Privacy Notice

The controller is НЕКСУВОУЛТ ЕООД, Plovdiv, Bulgaria. Privacy queries: privacy@chernata.ai. You may also lodge a complaint with the Bulgarian Commission for Personal Data Protection (CPDP): cpdp.bg.

• Identifiers: email, name, profile photo (if provided via OAuth).
• Account & learning data: preferred AI model, verticals, level, locale, lesson progress, saved prompts, votes, streaks, exercise responses, 28-day challenge submissions.
• Payment data: processed entirely by Stripe; we store only the Stripe customer ID, last-4 digits, card brand (received via webhook).
• AI usage: request count, tokens, model, latency — for quotas and credit accounting.
• Technical data: IP (rate-limit only, purged after 24h), user-agent, error logs.
• Cookies: see the separate Cookie Policy.

• Contract — to provide the service (Art. 6(1)(b)).
• Legitimate interest — security, fraud prevention, basic analytics (Art. 6(1)(f)).
• Consent — marketing email, analytics and marketing cookies (Art. 6(1)(a)). Withdrawable anytime from your profile.
• Legal obligation — invoices retained for 10 years under Bulgarian tax law.

• Stripe Payments Europe Ltd. — payment processing (Ireland, EU).
• Anthropic PBC — Claude API. Trans-Atlantic DPF / SCCs. Zero-retention API mode.
• OpenAI Ireland Ltd. — ChatGPT API. EU subprocessor with SCCs; API data not used for training.
• Google Ireland Ltd. — Gemini API and OAuth.
• Vercel Inc. — hosting. SCCs + EU data region.
• Apple Inc. — Sign in with Apple (when enabled).
• Database hosting (PostgreSQL, EU region).

We do not sell personal data. We do not perform automated decision-making with legal effect (Art. 22 GDPR).

Where a processor processes data outside the EEA (e.g. backup regions), we rely on the EU Commission's Standard Contractual Clauses (2021/914) plus supplementary measures (encryption in transit and at rest).

• Active account — while the account exists.
• After deletion — immediate anonymisation; full erasure after 30 days (legal-claims window).
• Invoices / accounting records — 10 years (Bulgarian tax law).
• Security audit log — 12 months.
• Rate-limit IPs — 24 hours.

• Access — Profile → Export.
• Rectification — edit your profile directly.
• Erasure — Profile → Delete account (executes in real time).
• Portability — JSON export from Profile.
• Restriction / objection — email privacy@chernata.ai.
• Withdraw consent — toggle marketing + cookie categories from Profile.
• Complaint — lodge with CPDP (Bulgaria) or your national authority.

We respond within 30 days (extendable by 60 days for complex requests).

Encryption at rest and in transit (TLS 1.2+), bcrypt password hashing, JWT with rotation on sensitive changes, audit logging, role-based access control. We notify CPDP within 72 hours of a personal-data breach (Art. 33 GDPR).

The Service is not directed at persons under 16 and we do not knowingly collect their data.

Contact for all privacy matters: privacy@chernata.ai. We are not currently required to designate a DPO under Art. 37 GDPR, but we handle requests to the same standard.