Privacy Policy

1. Information We Collect

Information you provide directly

• Account details: your full name, email address, grade (e.g. Grade 12), and school name when you sign up.
• Uploaded content: past exam papers (PDF files) you upload to the platform for analysis.
• Practice answers: written answers you submit when practising questions.
• Payment information: billing details are processed directly by Stitch — we do not store your card number or banking details.

Information collected automatically

• Performance data: questions attempted, answers given, scores, topics practised, and progress over time.
• Device and browser information: IP address, browser type and version, operating system, and pages visited, collected via standard web server logs and session cookies.
• Usage patterns: which features you use, how long you study, and when you log in.

2. How We Collect It

• Through the signup form when you create an account.
• Through your use of the app — uploading papers, generating questions, submitting answers.
• Automatically through cookies and web server logs as you navigate the platform.
• Through payment processors when you subscribe to a paid plan.

3. Why We Collect It

We collect and process your personal information for the following legitimate purposes:

• Providing the service: to analyse your exam papers, generate practice questions, mark your answers, and track your progress.
• AI processing: your uploaded papers and answers are sent to Google Gemini to generate model solutions and assess your responses.
• Account management: to identify you, maintain your account, and manage your subscription.
• Communications: to send you account confirmation emails, payment receipts, weekly progress reports (if enabled), and study reminders (if enabled).
• Service improvement: to understand how users interact with the platform and make it better. We use aggregated, anonymised data for this purpose.
• Legal compliance: to meet our obligations under South African law, including tax and financial record-keeping requirements.

4. How Long We Keep It

• Your account and associated data is retained for as long as your account is active.
• If you delete your account, all personal data is permanently deleted within 30 days.
• Accounts with no login activity for 3 consecutive years will be flagged for deletion. We will send a warning email to the address on file 30 days before deletion.
• Payment records may be retained for up to 5 years to comply with South African tax legislation.
• Anonymised, aggregated usage statistics may be retained indefinitely as they cannot identify you.

5. Who We Share It With

We do not sell your personal information to third parties. We share it only with the following service providers, and only to the extent necessary to deliver the service:

• Supabase (supabase.com): our database and authentication provider. Your account data, uploaded questions, and performance data are stored in Supabase's infrastructure.
• Google Gemini (Google LLC): our AI engine. The text content of your uploaded exam papers and your practice answers are sent to Google's Gemini API for processing. Google's data use is governed by their API Terms of Service.
• Resend (Resend Inc.): our email delivery provider. Your name and email address are shared with Resend when we send you transactional or notification emails.
• Stitch Financial Technologies (Pty) Ltd: our payment processor. When you subscribe, you are redirected to Stitch to complete payment. We receive a confirmation but never see your payment credentials.
• Legal obligations: we may disclose your information if required to do so by a court order, subpoena, or applicable South African law.

All third-party service providers are required to handle your data securely and may not use it for their own marketing purposes.

6. POPIA Compliance & Your Rights

As a South African resident, you have the following rights under the Protection of Personal Information Act (POPIA):

Right to access

You may request a copy of all personal information we hold about you. You can download it directly from Account Settings, or email privacy@distinxion.co.za. We will respond within 30 days.

Right to correction

If any information we hold about you is inaccurate or incomplete, you may correct it in Account Settings or request a correction by emailing us.

Right to deletion

You may request that we delete your personal information. You can do this via the "Delete Account" option in Account Settings. We will process the deletion within 30 days. Note that we may retain certain records where required by law (e.g. payment records).

Right to object to processing

You may object to the processing of your personal information for direct marketing purposes at any time by emailing privacy@distinxion.co.za or by toggling off email notifications in Account Settings.

Right to data portability

You may download all your data in a structured, machine-readable format (JSON) from Account Settings.

How to lodge a complaint

If you believe we have violated your rights under POPIA, you may lodge a complaint with the Information Regulator of South Africa at inforegulator.org.za.

7. Parental Consent

Distinxion is designed for matric students, many of whom are under 18. We take the privacy of minors seriously.

• Users under the age of 18 must have the consent of a parent or legal guardian before creating an account.
• By creating an account and ticking the consent checkbox at signup, the user (or their parent/guardian) confirms that consent has been obtained.
• Parents or guardians may request to review, correct, or delete the personal information of their minor child by emailing privacy@distinxion.co.za with proof of relationship.
• We do not knowingly collect data from children under the age of 13. If we become aware that a child under 13 has created an account without parental consent, we will delete the account.

8. Cookies

We use cookies and similar technologies to keep you logged in and to understand how the platform is used. Please see our full Cookie Policy for details.

9. Data Security

We implement the following technical and organisational measures to protect your personal information:

• All data transmitted between your browser and our servers is encrypted using TLS (HTTPS).
• Passwords are never stored in plain text — authentication is handled by Supabase, which uses bcrypt hashing.
• Database access is restricted using Row Level Security (RLS) policies — you can only access your own data.
• API routes require valid authentication tokens before processing any request.
• Server-side API secrets (service role keys, API keys) are stored as environment variables and never exposed to the browser.
• Access to production systems is restricted to authorised personnel only.

No system is completely secure. In the event of a data breach that is likely to result in a risk to your rights and freedoms, we will notify the Information Regulator and affected users within 72 hours of becoming aware of the breach, as required by POPIA.

10. If the Company Closes

In the event that Distinxion ceases operations:

• We will notify all users by email at least 30 days in advance.
• You will be given the opportunity to download your data before the service shuts down.
• All personal data will be permanently and securely deleted within 60 days of closure.
• We will not sell user data to a third party as part of any liquidation or wind-down process.

11. Contact Us

For any privacy-related requests, questions, or complaints, please contact our Information Officer:

We will respond to all legitimate requests within 30 days.