Privacy Policy

1. WHO WE ARE
   LastingLearn Inc. ("LastingLearn", "we", "us", or "our") is a Delaware corporation that provides websites, mobile/desktop applications, APIs and related services (the "Service"). This Privacy Policy explains how we collect, use, disclose, and safeguard personal information when you use the Service. By using the Service, you agree to this Policy.
   

If you access the Service under an institutional or enterprise agreement, your organization may control certain account settings and associated data and its privacy terms may also apply.

2. INFORMATION WE COLLECT
   We collect the following categories of information:
   • Identification & Account Data: name, email address, username, authentication identifiers, organization/role (optional).
   • Content You Provide: documents, images, datasets, code and other files you upload; prompts and messages; AI‑generated outputs (together, "Conversation History & Outputs").
   • Payment & Transaction Data (if you purchase): billing contact details and transaction metadata processed by our payment processor. We do not store full card numbers.
   • Usage & Device Data: IP address, device identifiers, operating system, browser type, settings, pages viewed, referring/exit pages, and interactions collected via cookies, SDKs and similar technologies.
   • Third‑Party Sources: data from single sign‑on (SSO), identity services, integration partners you choose to connect, and (for enterprise accounts) your administrator.
   Please avoid uploading sensitive personal information unless necessary and permitted by your organization or applicable law.
   
3. WHY WE PROCESS PERSONAL INFORMATION
   We use personal information to:
   • Provide, operate and maintain the Service (including account creation, authentication and content hosting).
   • Personalize learning experiences and tailor features, content and recommendations.
   • Research, develop and improve the Service and our models (including analytics and quality assurance).
   • Communicate about updates, security alerts and administrative messages; provide support.
   • Monitor, detect and prevent security incidents, abuse and policy violations.
   • Comply with legal obligations and enforce our Terms; protect our rights, users and the public.
   • With your consent, for additional purposes described at the time of collection.
   
4. LEGAL BASES (EEA/UK)
   Where the EU/EEA or UK GDPR applies, we rely on: (i) performance of a contract; (ii) legitimate interests (e.g., service improvement, security and anti‑fraud); (iii) consent (for optional features, certain cookies or marketing); and (iv) compliance with legal obligations. We are the controller unless otherwise stated for an enterprise deployment. If required, we will appoint an EU/UK representative; details available on request.
   
5. COOKIES & SIMILAR TECHNOLOGIES
   We use essential cookies to run the Service and may use analytics/functionality cookies to understand usage and improve features. You can manage cookies through your browser settings and any in‑product controls. Where legally required, we honor user‑enabled opt‑out preference signals (e.g., Global Privacy Control) for relevant activities and jurisdictions.
   
6. HOW WE SHARE INFORMATION
   We do not sell personal information and we do not "share" it for cross‑context behavioral advertising as defined by California law. We disclose personal information to:
   • Service Providers (Processors): cloud hosting, storage, analytics, communications, security and support providers under contracts requiring confidentiality and processing only on our instructions.
   • Integrations You Authorize: third‑party tools or services you connect.
   • Legal, Safety & Rights Protection: to comply with law or lawful requests; to protect the rights, safety and property of you, us and others; to detect, prevent or address fraud, abuse or security issues.
   • Business Transfers: in connection with a merger, acquisition, financing, restructuring or asset sale, subject to appropriate safeguards.
   • Aggregated/De‑identified Information: insights that do not identify individuals.
   
7. INTERNATIONAL TRANSFERS
   We and our service providers may process data in the United States and other countries. When transferring personal data internationally, we implement appropriate safeguards such as the European Commission’s Standard Contractual Clauses and, where applicable, participation in recognized transfer frameworks.
   
8. RETENTION
   We retain personal information as long as necessary for the purposes above, including to provide the Service, comply with legal obligations, resolve disputes and enforce agreements. Typical schedules:
   • Account & Identification Data: retained for the life of the account; deleted from active systems within ~30 days after deletion; limited encrypted backups may persist up to ~90 days.
   • User‑Uploaded Materials: retained until you delete them or your account; then removed from active systems within ~30 days (backups up to ~90 days).
   • Conversation History & Outputs: retained to provide and improve the Service, support safety and audit, and maintain product continuity. Where required by law or your account settings/contract, we will delete or anonymize this data upon request, subject to legitimate business needs and legal obligations.
   
