Privacy Policy
Last updated: March 31, 2026
Sylly ("Sylly," "we," "us," or "our") is committed to protecting the privacy of our users. This Privacy Policy explains what personal information we collect, why we collect it, how we use and share it, and your rights regarding that information.
This policy applies to the Sylly website, applications, and services (the "Service"). By using the Service, you agree to the collection and use of information as described in this Privacy Policy. Please also review our Terms of Service.
1. Who We Are
Sylly is a Canadian company that operates an AI-powered student operating system for post-secondary students. For privacy inquiries, you can reach us at:
- Email: privacy@sylly.ca
- Website: sylly.ca
The person accountable for our privacy practices is Sylly's founder and can be reached at the email address above.
2. Information We Collect
2.1 Information You Provide
When you create an account and use the Service, you may provide:
| Category | Specific Data |
|---|---|
| Account information | First name, last name, email address, username, password |
| Profile information | Phone number, age, country, state/province, school name, education level (college/university), degree level (undergraduate/graduate/other), program of study |
| Class information | Class names, course codes, schedules, locations, professor names, semesters, goal grades |
| Academic content | Evaluations (assignments, quizzes, tests, projects, exams) with names, descriptions, requirements, due dates, weights, grades |
| Documents | Uploaded files (syllabi, rubrics, slides, readings, assignments — DOCX and PDF formats), including extracted text content |
| Recordings | Audio recordings of lectures, including duration and recording date |
| Notes | Study notes (manually created or AI-generated), including key terms, summaries, and practice questions |
| Flashcards | Flashcard sets with front/back content |
| Practice tests | Practice test questions, answers, and your test attempt responses and scores |
| Messages | Direct messages and group chat messages sent to other users |
| AI conversations | Your messages to the AI study assistant and the AI's responses |
| Payment information | Billing details are collected by Stripe (our payment processor) — we do not store your credit card number. We store your Stripe customer ID, subscription ID, subscription status, and billing period dates. |
| Notification preferences | Your push and email notification settings, including quiet hours |
2.2 Information Collected Automatically
When you use the Service, we may automatically collect:
- Usage data: Feature usage counts tracked through our rate-limiting and tier enforcement system (e.g., number of AI chat messages per day, AI generations per month, recording minutes used). This data is stored temporarily in Redis and resets on a daily or monthly basis.
- Log data: Our hosting infrastructure may collect IP addresses, browser type, and access timestamps as part of standard server operations.
- Authentication tokens: Supabase (our authentication provider) uses secure HTTP-only cookies to manage your login session.
2.3 Information We Do Not Collect
- We do not use cookies for advertising or tracking purposes
- We do not use third-party analytics or tracking pixels
- We do not collect precise geolocation data
- We do not collect biometric data
- We do not sell or share your data for advertising purposes
3. How We Use Your Information
We use your personal information for the following purposes:
| Purpose | Description |
|---|---|
| Provide the Service | Create and manage your account, display your classes and content, enable social features (friends, messaging) |
| AI features | Send relevant portions of your content (class materials, documents, notes, recordings) to AI providers to generate study notes, flashcards, practice tests, and chat responses |
| Transcription | Send your audio recordings to OpenAI's Whisper API for speech-to-text transcription |
| Study planning | Use your class schedules, evaluations, and grades to generate personalized study plans and session recommendations |
| Payment processing | Process subscription payments through Stripe, manage your billing status |
| Usage enforcement | Track feature usage to enforce free-tier limits and prevent abuse |
| Communication | Send you account-related emails (password resets, subscription confirmations) and, with your consent, notification emails |
| Security | Rate limiting, fraud prevention, and protecting against unauthorized access |
| Service improvement | Diagnose technical issues and improve the Service (using aggregated, de-identified data only) |
4. How We Share Your Information
We do not sell, rent, or trade your personal information. We share your data only with the following categories of service providers, solely for the purposes of operating the Service:
| Provider | What We Share | Purpose | Data Training |
|---|---|---|---|
| Anthropic (Claude API) | Portions of your class materials, documents, notes, and chat messages as context for AI prompts | AI-powered study chat, note generation, flashcard generation, practice test generation, grading | API data is not used for model training. Logs are retained for 7 days for abuse monitoring, then deleted. |
| OpenAI (Whisper API) | Audio recording files | Speech-to-text transcription of lecture recordings | API data is not used for model training. Audio transcription endpoints have no retention for abuse monitoring. |
| Supabase | All account data, content, and files | Authentication, database storage, file storage (documents and recordings) | Acts as our data processor; does not use your data for its own purposes. |
| Stripe | Email address, name (for customer record); payment details are collected directly by Stripe | Subscription billing and payment processing | Processes data per its own privacy policy; does not use for training. |
| Upstash | User ID and feature usage counts (no content) | Rate limiting and tier usage tracking | Stores only counters with automatic expiration (daily/monthly). |
We may also disclose your information if required by law, legal process, or government request, or if necessary to protect the rights, property, or safety of Sylly, our users, or the public.
