Legal

Privacy Policy

Effective date: May 24, 2026 ·  Pheyn AI, Inc.

Pheyn AI, Inc. ("Pheyn", "we", "us", or "our") operates pheyn.ai and the Pheyn application (the "Service"). This Privacy Policy explains what personal information we collect, how we use it, and your rights with respect to it.

By using the Service you agree to this Privacy Policy. If you do not agree, do not use the Service.

Contents

  1. Information We Collect
  2. How We Use Your Information
  3. How We Share Your Information
  4. Data Retention
  5. Security
  6. Children's Privacy
  7. California Residents — CCPA / CPRA
  8. Other U.S. State Residents
  9. EEA & UK Residents — GDPR
  10. Canadian Residents — PIPEDA & CASL
  11. Cookies & Tracking
  12. Changes to This Policy
  13. Contact Us

1. Information We Collect

Account Information

  • Email address and password (hashed) when you create an account
  • Name or display name if you provide one

Content You Upload

  • PDF files and documents you upload to the Service
  • Highlights, annotations, and text selections you make within documents
  • Notes, flashcards, and quiz responses you create or generate
  • Questions and messages you send to the AI assistant

Usage and Technical Data

  • Log data (IP address, browser type, pages visited, timestamps)
  • Device identifiers, operating system, and browser version
  • Feature usage patterns (e.g., which tools you use, study session lengths)
  • Authentication tokens stored in your browser's local storage

Payment Information

If you subscribe to Pheyn Pro, payments are processed by a third-party payment provider. We do not store your full card number or payment credentials.

2. How We Use Your Information

We use the information we collect to:

  • Provide the Service — process your documents, generate AI explanations, flashcards, quizzes, and notes
  • Personalise your experience — adapt AI teaching style based on your study history and preferences
  • Authenticate and secure your account — verify your identity and prevent unauthorised access
  • Process payments — manage subscriptions through our payment processor
  • Communicate with you — send account notifications, product updates, and (with your consent where required) promotional emails
  • Improve and develop the Service — analyse aggregate usage patterns to improve features and performance
  • Comply with legal obligations — respond to lawful requests and enforce our Terms of Service

We do not sell your personal information, and we do not use your uploaded documents or AI conversation content to train our own machine learning models.

Student and Educational Data

Pheyn is used by students and self-learners. We do not use student educational content for advertising profiling, behavioural targeting, or AI model training. We do not share student data with third parties for commercial purposes unrelated to providing the Service. Educational content you upload is used solely to power the features you request — explanations, quizzes, flashcards, and notes.

3. How We Share Your Information

We do not sell or rent your personal information. We share data only in the following circumstances:

Service Providers

We work with trusted third-party service providers to operate, maintain, and improve the Service. Categories of providers include: AI model inference providers, cloud hosting and storage providers, payment processors, email delivery providers, and authentication providers. These providers access your data only as necessary to perform services on our behalf and are contractually prohibited from using it for any other purpose. We do not use your content to train AI models, and our AI inference providers do not retain your inputs beyond what is needed to return a response.

Data Processing Addendum

Organizations — including schools, universities, and businesses — that require a Data Processing Addendum (DPA) governing the processing of personal data under GDPR, CCPA, or other applicable law may request one by contacting us at info@pheyn.ai.

Legal Requirements

We may disclose information if required by law, subpoena, court order, or to protect the rights, property, or safety of Pheyn, our users, or the public.

Business Transfers

In the event of a merger, acquisition, or sale of assets, your data may be transferred. We will notify you by email and/or prominent notice on the Service before your data becomes subject to a different privacy policy.

Aggregated / De-identified Data

We may share aggregated, non-personally identifiable statistics about Service usage (e.g., "X% of users create flashcards after explaining a concept"). This data cannot reasonably be used to identify you.

4. Data Retention

We retain your personal information for as long as your account is active or as needed to provide the Service. Specifically:

  • Account data — retained until you delete your account
  • Uploaded documents — retained until you delete them or delete your account
  • Payment records — retained as required by tax and accounting law (typically 7 years)
  • Log data — retained for up to 90 days for security and debugging purposes

Upon account deletion, we will delete or anonymise your personal data within 30 days, except where retention is required by law.

5. Security

We implement commercially reasonable technical and organisational measures to protect your data, including:

  • TLS encryption for all data in transit
  • Bcrypt-hashed passwords (never stored in plaintext)
  • Server-side file validation (magic-byte checks) before storage
  • Path traversal protections on all file operations
  • CORS restrictions limiting API access to authorised origins

No system is perfectly secure. If you believe your account has been compromised, contact us immediately at info@pheyn.ai.

In the event of a data breach that is likely to result in a risk to your rights or freedoms, we will notify affected users and relevant regulators as required by applicable law (including within 72 hours under GDPR where feasible).

6. Children's Privacy

The Service is not directed to children under the age of 13. We do not knowingly collect personal information from children under 13. If you are a parent or guardian and believe your child has provided us with personal information, please contact us at info@pheyn.ai and we will delete such information promptly.

The Service is intended for users 13 and older. Users under 18 should use the Service only with the permission of a parent or guardian.

