Privacy Policy
Last updated: March 2026
This privacy policy explains how Epivo collects, uses, and protects personal data when you use our AI tutoring platform and website. We are committed to protecting your privacy and processing your data in accordance with the EU General Data Protection Regulation (GDPR), the Swedish Data Protection Act, and other applicable privacy laws.
1. Who we are
Epivo is a product of Swedish General Consulting AB, org. nr 556071-0229, Box 647, 114 11 Stockholm, Sweden. Swedish General Consulting AB, trading as Epivo, is the data controller for the personal data processed through the Epivo platform and website.
For privacy-related questions, contact us at [email protected]. We do not currently have a formally appointed Data Protection Officer (DPO). If one is appointed in the future, their contact details will be published here.
2. What data we collect
We collect the following categories of personal data:
- Account data — name, email address, and password when you create an account; parent/guardian information for minor accounts
- Learning data — course progress, quiz responses, knowledge component mastery levels, and learning preferences
- Conversation data — text interactions with the AI tutor, including session transcripts. Voice audio is processed in real time for speech-to-text conversion and is not persistently stored.
- Device and usage data — device type, operating system, app version, IP address, and general usage patterns
- Payment data — processed by our payment provider; we do not store full payment card details
- Acquisition data — how you found us (referral source, article, campaign), used to understand and improve our educational outreach
3. Why we collect it and our legal basis
| Purpose | Legal basis (GDPR) |
|---|---|
| Providing the tutoring service | Contract performance (Art. 6(1)(b)) |
| Personalizing learning and tracking progress | Contract performance (Art. 6(1)(b)) |
| Improving the platform and fixing bugs | Legitimate interest (Art. 6(1)(f)) — our interest in maintaining and improving service quality and reliability |
| Ensuring platform safety and preventing abuse | Legitimate interest (Art. 6(1)(f)) — our interest in protecting the security of the platform and the safety of users, particularly children |
| Processing children's data (under the age of digital consent) | Consent from parent or guardian (Art. 6(1)(a), Art. 8) |
| Sending service-related communications | Contract performance (Art. 6(1)(b)) |
| Complying with legal obligations | Legal obligation (Art. 6(1)(c)) |
| Website analytics (cookie-based visitor tracking) | Consent (Art. 6(1)(a)) — you can accept or reject analytics cookies via the cookie banner, and change your preference at any time via the "Cookie settings" link in the footer |
4. Whether you must provide data
Providing account data (name, email, password) is a contractual requirement necessary to use the Epivo tutoring service. If you do not provide this data, we cannot create your account or deliver the service. No statutory obligation requires you to provide data to us. Device and usage data is collected automatically when you use the platform; you can limit this through your device settings.
5. How AI tutoring works
Epivo uses large language models (LLMs) to provide personalized tutoring. When you interact with the AI tutor, your messages and relevant learning context are sent to our AI infrastructure for processing. The AI generates educational responses based on your input and the curriculum content.
The AI tutor adapts to your learning pace and selects appropriate content based on your demonstrated understanding. This constitutes automated processing of your data to deliver the tutoring service, including profiling for educational personalization. These automated decisions relate solely to educational content delivery and do not produce legal or similarly significant effects. You can contact us at any time to request human review of how the platform assesses your progress.
Your data is not used to train or fine-tune AI models. Conversation data is used solely to deliver the tutoring service in your current session.
6. Who we share data with
We share personal data with the following service providers, all bound by data processing agreements:
- OpenRouter (US) — routes tutoring conversations to AI models
- Deepgram (US) — converts voice audio to text in real time
- ElevenLabs (US) — generates voice responses for the AI tutor
- Stripe (US) — processes subscription payments
- Resend (US) — sends verification and service emails
- Render.com (US) — hosts our application and database
- Cloudflare (US) — serves our website and stores educational media
- Google (US) — provides sign-in authentication
We do not sell personal data. We do not share personal data for advertising purposes. A complete list of our sub-processors, including transfer mechanisms, is available on our sub-processors page. You may also contact us at [email protected].
