A. Our Vision on Privacy and AI in Education
1.1 Our Core Values: Autonomy and Transparency
When it comes to privacy in the broad sense, two of our core values are important: autonomy and transparency. As a user of our app, you know how your information is used within our app. You are in control when it comes to your own data.
The combination of education and generative AI is a new field of work. As pioneers in this field, we create our own guidelines.
This is what we do:
- We are clear and transparent about where your data ends up when using our app.
- We give users of our applications as much control as possible over their personal data.
- We explain as best as we can what we see as the risks of generative AI in education.
- We keep ourselves informed of the latest policies at the European and national level.
- We continue to engage with teachers, school leaders, and policymakers about the risks of generative AI.
Here are some examples of what we don't use AI for:
- We do not use AI for monitoring students. This creates an unnecessary privacy risk and increases the risk of discrimination and inequality.
- We do not use generative AI for grading work submitted by students. This is inevitably discriminatory due to the current training of AI models.
1.2 We work in line with the European AI Act
We have read the AI Act and looked at how we relate to it. The AI Act classifies different AI technologies as low or high risk. Collecting biometric data, for example for facial recognition, is considered high risk. Classification through AI based on personal data is also considered high risk. Additional rules and guidelines are being established for companies that use AI in this way.
We currently do not use technologies that are assessed as high-risk. The risk in our app that comes closest to the high-risk category is discrimination through the assessment of student work with the help of AI. We are currently not implementing this functionality and are aware that this is a risk.
1.3 We align with the National Policy on Generative AI
We have taken note of the government policy in the field of generative AI. This policy mentions a number of risks, similar to those written in the AI Act:
- discrimination, mainly due to the training of the models
- the spread of disinformation (intentional and unintentional)
- infringement of privacy, for example by creating deepfakes
We are aware of these risks and actively respond to them. For example, we inform our users about the possible creation of potentially discriminatory content and disinformation. We do not use AI for monitoring students or creating deepfakes. The policy states that (app) developers can take the lead in combating the risks of AI: we want to do this too.
1.4 We commit to the legislation on personal data: the GDPR
As an organization, we fall under the GDPR. We actively implement elements of this in our processes and services. The rest of this document indicates how we do this.
B. How do we handle your data when using Alfie?
What data do we store?
2.1 Personal Data during Registration and Use
- Your name and email address are collected for account creation and communication purposes.
- Data related to your subscription, such as the type of subscription and your payment status (we do not store full payment details ourselves).
2.2 Use of Heat Map Software
- We collect data on how you navigate and interact within our app to optimize the user experience.
- Session recordings help us understand which app components users value most and where improvement is needed.
Why are we allowed to use your data?
3.1 User Consent
For certain purposes, such as sending marketing communications, we will ask for your explicit consent.
3.2 Execution of the Agreement
We use your data to provide the services you have signed up for, such as creating your account, processing payments, and generating educational materials.
3.3 Compliance with Legal Obligations
We are legally required to retain financial transaction data for tax purposes.
3.4 Legitimate Interest
We use your data to improve our services, which is in both your interest and ours. This includes, for example, analyzing pseudonymized usage data to improve functionality and usability, and securing our systems.
How long do we retain your data?
4.1 App Usage Period
Your data remains stored as long as you actively use our app.
4.2 Maximum Retention Period after Termination of Use
After termination of use, we retain your personal data for a maximum of 12 months for administrative purposes. Information about the use of the app and the content generated by you is stored in a pseudonymized form. This means the data is not directly traceable to you as a person and allows us to improve the app and perform analyses. You have the right to request that we delete your personal data. However, once data is fully anonymized, it is no longer traceable to an individual and falls outside the scope of the right to erasure.
4.3 Financial Data Retention Obligation
Financial data is retained for 7 years in accordance with tax legislation.
How do we secure your data?
5.1 Technical Security Measures
We use recognized software for storing and securing your data. Furthermore, we follow best practices to protect your data against unauthorized access and data breaches. These include, for example, the use of HTTPS for sending data, securely storing our access keys, and regularly checking the security of our systems.
