Updated on April 17, 2026

Privacy Policy

By using Lectra AI, you agree to these Terms of Use. Please read them carefully.

1. CONTROLLER AND CONTACT INFORMATION

The data controller responsible for the processing of your personal data in connection with the Lectra AI application is:

LEGACY Network AG
Industriering 3, 9491 Ruggell, Principality of Liechtenstein
Email: support@getlectra.ai

If you have questions about this Privacy Policy or about how we handle your personal data, please contact us at support@getlectra.ai.

1.1 Supervisory Authority

The competent data protection supervisory authority for LEGACY Network AG is:

Datenschutzstelle (DSS) Liechtenstein
Städtle 38, Postfach 684
9490 Vaduz, Liechtenstein
www.datenschutzstelle.li

If you are resident in the European Union, you also have the right to lodge a complaint with the supervisory authority in your country of residence.

2. SCOPE AND APPLICABILITY

This Privacy Policy describes how LEGACY Network AG ("we," "us," "our") collects, uses, processes, and shares personal data when you use the Lectra AI application (available on iOS and Android) and associated services (collectively, the "Service"). It applies to all users of the Service, including anonymous guests, registered users, and premium subscribers.

This Privacy Policy complies with the General Data Protection Regulation (GDPR / EU 2016/679), the Liechtenstein Data Protection Act (Datenschutzgesetz, DSG), and the ePrivacy Directive as applicable to the Service.

3. DATA WE COLLECT

3.1 Account and Profile Data

When you create an account, we collect:

User ID (UUID, automatically generated), email address, display name, profile picture URL (where provided via Google Sign-In), account creation date, and last update date. Your password, if set, is stored exclusively as a cryptographic hash and is never stored or transmitted in plain text.

3.2 Authentication Data

Depending on your chosen sign-in method, we process:

(a) Email/password: Email address and password hash via Supabase Auth.
(b) Google Sign-In: Email address, display name, Google Account ID, and profile picture URL, received from Google via OAuth 2.0.
(c) Apple Sign-In (iOS only): Apple ID and email address (which may be masked by Apple). Apple Auth tokens are stored encrypted solely for mandatory token revocation upon account deletion, as required by Apple App Store Guidelines since June 2022.
(d) Anonymous session: A temporary UUID is assigned to your device session. No email or personal identifier is collected. If you subsequently register an account, your anonymous session data is merged with your new account.

3.3 Biometric Data

If you enable biometric login (Face ID or fingerprint recognition), authentication is performed exclusively by your device's secure hardware and operating system. Biometric data never leaves your device and is never transmitted to or stored by LEGACY Network AG.

3.4 User-Uploaded Content

When you upload documents (PDF, Word, images, audio files, video files) to the Service, we:

(a) Store the original document in encrypted Supabase Storage, accessible only to you;
(b) Extract the text content server-side;
(c) Transmit the extracted text to our AI processing providers to generate your learning paths, modules, lessons, and quiz questions;
(d) Store the generated learning content and your learning progress in your account database.

Uploaded documents and their extracted content are accessible only to you. We do not share the content of your documents with other users. We do not use your document content for AI model training.

3.5 Learning and Gamification Data

In connection with your use of the learning features, we collect total XP points earned, current and longest streak (days), last active date, subscription status and trial end date, learning paths created in the current month, lesson and module completion data, quiz scores, and achievement and badge data.

3.6 Subscription and Payment Data

We collect subscription management data including: subscription plan type (weekly, monthly, or annual), subscription status (free trial, free, or premium), subscription start and end dates, auto-renewal status, first purchase date, remaining complimentary months, and referral code data.

We do not collect or store any payment data, including credit card numbers or other financial account details. All payment processing is conducted by Apple (iOS) or Google (Android). We receive confirmation of subscription status via RevenueCat.

3.7 Usage and Analytics Data

We collect pseudonymised usage data through Mixpanel to understand how users interact with the Service. This includes:

(a) User properties: pseudonymised User ID, subscription status, app language, colour scheme, total XP, streak data, number of learning paths created, completed modules, lessons, learning minutes, badge count, group count, referral count, device type, app version, days since registration, and A/B test variant assignments.
(b) Event data: structured analytics events covering authentication actions, onboarding steps, document uploads, learning path generation, lesson and quiz activity, gamification events, group activity, subscription events, settings changes, notification interactions, and screen views.

Document content and quiz answers are never transmitted to analytics services. Only structured metrics (counts, durations, types) are collected.

3.8 Device and Technical Data

We collect certain technical information necessary for the operation and security of the Service, including: device type and model, operating system version, app version, app instance ID (via Firebase), and crash reports and stack traces (via Sentry, only in the event of application errors).

3.9 Local Device Data

Certain data is stored locally on your device and is not transmitted to our servers: app preference settings, a temporary learning cache for offline performance, and local push notification scheduling data.