9. YOUR RIGHTS & CHOICES
   Depending on your location, your rights may include: access, correction, deletion, restriction, portability and objection; and the right to withdraw consent where processing is based on consent. You may access or update certain information in your account settings or by contacting us.
   

US State Rights (e.g., CA/CO/CT/VA/UT and others): You may have rights to know/access, correct, delete, opt‑out of (a) targeted advertising, (b) sale of personal information and/or (c) certain profiling, and to appeal certain decisions. We will verify requests and respond within the timeframes required by law. If we deny a request, we provide an appeal process and, where required (e.g., Virginia), a method to contact the Attorney General.

California Disclosures (CPRA): In the past 12 months we have collected the following categories of personal information for business purposes: identifiers; California customer records information; internet or similar activity; geolocation (approximate); professional or employment‑related information; inferences; and, where provided, sensitive personal information (e.g., account log‑in with credentials). We do not sell personal information and we do not share personal information for cross‑context behavioral advertising. We disclose the categories listed above to service providers and contractors for business purposes. You may exercise California rights and authorized‑agent submissions by contacting us as described below.

Opt‑Out Preference Signals: Where required by law (e.g., California, Colorado and Connecticut), we honor browser‑ or device‑based opt‑out signals for sale/sharing or targeted advertising. If such a signal conflicts with your account setting or participation in an incentives program, we will explain your options consistent with applicable regulations.

10. SECURITY
    We use administrative, technical and physical safeguards designed to protect personal information, including encryption in transit and at rest, access controls, monitoring and regular reviews. No method of transmission or storage is completely secure; we continuously improve our defenses.
    
11. CHILDREN’S PRIVACY
    The Service is not directed to children under 13, and we do not knowingly collect personal information from them without verifiable parental consent. Where local law sets a higher age threshold (e.g., 16 in parts of the EEA/UK), we comply with those requirements. If you believe a child has provided personal information, contact us and we will take appropriate steps to delete it.
    
12. AUTOMATED DECISION‑MAKING
    We do not make decisions based solely on automated processing that produce legal or similarly significant effects without providing the notices and rights required by applicable law. If we introduce such features, we will provide additional disclosures.
    
13. CHANGES TO THIS POLICY
    We may update this Policy from time to time. If we make material changes, we will provide reasonable advance notice via email, in‑app messages or other conspicuous means. The "Effective date" above indicates the latest revision. Your continued use of the Service after the effective date means you accept the updated Policy.
    
14. CONTACT US
    Email: legal@lastinglearn.com
    Mail: LastingLearn Inc., [Mailing Address], United States
    EEA/UK: If you are in the EEA/UK and wish to contact our representative (if appointed) or our Data Protection Officer (if appointed), email us for details.
    
15. DEFINITIONS
    • "Personal information" / "personal data": information that identifies or relates to an identifiable individual.
    • "Controller" / "Business": entity that determines the purposes and means of processing personal information.
    • "Processor" / "Service provider" / "Contractor": entity that processes personal information on behalf of a controller/business.
    • "Sale" and "Share": as defined by California law.
    • "Targeted advertising": as defined by applicable state privacy laws.
    

REGIONAL SUPPLEMENTS (SUMMARY)

‍
A. EEA/UK: In addition to Sections 4, 7 and 9, you have rights under Articles 13–22 GDPR; you may lodge a complaint with your local supervisory authority. For transfers outside the EEA/UK, we use appropriate safeguards (e.g., SCCs) and will provide copies on request subject to redactions.
B. California: You have the rights to know/access, correct, delete, opt‑out of sale/share, limit use/disclosure of sensitive personal information (where applicable) and non‑discrimination. We honor Global Privacy Control signals where required. Authorized agents may submit requests subject to verification.
C. Virginia/Colorado/Connecticut/Utah (and similar laws): You may opt‑out of targeted advertising, the sale of personal data and certain profiling; you may appeal our response to your request (instructions provided in our response). We recognize legally required universal or global opt‑out preference signals where applicable.

If you have questions about this Policy or our practices, please contact us using the details above.