5.2 Data Storage and Access Control
Your data is stored on servers within the EU, with strict access controls. Our developers also have access to your data on a need-to-know basis.
5.3 Management of Administrative Access
Access to data for management and maintenance is limited to a minimum number of employees and has its own authentication process. Our developers must be logged in before they can access your data.
What rights do you have as a user of the app?
Under the GDPR, you have certain rights regarding the processing of your personal data. These rights include:
- Access: You have the right to access the data we process about you.
- Rectification: If we hold incorrect or incomplete data about you, you have the right to have it corrected.
- Erasure: You have the right to have your data deleted by us.
- Restriction: You have the right to temporarily restrict the processing of your data.
- Objection: You have the right to object to the processing of your personal data.
- Withdraw Consent: You have the right to withdraw your consent for the processing of your personal data, insofar as the processing is based on your consent.
- Complaint: You have the right to lodge a complaint with the relevant Data Protection Authority.
You can submit your requests to us via the contact details at the bottom of this statement.
Which third parties do we share your data with?
7.1 Primary AI Provider: Google Cloud (Vertex AI)
For our core AI functionalities, including text and image generation, we use Google's Vertex AI platform. For our base product, we configure these services to process and store your data exclusively on servers located **within the European Union**. This means that the prompts you enter are not sent overseas as part of our standard operation.
7.2 Fallback AI Providers (Conditional US Processing)
To ensure service continuity in the rare event of a disruption with our primary AI provider, we may use fallback services. If a fallback mechanism is activated, the data you enter (prompts) **will be processed in the United States**. This is done based on our legitimate interest to provide a resilient and uninterrupted service. Our fallback providers include:
- For Text Generation: We may use OpenRouter, which provides access to various AI models from providers like OpenAI and Anthropic.
- For Image Generation: We may use Fal.ai as a fallback service.
We are working to provide users with direct control over these fallback features in the future.
7.3 Google User Data (Authentication)
If you choose to sign in or register for Alfie using your Google account (Google OAuth), we access specific data from your Google profile. This section details how we access, use, store, and share this information.
- Data We Access: We request access to your basic profile information, specifically your name, email address, and profile picture. We do not request access to any other Google data.
- How We Use It: This data is used exclusively to create and authenticate your Alfie account, pre-fill your profile, and communicate with you.
- How We Store It: Your name, email address, and a link to your profile picture are stored securely on our servers (hosted by Google Firebase) within the EU.
- How We Share It: We do not sell or transfer this data. It is shared only with Google as necessary for the authentication service to function.
Our use and transfer of information received from Google APIs will adhere to the Google API Services User Data Policy, including the Limited Use requirements.
7.4 Stripe (Payment Processing)
For processing subscription payments, we use Stripe (USA). We share the necessary invoice and account data. We do not have access to your full card details. For Stripe's terms, see: https://stripe.com/privacy.
International Transfer of Personal Data
Our standard service is designed to process your AI-related data within the European Economic Area (EEA). However, as described in section 7.2, certain data may be transferred outside the EEA to the United States in specific fallback situations. Our payment processor, Stripe, also processes data in the US.
For these transfers of personal data to countries that do not offer an adequate level of protection according to the European Commission, such as the US, we rely on appropriate safeguards. We do this by utilizing our partners' certification under the EU-U.S. Data Privacy Framework (DPF) and/or by using the Standard Contractual Clauses (SCCs) approved by the European Commission. These mechanisms impose contractual obligations on our partners to protect your data according to European standards.
What cookies do we use?
8.1 Cookie Policy
We use essential cookies for the operation of the app and analytical cookies to understand the use of the app. See our cookie policy for a detailed list.
C. Other Provisions
What if we change something in this statement?
9.1 Procedure for Changes
We reserve the right to change or update this privacy statement at any time. We always note the date when the statement was last modified. You can consult this statement from time to time for the most up-to-date information.
Do you want to talk to us about privacy?
10.1 Contact
For questions about our privacy statement, you can contact us via our contact form or directly at team@alfie.school. We are open to your feedback and questions.
Open Alfie B.V.
Chamber of Commerce (KVK): 90017102
Version 3 - Last updated on September 1, 2025