4. HOW WE USE YOUR DATA

4.1 Service Delivery

(a) Creating and managing your account;
(b) Authenticating your identity;
(c) Processing your document uploads and generating personalised learning paths;
(d) Tracking your learning progress, XP, streaks, and achievements;
(e) Managing your subscription status and feature access;
(f) Operating the referral programme;
(g) Enabling group learning features (display name and XP visible to group members only);
(h) Sending daily learning reminders (push notifications, opt-in).

4.2 Service Improvement and Analytics

(a) Analysing usage patterns to identify areas for improvement;
(b) Conducting A/B tests to evaluate pricing, features, and user interface options;
(c) Monitoring application performance and diagnosing technical errors;
(d) Understanding user engagement to develop new features.

4.3 Legal Compliance and Security

(a) Complying with applicable laws, regulations, and legal obligations;
(b) Preventing, detecting, and investigating fraud, abuse, or security incidents;
(c) Enforcing our Terms of Use;
(d) Responding to lawful requests from law enforcement or regulatory authorities.

5. LEGAL BASIS FOR PROCESSING (GDPR ARTICLE 6)

(a) Contract performance (Art. 6(1)(b)): Providing the Service, including account management, document processing, learning path generation, subscription management, and authentication.
(b) Legitimate interests (Art. 6(1)(f)): Analytics to improve the Service, security monitoring, error reporting, and fraud prevention.
(c) Legal obligation (Art. 6(1)(c)): Compliance with applicable law, including responses to lawful authority requests.
(d) Consent (Art. 6(1)(a)): Analytics tracking and push notification permissions. You may withdraw consent at any time.

6. AI DATA PROCESSING

6.1 How AI Processes Your Content

When you upload a document, the extracted text content is transmitted to our AI processing providers — Anthropic, PBC (USA) and OpenAI, LLC (USA) — for the purpose of generating your learning path, module summaries, lesson content, and quiz questions. Only the extracted text is transmitted — no account data, personal identifiers, or metadata is included in this transmission.

6.2 Storage of Processed Content

The generated learning content (modules, lessons, quiz questions) is stored in your account on our Supabase database. The original document files are stored in encrypted Supabase Storage. Both are accessible only to you through your authenticated account.

6.3 No AI Training on Your Data

We explicitly confirm that the content of your uploaded documents is not used to train, fine-tune, or improve any AI model, whether operated by LEGACY Network AG, Anthropic, or OpenAI. Your documents are processed only to generate your individual learning paths and for no other purpose.

6.4 AI Output Disclaimer

AI-generated learning content may contain inaccuracies, errors, or omissions. The Service is a learning support tool only. We make no representations about the accuracy of AI outputs and accept no liability for decisions made on the basis of AI-generated content.

7. THIRD-PARTY SERVICE PROVIDERS

We share your data with the following third-party service providers. We have entered into data processing agreements with each provider as required by applicable data protection law.

7.1 Supabase

Provider: Supabase Inc., USA
Purpose: Database, authentication, file storage, and edge functions
Data shared: All account, profile, learning, subscription, and referral data; uploaded documents; Apple Auth tokens (iOS)
Privacy policy: supabase.com/privacy

7.2 RevenueCat

Provider: RevenueCat Inc., USA
Purpose: In-app purchase and subscription management (iOS and Android)
Data shared: User ID, subscription status, purchase history, plan type, purchase date, A/B test variant
Privacy policy: revenuecat.com/privacy

7.3 Mixpanel

Provider: Mixpanel Inc., USA
Purpose: Product analytics and A/B test evaluation
Data shared: Pseudonymised User ID, analytics events and user properties as described in Section 3.7, device type, app version
Privacy policy: mixpanel.com/legal/privacy-policy

7.4 Firebase (Google)

Provider: Google LLC, USA
Purpose: Core app infrastructure
Data shared: Device identifier and app instance ID
Privacy policy: firebase.google.com/support/privacy

7.5 Google Sign-In

Provider: Google LLC, USA
Purpose: OAuth 2.0 authentication
Data shared: Email address, display name, Google Account ID, profile picture URL
Privacy policy: policies.google.com/privacy

7.6 Apple Sign-In (iOS only)

Provider: Apple Inc., USA
Purpose: OAuth authentication and mandatory token revocation
Data shared: Apple ID and email address (may be masked by Apple)
Privacy policy: apple.com/legal/privacy

7.7 Sentry

Provider: Functional Software Inc., USA
Purpose: Error monitoring and crash reporting (production environment only)
Data shared: Stack traces at point of error, User ID, device metadata (OS version, device model, app version)
Privacy policy: sentry.io/privacy

7.8 Anthropic

Provider: Anthropic, PBC, USA
Purpose: AI processing — generation of learning paths, modules, lessons, and quiz questions from extracted document text
Data shared: Extracted text from uploaded documents only. No personal identifiers, account data, or metadata are transmitted.
No AI training on user data: Anthropic does not use API inputs to train its models.
Privacy policy: anthropic.com/privacy

7.9 OpenAI

Provider: OpenAI, LLC, USA
Purpose: AI processing — generation of learning paths, modules, lessons, and quiz questions from extracted document text
Data shared: Extracted text from uploaded documents only. No personal identifiers, account data, or metadata are transmitted.
No AI training on user data: OpenAI does not use API inputs to train its models by default.
Privacy policy: openai.com/policies/privacy-policy

8. INTERNATIONAL DATA TRANSFERS

All of the third-party service providers listed in Section 7 are headquartered in the United States. Transfers of your personal data from the European Economic Area and Liechtenstein to the United States are conducted under Standard Contractual Clauses (SCCs) as approved by the European Commission, supplemented by technical and organisational security measures.

