Privacy Policy
Last updated: 2026-04-30 · Pasito (operated from Poland, EU)
1. Who we are
Pasito is an AI lesson recap tool for language tutors. Data controller: Radosław Wandzel, contact: hola@pasito.app. Subject to the EU GDPR and to the oversight of the Polish data protection authority (UODO).
2. What we collect
- Tutor account: email, optional display name, plan + billing data via Stripe (we never see card numbers).
- Student records: name, level, language, optional email/Telegram/WhatsApp — added by the tutor with the student's consent.
- Lesson inputs: audio, PDFs, images, and notes uploaded by the tutor. These temporary files are stored in a private Supabase Storage bucket during processing.
- Transcripts & AI-generated recaps: derived from lesson inputs. After successful processing, temporary input files are deleted and only a transcript TXT is retained in storage alongside the database recap.
- Usage logs: IP, user-agent, timestamps for security & abuse prevention. 90-day retention.
3. Sub-processors
- Vercel (hosting, EU region) — DPA
- Supabase (auth + Postgres, EU region) — DPA
- Supabase Storage (temporary lesson inputs + retained transcript TXT) — DPA
- Groq (transcription, US) — Standard Contractual Clauses
- Anthropic (recap generation, US) — SCCs, no model training on customer data
- Stripe (billing) — DPA
- Telegram & (later) Twilio (delivery) — DPA
4. Tutor obligation: student consent
Tutors confirm at onboarding that they have written consent from each student to record lessons and process recap data. Pasito provides a consent template in 3 languages.
5. Your rights (GDPR)
Access, rectification, erasure, portability, restriction, objection. Email privacy@pasito.app — we respond within 30 days.
6. Retention
- Account data — until account deletion + 90 days for legal claims.
- Temporary lesson inputs — deleted after successful processing; only transcript TXT is retained.
- Recap text — until tutor or student deletes the lesson.
- Usage logs — 90 days.
7. Security
TLS 1.2+ in transit, AES-256 at rest, row-level security (RLS) isolation per tutor, MFA for admin access, no service-role keys in client code, security headers (HSTS, CSP, X-Frame-Options), rate limiting on public endpoints.
8. Changes
We notify by email 30 days before any material change.
This policy is a baseline draft — review with a licensed lawyer before production launch in your jurisdiction.