Privacy Policy

We collect the following categories of information when you use EdChat on our website, web app, or linked clients:

Account Information: Email address and display name provided during sign-up. Your EdChat account is linked with your BMR EDUCATION account identity for authentication and service access. Passwords are hashed and never stored in plain text.

Chat Data: Messages you send and AI responses generated within your conversations, including quiz answers, study plans, interview responses, flashcards, and DSA practice.

Usage Data: Feature interactions, mode usage frequency, credit consumption, and session timing - used to improve the service.

Technical Data: IP address (for security and abuse prevention), browser type, and device information when you use the web. We do not sell personal data to third parties for their marketing.

Your data is used solely to provide and improve EdChat:

• Service Delivery: Processing your messages through AI models to generate responses, quizzes, plans, and code.
• Personalization: Storing your AI Memory, custom instructions, and personalization settings to improve response quality.
• Security: Detecting and preventing fraud, unauthorized access, and abuse.
• Analytics: If you accept analytics cookies, we record anonymous session heartbeats on our own infrastructure (EdChat web only while opted in)—not third-party trackers. No message content or account linkage in those metrics.
• Communication: Sending account-related emails (password reset, billing notifications). We do not send marketing emails without explicit consent.

We take security seriously and implement multiple layers of protection:

• Encryption in Transit: Data between your browser and our services uses TLS 1.2 or higher.
• Encryption at Rest: Database storage is encrypted (e.g., AES-256) where supported by our infrastructure.
• Row-Level Security: Our database enforces per-user isolation policies. Your data is inaccessible to other users at the database level.
• Authentication: Secure session tokens with automatic expiration. Passwords are hashed using industry-standard algorithms.
• Access Controls: Only authorized engineers can access production systems, with audit logging for administrative actions where applicable.

We do not sell your personal data. We share data only in the following limited circumstances:

• AI Processing: Your chat messages are sent to AI model providers (e.g., Google, Anthropic) to generate responses. Providers are contractually required to handle data according to our agreements and applicable law.
• Infrastructure: Hosting and database services (for example Supabase, Vercel) process data as subprocessors to run the Service.
• Legal Requirements: When required by law, court order, or to protect the rights and safety of our users.
• Business Transfer: In the event of a merger or acquisition, your data may be transferred with appropriate notice.

You have the following rights regarding your personal data:

• Access: Request a copy of the personal data we hold about you.
• Correction: Update inaccurate or incomplete information directly in your account settings.
• Deletion: Delete individual chats at any time. Use the profile panel to start a verified full account deletion request.
• Portability: Use the profile panel to download your data in a machine-readable format where technically feasible.
• Opt-Out: Disable AI Memory and personalization features at any time.

You can also contact us at [email protected]. We will respond within 30 days where required by law.

On the web, EdChat uses cookies and similar technologies only as needed to run the product:

• Session / auth: Required for authentication and maintaining your logged-in state. These expire when you sign out or after a limited period.
• Preferences: Storing your theme preference (dark/light mode) until you clear site data.

We do not use advertising cookies, cross-site tracking pixels, or third-party analytics cookies for behavioral ads. If we only use strictly necessary cookies in your region, a cookie banner may not be shown.

We retain your data as long as your account is active:

• Chats: Stored until you delete them or request account deletion, unless a longer period is required by law.
• Temporary Chats: Automatically deleted after 7 days.
• Account Data: Deleted within 30 days of a verified account deletion request, subject to legal holds.
• Aggregated Analytics: Anonymized metrics may be retained for product improvement.

After deletion, your data may persist in encrypted backups for up to 90 days before being permanently removed.

EdChat is intended for users aged 13 and older. We do not knowingly collect personal information from children under 13. If you believe a child under 13 has created an account, please contact us immediately at [email protected] and we will take appropriate steps, including deletion where appropriate.

We may update this Privacy Policy periodically. When we do, we will update the "Last updated" date on this page and, for material changes, notify registered users by email or an in-product notice where practical. Continued use of EdChat after changes constitutes acceptance of the revised policy where permitted by law.

For privacy-related questions, requests, or concerns, contact us at:

Email: [email protected]
Response Time: Within 30 days for data rights requests where applicable; as soon as practicable for urgent security reports.