Qonoma

🔒 Privacy Policy

Privacy Policy

📅 Effective: 3 June 2026🔄 Version 1.2 (Active Release)🏛️ Governed by UK Law🇬🇧 UK GDPR & ICO Children's Code Compliant
💡 Plain English Summary for GCSE Students:
Qonoma Revise AI collects only what it needs (your Google email, phone number, and study notes) to deliver AI-powered GCSE quizzes via WhatsApp. We store your data securely in the UK and Europe, we never sell your data, and we do not show ads. You can delete your account whenever you want.
✓ UK GDPR & DPA 2018✓ ICO Children's Code Compliant✓ Data Minimisation Safeguards✓ Zero Ads or Trackers

1. Who We Are & Contact Details

Qonoma Revise AI is provided by Qonoma Ltd ("we", "us", "our"), registered in England and Wales. We act as a Data Controller for student account data and as a Data Processor on behalf of schools and teachers for class-level analytics.

Data Controller & DPO: Abhishek Asthana
Contact Email: ai@qonoma.com

2. Data We Collect

We practice data minimisation: we only collect what is strictly necessary to run the spaced-repetition quiz revision service.

CategoryData ItemSourcePurpose
IdentityDisplay name, email addressGoogle OAuth2 sign-inAccount creation, profile, student dashboard access
ContactMobile phone numberStudent-entered, verified via SMSWhatsApp spaced-repetition quiz delivery
EducationalStudy notes, quiz answers, accuracy scoresStudent submits during revisionSyllabus classification, MCQ generation, score tracking
ConsentTerms acceptance timestamp, WhatsApp opt-in status, parent consentConsent onboarding formUK GDPR legal audit compliance
TechnicalAuthentication tokens, session stateFirebase AuthSecure session lock and account safety
SubscriptionPlan status, trial details, Stripe customer IDGenerated by system and Stripe integrationBilling portal access and trial countdowns
⚠️ What We Do NOT Collect: Precise location history, biometric data, card payment details (handled entirely by Stripe), browsing history, or advertising IDs.

3. How We Use Your Data

  • Core Revision: Building multiple-choice practice quizzes from your notes using secure fine-tuned AI models.
  • Spaced Repetition: Scheduling quiz delivery over WhatsApp at 1, 3, 7, 21, and 60 days following note submissions.
  • Class Analytics: Allowing teachers to view aggregated topic mastery and progress logs on their teacher dashboard (names only, no raw UIDs displayed).
  • Safety & Moderation: Automatically scrubbing personal details (PII) from notes before AI calls using Microsoft Presidio, and filtering profanity.

We process data under the following legal grounds (UK GDPR Article 6):

  • Contract Performance: To create your account and run the revision workflow (Art. 6(1)(b)).
  • Explicit Consent: To send spaced-repetition questions to your phone via WhatsApp (Art. 6(1)(a)).
  • Legal Obligation: To maintain parent consent audit logs for students under 16 (Art. 6(1)(c)).
  • Legitimate Interests: To protect our servers against abuse and show school class analytics (Art. 6(1)(f)).

5. Sub-processors We Use

ProcessorPurposeData SharedLocation
Google FirebaseAuth & Firestore DatabaseEmail, name, study logsEEA (Netherlands)
Google Cloud RunApplication HostingNone (encrypted in transit)EEA (Netherlands)
GitHub Models / AzureGPT AI quiz generationPII-stripped study notesEEA (Netherlands)
TwilioWhatsApp delivery & SMS OTPMobile number, quiz questionsUSA (Standard Clauses)
SendGridTransactional email alertsEmail address onlyUSA (Standard Clauses)
StripeSecure billingStripe customer ID, emailEEA / UK

6. Children & Minors (Under 16)

In alignment with the ICO Children's Code:

  • Students under 16 must provide parent or guardian email details during their onboarding. A notification is sent to verify consent.
  • All privacy settings are set to **high by default** for all users.
  • No user profiling, behavioral advertising, or data monetization is permitted.

7. Data Retention & Auto-Deletion

We retain account data as long as your profile stays active. If you do not log in for 1 year, your account is flagged for deletion. We send an alert email 14 days before permanently purging your data. Once deleted, all notes, answers, and profile fields are irreversibly erased.

8. Security Safeguards

  • TLS 1.2+ Encryption on all data in-transit.
  • AES-256 Database Encryption at-rest on Google Cloud.
  • Mobile number hashing (phone numbers are hashed at rest).
  • Google Cloud Secret Manager to secure API keys.

9. Your Rights Under UK GDPR

You have full control over your data. Email us at ai@qonoma.com to exercise these rights:

Access & Export
Download a complete copy of all study logs and notes stored on Qonoma.
Self-Service Erasure
Instantly delete your account and all data via your Settings panel.
Withdraw Consent
Opt out of WhatsApp alerts at any time by toggling settings or replying STOP.
Lodge Complaint
File a data complaint with the UK Information Commissioner's Office (ICO).

10. Cookies & Tracking

We do not use advertising trackers, cookies, or tracking pixels. The only local storage used is strictly necessary for Google Firebase Auth to keep your session active.

11. International Transfers

Your data is stored within the EU (Netherlands). Where sub-processors handle items internationally (e.g. Twilio APIs in the USA), Standard Contractual Clauses (SCCs) are fully active to safeguard your privacy rights.

12. Contact & Support

For any questions regarding this Privacy Policy, your data rights, or to submit a CCPA/GDPR inquiry, please contact:

📧 Email: ai@qonoma.com
We respond to general queries within 5 business days and data requests within 30 days.