Onbridger
onbridger.com

Privacy Policy

Effective date: May 5, 2026

1. Introduction

Onbridger ("we", "our", "the Service") is an adaptive exam readiness platform operated by Onbridger, based in Sweden. This Privacy Policy describes how we collect, use, store, and protect your personal data in accordance with the General Data Protection Regulation (EU) 2016/679 ("GDPR") and applicable Swedish data protection law. By creating an account or using Onbridger, you agree to the practices described in this policy.

2. Data we collect

Account information: When you register, we collect your email address, name, and university affiliation. If you sign in via Google OAuth, we receive your name and email from Google.

Course material: You may upload syllabi, lecture notes, and past exam papers. These are stored in your account and processed to generate personalized study content.

Usage data: We collect study session data including questions answered, answer correctness, mastery scores, time spent, and learning velocity. This data drives the adaptive learning engine.

Technical data: We collect standard web server logs including IP address, browser type, and device information for security and service operation purposes.

3. How we use your data

We use your data exclusively for the following purposes:

  • Generating personalized questions, explanations, and study plans
  • Tracking mastery and scheduling spaced repetition reviews
  • Computing exam readiness assessments
  • Improving the Service through aggregate, anonymized analytics
  • Communicating with you about your account and the Service

We do not sell, rent, or license your personal data to third parties. We do not use your data for advertising purposes.

4. Third-party AI services

Onbridger uses third-party AI services (Anthropic Claude, Google Gemini) to generate questions and evaluate answers. Your uploaded material may be sent to these services for processing. Under the commercial API terms of both Anthropic and Google, data submitted via their APIs is not used to train or improve their AI models. No persistent copies of your data are retained by these providers beyond the duration of the API request.

5. Data storage and security

Your data is stored on Supabase (PostgreSQL) with infrastructure hosted in the European Union (Frankfurt, Germany). We employ industry-standard security measures including encryption in transit (TLS 1.2+), encryption at rest, and role-based access controls. Authentication is managed through Supabase Auth with support for email/password and Google OAuth.

6. Course sharing

When you share a course, the course structure (topic names, chapter names, exam type) and uploaded course material (lecture notes, syllabi, past exams) are made accessible to recipients via the share link. This enables classmates to benefit from the same material-grounded study experience. Your mastery data, study history, and personal information are never included in shared courses. By sharing a course, you confirm you have the right to distribute the uploaded material.

7. Data retention and account deletion

We retain your personal data for as long as your account is active. When you delete your account:

  • Removed immediately: your name; your email, which is replaced with an irreversible anonymous identifier; uploaded material (lecture notes, syllabi, past exams); parsed material; professor names; daily briefings; and personalized study plans.
  • Anonymized and retained: aggregated study behavior, including mastery progressions, evaluation outcomes, learning events, session check-ins, and API usage rows. These are no longer linked to identifying personal data and are used for cohort analytics, item calibration, and product improvement.

Under GDPR Article 4(1) and Recital 26, data that is anonymized in such a way that the natural person is no longer identifiable falls outside the scope of personal data and may be retained indefinitely. If you want full erasure of all rows including the anonymized derivatives, contact us at the address below and we will handle it within 30 days.

8. Your rights under GDPR

If you are located in the European Economic Area, you have the following rights under the General Data Protection Regulation (GDPR):

  • Right of access: Request a copy of your personal data
  • Right to rectification: Request correction of inaccurate data
  • Right to erasure: Request deletion of your data
  • Right to data portability: Request your data in a machine-readable format
  • Right to restriction: Request limitation of processing
  • Right to object: Object to processing of your data

To exercise any of these rights, contact us at the address below.

9. Cookies

We use essential cookies strictly necessary for authentication and session management. We do not use tracking cookies, advertising cookies, or third-party analytics cookies.

10. Changes to this policy

We may update this Privacy Policy from time to time. Material changes will be communicated via email or in-app notification at least 14 days before taking effect. Continued use of the Service after changes constitutes acceptance of the updated policy.

11. Contact

Data controller: Onbridger, Sweden.

For privacy inquiries, data access requests, or complaints, contact us at:

inquiries@onbridger.com

You also have the right to lodge a complaint with the Swedish Authority for Privacy Protection (IMY) at imy.se.