Your Data, Our Responsibility
Last updated: March 13, 2026 · Effective: March 13, 2026
We believe in radical transparency about how we handle your data. This document is a plain-language, complete account of every category of data Nexumi collects, why, and what rights you have over it.
Overview
Nexumi ("we", "us", or "our") operates the Nexumi platform — an AI-powered personalised learning ecosystem. This Privacy Policy explains what personal data we collect when you use our services, why we collect it, how we use it, and your rights regarding that data.
By accessing or using Nexumi, you agree to this Privacy Policy. If you do not agree, please do not use our services. We last updated this policy on March 13, 2026.
Data We Collect
| Category | What We Collect | How It Is Collected | Why |
|---|---|---|---|
| Account Identity | Full name, email address, profile picture (avatar URL) | Automatically via Google OAuth when you sign in | To create and identify your account |
| Profile Settings | Username (optional), daily XP goal | You enter these in your account settings | To personalise your dashboard and learning experience |
| Subscription Plan | Plan tier: Free or Pro | Set by our system; upgraded by admin or payment | To gate features and enforce plan limits |
| Learning Preferences | Learning goal, experience level, daily study hours, curriculum duration | You provide these when creating a curriculum | To generate your personalised AI curriculum |
| Learning Progress | Module and lesson completion status, timestamps | Auto-recorded as you progress through content | To track and resume your learning journey |
| Quiz & Assessment Data | Quiz answers, scores, pass/fail status, time taken | Auto-recorded on quiz submission | To evaluate knowledge and unlock next stages |
| Gamification Data | XP points, streaks, active days, earned badges | Auto-recorded through platform activity | To motivate learning and display progress |
| AI Session Data | Feynman evaluation inputs/outputs, interview session Q&A, mentor chat messages | Auto-saved during AI-powered sessions | To provide personalised AI feedback and review history |
| Flashcard & SRS Data | Card reviews, difficulty ratings, scheduled review dates | Auto-recorded during flashcard sessions | To run the spaced-repetition algorithm |
| Certificates | Certificate type, issue date, curriculum reference | Auto-generated on milestone completion | To provide verifiable proof of learning |
| Technical & Usage Data | IP address, browser type, device OS, page views, session duration | Automatically via Supabase and Google Analytics (GA4) | Security, analytics, and platform improvement |
| Analytics Events | Page visits, feature interactions (anonymised aggregates) | Google Analytics 4 (GA4) tracking script | To understand how the platform is used and improve it |
What We Do NOT Collect
We want to be clear about what we deliberately do not collect:
• **Passwords** — We use Google OAuth exclusively. We never store or see your password.
• **Payment card or bank details** — We do not process payments directly on the platform. Plan upgrades are handled separately.
• **Phone number** — We do not ask for or store phone numbers.
• **Date of birth or age** — We do not currently collect age data. Nexumi is intended for users aged 13 and above.
• **Physical address** — We do not collect home or billing addresses.
• **Government-issued ID** — We do not require identity verification documents.
• **Sensitive special-category data** — We do not collect racial or ethnic origin, political opinions, health data, biometric data, or religious beliefs.
How We Use Your Data
We process your personal data for the following purposes:
Service Delivery: To operate your account, generate AI curricula, track learning progress, run quizzes, issue certificates, and provide all platform features.
Personalisation: To adapt content difficulty, surface knowledge gaps, recommend weak-spot reviews, and tailor the AI tutor to your level and goals.
Gamification & Engagement: To calculate XP, maintain streaks, award badges, and display leaderboards. This data is derived from your in-platform activity.
Security & Fraud Prevention: IP addresses and session data are used to detect unusual access patterns and protect your account.
Platform Analytics & Improvement: Aggregated and anonymised usage data helps us understand which features are valuable and where the experience can be improved. We use Google Analytics 4 for this purpose.
Legal Compliance: We may process data where required by applicable law or to enforce our Terms of Service.
Data Retention
We retain your data for as long as your account is active or as needed to provide our services.
• **Account data** (name, email, progress, gamification): retained while your account exists.
• **AI session data** (chat, Feynman, interview): retained for 12 months after the session, then deleted.
• **Analytics data** (GA4): retained for 14 months per Google's default setting.
• **Deleted accounts**: upon account deletion request, we purge all personal data within 30 days except where legally required to retain it.
To request account deletion, contact us at gnanasampathbatchu2003@gmail.com.
Your Rights
Depending on your location, you may have the following rights:
Access — Request a copy of all personal data we hold about you.
Correction — Update inaccurate or incomplete data via your account Settings page, or by contacting us.
Erasure ("Right to be Forgotten") — Request deletion of your account and all associated personal data.
Restriction — Ask us to stop actively processing your data while keeping it stored.
Portability — Request your learning data in a machine-readable format (JSON/CSV).
Objection — Object to processing based on legitimate interest, including for analytics.
Withdraw Consent — Where processing is based on consent, you can withdraw it at any time without affecting prior processing.
To exercise any of these rights, email gnanasampathbatchu2003@gmail.com. We will respond within 30 days.
GDPR (EU/EEA users): We act as data controller. Legal bases for processing include contract performance (account/service), legitimate interest (analytics, security), and consent (optional features).
CCPA (California residents): We do not sell personal information. You have the right to know, delete, and opt out of sale (which does not apply here).
Security
We implement the following technical and organisational measures to protect your data:
• **Row-Level Security (RLS)** on all Supabase tables — each user can only access their own data.
• **JWT validation** via `getUser()` — every authenticated request validates the token server-side.
• **HTTPS** — all data in transit is encrypted with TLS.
• **Rate limiting** — all AI endpoints are rate-limited via Redis to prevent abuse.
• **No password storage** — authentication is delegated entirely to Google OAuth.
• **Admin access control** — admin routes require a verified `is_admin` database flag; email-based fallback is explicitly prohibited.
Despite these measures, no system is 100% secure. Please notify us immediately at gnanasampathbatchu2003@gmail.com if you suspect a breach.
Contact & DPO
For any privacy-related queries, data subject requests, or to report a data breach, contact us:
Email: gnanasampathbatchu2003@gmail.com
Platform: nexumi.in
Project: Nexumi