Your privacy is important to us. This Privacy Policy explains what
personal data LearnQuest.ai collects, why we collect it, how we use and
protect it, and the rights available to you under applicable Saudi
Arabian law — including the Personal Data Protection Law (PDPL) and its
Executive Regulations. Please read this document carefully.
LearnQuest.ai is an AI-powered English language learning platform
operated by [Company Legal Name] ("LearnQuest," "we,"
"us," or "our"), a company registered in the Kingdom of Saudi Arabia,
with its registered office at [Registered Address],
Riyadh, Kingdom of Saudi Arabia.
As the operator of this platform, we act as the
Data Controller for the personal data we collect from
users. As Data Controller, we determine the purposes and means by
which your personal data is processed, and we are responsible for
ensuring that such processing is carried out lawfully, fairly, and
transparently in full compliance with the Saudi Personal Data
Protection Law (PDPL) and its Executive Regulations.
Where we engage third parties to process personal data on our behalf
(such as cloud hosting providers), we do so under data processing
agreements that bind those parties to obligations consistent with the
PDPL.
In accordance with the principle of data minimization, we collect only
personal data that is necessary and proportionate to the purposes
described in this Policy. The categories of data we may collect
include:
| Category | Examples | Basis |
| --- | --- | --- |
| Identity Data | Full name, username, date of birth (age verification), gender | Contract |
| Contact Data | Email address, phone number | Contract |
| Account Data | Password (stored in hashed form only), account preferences, profile photo (if uploaded) | Contract |
| Learning Data | CEFR level assessments, progress scores, in-game decisions, NPC conversation transcripts | Contract |
| Device & Technical Data | IP address, device type and model, operating system version, browser type, session identifiers | Legitimate Interest |
| Usage Data | Features accessed, time and duration of sessions, in-game actions, navigation patterns | Legitimate Interest |
| Payment Data | Billing address, last four digits of card (full card details are handled exclusively by Paddle and are never stored by LearnQuest) | Contract |
| Communications Data | Support tickets, feedback submissions, emails sent to us | Legitimate Interest |
We do not intentionally collect sensitive personal
data — including racial or ethnic origin, health data, biometric data,
precise geolocation, or religious affiliation — unless you explicitly
provide it for a disclosed purpose or unless we are required to do so
by applicable law.
We collect personal data through the following means:
- Directly from you — when you register, complete
  your profile, interact with AI NPCs, submit feedback, or contact our
  support team.
- Automatically — through cookies and similar
  technologies when you access our platform (see Section 7 for full
  details).
- Through your gameplay — conversation logs, progress
  scores, and in-game decisions are captured automatically to power
  personalized and adaptive learning.
- Through third-party integrations — such as social
  sign-on services (e.g., Sign in with Google or Apple), payment
  processors, and analytics providers. We collect only the data shared
  with us by these services, as permitted by your settings with them.
We use your personal data only for the purposes for which it was
collected. Those purposes are:
- Creating and managing your user account and verifying your identity.
- Delivering the Service and personalizing the learning experience to
  your CEFR level and progress.
- Improving and fine-tuning our AI models and NPC systems, using
  aggregated and anonymized data only (see Section 6).
- Sending transactional communications — including account
  confirmation, password resets, and subscription receipts. These are
  not optional.
- Sending service-related security and policy update notifications.
  These are not optional.
- Sending optional marketing or promotional communications — only with
  your explicit prior consent, which you may withdraw at any time.
- Processing subscription payments and managing billing through
  Paddle.
- Providing customer support and resolving complaints or disputes.
- Conducting analytics to understand platform usage and identify areas
  for improvement.
- Complying with legal obligations under Saudi Arabian law, including
  the PDPL, tax law, and cybersecurity regulations.
- Detecting, investigating, and preventing fraud, abuse, and security
  threats to the Service.
Under the Saudi PDPL, every act of personal data processing must be
grounded in a lawful basis. We rely on the following bases:
- Consent: For optional marketing communications,
  non-essential cookies, and any processing activity where we
  explicitly request your agreement. You may withdraw consent at any
  time without affecting the lawfulness of processing already carried
  out.
- Contract: To perform our obligations under the
  agreement you enter into when you create an account — including
  delivering the Service, managing your subscription, and processing
  payments.
- Legal Obligation: Where we are required to process
  or retain data to comply with applicable Saudi Arabian law,
  including tax, anti-fraud, and cybersecurity regulations.
- Legitimate Interest: For activities such as
  platform security, fraud detection, service improvement analytics,
  and internal communications — where our legitimate interests are not
  overridden by your rights and freedoms. We carry out a balancing
  assessment before relying on this basis.
- Vital Interests: In rare circumstances where
  processing is necessary to protect the vital interests of you or
  another person — for example, in an emergency safety situation.
LearnQuest uses AI systems, including large language models and
optimized NPC personas, to power its adaptive learning experience. The
following explains how your data interacts with these systems:
- Conversation Inputs: Text and voice inputs you
  provide during NPC interactions are processed in real time by our AI
  to generate contextually appropriate learning responses. These
  interactions are also stored to track your progression and adapt
  future sessions.
