Legal

Privacy Policy

Last updated: 27 May 2026· Version 1.0

Your privacy matters to us. This Privacy Policy explains, in plain English, what information StudyLens collects, why we collect it, who we share it with, how we keep it safe, and the rights you have over it. Each section starts with a short summary, followed by the formal version.

1. Who we are

StudyLens (Pty) Ltd, a South African company. Contact: hi@studylens.co.za.

StudyLens (Pty) Ltd (“StudyLens”, “the operator”, “we”, “us”, “our”) is a South African company. We are the Responsible Party for your personal information under the Protection of Personal Information Act, 4 of 2013 (“POPIA”).

You can reach us at hi@studylens.co.za for anything related to this policy, including POPIA requests.

2. What information we collect

Your account details, what you upload to study, basic usage info, and payment info (handled by Paystack — we never see your card details).

We collect the following kinds of personal information:

  • Account details — your name, email address, and password (stored securely by our authentication provider, Clerk).
  • Optional profile information — your school, grade, subjects, and study goals if you choose to enter them.
  • Study material you upload — photos of textbooks, notes, worksheets, and any text you paste in.
  • Generated study data — the summaries, flashcards, quizzes, and study guides we create from your uploads, plus your progress, scores, and reading history.
  • Payment information — handled by Paystack. We receive a transaction confirmation and the last 4 digits of your card; we never see or store your full card details.
  • Communications — emails and support messages you send us.
  • Technical and browser metadata — IP address, browser type, device type, pages visited, time on page, and basic event data (used for security and to fix bugs).

3. Why we collect it

To run the Service, take payments, improve our AI, support you, and keep things secure and legal.

We use your information to:

  • Provide the StudyLens Service — generating summaries, flashcards, quizzes, and study plans from your uploads.
  • Process payments and manage your Subscription.
  • Send essential service emails about your Account, billing, and security.
  • Send product updates and tips (you can opt out at any time).
  • Improve product quality, including anonymised analysis of what kinds of uploads or features fail, so we can fix them.
  • Detect, prevent, and respond to fraud, abuse, or security incidents.
  • Comply with our legal obligations (for example, tax records).

4. Legal basis for processing

We process your data because you've agreed (consent), because we need to in order to run the Service (contract), or because we have a legitimate business reason that doesn't override your rights.

Under POPIA, we rely on the following legal bases:

  • Contract performance — we need your information to give you the Service you signed up for.
  • Consent — for example, when you choose to upload material, or opt in to marketing emails.
  • Legitimate interest — for security, fraud prevention, basic analytics, and improving the Service in ways that don't harm your rights.
  • Legal obligation — to comply with tax, accounting, and other laws.

5. Third-party processors

We use a small set of trusted services to run StudyLens. They're bound by their own privacy and security commitments. Here's exactly who gets what.

We act as the Responsible Party; the services below act as Operators on our behalf, under written agreements that require them to protect your data.

  • Supabase (database hosting, EU region) — stores your Account data, study sets, generated material, and progress. Encrypted in transit and at rest.
  • Clerk (authentication, USA — GDPR-aligned) — manages your email, password, and login sessions. Clerk is SOC 2 Type II certified.
  • Vercel (web hosting, global edge network) — serves the website. Processes basic request metadata (IP, user agent) for delivery and security.
  • Google Gemini (AI, USA) — receives your uploaded images and text transiently to generate study material. Per Google's commercial Gemini API terms, your inputs are not used to train Google's models.
  • Anthropic Claude (AI fallback, USA) — receives your uploads transiently if Gemini is unavailable. Per Anthropic's commercial API terms, your inputs are not used to train Anthropic's models.
  • Paystack (payments, South Africa + Nigeria) — handles card and EFT payments. Paystack is PCI DSS Level 1 certified.

We do not sell your personal information and we don't share it with anyone except the processors above, plus anyone we're legally required to share it with.

6. AI processing — what happens to your uploads

Your uploads are sent to Google Gemini (or Anthropic Claude as a fallback) just to generate your study set. They aren't used to train AI models. We keep the generated study set in your account so you can come back to it.

When you upload a photo or text, we send it to our AI provider so it can produce your study guide. The image or text is transient — used only to generate the response and then discarded by the provider in line with their published retention windows (typically 0 to 30 days, depending on whether they hold copies for abuse monitoring).

Under both Google's and Anthropic's commercial API terms, customer inputs are not used to train their models. We keep the resulting study set in your Account so you can return to it; you can delete any set at any time from your dashboard.

