Privacy Policy

CatalysPeak processes two categories of data: information about you (the teacher) and information about your students. This policy explains what we collect, why, and who it’s shared with.

• Account: name, email, hashed password.
• Teaching method profile: your preferences (tone, grammar approach, philosophy, etc.).
• Billing: processed by Stripe; we store only the Stripe customer ID and subscription metadata.
• Usage: page views, feature use, errors (for service reliability).

When you add a student, the information you provide (name, language level, goals, notes) is stored on our servers and used solely to generate lessons for you. We do not use student data to train AI models, sell it, or share it outside the providers listed below.

You are the data controller for student data. You are responsible for obtaining any legally-required consents from students or guardians before entering their data.

• To operate and improve CatalysPeak.
• To generate personalized lesson content at your request.
• To send transactional email (account, reset, trial reminders, billing receipts).
• To detect fraud and abuse.

We share minimum necessary data with the following providers:

• Vercel — application hosting (Frankfurt region).
• Supabase — primary database (EU-Central).
• OpenRouter / MiniMax — AI lesson generation. Prompts include the teacher’s method profile and student context. We instruct providers not to retain prompts where configurable.
• Stripe — payment processing.
• Resend — transactional email.
• Upstash — rate-limiting cache.

When you generate a lesson, your method profile and the selected student’s profile are included in the prompt sent to our AI provider. The provider processes the prompt and returns a lesson. We do not consent to our prompts being used for model training by the provider.

Generated lessons are stored in your account under your teacher ID and are only visible to you.

Account data is kept while your account is active. If you delete your account, personal data is deleted within 30 days, except where retention is required by law (e.g. invoices for tax reasons, usually 7 years).

Depending on your jurisdiction, you may have rights to access, correct, export, or delete your personal data. To exercise these rights, email us at privacy@catalyspeak.com.

Passwords are hashed with bcrypt. Sessions use httpOnly, secure cookies. Data in transit is TLS-encrypted. Production database access is limited to the service with audit logging.

Data is primarily processed in the European Union (Frankfurt). Some sub-processors (e.g. Stripe, OpenRouter) may process data in other regions under appropriate contractual safeguards.

We use a single authentication cookie (httpOnly, secure, SameSite=Lax) to keep you signed in. No advertising or analytics cookies.

CatalysPeak is a B2B-style tool used by teachers. We do not knowingly collect information directly from children. If you believe we have received such data, contact us and we will delete it.

We will notify you of material changes to this policy. Contact: privacy@catalyspeak.com.