- Adaptive Learning: Your assessment scores and
  ongoing performance data are used to automatically calibrate the
  difficulty and vocabulary of AI responses to your current CEFR
  level.
- Model Improvement: We may use conversation data to
  improve our AI models. Before doing so, we apply strict
  anonymization and aggregation techniques. We do not use your
  identifiable personal data to train AI models that are shared with
  or sold to third parties.
- Human Oversight: While AI drives the learning
  experience, no significant decisions affecting your account status,
  subscription, or reported performance are made by automated systems
  alone. You may at any time request a human review of any AI-driven
  outcome that affects you by contacting support@learnquest.ai.
Our AI development practices are aligned with SDAIA's AI Ethics
Principles — prioritizing fairness, transparency, accountability, and
respect for user privacy. We do not use AI in ways that could
systematically disadvantage users based on personal characteristics.
We use cookies and similar technologies (collectively, "cookies") to
operate and improve the Service. Cookies are small data files placed
on your device when you access our platform.
- Strictly Necessary Cookies: Essential for the
  Service to function — for example, maintaining your login session
  and securing your account. These cannot be disabled without breaking
  core functionality.
- Performance & Analytics Cookies: Allow us to
  understand how users interact with the Service, identify errors, and
  measure performance. These are disabled by default and activated
  only with your consent.
- Functionality Cookies: Remember your preferences
  (such as language settings) to provide a more consistent experience.
  Enabled with your consent.
- Marketing Cookies: Used only if you opt in to
  receive tailored promotional communications. Disabled by default.
You can review and update your cookie preferences at any time through
your account privacy settings or via your browser's cookie management
tools. Please note that disabling non-essential cookies will not
affect your core learning experience.
We do not sell your personal data to any third party, under any
circumstances. We share your data only in the following limited and
lawful situations:
- Service Providers: We engage trusted third-party
  vendors to process data on our behalf — including cloud hosting
  providers, our payment processor (Paddle), analytics tools, and AI
  infrastructure services. All such providers operate under
  contractual data processing agreements that impose obligations
  consistent with the PDPL and prohibit them from using your data for
  their own purposes.
- Educational Institutions: If you access LearnQuest
  through a school or organization, we may share your learning
  progress data with authorized administrators of that institution, as
  disclosed at the time of enrollment.
- Legal Requirements: We may disclose personal data
  where required by Saudi Arabian law, a binding court order, or a
  competent government authority. We will notify you of such
  disclosure where we are legally permitted to do so.
- Business Transfers: In the event of a merger,
  acquisition, or sale of all or part of our business, your personal
  data may be transferred to the acquiring entity. We will notify you
  in advance by email and through a prominent notice on our platform,
  and you will have the right to request deletion of your data before
  any transfer takes place.
- With Your Consent: For any sharing not described in
  this Policy, we will seek your explicit consent before proceeding.
Some of our service providers and cloud infrastructure partners may be
located or operate servers outside the Kingdom of Saudi Arabia. When
we transfer your personal data internationally, we do so only where:
- The destination country or territory provides a level of personal
  data protection that is adequate under the requirements of the PDPL
  and its Executive Regulations; or
- Appropriate contractual safeguards consistent with the requirements
  of the PDPL are in place with the receiving party, ensuring your
  data receives equivalent protection; or
- The transfer is necessary to perform the contract between you and
  us, and you have been informed in advance.
We prioritize keeping your data within the Kingdom of Saudi Arabia or
within the Middle East region where technically feasible and
commercially reasonable. Our primary cloud infrastructure is hosted
within the region.
We retain your personal data only for as long as is necessary for the
purposes described in this Policy, or as required by applicable Saudi
Arabian law. Our standard retention periods are:
- Active Account Data: Retained for the lifetime of
  your account. Upon account deletion, most account data is deleted
  within 90 days, subject to the exceptions below.
- Learning Progress Data: Retained for the lifetime
  of your account. Following account closure, aggregated and fully
  anonymized learning data may be retained for internal research and
  model improvement without limitation.
- Payment & Transaction Records: Retained for a
  minimum of 7 years in accordance with Saudi Arabian VAT and
  financial record-keeping regulations.
- Support & Correspondence Data: Retained for up
  to 3 years from the date of final resolution of the relevant matter.
- Security & Access Logs: Retained for up to 12
  months, after which they are deleted or anonymized.
Upon expiry of applicable retention periods, personal data is securely
deleted or irreversibly anonymized. You may request early deletion of
your data at any time, subject to our legal obligations to retain
certain records (see Section 11).
The Saudi Personal Data Protection Law grants you the following rights
in relation to your personal data. Exercising these rights is free of
charge. We will respond to all valid requests within
30 days of receipt; in cases of complexity or volume,
we may extend this by a further 30 days with prior notification.
- Right to Access: Request a copy of the personal data we hold about
  you, along with information about how it is used and to whom it has
  been disclosed.
