Privacy Policy

1. Introduction

IVCT ("we," "us," or "our") is committed to protecting your privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our browser extension and dashboard service (collectively, the "Service"). This policy complies with the General Data Protection Regulation (GDPR), Greek Law 4624/2019, and other applicable privacy laws.

Data Controller: IVCT, a company operating under Greek law

2. Information We Collect

2.1 Personal Information

• Account Information: Email address, profile information when you create an account
• Authentication Data: Login credentials, Google OAuth data (if you choose Google sign-in)
• Subscription Information: Billing details processed through Stripe (we do not store payment card information)

2.2 Usage Information

• Video Content Data: Video titles, URLs, timestamps, and transcript excerpts from YouTube videos you tag
• Tags and Summaries: Content you create, including tags, summaries, and flashcards
• Extension Usage: How you interact with our browser extension features
• Technical Data: Browser type, extension version, IP address, and general usage statistics

2.3 Automatically Collected Information

• Log data including access times, pages viewed, and technical diagnostics
• Device information and browser specifications
• Cookies and similar tracking technologies (see Cookie Policy section below)

3. Legal Basis for Processing

Under GDPR, we process your personal data based on the following legal grounds:

• Contractual Necessity: To provide our services as outlined in our Terms of Service
• Consent: Where you have explicitly consented to processing (e.g., marketing communications)
• Legitimate Interest: For service improvement, security, and business operations
• Legal Obligation: To comply with applicable laws and regulations

4. How We Use Your Information

• Provide, operate, and maintain our Service
• Process and fulfill your requests for features and functionality
• Generate AI-powered summaries and flashcards from your tagged content
• Synchronize data between your browser extension and dashboard
• Process subscription payments and manage your account
• Send administrative communications about your account or service changes
• Improve our Service through analytics and usage monitoring
• Detect, prevent, and address technical issues and security threats
• Comply with legal obligations and enforce our terms

5. Information Sharing and Disclosure

We do not sell, trade, or rent your personal information. We may share information in the following circumstances:

5.1 Service Providers

• Supabase: Database and authentication services (GDPR-compliant data processing)
• OpenAI: AI processing for summaries and flashcards (data processed according to their privacy policy)
• Stripe: Payment processing (PCI DSS compliant)
• Netlify: Hosting and content delivery

5.2 Legal Requirements

We may disclose information if required by law, court order, or government request, or to protect our rights, property, or safety.

5.3 Business Transfers

In the event of a merger, acquisition, or sale of assets, user information may be transferred as part of that transaction.

6. Data Storage and Security

We implement appropriate technical and organizational measures to protect your personal data:

• Data encryption in transit and at rest
• Regular security assessments and updates
• Access controls and authentication requirements
• Secure hosting infrastructure with reputable providers
• Row Level Security (RLS) policies in our database

Your data is primarily stored within the European Union through our service providers. Some processing may occur outside the EU with adequate safeguards in place, including Standard Contractual Clauses.

7. Your Privacy Rights

Under GDPR and Greek law, you have the following rights:

7.1 Access and Portability

• Right to Access: Request copies of your personal data
• Right to Data Portability: Receive your data in a machine-readable format

7.2 Correction and Deletion

• Right to Rectification: Correct inaccurate personal data
• Right to Erasure ("Right to be Forgotten"): Request deletion of your data

7.3 Processing Restrictions

• Right to Restrict Processing: Limit how we use your data
• Right to Object: Object to processing based on legitimate interests
• Right to Withdraw Consent: Withdraw consent for consent-based processing

7.4 Exercising Your Rights

To exercise these rights, contact us at privacy@ivct.app or use the account settings in your dashboard. We will respond within one month of receiving your request.

7.5 Right to Complain

You have the right to file a complaint with the Hellenic Data Protection Authority (HDPA) at www.dpa.gr or your local supervisory authority if you believe we have not handled your data appropriately.

8. Data Retention

We retain your data for as long as necessary to provide our services and comply with legal obligations:

• Account Data: Until you delete your account, plus 30 days for backup deletion
• Usage Data: Aggregated analytics data may be retained for up to 3 years
• Transaction Records: Retained for 5 years as required by Greek tax law
• Support Communications: Retained for 2 years for service quality purposes

9. Cookies and Tracking Technologies

We use cookies and similar technologies to provide and improve our Service:

9.1 Types of Cookies

• Essential Cookies: Required for basic functionality (authentication, security)
• Functional Cookies: Remember your preferences and settings
• Analytics Cookies: Help us understand how you use our Service

9.2 Cookie Consent

You can control cookies through your browser settings. Note that disabling essential cookies may affect the functionality of our Service. We comply with Greek DPA cookie consent guidelines.

10. Children's Privacy

Our Service is not intended for children under 16 years of age. We do not knowingly collect personal information from children under 16. If you become aware that a child has provided us with personal information, please contact us immediately.

11. International Data Transfers

When we transfer your data outside the European Economic Area, we ensure adequate protection through:

• Adequacy decisions by the European Commission
• Standard Contractual Clauses (SCCs)
• Certification schemes and codes of conduct
• Specific authorization from supervisory authorities where necessary

12. Data Breach Notification

In the event of a data breach that is likely to result in a risk to your rights and freedoms, we will notify the relevant supervisory authority within 72 hours and inform affected users without undue delay, as required by GDPR and Greek law.

13. Changes to This Privacy Policy

We may update this Privacy Policy periodically. We will notify you of significant changes by:

• Posting the updated policy on our website
• Sending email notifications to registered users
• Displaying prominent notices in our Service

Continued use of our Service after changes constitutes acceptance of the updated policy.

14. Applicable Law and Jurisdiction

This Privacy Policy is governed by Greek law and EU regulations. Any disputes arising from this policy will be subject to the exclusive jurisdiction of Greek courts, without prejudice to your right to file complaints with data protection authorities.

Data Controller Contact: For privacy-related inquiries and to exercise your data protection rights, please contact us at adam.visual.plus@gmail.com