Privacy Policy
Last Updated: 11 July 2026 · Effective Date: 16 May 2026
Examo.me ("Examo", "we", "our", "us") is committed to protecting your personal data. This Privacy Policy explains how we collect, use, share, and protect your information when you visit examo.me, sign up for an account, or use our AI-powered study services. It is written to comply with the EU General Data Protection Regulation (Regulation (EU) 2016/679, "GDPR"), the UK GDPR, and the EU ePrivacy Directive.
1. Data Controller
The data controller responsible for your personal data is Examo. For all privacy-related questions, requests, or to exercise any of the rights described below, contact us at contact@examo.me. If you are based in the EU/EEA and believe we are not handling your data lawfully, you also have the right to lodge a complaint with your local supervisory authority.
2. Information We Collect
Account & Identity Data: name, email address, password (hashed), university, programme, and profile preferences you provide during onboarding or in settings.
Payment Data: if you upgrade to a paid plan, billing details (last 4 digits of card, billing country, VAT status, transaction IDs) are processed by our payment provider Stripe. We do not store full card numbers on our servers.
Referral Data: referral codes, referral clicks, signups attributed to a referral link or shared course, course-share attribution details, discount eligibility, commission amounts, manual payout verification status, and payout notes needed to operate the Examo referral programme.
Study Content You Submit: course materials, lecture notes, PDFs, slide decks, essay drafts, AI-tutor chat messages, flashcards, and other content you upload or generate while using the platform.
Generated Study Files: audio summaries, cheat-sheet images, generated study images, and presentation exports are stored in private object storage under content-derived, pseudonymous account, or course scopes. The database keeps only the object reference and delivery metadata where possible, and protected files are streamed only after the applicable account or course-access check. Images embedded in deliberately shared study markdown use a signed capability URL rather than exposing the private object-storage key.
Loki Browser Extension Data: only after you choose a capture action, the selected text or readable page text, page title, source origin and path, chosen course and week, and any artifact you request. URL query strings and fragments are removed before storage. We also process the extension installation ID and a separate rotating login session to secure that device. The extension does not run an always-on page collector and does not transmit page content merely because it is installed or connected.
Google Workspace Export Data: if you choose to connect Google Drive, Docs, or Sheets, we store the permissions you granted, connection timestamps, file IDs and export status. Google access and refresh tokens are encrypted at rest with a dedicated application key and are never shown in exports or the browser. You can disconnect the integration from the weekly-review controls inside Course AI; Examo then revokes the grant where the provider allows and deletes its stored connection. The Google connection is account-wide, so disconnecting it affects scheduled exports for every course.
AI Interaction Data: the prompts you send to the AI tutor, the model outputs returned to you, token counts, model selection, request timestamps, and usage metrics needed to enforce rate limits.
Usage & Device Data: IP address (last octet truncated for analytics), browser type, operating system, language, referrer URL, pages viewed, time spent, feature interactions, and approximate location (country level) derived from your IP.
Cookies & Similar Technologies:strictly necessary cookies for authentication and session management, plus optional analytics from Hotjar when configured. Analytics remain disabled until you opt in, can be disabled again in Cookie settings, and use content/input suppression where supported.
Communications: messages you send to support, feedback submissions, and survey responses.
3. Lawful Basis for Processing (GDPR Art. 6)
- Contract (Art. 6(1)(b)): to create and maintain your account, deliver the AI study tools you request, process payments, and provide customer support.
- Legitimate interests (Art. 6(1)(f)): to detect and prevent abuse, enforce rate limits, secure our infrastructure, debug issues, and improve product reliability and usability. This basis is not used to train or fine-tune machine-learning models on your personal study content. We balance these interests against your rights and freedoms.
- Consent (Art. 6(1)(a)): for non-essential cookies where required by law, marketing emails, and any optional personalisation. You can withdraw consent at any time without affecting prior processing.
- Legal obligation (Art. 6(1)(c)): for tax, accounting, fraud-prevention and other statutory requirements.
4. How We Use Your Information
- Service delivery: generate summaries, smart notes, cheat sheets, flashcards, AI tutor replies, practice questions, and essay assistance.
- Account management: authentication, password resets, subscription billing, plan upgrades and downgrades.
- Referral programme: applying referral discounts for the first Pro payment only, attributing signups, course-share upgrades and first Pro payments, calculating plan-specific fixed cash rewards, and verifying manual payout eligibility once the minimum withdrawal threshold is met.
- Rate-limit enforcement: we count tokens, requests, generations and other usage metrics tied to your user ID to enforce the limits associated with your plan (see our Terms & Conditions for current quotas).