- Right to Correction: Request that inaccurate or incomplete personal
  data we hold about you be corrected or completed without undue delay.
- Right to Deletion: Request erasure of your personal data where it is
  no longer necessary for the original collection purpose, where
  consent has been withdrawn, or where processing is unlawful — subject
  to our legal retention obligations.
- Right to Data Portability: Request a copy of the personal data you
  provided to us in a structured, machine-readable format, to
  facilitate transfer to another service provider.
- Right to Withdraw Consent: Withdraw consent for any processing based
  on consent (e.g., marketing communications, non-essential cookies) at
  any time. Withdrawal does not affect the lawfulness of processing
  carried out before withdrawal.
- Right to Restrict Processing: Request that we temporarily limit the
  processing of your personal data — for example, while we verify the
  accuracy of data you have contested.
- Right to Be Informed: Receive clear, transparent information about
  the purposes and legal bases for collecting and using your personal
  data — as set out in this Policy.
- Right to Object: Object to the processing of your personal data where
  it is based on legitimate interest. We will cease such processing
  unless we can demonstrate compelling legitimate grounds that override
  your interests, rights, and freedoms.
To exercise any of these rights, please submit your request to
privacy@learnquest.ai with sufficient information to verify your
identity. We will acknowledge your request within 5 business days.
Please note that certain rights are subject to limitations. For
example, we may be unable to delete data that we are legally required
to retain, or that is necessary for the establishment, exercise, or
defense of legal claims. In such cases, we will clearly explain the
reason for any limitation.
LearnQuest is designed as an educational platform and may be used by
learners aged 13 and above. We take the privacy and safety of younger
users seriously and apply the following protections:
- Users aged 13–17 may only register with the verifiable prior written
  consent of a parent or legal guardian, who agrees to these Terms and
  our Privacy Policy on the Minor's behalf.
- Educational institutions must obtain and document appropriate
  parental consents before enrolling students under 18 on the Service.
- We do not knowingly collect personal data from children under 13. If
  we learn that a child under 13 has created an account without proper
  consent, we will delete the account and all associated data promptly
  and without notification.
- We do not send marketing communications to accounts identified as
  belonging to users under 18.
- We do not share the personal data of Minors with third parties for
  any purpose other than delivering the Service, except where required
  by law.
Parents or legal guardians may contact privacy@learnquest.ai at any
time to request access to, correction of, or deletion of a Minor's
personal data held by us.
We implement appropriate and proportionate technical and
organizational security measures to protect your personal data against
unauthorized access, disclosure, alteration, loss, or destruction.
These measures include:
- Encryption of data in transit using TLS 1.2 or higher, and
  encryption of data at rest using AES-256 or equivalent.
- Role-based access controls ensuring that only authorized personnel
  can access personal data, and only to the extent required for their
  role.
- Passwords stored exclusively in hashed form using a strong one-way
  hashing algorithm. We never store raw passwords.
- Regular internal security reviews, vulnerability assessments, and
  penetration testing.
- Incident response and business continuity procedures aligned with
  SDAIA's National Cybersecurity Framework.
Breach Notification: Despite our best efforts, no
digital system can be guaranteed to be completely secure. In the event
of a personal data breach that is likely to pose a risk to your
rights, we will notify you and report the incident to the Saudi Data
& AI Authority (SDAIA) within 72 hours of
becoming aware of the breach, in accordance with the PDPL. Our
notification to you will describe the nature of the breach, the
categories of data affected, the likely consequences, and the measures
we are taking to address it.
We may update this Privacy Policy from time to time to reflect changes
in our data practices, the Service, or applicable law. When we make
material changes, we will:
- Post the revised Policy on this page with an updated "Last Updated"
  date.
- Notify you by email and/or in-app notification at least
  14 days before the changes take effect.
- Where required by the PDPL, seek renewed consent from you before
  implementing changes that materially affect how we process your
  personal data.
Your continued use of the Service after the updated Policy takes
effect constitutes your acknowledgment of the changes. If you do not
agree with the revised Policy, you should stop using the Service and
may request deletion of your account and associated data.
For any questions, concerns, or requests relating to this Privacy
Policy or the processing of your personal data, please contact our
Privacy Team directly:
- Privacy Requests: privacy@learnquest.ai
- General Support: support@learnquest.ai
- Postal Address: Privacy Officer, [Company Legal
  Name], [Address], Riyadh, Kingdom of Saudi Arabia
If, after contacting us, you believe that your data protection rights
have not been adequately addressed, you have the right to lodge a
complaint with the competent supervisory authority in the Kingdom of
Saudi Arabia:
- Saudi Data & AI Authority (SDAIA)
- Website: www.sdaia.gov.sa
We encourage you to reach out to us first at privacy@learnquest.ai
before escalating to SDAIA, as we are committed to resolving all
privacy concerns directly, promptly, and at no cost to you. We aim to
acknowledge all requests within 5 business days and resolve them
within 30 days.