Privacy Policy

Last updated: June 2026 · Effective: June 2026

Plain English first: We collect your email to keep you updated about Stavlos. We collect basic usage data to make the product better. We don't sell your data. Ever.

1. Who We Are

Stavlos is an AI-powered study tool built and operated as a sole proprietorship registered in the Netherlands.

Business address: Netherlands (full address provided upon KVK registration)

Contact: privacy@stavlos.com

2. What Data We Collect

2.1 Waitlist Data

When you join the Stavlos waitlist, we collect:

  • Your email address
  • Your waitlist position and sign-up timestamp
  • Your referral code and how many people you referred
  • The referral code of whoever referred you (if any)

2.2 Product Data (When App Launches)

  • Account information (email, password hash — never plain text)
  • Messages you send to the AI (to provide the service)
  • Files you upload (syllabuses, documents)
  • Usage data (how often you use features, session duration)
  • Payment information (processed by Stripe — we never see your card details)

2.3 Automatic Data

  • IP address (for security and fraud prevention)
  • Browser type and device information
  • Pages visited and time spent on them
  • Referral source (how you found us)

2.4 What We Don't Collect

  • Your real name (unless you give it to us)
  • Your phone number
  • Your location (beyond country, for tax purposes)

3. Why We Collect It

Email address

To send you waitlist updates, launch notifications, and product emails. You can unsubscribe anytime.

Messages & uploaded files

To provide the AI study service. Your messages are sent to our AI provider (Groq/OpenRouter) to generate responses. They are not used to train AI models.

Usage data

To understand how people use Stavlos and make it better. We look at patterns, not individual users.

Payment data

To process your subscription. Handled entirely by Stripe. We only see that you paid and when.

Referral data

To track referrals and apply your €5 price lock or free month bonus reward. That's it.

4. Who We Share Data With

We don't sell your data. We only share with services that help us run Stavlos:

  • Supabase (EU): Database hosting
  • Vercel (EU/US): Website hosting
  • Resend (US): Sending emails to you
  • Stripe (US): Processing payments
  • Groq (US): AI responses for chat
  • OpenRouter (US): AI responses for syllabus analysis
  • Upstash (EU): Caching (speeds up the app)

All US-based services are covered by Standard Contractual Clauses (SCCs) as required by GDPR.

5. Your GDPR Rights

Right to Access

Ask us what data we have about you. We'll send it within 30 days.

Right to Correction

Ask us to fix incorrect data about you.

Right to Deletion

Ask us to delete all your data ('right to be forgotten').

Right to Portability

Ask for your data in a machine-readable format.

Right to Object

Object to how we process your data.

Right to Restrict

Ask us to stop processing your data temporarily.

Right to Withdraw Consent

Unsubscribe from emails or delete your account anytime.

To exercise any of these rights, email privacy@stavlos.com. We respond within 30 days. You can also file a complaint at autoriteitpersoonsgegevens.nl.

6. How Long We Keep Your Data

Waitlist data

Until launch + 90 days, or until you ask us to delete it

Account data

As long as you have an account, plus 30 days after deletion

Payment records

7 years (required by Dutch tax law)

AI chat messages

90 days, then automatically deleted

Uploaded files (syllabuses)

Until you delete them, or when you close your account

Usage/analytics data

12 months, then anonymized

7. Cookies

We use minimal cookies. No advertising cookies, no tracking pixels, no Google Analytics.

  • Session cookie (required): Keeps you logged in
  • Preference cookie (required): Remembers your settings
  • Analytics cookie (optional): Understands how you use the app (anonymized)

8. Security

  • All data is encrypted in transit (HTTPS/TLS)
  • Passwords are hashed using bcrypt (we never store plain text)
  • Database access is restricted and monitored
  • We use Row Level Security (RLS) in our database
  • API keys are never exposed to the frontend

Found a vulnerability? Report it to security@stavlos.com.

9. Age Requirements

Stavlos is designed for students aged 13 and older. If you are under 16, you may need parental consent depending on your country's laws.

We do not knowingly collect data from children under 13. Contact us at privacy@stavlos.com if you believe this has happened.

10. Changes to This Policy

For significant changes, we'll email you at least 14 days in advance. The date at the top of this page always shows when it was last updated.

11. Contact Us

Email: privacy@stavlos.com

Response time: Within 5 business days

Language: Dutch or English

© 2026 Stavlos. All rights reserved.