Privacy Policy
Last Updated: 16 May 2026 · Effective Date: 16 May 2026
Examo.me ("Examo", "we", "our", "us") is committed to protecting your personal data. This Privacy Policy explains how we collect, use, share, and protect your information when you visit examo.me, sign up for an account, or use our AI-powered study services. It is written to comply with the EU General Data Protection Regulation (Regulation (EU) 2016/679, "GDPR"), the UK GDPR, and the EU ePrivacy Directive.
1. Data Controller
The data controller responsible for your personal data is Examo. For all privacy-related questions, requests, or to exercise any of the rights described below, contact us at [email protected]. If you are based in the EU/EEA and believe we are not handling your data lawfully, you also have the right to lodge a complaint with your local supervisory authority.
2. Information We Collect
- Account & Identity Data: name, email address, password (hashed), university, programme, and profile preferences you provide on sign-up or in settings.
- Payment Data: if you upgrade to a paid plan, billing details (last 4 digits of card, billing country, VAT status, transaction IDs) are processed by our payment provider Stripe. We do not store full card numbers on our servers.
- Referral Data: referral codes, referral clicks, signups attributed to a referral link or shared course, course-share attribution details, discount eligibility, commission amounts, manual payout verification status, and payout notes needed to operate the Examo referral programme.
- Study Content You Submit: course materials, lecture notes, PDFs, slide decks, essay drafts, AI-tutor chat messages, flashcards, and other content you upload or generate while using the platform.
- AI Interaction Data: the prompts you send to the AI tutor, the model outputs returned to you, token counts, model selection, request timestamps, and usage metrics needed to enforce rate limits.
- Usage & Device Data: IP address (last octet truncated for analytics), browser type, operating system, language, referrer URL, pages viewed, time spent, feature interactions, and approximate location (country level) derived from your IP.
- Cookies & Similar Technologies: strictly necessary cookies for authentication and session management, plus optional analytics cookies (Hotjar, Vercel Analytics, Microsoft Clarity) which only run after you opt in via our cookie banner.
- Communications: messages you send to support, feedback submissions, and survey responses.
3. Lawful Basis for Processing (GDPR Art. 6)
- Contract (Art. 6(1)(b)): to create and maintain your account, deliver the AI study tools you request, process payments, and provide customer support.
- Legitimate interests (Art. 6(1)(f)): to detect and prevent abuse, enforce rate limits, secure our infrastructure, debug issues, and improve our models and product. We balance these interests against your rights and freedoms.
- Consent (Art. 6(1)(a)): for non-essential cookies, analytics, marketing emails, and any optional personalisation. You can withdraw consent at any time without affecting prior processing.
- Legal obligation (Art. 6(1)(c)): for tax, accounting, fraud-prevention and other statutory requirements.
4. How We Use Your Information
- Service delivery: generate summaries, smart notes, cheat sheets, flashcards, AI tutor replies, practice questions, and essay assistance.
- Account management: authentication, password resets, subscription billing, plan upgrades and downgrades.
- Referral programme: applying referral discounts for the first Pro billing period only, attributing signups, course-share upgrades and first Pro payments, calculating one-time 20% referral commission, and verifying manual payout eligibility once the minimum withdrawal threshold is met.
- Rate-limit enforcement: we count tokens, requests, generations and other usage metrics tied to your user ID to enforce the limits associated with your plan (see our Terms & Conditions for current quotas).
- Safety & abuse prevention: detecting scraping, prompt-injection, payment fraud, account sharing, and academic-misconduct patterns.
- Product improvement: aggregated, often pseudonymised analytics to understand which features work and where users get stuck.
- Communications: transactional emails (receipts, password resets, security alerts) and, only with consent, occasional product updates.
We do not use your study content, chat messages, or uploaded materials to train third-party foundation models. Where we fine-tune internal models, we do so on aggregated and anonymised data only and you may opt out at any time by emailing [email protected].
5. AI Processing & Sub-processors
Examo uses third-party AI providers to power the AI tutor, summaries, smart notes, flashcards, cheat sheets, and essay tools. When you use these features, the relevant prompt and related course context are transmitted to the provider strictly to generate a response. Providers act as sub-processors under written data-processing agreements. Current sub-processors include:
- AI infrastructure providers: AI generation (summaries, smart notes, flashcards, cheat-sheet images, AI tutor responses). Providers are contractually prohibited from using your prompts or responses to train their foundation models.
- Stripe Payments Europe: subscription billing and payment processing.
- Amazon Web Services / Hetzner: hosting, databases, file storage in the EU.
- Vercel: frontend hosting and edge delivery.
- Resend / Postmark: transactional email delivery.
- Hotjar, Microsoft Clarity, Vercel Analytics: opt-in product analytics.
A current list of sub-processors and their data-processing roles is available on request at [email protected].