7. California Residents — CCPA / CPRA

If you are a California resident, the California Consumer Privacy Act (CCPA) as amended by the California Privacy Rights Act (CPRA) grants you the following rights:

Your Rights

  • Right to Know — You may request disclosure of the categories and specific pieces of personal information we have collected about you, the sources, our business purpose, and the third parties we share it with.
  • Right to Delete — You may request that we delete your personal information, subject to certain exceptions (e.g., completing a transaction, legal obligations).
  • Right to Correct — You may request correction of inaccurate personal information.
  • Right to Opt-Out of Sale / Sharing — We do not sell or share personal information for cross-context behavioural advertising. No opt-out is currently required, but you may contact us to confirm.
  • Right to Limit Use of Sensitive Personal Information — We do not use sensitive personal information beyond what is necessary to provide the Service.
  • Right to Non-Discrimination — We will not discriminate against you for exercising any of these rights.

Categories of Personal Information Collected

  • Identifiers (name, email, IP address)
  • Internet or other electronic network activity information (usage logs)
  • Commercial information (subscription status)
  • Inferences drawn from other personal information (study patterns, preferences)

How to Exercise Your Rights

Submit a verifiable consumer request to info@pheyn.ai. We will respond within 45 days (extendable by a further 45 days with notice). We may need to verify your identity before processing the request. You may also designate an authorised agent to submit requests on your behalf — the agent must provide written proof of authorisation. If we decline your request, you may appeal by replying to our response email.

8. Other U.S. State Residents

Residents of certain U.S. states — including Virginia, Colorado, Connecticut, Texas, Oregon, Montana, Utah, and Delaware — may have additional privacy rights under applicable state law. These rights may include the right to access, correct, delete, or obtain a portable copy of your personal data, and the right to opt out of certain processing activities.

To exercise any applicable state privacy rights, contact us at info@pheyn.ai. We will respond in accordance with the requirements of the law applicable to your state. If we decline your request, you may appeal by replying to our response email and we will review the decision.

9. EEA & UK Residents — GDPR

If you are located in the European Economic Area or the United Kingdom, the General Data Protection Regulation (GDPR) or UK GDPR applies to our processing of your data.

Legal Bases for Processing

  • Contract performance — processing necessary to provide the Service you have signed up for
  • Legitimate interests — service security, fraud prevention, and aggregate analytics
  • Consent — marketing communications (you may withdraw at any time)
  • Legal obligation — where required by applicable law

Your Rights

  • Right of access (Article 15)
  • Right to rectification (Article 16)
  • Right to erasure / "right to be forgotten" (Article 17)
  • Right to restriction of processing (Article 18)
  • Right to data portability (Article 20)
  • Right to object (Article 21)
  • Right to withdraw consent at any time without affecting prior lawful processing

International Transfers

Pheyn is based in the United States. When we transfer your data from the EEA/UK to the US, we rely on Standard Contractual Clauses (SCCs) adopted by the European Commission, or other appropriate safeguards as required by law.

How to Exercise Your Rights

Email us at info@pheyn.ai. We will respond within 30 days. You also have the right to lodge a complaint with your local supervisory authority.

10. Canadian Residents — PIPEDA & CASL

PIPEDA (Personal Information Protection and Electronic Documents Act)

Pheyn's collection, use, and disclosure of personal information about Canadian residents is governed by Canada's federal private-sector privacy law, PIPEDA, and applicable provincial laws including Alberta's PIPA, British Columbia's PIPA, and Quebec's Law 25 (Bill 64 / Law modernising privacy protection).

  • Accountability — Pheyn is responsible for all personal information under our control and has designated a privacy officer reachable at info@pheyn.ai.
  • Identifying purposes — We identify the purpose for collecting personal information at or before the time of collection (see Section 2).
  • Consent — We obtain your meaningful consent for the collection, use, and disclosure of personal information, except where law permits otherwise.
  • Limiting collection — We collect only the information necessary for the identified purposes.
  • Accuracy — We keep personal information as accurate, complete, and up-to-date as necessary.
  • Safeguards — We use security measures appropriate to the sensitivity of the information.
  • Access and correction — You may request access to your personal information and correction of inaccuracies.

Quebec's Law 25 — Additional Protections

  • You have the right to be informed about automated decision-making that has a significant impact on you
  • You have the right to data portability (to receive your personal information in a technological format)
  • You have the right to request anonymisation or destruction of your personal information
  • We will notify the Commission d'accès à l'information (CAI) and affected individuals of any privacy incident involving a risk of serious harm

CASL (Canada's Anti-Spam Legislation)

We will only send commercial electronic messages (CEMs) — including promotional emails or newsletters — to Canadian recipients with express or implied consent as defined by CASL. Every CEM we send will include:

  • Clear identification of Pheyn as the sender
  • Our mailing address
  • A functional, easily accessible unsubscribe mechanism

You may withdraw consent at any time by clicking "Unsubscribe" in any email or by contacting us at info@pheyn.ai. We will process unsubscribe requests within 10 business days.

11. Cookies & Tracking

We use a small number of essential cookies and browser storage mechanisms to operate the Service:

  • Authentication tokens — stored in local storage to keep you signed in
  • Session preferences — e.g., last viewed document, UI state

We do not currently use third-party advertising cookies or cross-site tracking. If this changes, we will update this policy and, where required, seek your consent before placing any non-essential cookies.

12. Changes to This Policy

We may update this Privacy Policy from time to time. When we make material changes, we will notify you by email (at the address associated with your account) and by posting a prominent notice on the Service at least 14 days before the changes take effect. Your continued use of the Service after the effective date constitutes acceptance of the updated policy.

13. Contact Us

For privacy-related questions, requests, or complaints, contact our privacy officer:

Pheyn AI, Inc.

Incorporated in Delaware, United States

info@pheyn.ai

We aim to respond to all requests within 30 days (or sooner as required by applicable law).