Privacy Policy
Last updated: 16 June 2026
This Privacy Policy explains how Opti (“Opti”, “we”, “us”) collects, uses, and protects your personal data when you use optieducation.app (the “Service”). We handle your data in line with the EU General Data Protection Regulation (GDPR).
Who we are (data controller)
Opti is an independent ESAT study tool operated by an individual based in Belgium. For the purposes of the GDPR, we are the “data controller” for the personal data described here. You can contact us about privacy at optiapp.business@gmail.com, and our full controller identity is available on request.
What data we collect
- Account data — your email address and a securely hashed password. If you choose “Continue with Google”, we receive your name and email from your Google account.
- Onboarding data — your self-reported preparation stage, the study methods you currently use, and how you heard about Opti.
- Study & practice data — the subjects you study; your practice session settings; the questions you attempt, the answers you select, whether they were correct, and how long you took; optional self-diagnosis tags and short notes you add when reviewing; and spaced-repetition data we derive to schedule your practice.
- Reflections— free-text reflections you choose to write at the end of a session, which are processed to generate a short study summary for you (see “Automated processing & third parties”).
- Technical data — your IP address, device and browser information, and standard server logs, used for security, rate-limiting, and keeping the Service running.
We do not intentionally collect special-category data (such as health or political data). Please don’t put such information into free-text fields or uploads.
Cookies & analytics
We use strictly-necessary cookies — those required to log you in and keep your session secure. Because these are essential to a service you’ve asked for, they don’t require consent.
We also use privacy-friendly product analytics (PostHog) to understand how Opti is used and improve it — for example, which steps people complete and where they drop off. These analytics load only if you agree via the consent banner; if you decline, no analytics cookies are set and no usage events are collected. We record events such as page views and key actions (for example, starting or finishing a session), linked to your account identifier once you are signed in. We do not send your answers, reflections, name, email, or date of birth to our analytics provider, and your analytics data is processed in the European Union. You can change your choice at any time by clearing it in your browser.
Why we use your data and our legal basis
- To create and run your account and deliver the practice Service — performance of a contract with you.
- To personalise your practice (spaced repetition, resurfacing questions you got wrong, and similar) — performance of a contract and our legitimate interest in making the Service effective.
- To generate your reflection summary when you submit a reflection — performance of a contract (a feature you request).
- To keep the Service secure, prevent abuse, enforce rate limits, and moderate access — our legitimate interest in protecting the Service and its users.
- To measure how the Service is used so we can improve it (product analytics) — your consent, which you can withdraw at any time.
- To comply with our legal obligations — legal obligation.
We do not make decisions producing legal or similarly significant effects about you by solely automated means.
Automated processing & third parties (sub-processors)
To run the Service we share the minimum data necessary with carefully chosen providers who process it on our behalf, under data-processing agreements:
- Supabase — database hosting, authentication, and file storage.
- Cloudflare — application hosting and content delivery.
- PostHog (EU Cloud) — product analytics, used only with your consent and processed in the European Union. We send product events and your account identifier, never your answers, reflections, or other content.
- Anthropic — when you submit a reflection, the text of that reflection is sent to Anthropic’s language model to generate your study summary. Anthropic processes it to return the result and does not use it to train its models.
- Voyage AI — generates mathematical “embeddings” of your study content so we can find related questions.
- Upstash — temporary storage of identifiers used for rate-limiting and abuse prevention.
- Google — only if you choose to sign in with Google.
We do not sell your personal data, and we do not share it for advertising.
International transfers
Some of our providers (including Anthropic and Voyage AI) are based in the United States, so your data may be transferred outside the European Economic Area. Where it is, the transfer is protected by appropriate safeguards — such as the European Commission’s Standard Contractual Clauses and/or the EU–US Data Privacy Framework. You can ask us for more detail.
How long we keep your data
We keep your data for as long as your account is active. If you delete your account or ask us to erase your data, we will delete it within 30 days, except where we must keep certain records to comply with the law. Backups are overwritten on a rolling basis. Data from sessions used without an account (“guest” sessions) is not linked to your identity.
Your rights
Under the GDPR you have the right to: access your data; correct it; delete it; restrict or object to processing; data portability; and, where we rely on consent, to withdraw it at any time. To exercise any of these, email optiapp.business@gmail.com and we’ll respond within one month.
You also have the right to lodge a complaint with your local data-protection authority. In Belgium this is the Data Protection Authority (Gegevensbeschermingsautoriteit / Autorité de protection des données), Rue de la Presse 35, 1000 Brussels — autoriteprotectiondonnees.be.
Children
You must be at least 13 to use Opti. The age at which you can consent to online services on your own varies by country (between 13 and 16). If you are under 16, you confirm that a parent or guardian has given permission for you to use Opti and for us to process your data as described here. If we learn that we have collected data from a child below the applicable age without the required permission, we will delete it. Parents or guardians can contact us at optiapp.business@gmail.com.
Security
We protect your data with measures including hashed passwords, encryption in transit, and restricted access. No online service can be guaranteed 100% secure, but we work to protect your information and will notify you and the relevant authority of a data breach where the law requires.
Changes to this policy
We may update this policy from time to time. We’ll change the “Last updated” date above and, for significant changes, take reasonable steps to let you know.
Contact
Questions or requests: optiapp.business@gmail.com.