Privacy Policy — Capya
Effective date: November 7, 2025
Website and app: learningcapya.com and related subdomains (the "Service")
This Privacy Policy explains how Capya ("Capya," "we," "us," "our") collects, uses, shares, and safeguards information when you use the Service. It also describes your choices and rights. If you do not agree with this Policy, please do not use the Service.
Note: Where local law requires a specific controller name and address, replace the placeholders below with your legal entity details.
1) Who we are and scope
Controller: [Capya legal entity name], [registered address], [country].
Contact: privacy@learningcapya.com
This Policy applies to visitors, account holders, and end users (collectively, "Users").
Capya offers an AI-assisted learning platform for creators/admins (who build and manage courses) and students (who are invited by a workspace and learn inside courses).
2) Key terms
- Students: users who validate their email in a workspace and can access assigned courses.
- Creators/Admins: users who create, edit, publish, and manage users or settings. Admins have elevated permissions and are billed as creators.
- Workspace: an organization or personal account using Capya.
- AI Features: course generation, AI Tutor, embeddings, and related features.
- BYOK: "Bring Your Own Key," where Business workspaces can connect their own OpenAI API key for AI processing.
3) Information we collect
A. You provide to us
- Account & profile: name, email, password (hashed), role (student/creator/admin), organization name.
- Authentication logs: sign-in timestamps, providers (e.g., Google OAuth).
- Content: documents you upload or connect (e.g., through Google Drive, Notion), course content, comments, notes, quiz items.
- Support & feedback: messages, survey responses, bug reports.
- Billing: when purchasing paid plans, limited billing details (handled by our payment processor; see "Sharing" below).
B. Collected automatically
- Usage data: pages and features used, actions (e.g., course_created, lesson_viewed), time spent, device type, browser, OS.
- Diagnostics: crash logs, performance metrics, API request metadata.
- Cookies & similar tech: required, functional, and analytics cookies. See "Cookies" below.
C. From integrations (at your direction)
- Connected sources: metadata and files from tools you connect (e.g., Google Drive, Notion, Zoom transcripts).
- Access is scoped: we only access items you select or that are needed to deliver the feature (e.g., indexing). You can revoke access at any time.
4) How we use information
Product operation
- Provide, maintain, and improve the Service; personalize learning paths; power social features (comments, notes); operate search, indexing, and retrieval.
AI features
- Generation & Tutor: transform your selected content into course outlines, lessons, quizzes; answer questions using your materials.
- Embeddings & retrieval: convert your content to vector representations to improve relevance.
- BYOK (Business): when enabled, your workspace's OpenAI key is used for AI calls; Capya does not bill you for tokens in that case.
- Caching: we cache outputs and embeddings to improve speed and reduce cost. We re-embed only changed content.
Security & compliance
- Authenticate users, prevent abuse, detect fraud, audit access, and meet legal obligations.
Communications
- Send transactional emails (invites, receipts, critical updates).
- Send product tips and onboarding messages; you can opt out of non-essential emails.
Analytics & improvement
- Analyze aggregate usage to guide product decisions and performance tuning.
Legal bases (GDPR/LGPD)
- Contract necessity: to provide the Service you request.
- Legitimate interests: product analytics, security, fraud prevention, and improvement (balanced against your rights).
- Consent: cookies/marketing where required; connecting integrations; BYOK.
- Legal obligation: to comply with law, tax, and enforcement requests.
5) Sharing and disclosure
We do not sell personal data. We share data only as described:
- Processors (service providers): cloud hosting, databases, logging/monitoring, analytics, email delivery, customer support tooling, payment processing (e.g., Stripe). They may access personal data only to perform services for us under contract.
- AI providers:
- Capya-managed AI: requests may be sent to reputable LLM providers. We instruct providers not to use your content to train their models.
- BYOK: requests are sent with your workspace's OpenAI key; token usage is billed to your provider account.
- Integrations: at your direction, we connect to Google Drive, Notion, Zoom, etc. Those services process data under their terms.
- Legal: to comply with law, enforce agreements, or protect rights, safety, and security.
- Business transfers: in a merger, acquisition, or asset sale, we will provide notice and continue to protect your data.
