Last Updated: June 1, 2026
Effective Date: June 1, 2026
Sukrat AI (“Sukrat,” “we,” “us,” or “our”) provides an AI-powered Intelligent Tutoring System designed to help students master academic subjects. This Privacy Policy explains what data we collect, why we collect it, how we protect it, who we share it with, and what rights you have.
We take privacy seriously — especially because our users are students. We collect the minimum data necessary to run the product. We do not sell your data. We do not use student data to train AI models.
If you have questions, contact us at privacy@sukrat.ai.
1. Who This Policy Applies To
This policy applies to:
- Students using Sukrat directly (B2C) or through a school deployment (B2B)
- Teachers and school administrators accessing institutional dashboards
- Visitors to sukrat.ai
Sukrat's services are intended for users aged 13 and older. Our core target age range is 15–19 (Cambridge O/A Level and IB Diploma students). We are implementing an age verification step in the sign-up flow. If you believe a user under 13 has created an account without parental consent, please contact privacy@sukrat.ai immediately. For school deployments that may include students under 13, the school must confirm that appropriate parental consent has been obtained before enrolling those students.
2. What We Collect and Why
2.1 Account and Identity Data
| Data | Purpose |
|---|---|
| Name and institutional email | Account creation, authentication, and access control |
| School affiliation | Curriculum routing, institutional access control, and teacher dashboard scoping |
| Role (student, teacher, admin) | Feature access and reporting views |
2.2 Learning and Assessment Data
| Data | Purpose | Retention |
|---|---|---|
| Assessment responses | Gap identification and mastery model input | Active enrollment + 90 days after account closure, then anonymized |
| Mastery graph state | Personalized learning path sequencing and adaptive practice | Active enrollment + 90 days after account closure, then anonymized |
| Session transcripts (AI interaction logs) | Content quality review, safety audit, and debugging | 90 days after session, then deleted |
| Session metadata (timestamp, duration, module) | Adaptive sequencing, teacher dashboard | Active enrollment + 90 days after account closure, then anonymized |
2.3 Technical and Device Data
| Data | Purpose | Retention |
|---|---|---|
| Device type, browser, OS | Session debugging | 90 days |
| IP address | Security, fraud prevention, approximate country routing | Retained by Cloudflare under their DPA |
| Usage events (pages visited, features used) | Product improvement (anonymized, no PII transmitted) | 90 days |
2.4 Payment Data
Payments are processed by Stripe. Sukrat does not store card numbers, CVVs, or bank account details. We receive only the billing metadata Stripe provides (subscription status, invoice records).
3. What We Do Not Collect
- Government ID or national ID numbers
- Biometric data of any kind
- Location data beyond country-level routing
- Social media profiles or external account identifiers
- Behavioral signals not related to learning (scroll patterns, idle time, mouse movement)
- Raw AI interaction logs stored indefinitely — all session transcripts are deleted at 90 days
4. How We Use Your Data
We use your data only to operate and improve the Sukrat service:
- Providing adaptive tutoring, practice, and assessment
- Personalizing your learning path through our mastery model
- Generating teacher and admin reports scoped to your institution
- Communicating with you about your account, platform updates, and support
- Detecting abuse, fraud, and security incidents
- Improving the product using anonymized, aggregated analytics (never linked to individual students)
We do not use your data for advertising, behavioral profiling, or any purpose outside providing the educational service.
5. AI and LLM Processing — How We Protect Your Privacy
Sukrat uses external AI model providers to generate tutoring content and explanations. We operate a strict No-PII LLM Policy:
- Student names, email addresses, school affiliations, and any other personally identifiable information are never included in prompts sent to external AI providers.
- Prompts sent to AI providers contain only curriculum content (question text, syllabus reference, mark scheme context) and anonymized session context (mastery state for the relevant topic).
- No student data — whether identifiable or anonymized — is used to train third-party AI models. This is enforced at the architectural level and required by contract with every AI provider we use.