7. How long we keep your data

While your account is active, we keep your data. When you close your account, we delete it within 30 days, and backups are purged within 90 days. Some things (like tax records) we have to keep longer by law.
  • Active accounts — we keep your data for as long as your Account is open.
  • Closed accounts — your personal data is deleted from our live systems within 30 days of Account closure, and from backups within 90 days.
  • Billing and tax records — we keep invoice and transaction records for 5 years, as required by South African tax law.
  • Logs and security data — kept for up to 90 days for security and abuse-prevention purposes.

8. Your rights under POPIA

You have the right to see, correct, delete, and download your data, to object to processing, and to withdraw consent. Email hi@studylens.co.za with subject “POPIA request” and we'll respond within 30 days.

Under POPIA, you have the right to:

  • Access — request a copy of the personal information we hold about you.
  • Correction — ask us to fix information that is wrong, out of date, or incomplete.
  • Deletion — ask us to delete your personal information (subject to legal retention requirements).
  • Objection — object to certain kinds of processing, including direct marketing.
  • Data portability — ask for a copy of your data in a structured, commonly used format (for example, JSON or CSV).
  • Withdraw consent — where we relied on your consent, you can withdraw it at any time. This doesn't affect processing we did before you withdrew.
  • Complain — to the South African Information Regulator (see section 16).

How to exercise your rights

Email hi@studylens.co.za with the subject line “POPIA request” and tell us what you want. We may need to verify your identity before acting (to protect your data from impostors). We will respond within 30 days, free of charge unless your request is clearly excessive or repeated.

9. Children's privacy

StudyLens is built for students — including under-18s. If you're under 18, a parent or guardian needs to agree. We don't profile minors or send them targeted ads.

StudyLens is designed for high-school students, many of whom are under 18. You must be at least 13 years old to create an Account. If you are under 18, your parent or legal guardian must read these terms and agree on your behalf — by signing up, you confirm that this has happened.

We collect the minimum information needed to provide the Service. We do not run behavioural advertising, profile minors, or sell data about children.

Parents or guardians who believe a child under their care has created an Account without consent can email hi@studylens.co.za to have the Account closed and the data deleted.

10. Cookies and analytics

Only essential cookies (for keeping you logged in). If we use analytics, it's a cookieless tool that doesn't track you across sites.

We use a small number of essential cookies to keep you logged in, remember your preferences, and protect against fraud. These are necessary for the Service to work.

Where we run analytics, we use Plausible Analytics, which is cookieless, doesn't fingerprint visitors, and doesn't track you across other websites. Plausible gives us only aggregated information like page views, referrers, and device type.

We do not use advertising cookies, cross-site tracking pixels, or third-party tracking.

11. Security

Encryption in transit and at rest. Strict access controls. No card data on our servers.

We take reasonable, appropriate, and industry-standard steps to protect your personal information, including:

  • Encryption of data in transit (TLS / HTTPS) and at rest (Supabase + Clerk).
  • Row-level security in our database, so users can only see their own data.
  • Access controls and audit logs on our admin systems.
  • No card data on our servers — Paystack handles all card processing.
  • Regular dependency updates and security patches.

No system is 100% secure. If a breach happens, we'll respond as quickly as possible (see the next section).

12. Data breach notification

If something goes wrong, we'll tell you and the Information Regulator within 72 hours of finding out, as POPIA requires.

If we become aware of a security breach that has compromised your personal information, we will:

  • Notify the Information Regulator of South Africa within 72 hours of becoming aware, as required by section 22 of POPIA.
  • Notify affected users as soon as reasonably possible, explaining what happened, what data was affected, what we're doing about it, and what you can do to protect yourself.

13. International data transfers

Some of our processors store data outside South Africa (EU and USA). They're bound by data-protection laws and contracts that protect your information.

Some of our processors are based outside South Africa — Supabase stores data in the EU, and Clerk, Vercel, Google, and Anthropic operate in the USA. POPIA allows these transfers where the receiving country has comparable data-protection laws or where we have appropriate contractual safeguards in place.

Where required, we rely on Standard Contractual Clauses and the vendors' published data-processing agreements to ensure your data is protected to a standard at least equivalent to POPIA.

14. Changes to this policy

If we change this policy in a meaningful way, we'll email you. The version number and date at the top of the page always show the latest version.

We may update this Privacy Policy from time to time. The version and “Last updated” date at the top of the page show the most recent version. If we make material changes, we will notify you by email and an in-app notice at least 14 days before they take effect.

15. Information Regulator (South Africa)

If you think we've mishandled your data and we haven't resolved it, you can complain to the regulator.

If you believe we have not complied with POPIA, you have the right to complain to the South African Information Regulator:

We'd also appreciate the chance to fix things first — please email hi@studylens.co.za before escalating.

16. Contact

For any privacy question, POPIA request, or concern, contact us at hi@studylens.co.za. We aim to respond within 2 business days, and within 30 days at the latest for formal POPIA requests.