OpenUniversity

Privacy Policy

Last updated: February 25, 2026

Open University Inc. (“Open University,” “we,” “us,” or “our”) is committed to protecting your privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our platform and services.

1. Information We Collect

1.1 Information You Provide

  • Account data: Name, email address, username, profile picture, and password (managed via Clerk authentication).
  • Learning preferences: Experience level, learning goals, time commitments, preferred teaching style, and subject interests.
  • Payment data: Billing address and payment method details (processed securely by Stripe; we do not store full card numbers).
  • User-generated content: Forum posts, course reviews, peer review feedback, study notes, and project submissions.
  • Communications: Support requests, feedback, and other messages you send us.

1.2 Information Collected Automatically

  • Usage data: Pages visited, features used, time spent on lessons, assessment scores, and interaction patterns.
  • Device data: Browser type, operating system, device identifiers, screen resolution, and language settings.
  • Log data: IP address, access times, referring URLs, and error logs.
  • Cookies and similar technologies: See our Cookie Policy for details.

1.3 Information from Third Parties

  • Authentication providers: If you sign in via Google, GitHub, or other providers, we receive your name, email, and profile picture.
  • Payment processor: Stripe provides transaction confirmations and subscription status.

2. How We Use Your Information

We use your information to:

  • Provide the Service: Generate personalized curricula, deliver lesson content, track progress, grade assessments, and issue certificates.
  • Personalize learning: Adapt difficulty, recommend content, schedule spaced repetition reviews, and tailor the AI tutor to your learning style.
  • Process payments: Handle subscriptions, invoicing, and refunds.
  • Communicate: Send account notifications, study reminders, weekly progress reports, and important updates (you can opt out of non-essential communications).
  • Improve the platform: Analyze usage patterns to improve content quality, fix bugs, and develop new features.
  • Ensure safety: Detect fraud, enforce our Terms of Service, and maintain platform security.
  • Legal compliance: Meet our legal obligations and respond to lawful requests.

3. Legal Basis for Processing (GDPR)

If you are in the European Economic Area (EEA), we process your data under the following legal bases:

  • Contract performance: Processing necessary to provide the Service you signed up for (account management, content delivery, assessments).
  • Legitimate interests: Improving our platform, preventing fraud, and marketing (where your rights don't override).
  • Consent: For optional cookies, marketing emails, and certain data processing activities. You can withdraw consent at any time.
  • Legal obligation: When processing is required by law (tax records, regulatory requirements).

4. How We Share Your Information

We do not sell your personal data. We share information only in these circumstances:

  • Service providers: We use trusted third-party services (Clerk for authentication, Stripe for payments, Neon for database hosting, OpenAI for AI features, Resend for email) who process data on our behalf under strict data processing agreements.
  • Public profile: Your username, display name, avatar, and learning achievements are visible on your public profile and leaderboards (configurable in settings).
  • Certificates: Public certificates include your name, course title, grade, and completion date. You can make certificates private.
  • Study groups: When you join a study group, other members can see your name, avatar, and course progress.
  • Legal requirements: We may disclose data if required by law, regulation, or legal process.
  • Business transfers: In the event of a merger, acquisition, or asset sale, your data may be transferred with notice.

5. Data Retention

  • Account data: Retained while your account is active. Upon deletion, personal data is removed within 30 days (some data retained for legal obligations up to 7 years).
  • Learning data: Progress, scores, and certificates are retained to ensure certificate validity. Anonymized learning data may be retained for research.
  • Payment data: Transaction records retained for 7 years per tax law requirements.
  • Log data: Automatically deleted after 90 days.

6. Your Rights (GDPR & CCPA)

Depending on your jurisdiction, you have the right to:

  • Access: Request a copy of your personal data.
  • Rectification: Correct inaccurate or incomplete data.
  • Erasure: Request deletion of your personal data (“right to be forgotten”).
  • Restriction: Request that we limit how we use your data.
  • Portability: Receive your data in a structured, machine-readable format.
  • Objection: Object to processing based on legitimate interests.
  • Withdraw consent: Withdraw consent for consent-based processing at any time.
  • Non-discrimination: We will not discriminate against you for exercising your privacy rights (CCPA).

To exercise any of these rights, email us at privacy@openuniversity.com. We will respond within 30 days (or as required by law).

7. International Data Transfers

Your data may be processed in the United States and other countries where our service providers operate. For transfers from the EEA, we rely on Standard Contractual Clauses (SCCs) approved by the European Commission, and we ensure all processors maintain adequate safeguards.

8. Data Security

We implement industry-standard security measures including:

  • Encryption in transit (TLS 1.3) and at rest (AES-256).
  • Secure authentication via Clerk with multi-factor authentication support.
  • Regular security audits and penetration testing.
  • Role-based access controls for internal systems.
  • Incident response procedures with notification within 72 hours of a breach (per GDPR).

9. Children's Privacy

Open University is not directed at children under 16. We do not knowingly collect personal data from children under 16. If we become aware that we have collected data from a child under 16, we will delete it promptly. If you believe a child has provided us with personal data, contact us at privacy@openuniversity.com.

10. Third-Party Links

Our platform may contain links to third-party websites or services. We are not responsible for the privacy practices of these third parties. We encourage you to read their privacy policies.

11. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of material changes via email or a prominent notice on our platform. Your continued use of the Service after changes constitutes acceptance of the updated policy.

12. Data Protection Officer

For privacy-related inquiries or to exercise your rights, contact our Data Protection Officer at dpo@openuniversity.com.

13. Supervisory Authority

If you are in the EEA and believe we have not adequately addressed your privacy concerns, you have the right to lodge a complaint with your local data protection supervisory authority.

14. Contact

For questions about this Privacy Policy, contact us at: privacy@openuniversity.com

Privacy Policy | Open University