6. Sub-Processors
These are the external services that receive or process data as part of running Sukrat. Each is bound by a data processing agreement that prohibits AI training on student data.
| Vendor | Data Received | Purpose |
|---|---|---|
| Supabase | Student accounts, mastery state, session data (encrypted at rest) | Database and authentication |
| DigitalOcean | Backend compute and object storage | API hosting and ML pipeline |
| Vercel | Web request metadata | Next.js frontend hosting |
| Cloudflare | Request metadata, IP addresses | CDN, WAF, and DDoS protection |
| Anthropic (Claude API) | Anonymized curriculum prompts only — no student PII | AI tutoring content generation |
| OpenAI (GPT-4o API) | Anonymized curriculum prompts only — no student PII | AI content generation and evaluation |
| Google (Gemini API) | Anonymized curriculum prompts only — no student PII | Visual and diagram content generation |
| PostHog | Anonymized usage events — no PII transmitted | Product analytics |
| Langfuse | Anonymized AI evaluation traces — no PII | AI quality and safety evaluation |
| Sentry | Error logs — PII scrubbed before transmission | Error monitoring and debugging |
| Stripe | Payment and billing metadata only | Subscription billing |
| Resend | Email address and message metadata | Transactional emails (account, notifications) |
Note on DeepSeek: DeepSeek's API is used in Pakistan-only evaluation experiments with anonymized data and no student PII. DeepSeek is contractually excluded from all US-facing deployments and any workflow involving student personally identifiable information, given data residency concerns.
7. Data Sharing
We do not sell your personal data. We share data only:
- With sub-processors listed above, under data processing agreements, solely to provide the service
- With your school's administrators, scoped to aggregate mastery data for their own institution's students only — they do not receive raw session transcripts
- With law enforcement or regulators, only when legally required and, where legally permitted to do so, after notifying you
- In a business transfer, if Sukrat is acquired or merges, with privacy obligations passing to the new entity
8. Data Security
- Encryption at rest: All student data is encrypted at rest (AES-256 via Supabase and DigitalOcean managed encryption)
- Encryption in transit: TLS 1.2+ enforced across all endpoints
- Tenant isolation: Supabase Row-Level Security ensures no student can access another student's data; school admin access is scoped to their own institution
- Access control: Production database access requires multi-factor authentication and is restricted to named team members with a documented need
- No PII in development environments: No student data is accessible in staging or development environments
- Breach notification: If a confirmed breach affects your personal data, we will notify affected schools and users within 72 hours of discovery
- Data residency: Student data is currently stored in the EU region (Supabase EU). US schools and districts that have specific data residency requirements should contact legal@sukrat.ai to discuss their institution's needs.
9. Your Rights
Depending on your jurisdiction, you have the following rights regarding your data:
| Right | How to Exercise |
|---|---|
| Access | Request an export of your mastery data and session history |
| Correction | Request correction of inaccurate account data |
| Deletion | Request account deletion; all PII is removed within 30 days |
| Portability | Request a machine-readable JSON export of your mastery state and assessment history |
| Restriction | Request that we pause processing of your data |
To exercise any of these rights, email privacy@sukrat.ai. School-enrolled students should route requests through their school administrator.
10. Data Retention
| Data Category | Retention Period |
|---|---|
| Account data (name, email, school) | Until account deletion + 90-day grace period |
| Assessment responses and mastery state | Active enrollment + 90 days post-closure, then anonymized |
| Session transcripts (AI logs) | 90 days post-session, then deleted |
| Session metadata | Active enrollment + 90 days post-closure, then anonymized |
| Analytics events | 90 days |
| Billing records | Per Stripe and applicable tax/accounting requirements |
11. Applicable Privacy Frameworks
- Pakistan: We operate under contractual and design-based protections consistent with the Pakistan Personal Data Protection Bill 2023. Pakistan has not enacted a data protection law as of this date; we monitor the bill's progression.
- GDPR: Data minimization, deletion rights, and sub-processor DPAs are implemented. Supabase EU region is active. Users associated with EU/UK-affiliated institutions have full GDPR rights including access, rectification, erasure, and portability. We do not engage in marketing to EU-resident students.
- COPPA: Sukrat's services are intended for users aged 13 and older. We do not knowingly collect personal data from children under 13 without parental consent. If we become aware that a child under 13 has provided personal data without consent, we will delete that data promptly.
- FERPA (US): FERPA obligations apply when US school contracts are signed. Our data architecture is designed to meet FERPA “school official with legitimate educational interest” standards.
12. Cookies
We use cookies and similar technologies to operate the platform. See our Cookie Policy for full details.
13. Changes to This Policy
We may update this policy. When we do, we will update the “Last Updated” date at the top and, for material changes, notify you by email or in-product notification. Continued use of Sukrat after an update means you accept the revised policy.
14. Contact
Sukrat AI
Email: privacy@sukrat.ai
For school-related data requests: include your institution name and the nature of the request.
Last Modified: June 1, 2026
Policy Version: 1.2