- Safety & abuse prevention: detecting scraping, prompt-injection, payment fraud, account sharing, and academic-misconduct patterns.
- Product improvement: aggregated, often pseudonymised analytics to understand which features work and where users get stuck. Optional analytics are collected only after the required consent choice and are not used to train AI models.
- Communications: transactional emails (receipts, password resets, security alerts) and, only with consent, occasional product updates.
We do not use your study content, chat messages, uploaded materials, or generated artifacts to train or fine-tune Examo or third-party machine-learning models. Aggregate operational statistics may be used to improve the product, but they are not training examples and are not intended to identify an individual student.
5. AI Processing & Sub-processors
Examo uses third-party AI providers to power the AI tutor, summaries, smart notes, flashcards, cheat sheets, and essay tools. When you use these features, the relevant prompt and related course context are transmitted to the provider strictly to generate a response. Providers act as sub-processors under written data-processing agreements. Current sub-processors include:
- AI infrastructure providers: depending on the requested feature and configured reliability route, this may include Google (Gemini), OpenAI, Xiaomi (MiMo), Alibaba Cloud (Qwen), or DeepSeek for text, image, or live-audio generation. Only the context required for the requested feature is sent. Production provider terms and data-processing settings must prohibit provider training on API content.
- Stripe Payments Europe: subscription billing and payment processing.
- Amazon Web Services / Hetzner: hosting, databases, file storage in the EU.
- Vercel: frontend hosting and edge delivery.
- Resend / Postmark: transactional email delivery.
- Firebase: identity and supporting account infrastructure where configured.
- Google Workspace APIs: optional Drive, Docs, and Sheets delivery that runs only after you connect Google and grant the destination-specific permissions. Examo uses only the limited
drive.filepermission for files it creates or that you explicitly open through the integration. It does not request account-wide Docs, Sheets, or Drive access for these exports. - Mathpix and document-extraction services:extraction of supported documents where the selected upload workflow requires an external parser.
- Hotjar: optional product analytics that loads only after affirmative consent, when configured.
We do not train AI models on your content. Examo does not use your uploads, prompts, essays, generated study materials, or other personal data to train, fine-tune, or otherwise improve any machine-learning model. Examo uses business/API provider configurations intended to prevent provider training on submitted API content; confirming the applicable contract and setting is a production-onboarding gate for every enabled provider.
The configured production subset, processing location, purpose, and transfer safeguard are recorded in Examo's internal processor register. A current copy is available on request at contact@examo.me.
6. Sharing Your Information
We never sell, rent or trade your personal data. We share data only with:
Sub-processors (see Section 5) under binding data-processing agreements that include EU Standard Contractual Clauses where required.
Universities and programme leaders if you have explicitly enrolled in a course managed by them, and only the data they need to administer that course.
Authorities or legal advisors when required by law, court order, or to protect the rights, safety, and property of Examo or its users.
Successors in the event of a merger, acquisition, or asset sale, in which case we will notify you and give you the option to delete your data.
7. International Data Transfers
Examo is headquartered in the European Union and stores primary data within the EU. Some sub-processors (notably our payment processor and cloud infrastructure providers) may process data in the United States or other countries outside the EEA. Where this happens, we rely on appropriate safeguards under GDPR Chapter V, including the European Commission's Standard Contractual Clauses (SCCs), adequacy decisions where available (e.g. EU-US Data Privacy Framework for self-certified providers), and supplementary technical measures such as encryption in transit and at rest.
8. Data Retention
- Account data: retained for as long as your account is active. After account deletion, limited account records may be retained for up to 6 months to handle disputes and refund requests. Automated inactive-user deletion is disabled unless expressly enabled by the service operator and excludes paid or trial accounts, purchasers, creator entitlements, and anyone who owns a course. Account owners may instead request deletion through the available privacy controls.
- Study content (summaries, notes, flashcards): retained while your account is active. You may delete individual items at any time. On account deletion, including automatic deletion for inactivity, associated personal study content and user-created course materials are removed or de-identified within 30 days from primary systems and within 90 days from encrypted backups.
- Generated binary artifacts: retained with the related account, course, or generated item. Deleting or replacing the related record queues its private object for deletion; failed provider deletions are retried with a bounded retention log rather than silently reported as complete.
- Browser-extension clips and artifacts:retained as account-scoped study content until you delete them or your account. Extension access sessions expire and rotate independently from the website session; disconnect, password reset, account-wide logout, or account deletion revokes the applicable extension session.
