Privacy Policy

Effective: March 12, 2026

Data Controller

Entendi is operated by Tomás Korenblit. For any privacy-related questions, email tomas@entendi.dev.

Data We Collect

• Account information: email address and display name provided during registration
• Probe responses: your text answers to comprehension probes
• Behavioral biometrics: response patterns (word count, typing speed, vocabulary complexity) and anomaly scores used for integrity detection
• Concept and mastery data: concepts you have encountered and your assessed understanding levels
• Payment information: if you subscribe to a paid plan, payment is processed by Stripe. We do not store credit card numbers, bank account details, or other payment credentials on our servers. Stripe provides us with a customer ID, subscription status, and billing metadata (plan type, billing period). See Stripe's privacy policy for how they handle payment data.
• IP addresses: recorded in server logs for security and abuse prevention
• Session cookies: a single authentication cookie used to keep you signed in, expiring after 7 days

Legal Basis for Processing

• Contract performance: we process your data to provide the Entendi service you signed up for, including tracking concepts, generating probes, computing mastery scores, and managing your subscription.
• Legitimate interest: we process IP addresses and behavioral biometrics for fraud detection, anomaly detection, and service improvement. We balance these interests against your privacy and limit processing to what is necessary.

Data Processors

We use the following third-party services to operate Entendi:

• Neon (database hosting): stores all application data including accounts, concepts, probe responses, and mastery scores. Data is hosted in the US-East region. See Neon's privacy policy.
• Cloudflare (CDN, compute, DNS): serves the application and processes requests through Cloudflare Workers. See Cloudflare's privacy policy.
• Stripe (payment processing): handles all payment transactions for paid subscriptions. See Stripe's privacy policy.
• Resend (transactional email): sends account-related emails such as password resets, payment failure notices, and contact form confirmations. See Resend's privacy policy.

Organization Data Sharing

If you join an organization on Entendi, the following data is visible to organization administrators:

• Your mastery scores and assessed understanding levels for each concept
• Your assessment history (which probes you received, when, and your scores)
• Aggregate statistics about your learning progress

The text of your individual probe responses is not shared with organization administrators. By joining an organization, you consent to the visibility described above. You can leave an organization at any time to stop sharing this data going forward.

Data Retention

• Active accounts: your data is retained for as long as your account exists.
• Deleted accounts: when you delete your account, all associated data (mastery scores, probe responses, behavioral profiles, assessment history) is permanently removed within 30 days.
• Payment records: Stripe retains payment and transaction records according to their own retention policy and applicable financial regulations. We cannot delete those records on your behalf.
• Server logs: IP addresses in server logs are retained for up to 90 days for security purposes, then deleted.

Your Rights

You have the right to:

• Access: request a copy of all personal data we hold about you.
• Correction: update or correct inaccurate information in your account.
• Deletion: delete your account and all associated data via the account deletion endpoint (DELETE /api/me) or by contacting us.
• Data portability: request your data in a machine-readable format (JSON).
• Objection: object to processing based on legitimate interest.

We respond to all rights requests within 30 days. Email tomas@entendi.dev to submit a request.

Children

Entendi is not intended for users under 16 years of age. We do not knowingly collect personal data from anyone under 16. If you believe a child under 16 has created an account, please contact us and we will delete it.

Cookies

Entendi uses a single session cookie for authentication. We do not use tracking cookies, advertising cookies, or third-party analytics cookies. The session cookie expires after 7 days of inactivity. A theme preference may be stored in your browser's local storage, but this is not a cookie and is never sent to our servers.

International Data Transfers

Your data is stored in the United States (Neon US-East region) and processed through Cloudflare's global network. If you are located outside the United States, your data will be transferred to and processed in the US. We do not currently offer EU-specific data residency options, but we will update this policy if that changes.

Changes to This Policy

If we make material changes to this privacy policy, we will notify you by email at least 30 days before the changes take effect. Non-material changes (clarifications, formatting) may be made without notice. The effective date at the top of this page always reflects the latest version.

Contact

For privacy inquiries, data requests, or questions about this policy, email tomas@entendi.dev.