5. Information Shared With Other Users
Certain information is visible to other Sylly users:
- Profile: Your first name, last name, and username are visible to other users (e.g., in friend search results, messages, group chats).
- Messages: Messages you send in direct messages and group chats are visible to the recipients.
- Shared content: If you share notes, flashcards, or practice tests with other users, they receive a copy of that content.
Your email address, phone number, academic details, documents, recordings, and other private content are not visible to other users.
6. Cross-Border Data Transfers
Sylly is based in Canada. Your personal information may be processed and stored in countries outside of your jurisdiction, including the United States, where our third-party service providers operate. By using the Service, you consent to the transfer of your information to these countries.
We ensure that any cross-border transfers are conducted in compliance with applicable privacy laws, including PIPEDA. We hold our service providers accountable for protecting your information through appropriate contractual and technical safeguards.
7. Data Retention
We retain your personal information as follows:
- Account and content data: Retained for as long as your account is active. When you delete your account, we delete your profile, classes, documents, recordings, notes, flashcards, practice tests, messages, conversations, friend connections, and notification preferences. Due to the cascading deletion structure of our database, deleting your account removes all associated data.
- Uploaded files: Documents and recordings stored in our file storage are deleted when you delete the associated content or your account.
- Usage tracking data: Rate-limiting and usage counters stored in Redis automatically expire on a daily or monthly basis.
- Payment records: Stripe retains transaction records in accordance with its own retention policies and applicable financial regulations. We retain your Stripe customer ID and subscription status for as long as your account is active.
- AI processing: Anthropic retains API logs for up to 7 days. OpenAI's audio transcription endpoints have no retention. After processing, AI-generated content is stored in our database as part of Your Content.
- Backups: Database backups maintained by our hosting provider may contain your data for a limited period after deletion, in accordance with standard data recovery practices.
8. Your Rights
Depending on your jurisdiction, you may have the following rights regarding your personal information:
8.1 All Users
- Access: You can view and export your personal information through the Service at any time.
- Correction: You can update your profile information through the settings page.
- Deletion: You can delete your account and all associated data through the privacy settings in your account. Account deletion is permanent and cannot be undone.
- Withdraw consent: You can withdraw your consent to specific data processing activities by adjusting your settings or contacting us.
8.2 Canadian Users (PIPEDA & Quebec Law 25)
Under Canadian privacy law, you have the right to:
- Know what personal information we hold about you and how it has been used
- Request access to your personal information (we will respond within 30 days)
- Challenge the accuracy and completeness of your information and have it amended
- Withdraw your consent to the collection, use, or disclosure of your personal information (subject to legal or contractual restrictions)
- File a complaint with the Office of the Privacy Commissioner of Canada (priv.gc.ca) or, for Quebec residents, the Commission d'accès à l'information du Québec
- Request your personal information in a structured, commonly used format (data portability; Quebec residents)
Quebec residents should note that we treat the personal information of minors under 14 as sensitive information requiring parental consent for collection.
8.3 California Users (CCPA/CPRA)
If you are a California resident, you have the following rights:
- Right to Know: Request what personal information we collect, use, and disclose
- Right to Delete: Request deletion of your personal information
- Right to Correct: Request correction of inaccurate personal information
- Right to Non-Discrimination: We will not discriminate against you for exercising your privacy rights
We do not sell or share your personal information as defined under the CCPA/CPRA. We do not use your data for cross-context behavioral advertising. Therefore, we do not offer a "Do Not Sell or Share" opt-out.