Request our current subprocessor list at privacy@learningcapya.com.
6) Data retention
- Account data: kept while your account is active.
- Content: retained until you delete it or your workspace is deleted, subject to admin policies.
- Backups: limited-term backups are retained for disaster recovery.
- Deletion: on account or workspace deletion, we aim to remove active copies promptly and backups within standard cycles.
- Analytics logs: kept for a limited period for security and product improvement, then aggregated or deleted.
7) Your choices and rights
Access & control
- Profile & settings: update name, email, and preferences in the app.
- Content: creators/admins can delete or modify uploaded/connected content; students may request changes through workspace admins.
- Integrations: revoke access in Capya or in the third-party console.
- Email preferences: opt out of non-essential communications.
Privacy rights (where applicable: GDPR, UK GDPR, LGPD, CCPA/CPRA)
- Right to access/portability, correction, deletion, restriction, objection, and consent withdrawal.
- California: right to know, delete, correct, and opt out of certain sharing; we do not sell personal information.
- Brazil (LGPD): rights of confirmation, access, correction, anonymization, portability, deletion, and information about sharing.
To exercise rights, email privacy@learningcapya.com. We may verify your identity. Some requests must be handled by your workspace admin (the controller in many enterprise contexts).
8) Security
We use industry-standard safeguards including encryption in transit and at rest, access controls, least-privilege practices, and monitoring. No system is 100 percent secure; you are responsible for maintaining the confidentiality of your login credentials and restricting access to your devices.
9) International data transfers
We may process data in locations where we or our processors operate. Where required, we use lawful transfer mechanisms such as the EU Standard Contractual Clauses and comparable safeguards for other jurisdictions.
10) Children's privacy
The Service is not directed to children under 13 (or the equivalent age in your jurisdiction). We do not knowingly collect personal data from children. If you believe a child has provided data, contact privacy@learningcapya.com and we will take appropriate action.
11) Cookies and tracking
- Required cookies: authentication, session management, security.
- Functional cookies: preferences and improved features.
- Analytics cookies: to understand usage and improve the product.
- Do Not Track: we currently do not respond to DNT signals.
You can control cookies via your browser settings. Some features may not function without essential cookies.
12) Workspace responsibilities
- Admins decide which integrations to enable and which users to invite or deactivate.
- Student definition: a user is considered active after validating email until deactivated by an admin.
- Content ownership: workspaces are responsible for ensuring they have rights to upload or connect content and share it with students.
- BYOK: when enabled, the workspace is responsible for its AI provider account, key security, and usage charges.
13) Data subject–workspace relationship
For enterprise or team workspaces, Capya may act as a processor on behalf of the workspace (the controller) for content and user data inside that workspace. Capya may act as controller for certain account-level and service operations (e.g., security logs, billing of creators/admins). We make role distinctions clear in our Data Processing Addendum (DPA) upon request.
14) How to contact us
- Email: privacy@learningcapya.com
- Postal mail: [Add registered address]
- EU/UK representative & DPO (if applicable): [Add contact details if required]
15) Changes to this Policy
We may update this Policy from time to time. We will post the updated version on learningcapya.com and update the "Effective date" above. For significant changes, we will provide additional notice (e.g., email or in-app).
16) Annex: Summary of data categories & purposes
| Category | Examples | Purpose | Legal basis |
|---|---|---|---|
| Account & Profile | Name, email, role | Create and manage your account | Contract |
| Authentication | OAuth info, login logs | Secure access, audit | Legitimate interests; Legal obligation |
| Content | Files, course data, comments | Provide features, AI generation | Contract; Consent for integrations |
| Usage & Analytics | Feature usage, events | Improve product, debug | Legitimate interests |
| Billing | Subscription metadata | Process payments (via processor) | Contract; Legal obligation |
| AI Processing | Prompts, retrieved chunks, outputs | Course generation, Tutor | Contract; Legitimate interests; BYOK by consent |
| Integrations | Drive/Notion/Zoom content | Ingest, index, keep fresh | Contract; Consent |
| Support | Tickets, feedback | Assist users, improve | Legitimate interests |