7. International data transfers
Some of our service providers are based in the United States. When personal data is transferred outside the EU/EEA, we ensure appropriate safeguards are in place. Several of our US-based providers are certified under the EU-US Data Privacy Framework (DPF), providing an adequacy-based transfer mechanism. Where DPF certification is not available, we rely on EU Standard Contractual Clauses (SCCs) with supplementary measures in accordance with the GDPR. Details of the transfer mechanism for each sub-processor are listed on our sub-processors page.
8. How long we keep data
| Data category | Retention period |
|---|---|
| Account data | Duration of account + 30 days after deletion |
| Learning progress | Duration of account |
| Conversation transcripts | Duration of account — retained so learners can demonstrate their achievements; deleted upon account deletion or GDPR erasure request |
| Device and usage data | 12 months |
| Payment records | As required by Swedish accounting law (7 years) |
9. Your rights
Under the GDPR, you have the right to:
- Access — request a copy of your personal data
- Rectification — correct inaccurate data
- Erasure — request deletion of your data ("right to be forgotten")
- Restriction — limit how we process your data
- Data portability — receive your data in a structured, machine-readable format
- Object — object to processing based on legitimate interest, including profiling for educational personalization
- Withdraw consent — where processing is based on consent (including parental consent for children), withdraw it at any time without affecting the lawfulness of prior processing
- Automated decisions — request human review of decisions made solely by automated processing, including educational profiling
To exercise any of these rights, contact us at [email protected]. We will respond within 30 days.
10. Right to lodge a complaint
If you believe we have not handled your data correctly, you have the right to lodge a complaint with the Swedish Authority for Privacy Protection (IMY), or with the supervisory authority in your EU member state of residence:
Integritetsskyddsmyndigheten (IMY)
Box 8114, 104 20 Stockholm, Sweden
www.imy.se (opens in new window)
Email: [email protected]
11. Children's privacy
Epivo is designed for learners of all ages, including children. We take the protection of children's personal data seriously and comply with GDPR Article 8, the Swedish Data Protection Act, and the US Children's Online Privacy Protection Act (COPPA) where applicable.
Parental consent
In Sweden, children aged 13 and older may consent to the use of our service. For children under 13, parental or guardian consent is required before we process their data. The age of digital consent varies by EU member state (ranging from 13 to 16). For users in the United States, parental consent is required for children under 13 in accordance with COPPA.
When a parent or guardian creates an account for a child, parental consent is obtained through email confirmation during account setup. The child's account remains restricted until a parent has confirmed consent.
How we protect children's data
- We collect only the data necessary to provide the educational service
- We do not use children's data for marketing, advertising, or profiling beyond educational purposes
- Children's data is not used to train or fine-tune AI models
- We do not sell children's data or share it for advertising
- Parents and guardians can review, correct, or request deletion of their child's data at any time by contacting [email protected]
- Conversation transcripts involving children are subject to the same retention limits as all user data
- Voice audio from children is processed in real time and is not stored
- We maintain appropriate technical and organizational security measures to protect children's personal data
12. Cookies and analytics
Our website does not use advertising cookies, third-party tracking cookies, or externally hosted resources that transfer your data to third parties. All assets, including fonts, are served directly from our own infrastructure.
With your consent, we use a first-party analytics cookie to understand how visitors find and use our site across visits. This cookie contains a randomly generated identifier — it does not contain your name, email, or any personal information. We also store how you first found our site (e.g., search engine, campaign link) in separate first-party cookies. All analytics data is stored on our own servers and is never shared with third parties.
When you create an account, your anonymous browsing history (pages visited, articles read) is linked to your account so we can understand which content leads to signups. This linking only occurs if you previously accepted analytics cookies.
You can accept or reject analytics cookies when you first visit our site. You can change your preference at any time using the "Cookie settings" link in the footer. If you reject analytics cookies, no tracking cookies are set and no browsing data is collected. The tutoring service works the same regardless of your cookie preference.
For full details on every cookie we set, see our Cookie Policy.
13. Data breach notification
In the event of a personal data breach that poses a high risk to your rights and freedoms, we will notify you without undue delay as required by GDPR Article 34, in addition to notifying the supervisory authority within 72 hours as required by Article 33.
14. Changes to this policy
We may update this privacy policy from time to time. Material changes will be communicated through the platform or by email. The "Last updated" date at the top of this page indicates when the policy was last revised.