Privacy Policy
Last updated: 2026-05-14 · Language: English
Tuba is operated from Austria (EU) and available worldwide. Regardless of where you live, we apply the EU General Data Protection Regulation (GDPR, 2016/679) as our baseline. This document is our full Article 13/14 notice.
1. Data controller
Christian Fischer
Austria (full address: see Imprint)
Email: info@tuba.school
2. What data we process
- Account: email and timestamps. Registration only requires an email address — no name or other personal details. Legal basis: Art. 6(1)(b) GDPR — contract performance.
- Transactional emails: Account confirmation and password reset emails are delivered via Resend (EU region, Ireland). Only your email address and the message content are transmitted. Legal basis: Art. 6(1)(b) GDPR.
- Image content (e.g. student texts and other writing samples): Uploaded photos are sent to Anthropic for transcription and analysis. Original images are not stored permanently — neither by us nor by Supabase. Legal basis: Art. 6(1)(b) GDPR and explicit consent at registration; Art. 9(2)(a) where the content may include special-category data.
- Correction results: the text transcribed from the uploaded images, the corrected version, the list of errors with explanations, grading and feedback. Stored in Supabase (EU) until you delete them (individually inside your account, or via account deletion). The transcribed text may contain personal data if the source was not anonymised before upload — the app actively reminds you of this at upload time. Legal basis: Art. 6(1)(b) GDPR and explicit consent at upload.
- Red-pen balance & purchases (internally: credits): balance and transaction history. Purchases run through Stripe Checkout. Legal basis: Art. 6(1)(b).
- Welcome-bonus protection: a SHA-256 hash of the normalised email address is stored to prevent repeated free-bonus claims through account deletion and re-registration. The plain email address is not stored for this purpose. Legal basis: Art. 6(1)(f) GDPR — legitimate interest in abuse prevention.
- Server logs: truncated IP address, user-agent, timestamp, status code — kept up to 30 days for abuse detection. Legal basis: Art. 6(1)(f) — legitimate interest in security.
3. Data residency & encryption
- Database (Supabase): EU region. Encryption in transit and at rest using industry standards.
- API server (Vercel): EU region.
- App storage: auth tokens are kept in the device's secure storage.
4. International transfers (US AI provider)
For AI correction, we transmit image content and task context to:
- Anthropic PBC (USA) — Claude Sonnet
Anthropic has a Data Processing Agreement (DPA) with us and commits to the EU Commission's Standard Contractual Clauses (Decision 2021/914). Under Anthropic's API terms, submitted API data is not used to train models. Data is retained for up to 30 days for abuse monitoring and then deleted.
Processors:

Supabase Inc.
- Purpose: Authentication, storage of profile, corrections, red-pen transactions
- Location: USA (database in EU — Frankfurt)
- Transfer basis: EU data residency, EU Commission SCCs (2021/914)
- Retention: until account deletion; audit logs 30 days

Vercel Inc.
- Purpose: API hosting (Next.js server)
- Location: USA (edge functions in EU)
- Transfer basis: EU data residency, SCCs
- Retention: request logs 30 days

Anthropic PBC
- Purpose: AI correction (Claude Sonnet)
- Location: USA
- Transfer basis: SCCs, Anthropic API Terms §B.5 (no training on API data)
- Retention: 30 days for abuse monitoring, then deletion

Stripe Payments Europe, Ltd.
- Purpose: Web payments, Stripe Checkout, payment confirmation for red-pen grants
- Location: Ireland / USA
- Transfer basis: SCCs, Stripe DPA
- Retention: purchase and invoice data 7 years (tax retention)

Resend (Resend Inc.)
- Purpose: Transactional email (account confirmation, password reset)
- Location: USA (email delivery in EU — Ireland)
- Transfer basis: EU data residency, SCCs
- Retention: email logs 30 days
5. Retention
- Original images: not stored permanently (deleted right after analysis)
- Corrections & profile: until account deletion
- Red-pen transactions: 7 years (Austrian tax retention obligation, § 132 BAO)
- Welcome-bonus hash: indefinitely while the free bonus is offered, so the same bonus cannot be claimed repeatedly
- Server logs: max. 30 days
- Security backups: encrypted database backups may contain deleted correction results for up to 30 days. They are used only to recover from serious operational or security incidents and are overwritten automatically afterwards.
6. Your rights (GDPR Art. 15–22)
- Access (Art. 15): in-app via Settings → Download data export
- Rectification (Art. 16): by email
- Erasure (Art. 17): in-app via Settings → Delete account irreversibly — takes effect immediately in the production database; see retention above for backup copies
- Restriction (Art. 18) / Objection (Art. 21): by email to info@tuba.school
- Data portability (Art. 20): JSON export inside the app
- Withdraw consent: delete account — past processing remains lawful
7. Right to lodge a complaint (Art. 77)
You can file a complaint with the Austrian Data Protection Authority: dsb.gv.at. Outside Austria: with the supervisory authority of your residence.
8. Automated decisions
AI corrections are recommendations, not binding assessments — the final decision is made by the teacher. No automated decision-making with legal effect within the meaning of Art. 22 GDPR takes place.
9. Student data / special responsibility
Teachers are the data controllers with respect to student work they upload. We strongly recommend redacting student names and personal details before uploading. The app actively reminds you of this at upload time.
10. Contact
Questions about privacy: info@tuba.school. We reply within 14 days.