Privacy Policy

Scope

This Privacy Policy describes how Sukrat AI, Inc. (“Sukrat,” “we,” “us”) collects, uses, discloses, and protects personal data when you visit our websites or use our Services. This policy should be read in conjunction with our Terms of Service. Student‑facing features are additionally governed by the Student Data Privacy Addendum (SDPA) and any applicable institutional agreement. If there is a conflict, the SDPA or institutional agreement controls for Student Data.

1. Data We Collect

   1. Technical & Usage Data

      We automatically collect device identifiers, IP address, browser type, operating system, general location inferred from IP, timestamps, pages viewed, and Service telemetry. We may use first‑ or third‑party analytics in aggregated or de‑identified form (e.g., Google Analytics, Posthog).

   2. Cookies & Similar Technologies

      We use strictly necessary, performance, and functional cookies. You can control cookies via your browser and via our Cookie Preferences Center; some features may not function without them. See the Cookie Policy.

   3. Information You Provide

      If you register, request a demo, subscribe to newsletters, participate in programs, or make purchases, we may collect: name, organization, role/title, email, phone, country/state, billing details (processed by PCI‑DSS compliant processors), and optional profile data.

   4. Combined Data

      We may combine information with data from public sources, partners, or service providers as permitted by law.

2. How We Use Personal Data

   We use personal data to: (1) provide, secure, and improve the Services; (2) create and manage accounts; (3) personalize experiences; (4) send administrative/transactional messages; (5) respond to requests; (6) provide newsletters or surveys; (7) market Services (where permitted); (8) comply with law and enforce terms; (9) protect rights, safety, and property; and (10) generate de‑identified or aggregated analytics (which we may use for benchmarking or model evaluation/training only after de‑identification, in accordance with law and our SDPA/DPA).

   Model/Infrastructure Providers

   We may use third‑party model and infrastructure providers (e.g., OpenAI, Anthropic, Google). Where feasible, we opt out of provider training on customer‑submitted data and minimize retention; providers may retain limited data for abuse monitoring per their policies.

3. Sensitive Personal Information

   We do not require sensitive personal information (e.g., health data, racial or ethnic origin, biometric data). If you submit such data, you consent to our processing it solely as described in this Privacy Policy. If you do not consent, do not submit such data.

4. Automated Decision‑Making and Profiling

   We do not engage in automated decision‑making or profiling that produces legal or similarly significant effects.

5. Sharing & Disclosure

   We may disclose personal data to: (a) Service Providers (hosting, analytics, payments, support) under confidentiality and data protection obligations; (b) Legal & Compliance purposes (to comply with lawful requests and protect users); (c) Corporate Transactions (mergers, acquisitions, financing, asset sales); and (d) with Your Consent or direction. We do not sell personal information.

6. Security

   We implement administrative, technical, and physical safeguards appropriate to the nature of the data (e.g., encryption in transit (TLS) and at rest (AES‑256), access controls, logging, backups). No system is 100% secure. You are responsible for securing your credentials.

7. Student Data

   When an Educational Institution enables Student‑Facing Services, Sukrat processes Student Data solely for educational purposes under the direction and control of the Institution, pursuant to the SDPA and/or a separate student data agreement. Contact the Institution for requests regarding Student Data; Sukrat will support the Institution in fulfilling applicable rights.

8. Your Rights (Europe, UK, and Other Jurisdictions)

   Depending on your location, you may have rights over your personal information: access, correct, delete, portability, restrict, object (including to direct marketing), and withdraw consent.

   Exercising Rights

   Email privacy@sukrat.ai. We may request information to verify identity. We normally respond within 1 month; we may extend by up to 2 months for complex/multiple requests. We will explain any refusal, subject to legal restrictions. No fee unless requests are unfounded, repetitive, or excessive.

   Appeals

   Where permitted (e.g., under U.S. state privacy laws), you may appeal a denied request; instructions will be provided in our response.

   Complaints

   • EEA: Supervisory authorities list: https://edpb.europa.eu/about-edpb/board/members_en
   • UK: ICO: https://ico.org.uk/make-a-complaint/

9. International Transfers

   Sukrat is U.S.-based. Personal data may be processed outside your country, including in the United States.

   1. Adequacy. Where available, we rely on adequacy decisions (e.g., EU‑U.S. Data Privacy Framework and UK Extension, once finalized).
   2. Safeguards. Otherwise, we use Standard Contractual Clauses (SCCs), the UK International Data Transfer Addendum, or equivalent.
   3. Derogations. In limited cases, we may rely on explicit consent or necessity for contract performance.

10. Additional Information for U.S. State Residents

    Certain U.S. state privacy laws (e.g., CCPA/CPRA (CA), CPA (CO), VCDPA (VA), CTDPA (CT), UCPA (UT)) grant additional rights: know, access, delete, correct, portability, opt‑out of sale/sharing/targeted advertising (Sukrat does not sell personal information), limit use of sensitive data, and non‑discrimination.

    Authorized Agents & Appeals

    You may use an authorized agent; and you may appeal denials where required by law.

    “Shine the Light”

    We do not share personal information with third parties for their own direct marketing.

    Do Not Track

    Our Services do not currently respond to DNT signals.

11. Retention

    • API/abuse logs: 30 days.
    • Inactive accounts: 12 months.
    • Backups: 35 days.

    We retain data as long as necessary to provide Services, comply with law, resolve disputes, and enforce agreements.

12. Marketing Choices

    Opt out of marketing emails via unsubscribe links. Transactional/admin emails will continue.

13. Changes

    We may update this Policy. Material changes will be notified via the Services or email at least 30 days before taking effect, where required.

14. Contact

    Sukrat AI, Inc.
    c/o Registered Agent, Tailor Brands
    Wilmington, Delaware, USA

    Contact Information:
    Legal: legal@sukrat.ai
    Privacy: privacy@sukrat.ai
    Security: security@sukrat.ai
    Support: help@sukrat.ai

Last Modified: Last modified: October 1, 2025

Policy Version: 1.0