- AI tutor conversations: recent context may be retained in your browser to continue the visible conversation. Routine server AI logs are metadata-only and do not intentionally retain full tutor prompts or replies; time-limited incident capture, if enabled, follows the security-log retention and deletion process.
- Payment records: retained for 7 years to comply with EU/UK tax and accounting law, even if an inactive account is deleted.
- Server & security logs: retained for 90 days, then deleted or anonymised.
- Marketing preferences: retained until you withdraw consent or unsubscribe.
9. Your Rights Under GDPR
If you are located in the EU, EEA, UK or Switzerland you have the following rights, free of charge, in respect of your personal data:
- Right of access (Art. 15): a copy of the personal data we hold about you.
- Right to rectification (Art. 16):correction of inaccurate or incomplete data.
- Right to erasure / “right to be forgotten” (Art. 17): deletion of your personal data, subject to legal retention obligations.
- Right to restrict processing (Art. 18):pause processing in defined circumstances.
- Right to data portability (Art. 20):receive your data in a structured, machine-readable format and have it transmitted to another controller where technically feasible.
- Right to object (Art. 21): object to processing based on legitimate interests, including profiling.
- Right not to be subject to automated decision-making (Art. 22): we do not use your data for solely automated decisions producing legal or similarly significant effects on you.
- Right to withdraw consent: for any processing based on consent, at any time.
- Right to lodge a complaint: with your local data-protection supervisory authority.
To exercise any of these rights, email contact@examo.me. We will respond within one month, as required by Art. 12 GDPR. We may need to verify your identity before acting on a request.
10. Cookies & Tracking Technologies
We use the following categories of cookies:
- Strictly necessary: session cookies, CSRF tokens, and authentication cookies. These cannot be disabled because the platform will not function without them.
- Functional: remember your sidebar state, dark mode, language and other preferences.
- Analytics: Hotjar, when configured, helps us understand how the product is used. Analytics remain off until you opt in and can be disabled again in Cookie settings.
- Marketing (opt-in): only if explicitly enabled in our cookie banner.
You can adjust your preferences at any time through the public cookie banner, Dashboard Settings when signed in, or your browser settings. More detail is available in our Cookie Policy.
11. Security
We use TLS (HTTPS) for all data in transit, AES-256 encryption at rest for stored content, hashed and salted password storage (bcrypt), short-lived JWT access tokens with refresh tokens, role-based access controls, least-privilege database and object-storage access, private object buckets with public access disabled, and continuous logging and monitoring. No system is 100% secure; if we become aware of a personal data breach we will notify the relevant supervisory authority within 72 hours and affected users without undue delay, as required by Art. 33 and 34 GDPR.
12. Children
Examo is intended for university students and adults aged 16 and over. We do not knowingly collect personal data from children under 16. If you believe a child has provided us with personal data, contact us at contact@examo.me and we will delete it.
13. Third-Party Websites
Examo may contain links to third-party websites. We are not responsible for the privacy practices of those sites and encourage you to read their privacy policies before providing any personal data.
14. Changes to this Policy
We may update this Privacy Policy from time to time. Material changes will be communicated by email and/or by posting a notice in the product at least 14 days before they take effect. The “Last Updated” date at the top of this page indicates when the policy was last revised.
15. Your U.S. State Privacy Rights (California & Others)
If you are a resident of California or another U.S. state with a comprehensive consumer-privacy law (including Virginia, Colorado, Connecticut, and Utah), you have additional rights regarding your personal information. These rights are in addition to, and consistent with, the rights described above.
We do not sell or share your personal information. Examo does not sell your personal information for money, and we do not “share” it for cross-context behavioural advertising, as those terms are defined under the California Consumer Privacy Act (CCPA, as amended by the CPRA). We have not done so in the preceding 12 months.
Subject to identity verification and legal exemptions, you may request to:
- Know and access the categories and specific pieces of personal information we have collected, the sources, the business purpose, and the categories of recipients.
- Delete personal information we hold about you.
- Correct inaccurate personal information.
- Opt out of any sale or sharing of personal information or targeted advertising (we do none of these).
- Limit the use of sensitive personal information.
To exercise any of these rights, contact us at contact@examo.me. You may use an authorised agent to submit a request on your behalf, and we will not discriminate against you for exercising any of your privacy rights.
16. Contact
For all enquiries — including privacy, data subject requests, and security matters — contact us at contact@examo.me.
Social: Instagram @examo.me
By using Examo, you acknowledge that you have read, understood, and agree to this Privacy Policy.