Categories of personal information we collect are described in Section 2 above. We collect this information from you directly. We use it for the business purposes described in Section 3.
8.4 European Economic Area Users (GDPR)
If you are located in the EEA, UK, or Switzerland, our lawful bases for processing your personal data are:
- Contract: Processing necessary to provide the Service you signed up for
- Consent: Where you have given specific consent (e.g., notification emails)
- Legitimate interest: Security, fraud prevention, and service improvement
You additionally have the right to:
- Receive your data in a structured, machine-readable format (data portability)
- Restrict processing
- Object to processing based on legitimate interest
- Lodge a complaint with your local data protection authority
9. Data Security
We implement appropriate technical and organizational measures to protect your personal information, including:
- Encryption in transit (TLS/HTTPS for all connections)
- Secure password hashing (handled by Supabase Auth using bcrypt)
- Row-level security (RLS) on all database tables ensuring users can only access their own data
- Secure HTTP-only authentication cookies
- Content Security Policy (CSP), HTTP Strict Transport Security (HSTS), and other security headers
- Rate limiting on all API endpoints to prevent abuse
- PCI DSS compliance through Stripe — payment card data never touches our servers
- File storage access controls ensuring users can only access their own uploaded files
While we take reasonable measures to protect your information, no method of electronic transmission or storage is 100% secure. We cannot guarantee absolute security.
10. Data Breach Notification
In the event of a security breach involving your personal information that creates a real risk of significant harm to you, we will:
- Notify the Office of the Privacy Commissioner of Canada as required by PIPEDA
- Notify affected individuals as soon as feasible
- Maintain records of the breach
- Comply with any additional breach notification requirements under applicable provincial, state, or international law
11. Children's Privacy
Sylly is designed for post-secondary students and is not directed at children under the age of 13. We do not knowingly collect personal information from children under 13. If we discover that we have collected personal information from a child under 13, we will delete it promptly.
For users between 13 and 16 years of age, we recommend parental or guardian review of these terms and our privacy practices before use. Under Quebec's Law 25, parental consent is required for users under 14.
12. Commercial Electronic Messages (CASL)
In accordance with Canada's Anti-Spam Legislation (CASL), we will only send you commercial electronic messages (such as marketing emails or promotional content) with your express consent. Transactional messages related to your account (such as password resets, subscription confirmations, and billing receipts) do not require consent under CASL.
All commercial messages will include our identification information and a clear unsubscribe mechanism. You can unsubscribe at any time, and we will process your request within 10 business days.
13. Cookies and Similar Technologies
Sylly uses only essential cookies required for the Service to function:
- Authentication cookies: Secure HTTP-only cookies managed by Supabase to maintain your login session
We do not use advertising cookies, analytics cookies, or third-party tracking cookies. We do not use local storage or session storage for tracking purposes.
14. Automated Decision-Making
The Service uses automated systems for the following purposes:
- Study plan generation: Our planning engine automatically generates study session recommendations based on your evaluation schedule, weights, and grades. You can modify or dismiss any recommendations.
- AI content generation: AI features generate study materials based on your input. All AI-generated content is presented for your review — you decide whether and how to use it.
- Tier enforcement: Usage limits are automatically enforced based on your subscription plan.
None of these automated processes make decisions that produce significant legal or similarly significant effects on you. You maintain control over your academic decisions at all times.
15. Changes to This Privacy Policy
We may update this Privacy Policy from time to time. If we make material changes, we will notify you by email or by displaying a prominent notice within the Service at least 30 days before the changes take effect. We encourage you to review this page periodically.
16. How to Contact Us
If you have questions about this Privacy Policy, want to exercise your privacy rights, or wish to file a complaint about our privacy practices, please contact us:
- Privacy inquiries: privacy@sylly.ca
- General support: support@sylly.ca
We will respond to all privacy-related requests within 30 days.
If you are not satisfied with our response, you may file a complaint with:
- Canada: Office of the Privacy Commissioner of Canada — priv.gc.ca
- Quebec: Commission d'accès à l'information du Québec — cai.gouv.qc.ca
- California: California Attorney General — oag.ca.gov/privacy
- EEA/UK: Your local data protection authority