna, Austria
Email: dsb@dsb.gv.at
Phone: +43 1 52 152 - 0
Web: https://www.dsb.gv.at
Online complaint form: https://www.dsb.gv.at/eingabe-an-die-dsb/beschwerde

12. Cookies and local browser storage

We use only essential cookies and browser-local storage. No tracking, no analytics, no advertising.

| Name | Purpose | Category | Duration |
|---|---|---|---|
| sb-*-auth-token | Authentication — keeps you signed in | Essential | Session |
| witan_cookies_v2 | Remembers that you acknowledged the cookie banner | Essential / Consent | Persistent |
| ai_disclaimer_seen | Remembers that you acknowledged the AI notice | Consent | Persistent |
| sr_recent_items | Recently visited spaced-repetition decks | Preferences | Persistent |
| sr_view_mode | Your preferred spaced-repetition view | Preferences | Persistent |
| pinnedItems | Pinned items in the sidebar | Preferences | Persistent |
| planViewMode | Your preferred learning-plan view | Preferences | Persistent |
| quickToolHistory | Quick-tools history | Preferences | Persistent |
| block_persistence_* | Temporary learning-block progress | Learning data | Session / transient |

Under § 165 TKG 2021 and Art. 5 (3) ePrivacy Directive, only non-essential storage requires consent. The items above are essential to provide the service you have signed up for and therefore do not require separate opt-in. We display the cookie banner once for transparency.

We do not use Google Analytics, Facebook Pixel, or any other tracking service.

13. Minors

Witan is intended for users aged 14 and above. § 4 (4) of the Austrian Data Protection Act (DSG) sets the minimum age for consent to information-society services in Austria at 14 — Austria uses the national reduction permitted by Art. 8 (1) GDPR. We rely on the age representation made by your OAuth provider (Google or Discord). If we become aware that an account was created without the necessary parental consent by a child under 14, we will delete it on discovery.

14. Security

We protect your data with appropriate technical and organisational measures (Art. 32 GDPR), including:

  • Row-Level Security on every user-data table in our database;
  • TLS 1.3 for all client-server traffic;
  • Encryption at rest for database and file storage (AWS-managed);
  • OAuth-only authentication — we never see or store your password;
  • Per-account rate limits and automated abuse detection;
  • Sub-processors contractually bound to equivalent measures.

No system is fully secure. If a personal-data breach occurs, we notify affected users and the Austrian DSB within 72 hours as required by Art. 33–34 GDPR.

15. Changes to this policy

We may update this Privacy Policy when our processing, our sub-processors, or the applicable legal basis changes. We notify registered users at least 30 days before material changes take effect via an in-app notice and, where we hold a working email address, by email. The "Last updated" date at the top of this page reflects the most recent revision. Past versions are available on request to usewitan@gmail.com.

If you do not agree with a change, you may delete your account before the new version takes effect (Section 10).

16. Contact

Privacy questions, rights requests, and any other privacy-related correspondence: usewitan@gmail.com.