Privacy Policy
Last updated: 2026-05-11
Tuba is operated from Austria (EU) and available worldwide. Regardless of where you live, we apply the EU General Data Protection Regulation (GDPR, 2016/679) as our baseline. This document is our full Article 13/14 notice.
1. Data controller
Christian Fischer
Austria (full address: see Imprint)
Email: c.fischer@gebenfuerleben.at
2. What data we process
- Account: email, optionally Apple/Google sign-in identifier, timestamps. Legal basis: Art. 6(1)(b) GDPR — contract performance.
- Images of student work: Uploaded photos are sent to an AI provider (Anthropic or OpenAI, depending on your model choice) for transcription and analysis. Original images are not stored permanently — neither by us nor by Supabase. Legal basis: Art. 6(1)(b) + explicit consent at registration.
- Correction results: transcribed text, error analysis, grading, feedback. Stored in Supabase (EU) until you delete them.
- Credit balance & purchases: balance and transaction history. Purchases run through Apple App Store / Google Play — we only learn that a purchase happened and its credit amount (via RevenueCat webhook). Legal basis: Art. 6(1)(b).
- Server logs: truncated IP address, user-agent, timestamp, status code — kept up to 30 days for abuse detection. Legal basis: Art. 6(1)(f) — legitimate interest in security.
3. Data residency & encryption
- Database (Supabase): EU region (Frankfurt, Germany). Encryption at rest (AES-256) and in transit (TLS 1.3).
- API server (Vercel): pinned to fra1 (Frankfurt) — see vercel.json.
- Mobile app storage: auth tokens stored in iOS Keychain / Android Keystore.
4. International transfers (US AI providers)
For AI correction, we transmit image content and task context to one of:
- Anthropic PBC (USA) — Claude Haiku, Claude Sonnet
- OpenAI OpCo, LLC (USA) — GPT-4o-mini
Both providers have a Data Processing Agreement (DPA) with us and commit to the EU Commission's Standard Contractual Clauses (Decision 2021/914). Under their API terms, neither Anthropic nor OpenAI uses submitted API data to train their models. Data is retained for up to 30 days for abuse monitoring and then deleted.
Full processor list: /en/legal/processors (GDPR Art. 30 record).
5. Retention
- Original images: not stored permanently (deleted right after analysis)
- Corrections & profile: until account deletion
- Credit transactions: 7 years (Austrian tax retention obligation, § 132 BAO)
- Server logs: max. 30 days
6. Your rights (GDPR Art. 15–22)
- Access (Art. 15): in-app via Settings → Download data export
- Rectification (Art. 16): by email
- Erasure (Art. 17): in-app via Settings → Delete account irreversibly — takes effect immediately
- Restriction (Art. 18) / Objection (Art. 21): by email to c.fischer@gebenfuerleben.at
- Data portability (Art. 20): JSON export inside the app
- Withdraw consent: delete account — past processing remains lawful
7. Right to lodge a complaint (Art. 77)
You can file a complaint with the Austrian Data Protection Authority: dsb.gv.at. Outside Austria: with the supervisory authority of your residence.
8. Automated decisions
AI corrections are recommendations, not binding assessments — the final decision is made by the teacher. No automated decision-making with legal effect within the meaning of Art. 22 GDPR takes place.
9. Student data / special responsibility
Teachers are the data controllers with respect to student work they upload. We strongly recommend redacting student names and personal details before uploading. The app actively reminds you of this at upload time.
10. Contact
Questions about privacy: c.fischer@gebenfuerleben.at. Reply within 14 days.