1. Who we are
October AI ("we", "us") is a study platform operated by the founder based in the United Arab Emirates. This Privacy Policy applies to octoberai.net, our web app, and any related services.
For privacy questions or data requests, contact: support@octoberai.net.
2. What we collect
2.1 Information you provide directly
- Account data: email address, username, password (one-way hashed), full name (optional).
- Profile data: avatar URL, bio, communication preferences (all optional).
- User Content: documents, slides, notes, text, or other files you upload.
- Generated content: quizzes, results, scores, analytics tied to your account.
- Payment data: if you upgrade, your card details are collected directly by Stripe — we receive only customer ID and last-4 digits / brand for display.
- Communications: support emails, feedback, contact-form submissions.
2.2 Information collected automatically
- Authentication data: session cookies, device tokens, JWT identifiers.
- Technical data: IP address, browser type, OS, language, timezone, referrer, time of access.
- Usage data: page views, button clicks, quiz-generation events, error logs.
- Telemetry data: aggregate counters of pipeline events — never the actual content.
2.3 Information from third parties
- Stripe sends payment status, subscription state, customer ID — no card numbers.
- Email-verification providers confirm whether email addresses are in a valid format.
- Sentry receives error stack traces (may include email addresses if errors happen during authenticated sessions).
2.4 What we do NOT collect
- Your full payment-card number, CVV, or expiry (Stripe holds these);
- Government ID or biometric data;
- Precise GPS location (we may infer rough geolocation from IP);
- Browsing on other websites — no cross-site tracking;
- Audio or video — October AI does not access your microphone or camera.
3. How we use your information
We use your data only for:
| Purpose | Examples |
|---|---|
| Operating the Service | Authenticating you, generating quizzes, storing results, delivering paid features |
| Communicating with you | Account verification, password reset, billing notifications, security alerts |
| Securing the Service | Detecting and preventing fraud, abuse, prompt injection, unauthorised access |
| Improving the Service | Aggregate analytics (anonymous), error monitoring, performance tuning |
| Legal compliance | Responding to lawful requests, enforcing our Terms, protecting our rights |
We do not use your data for: targeted advertising on third-party platforms; selling to data brokers; training or fine-tuning AI models we own.
4. Legal bases
If you are in the EU/EEA, UK, or another GDPR-style jurisdiction, our legal bases are: performance of a contract; legitimate interests (security, fraud prevention, product improvement); consent (for marketing); and legal obligation.
If you are in the UAE, processing is conducted under Federal Decree-Law No. 45 of 2021 on the Protection of Personal Data (PDPL), relying on contract, legitimate interest, and consent as applicable.
5. Who we share data with
We share data only with the third parties needed to run the Service. We do not sell personal data.
5.1 Sub-processors
| Provider | Purpose | What they receive |
|---|---|---|
| OpenAI (USA) | LLM generation | Your uploaded text + prompts |
| Stripe (USA / EU) | Payment processing | Email, customer ID, billing address, card data |
| Railway (USA) | Hosting + Postgres + Redis | Everything we store |
| SendGrid / Resend | Transactional email | Email address, name, message content |
| Sentry (USA) | Error monitoring | Stack traces, request metadata |
| Cloudflare / DNS | DNS, CDN, DDoS protection | IP address, request metadata |
5.2 Other disclosures
- Legal requests. We may disclose data in response to lawful requests by public authorities.
- Mergers / acquisitions. If October AI is acquired, your data may be transferred to the successor entity. You will be notified.
- Protection of rights. We may disclose data to protect our rights, property, safety, our users, or the public.
5.3 No selling
We do not sell, rent, or trade your personal information to data brokers, advertisers, or marketing platforms.
6. International data transfers
Our hosting is in the United States (Railway). Our LLM provider (OpenAI) processes in the United States. Email delivery may route through the US or EU. Stripe operates globally.
By using the Service, you acknowledge and consent to the transfer of your data to these jurisdictions. Where required, we rely on Standard Contractual Clauses or equivalent transfer safeguards.
7. How long we keep data
| Category | Retention |
|---|---|
| Account data | While active + 30 days after deletion |
| Uploaded files | While retained in your account; deletable on request |
| Generated quizzes & results | While retained in your account; deletable on request |
| Billing records | Up to 7 years (tax, accounting, anti-fraud) |
| Audit logs | Up to 2 years |
| Backups | Up to 90 days |
| Telemetry events | 90 days |
| Sentry error logs | 90 days |
After retention periods, data is permanently deleted or anonymised.
8. Your rights
Depending on your jurisdiction, you may have:
- Access — request a copy of the personal data we hold about you;
- Correction — fix inaccurate or incomplete data;
- Deletion — delete your account and associated data;
- Restriction / objection — limit or object to certain processing;
- Portability — receive a copy of your data in a structured, machine-readable format;
- Withdraw consent at any time;
- Lodge a complaint with a data-protection authority.
To exercise these rights, email support@octoberai.net. We respond within 30 days, faster where required by law. We may need to verify your identity before acting on a request.
Children
October AI is not intended for users under 18. If you believe a minor has created an account, contact us and we will investigate and delete the account.
9. Security
- HTTPS / TLS encryption in transit;
- Bcrypt password hashing — we never store your password in readable form;
- JWT-based session tokens with short expiry, set as HttpOnly cookies;
- Rate limiting on authentication and upload endpoints;
- CSP, CORS, and other security headers;
- Encrypted database connections;
- Founder audit logs for any administrative action.
No system is completely secure. If we discover a breach affecting your data, we will notify you and competent authorities as required by applicable law (GDPR: 72 hours; PDPL: without undue delay).
10. Cookies & tracking
We use functional cookies required to operate the Service:
- october_token — your authentication session (HttpOnly, Secure);
- UI preferences (theme, dismissed banners) stored locally.
We do not use third-party advertising cookies, cross-site tracking pixels, or behavioural-advertising profiles.
11. AI providers and your uploaded content
When you generate a quiz, the text content of your uploaded material is transmitted to a third-party LLM provider (currently OpenAI) for processing.
We:
- Choose providers with no-training-by-default settings where available;
- Send only the text content needed for the requested generation — not the binary file;
- Do not send your account email, username, or other identifiers in the generation prompt;
- Apply prompt-injection defences to limit what the LLM treats as instructions.
Note: Once content reaches the LLM provider, it is processed under that provider's policies. If you do not consent to your content being processed by third-party LLMs, do not upload it.
12. Marketing communications
We currently do not send marketing emails. Account-related transactional emails (verification, password reset, payment receipts, security alerts, terms changes) are not "marketing" and cannot be opted out of without closing your account.
If we add a marketing newsletter in the future, it will be opt-in only.
13. Changes to this policy
We may update this Privacy Policy. The "Last updated" date at the top reflects the most recent version. Material changes will be communicated by email and/or in-app notification.
14. Contact
Privacy questions / data requests: support@octoberai.net
By using October AI, you acknowledge you have read this Privacy Policy and consent to the practices described.