6. Sharing Your Information
We never sell, rent or trade your personal data. We share data only with:
- Sub-processors (see Section 5) under binding data-processing agreements that include EU Standard Contractual Clauses where required.
- Universities and programme leaders if you have explicitly enrolled in a course managed by them, and only the data they need to administer that course.
- Authorities or legal advisors when required by law, court order, or to protect the rights, safety, and property of Examo or its users.
- Successors in the event of a merger, acquisition, or asset sale, in which case we will notify you and give you the option to delete your data.
7. International Data Transfers
Examo is headquartered in the European Union and stores primary data within the EU. Some sub-processors (notably our payment processor and cloud infrastructure providers) may process data in the United States or other countries outside the EEA. Where this happens, we rely on appropriate safeguards under GDPR Chapter V, including the European Commission's Standard Contractual Clauses (SCCs), adequacy decisions where available (e.g. EU-US Data Privacy Framework for self-certified providers), and supplementary technical measures such as encryption in transit and at rest.
8. Data Retention
- Account data: retained for as long as your account is active. After account deletion, limited account records may be retained for up to 6 months to handle disputes and refund requests. If you do not log in for 6 months and do not have an active paid or trial subscription, we may automatically delete your inactive account and courses you created or owned. Shared access for other users to those courses will also end.
- Study content (summaries, notes, flashcards): retained while your account is active. You may delete individual items at any time. On account deletion, including automatic deletion for inactivity, associated personal study content and user-created course materials are removed or de-identified within 30 days from primary systems and within 90 days from encrypted backups.
- AI tutor chat history: retained for up to 12 months to maintain conversation context, then automatically purged. You can delete chats earlier from the AI tutor interface.
- Payment records: retained for 7 years to comply with EU/UK tax and accounting law, even if an inactive account is deleted.
- Server & security logs: retained for 90 days, then deleted or anonymised.
- Marketing preferences: retained until you withdraw consent or unsubscribe.
9. Your Rights Under GDPR
If you are located in the EU, EEA, UK or Switzerland you have the following rights, free of charge, in respect of your personal data:
- Right of access (Art. 15): a copy of the personal data we hold about you.
- Right to rectification (Art. 16): correction of inaccurate or incomplete data.
- Right to erasure / “right to be forgotten” (Art. 17): deletion of your personal data, subject to legal retention obligations.
- Right to restrict processing (Art. 18): pause processing in defined circumstances.
- Right to data portability (Art. 20): receive your data in a structured, machine-readable format and have it transmitted to another controller where technically feasible.
- Right to object (Art. 21): object to processing based on legitimate interests, including profiling.
- Right not to be subject to automated decision-making (Art. 22): we do not use your data for solely automated decisions producing legal or similarly significant effects on you.
- Right to withdraw consent: for any processing based on consent, at any time.
- Right to lodge a complaint: with your local data-protection supervisory authority.
To exercise any of these rights, email [email protected]. We will respond within one month, as required by Art. 12 GDPR. We may need to verify your identity before acting on a request.
10. Cookies & Tracking Technologies
We use the following categories of cookies:
- Strictly necessary: session cookies, CSRF tokens, and authentication cookies. These cannot be disabled because the platform will not function without them.
- Functional: remember your sidebar state, dark mode, language and other preferences.
- Analytics (opt-in): Hotjar, Microsoft Clarity and Vercel Analytics help us understand how the product is used.
- Marketing (opt-in): only if explicitly enabled in our cookie banner.
You can adjust your preferences at any time through the public cookie banner, Dashboard Settings when signed in, or your browser settings. More detail is available in our Cookie Policy.
11. Security
We use TLS (HTTPS) for all data in transit, AES-256 encryption at rest for stored content, hashed and salted password storage (bcrypt), short-lived JWT access tokens with refresh tokens, role-based access controls, least-privilege database accounts, and continuous logging and monitoring. No system is 100% secure; if we become aware of a personal data breach we will notify the relevant supervisory authority within 72 hours and affected users without undue delay, as required by Art. 33 and 34 GDPR.
12. Children
Examo is intended for university students and adults aged 16 and over. We do not knowingly collect personal data from children under 16. If you believe a child has provided us with personal data, contact us at [email protected] and we will delete it.
13. Third-Party Websites
Examo may contain links to third-party websites. We are not responsible for the privacy practices of those sites and encourage you to read their privacy policies before providing any personal data.
14. Changes to this Policy
We may update this Privacy Policy from time to time. Material changes will be communicated by email and/or by posting a notice in the product at least 14 days before they take effect. The “Last Updated” date at the top of this page indicates when the policy was last revised.
15. Contact
For all enquiries — including privacy, data subject requests, and security matters — contact us at [email protected].
Social: Instagram @examo.me
By using Examo, you acknowledge that you have read, understood, and agree to this Privacy Policy.