ACTRA Privacy Policy
1. General provisions
This Privacy Policy explains what personal data may be processed when using ACTRA, why it is processed, who it may be shared with, how long it may be stored, and what rights users may have.
This Policy applies to the hosted web application, local application, website, APIs, learning features, AI-assisted features, feedback, support, Premium access, and related ACTRA services.
By using ACTRA, the user confirms that they have read this Policy, the Terms of Service, and the Refund Policy.
2. Controller and contacts
The data controller for ACTRA is: Glushych Valerii Andriiovych, an individual, Ukraine, Dnipro. Contact email: vahlushych@gmail.com.
General support contact: actrafb@proton.me Privacy contact: actrafb@proton.me
If a specific hosted deployment is operated by a separate legal entity, educational organization, partner, or other controller, that entity may act as an independent controller or joint controller within the scope of that deployment.
3. Data we may process
Depending on the selected mode and available features, ACTRA may process account and profile data, authentication data, session data, learning progress, statistics, tasks, answers, uploaded or created materials, settings, feedback, support messages, technical logs, diagnostic data, payment-related records, and AI-related request data.
Account data may include profile name, display name, login, email, avatar or avatar seed, user identifier, profile settings, interface settings, security settings, password status, email verification status, and consent records.
Authentication and security data may include password hashes, session cookies, email confirmation data, password reset tokens, consent versions, consent timestamps, and technical records required for secure login.
Learning data may include progress, sessions, task results, created materials, uploaded materials, cards, tasks, answers, and related metadata.
Feedback and support data may include message text, category, severity, subject, description, and technical details that the user chooses to include.
Technical and operational data may include request route, request method, internal session identifiers, events, feature flags, diagnostics, availability indicators, and operation results.
Payment-related data may include Premium period, order status, payment date, selected plan, billing support correspondence, and payment provider references needed to verify a payment or refund. ACTRA does not intentionally store full card numbers.
AI-related data may include user-provided AI keys, materials, text fragments, instructions, task metadata, prompts, responses, model/provider information, limits, and technical results of AI operations.
4. Sources of data
ACTRA receives data directly from users during registration, sign-in, profile setup, use of the service, upload of materials, payment or support communication, and use of AI-assisted features.
ACTRA may also receive data automatically during use of the web/API functionality, from migrated local data, and from external AI, email, hosting, infrastructure, or payment providers where such providers return service, delivery, technical, or payment status information.
5. Purposes and legal bases
ACTRA processes data for the following purposes and legal bases:
- Account and profile data: contract performance or requested service, consent where required, and legitimate interest in account administration.
- Authentication, session, and security data: contract performance, legal obligations where applicable, and legitimate interest in security, fraud prevention, and abuse prevention.
- Learning data and user materials: contract performance or requested service; consent where the user voluntarily enables optional features; legitimate interest in maintaining and improving service reliability.
- AI-related data: user request or consent for optional AI-assisted functions, contract performance for the requested function, and legitimate interest in security and troubleshooting.
- Feedback and support data: user request, contract performance, and legitimate interest in support, diagnostics, and product improvement.
- Technical logs, telemetry, and diagnostics: legitimate interest in stability, security, troubleshooting, abuse prevention, and service improvement.
- Payment and Premium records: contract performance, legal obligations, and legitimate interest in billing administration, dispute handling, and fraud prevention.
- Consent records and legal document versions: legal obligations and legitimate interest in documenting acceptance.
Where processing is based on consent, the user may withdraw consent to the extent permitted by the service functionality and applicable law. Withdrawal does not affect processing already performed lawfully before withdrawal.
6. Cookies and sessions
In hosted web mode, ACTRA uses technical cookies and session mechanisms required for sign-in, maintaining authenticated sessions, protecting the interface and APIs, and ensuring correct operation of the web service.
These cookies are not intended for advertising targeting.
7. AI-assisted features and external providers
If the user uses AI-assisted features, ACTRA may transmit relevant data to external AI providers. Depending on configuration, current providers may include OpenRouter, Google Gemini, Groq, or other compatible providers. The actual list may change as providers are added, removed, or reconfigured.
Only data needed to perform the requested AI function is transmitted. External AI providers may process data according to their own policies and terms.
If the user saves personal AI keys in ACTRA, those keys are stored in user settings and used to connect to the selected provider at the user's request.
8. Sharing of data
ACTRA may share data with hosting providers, infrastructure providers, database providers, email delivery providers, payment providers, AI providers selected or used for requested functions, support and technical contractors, and competent public authorities where required by law or legal process.
ACTRA does not sell users' personal data.
9. International transfers
Some infrastructure, email, payment, and AI providers may be located outside the user's country or outside the EEA. In such cases, data may be transferred to other jurisdictions to the extent necessary to provide the requested service.
Where required, such transfers are made using standard contractual clauses, adequacy decisions, provider safeguards, the user's explicit request for the relevant function, or another lawful transfer mechanism available under applicable law.
10. Retention
ACTRA stores data no longer than necessary for the purposes for which it was collected, unless a longer period is required for security, dispute resolution, legal compliance, backup integrity, or legitimate operational needs.
Account and profile data are generally stored while the account or profile is active. Learning data and user materials are generally stored while needed for the service or until deleted where deletion is available. Session data and technical cookies are stored for the period needed for authentication and security. Email confirmation and password reset tokens are stored for a limited period needed to complete the relevant operation.
Technical logs, telemetry, and diagnostics are generally stored for no more than 12 months, unless longer retention is needed for security investigations, incident analysis, fraud prevention, legal compliance, or dispute resolution. Consent records, payment records, feedback, and support records may be kept for the period needed to document the relationship, resolve disputes, comply with law, and protect ACTRA's rights.
11. User rights
Depending on applicable law, the user may have the right to know what data is processed, request access, correction, deletion, restriction of processing, objection to processing, portability, withdrawal of consent, and submission of a complaint to a competent supervisory authority.
ACTRA responds to rights requests within 1 month after receiving the request and the information needed to verify it. Where legally permitted and necessary due to complexity or number of requests, this period may be extended by up to 2 additional months, with notice to the user.
Some rights may be available through service functionality, and others may be exercised by contacting support.
12. Automated decisions
ACTRA may use automated processes for authorization, security, technical responses, feature routing, recommendations, progress calculations, and AI-assisted tools. These processes are not intended to make solely automated decisions that produce legal or similarly significant effects for the user.
If ACTRA introduces a feature that makes a legally or similarly significant automated decision, ACTRA will provide appropriate information and a way to request human review or contest the decision where required by law.
13. Security
ACTRA uses reasonable organizational and technical measures to protect data from unauthorized access, alteration, loss, disclosure, or destruction. No method of storage or transmission is absolutely secure.
The user is also responsible for reasonable security measures, including protecting passwords, devices, email accounts, and API keys.
14. Local and hosted modes
ACTRA may operate locally or in hosted web mode. In local mode, some data may be stored on the user's device. In hosted web mode, data may be stored on server infrastructure used to provide the service.
The actual composition and storage location of data depend on the selected mode, deployment configuration, and enabled features.
15. Changes to this Policy
ACTRA may update this Policy. A new version becomes effective from the date indicated in the document unless stated otherwise.
For material changes, ACTRA will notify users at least 14 days before the effective date through the service interface and, where an email address is available, by email. Continued use of ACTRA after the effective date may require renewed acceptance.
16. Contact
For privacy questions: actrafb@proton.me For general support: actrafb@proton.me