You may request a copy of the relevant Standard Contractual Clauses by contacting us at support@getlectra.ai.

9. DATA RETENTION

(a) Account data: Retained for the duration of your account. Deleted upon account deletion.
(b) Uploaded documents and learning content: Retained for the duration of your account. Deleted upon account deletion.
(c) Subscription data: Retained for the duration required by applicable commercial and tax law (typically five to ten years following the end of the subscription).
(d) Analytics data (Mixpanel): Retained in accordance with Mixpanel's data retention policies. Deletable upon request.
(e) Error logs (Sentry): Retained for a limited period for diagnostic purposes, typically 90 days.
(f) Apple Auth tokens (iOS): Retained until account deletion, at which point revocation is triggered.
(g) Anonymous session data: Retained for a limited period to allow account migration. Purged if no account is created within 30 days.

10. YOUR RIGHTS UNDER GDPR

10.1 Right of Access

You may request a copy of the personal data we hold about you by contacting support@getlectra.ai. We will respond within one month.

10.2 Right to Rectification

You may correct your display name, email address, and profile picture directly in the application. For other corrections, contact support@getlectra.ai.

10.3 Right to Erasure

You may delete your account via Settings > Account > Delete Account. This triggers deletion of all Supabase data. Deletion of Mixpanel and Sentry data must be requested separately via support@getlectra.ai.

10.4 Right to Data Portability

You may request a machine-readable export of your personal data by contacting support@getlectra.ai.

10.5 Right to Object

You have the right to object to processing based on legitimate interests or for direct marketing purposes.

10.6 Right to Withdraw Consent

Where processing is based on consent (analytics, push notifications), you may withdraw consent at any time via the application settings or iOS/Android system settings.

10.7 Right to Lodge a Complaint

You have the right to lodge a complaint with the Datenschutzstelle Liechtenstein or, if resident in the EU, with the supervisory authority in your country of residence.

11. ANALYTICS OPT-OUT

Analytics data collection via Mixpanel can be disabled by emailing support@getlectra.ai; we will process your request promptly. You may also opt out of Mixpanel tracking globally at mixpanel.com/optout.

12. WARNING REGARDING SENSITIVE AND THIRD-PARTY PERSONAL DATA

12.1 Sensitive Personal Data

You should not upload documents containing sensitive categories of personal data as defined by GDPR Article 9, including health data, racial or ethnic origin, political opinions, religious beliefs, genetic data, biometric data, or data concerning sex life, sexual orientation, or criminal convictions. If you choose to upload such data, you do so at your own risk and are solely responsible for the lawfulness of that processing.

12.2 Third-Party Personal Data in Uploaded Documents

If you upload documents containing personal data of other individuals, you are acting as an independent data controller in respect of that data and are solely responsible for compliance with applicable data protection law, including obtaining any necessary consents.

13. CHILDREN'S DATA

The Service is available to users aged 13 and older. Users aged 13 to 15 may only use the Service with the prior verifiable consent of a parent or legal guardian. Where such consent is provided, the parent or guardian is responsible for ensuring their child uses the Service in accordance with these policies and our Terms of Use.

We do not knowingly collect personal data from children under the age of 13. If we become aware that an account has been created by a child under 13 without parental consent, we will delete that account and all associated data immediately. If you are a parent or guardian and believe your child under 13 has used the Service, please contact support@getlectra.ai.

14. SECURITY MEASURES

(a) Row Level Security (RLS) in Supabase — users can only access their own data;
(b) Encryption at rest for uploaded documents in Supabase Storage;
(c) Password hashing — passwords are never stored in plain text;
(d) TLS/HTTPS for all data in transit;
(e) Access controls limiting production data access to authorised personnel;
(f) Error monitoring via Sentry to detect and respond to security incidents.

No security system is impenetrable. In the event of a data breach likely to result in risk to your rights, we will notify the competent supervisory authority and, where required, affected users in accordance with applicable law.

15. COOKIES AND TRACKING

The Lectra AI mobile application does not use browser cookies. Analytics and behavioural tracking within the application are performed via Mixpanel using pseudonymised event logging as described in Section 3.7.

16. CHANGES TO THIS PRIVACY POLICY

We may update this Privacy Policy from time to time. We will notify you of material changes through the application, by email, or by updating the "Effective Date." Your continued use of the Service after the effective date of any changes constitutes your acceptance of the updated Policy.

17. CONTACT

For all privacy-related inquiries and data subject rights requests:
LEGACY Network AG
Industriering 3, 9491 Ruggell, Principality of Liechtenstein
Email: support@getlectra.ai

We will acknowledge your request within 72 hours and respond substantively within one month.