Privacy Policy
ChalkSurf
Last updated: July 2, 2026
Introduction
ChalkSurf ("we," "us," or "our") is an AI-powered platform that helps math teachers create, discover, and manage teaching materials. This Privacy Policy explains how we collect, use, and protect your information when you use our service at chalksurf.com (the "Service").
ChalkSurf is operated from Hungary. For the purposes of the General Data Protection Regulation (GDPR), the operator of ChalkSurf is the controller for the personal data described in this policy. You can contact us about privacy requests at [email protected].
Information We Collect
Account, Profile, and Organization Information
When you create an account, we collect your email address, authentication credentials, profile information such as your name and avatar, organization memberships, roles, and account settings. We use Supabase Authentication to manage user accounts, and passwords are never stored in plaintext. If you create API tokens or authorize MCP/OAuth access, we store credential metadata such as token names, scopes, creation dates, last-used dates, and revocation status. We do not store reusable API token secrets after they are shown to you.
Content You Create and Upload
We store the math exercises, worksheets, solutions, hints, and figures you create or upload to the Service. This includes scanned pages and images you submit for AI-powered exercise extraction. Content you mark as "Public" will be visible to other users; content marked as "Private" remains accessible only to you.
AI Processing Data
When you use our AI features - such as exercise extraction from scanned pages, exercise generation, difficulty adaptation, or content customization - your input is sent to third-party large language model (LLM) providers for processing. We send only the content necessary to perform the requested operation. We do not send your personal account information to LLM providers.
Sharing, Invitations, and Collaboration Data
When you share exercise sheets, invite users, join organizations, or accept invitations, we store the information needed to operate those workflows. This may include invited email addresses, invitation status, organization membership, sharing permissions, and timestamps.
Feedback and Support Data
If you send feedback, report an error, or otherwise contact us, we process the information you provide and related technical context so that we can respond and improve the Service.
Technical Data
We automatically collect standard technical information such as your IP address, browser type, device type, operating system, request metadata, security logs, and job-processing status. This data is used for authentication, security, troubleshooting, abuse prevention, and service reliability.
Browser Storage
The Service uses browser storage for authentication-related state, local product preferences, selected organization state, anonymous drafts, and document preview settings. We do not currently use non-essential advertising, cross-site tracking, or product analytics cookies.
How We Use Your Information
We use your information to:
- Provide and maintain the Service, including storing your exercises, worksheets, and teaching materials
- Process your content through AI features (exercise extraction, generation, and customization)
- Authenticate your identity and secure your account
- Operate organization membership, sharing, invitations, API tokens, and OAuth authorizations
- Improve reliability, diagnose errors, and protect the Service from abuse
- Communicate with you about the Service (for example, account notifications and updates)
- Comply with legal obligations and respond to valid legal requests
Legal Bases for Processing
For users in the European Economic Area (EEA), we process personal data on these legal bases:
- Performance of a contract: to create and manage your account, provide the Service, store your teaching materials, process content through features you request, and operate sharing and organization workflows.
- Legitimate interests: to secure the Service, prevent abuse, troubleshoot errors, maintain audit logs, improve reliability, and understand whether core product workflows are functioning.
- Consent: where we ask for optional permission, such as optional integrations or any future non-essential analytics or marketing.
- Legal obligations: where processing is necessary to comply with applicable law.
How We Share Your Information
We do not sell your personal information. We share information only in the following circumstances:
- Service providers: We use third-party services to operate ChalkSurf, including Supabase (database, authentication, and file storage), Cloudflare (hosting, CDN, and security), LLM API providers such as OpenRouter, Mistral, and underlying model providers (AI features), Google APIs when you choose to use Google Drive integrations, and Slack for feedback or operational notifications. These providers process data only as needed to provide their services to us or to you.
- Public content: Exercises and materials you choose to make public will be visible to other ChalkSurf users.
- Legal requirements: We may disclose information if required by law or in response to valid legal process.
Data Storage and Security
Your data is stored in Supabase-managed databases with row-level security policies. Uploaded files (such as exercise figures) are stored in Supabase Storage. We use HTTPS encryption for all data in transit and follow reasonable security practices to protect your data at rest. Access to production systems is limited to people who need it to operate, secure, or support the Service.
Data Retention
We retain your account and content data for as long as your account is active or as long as needed to provide the Service. If you request account deletion, we will delete or anonymize your personal data and private content within 30 days, except where retention is required by law, needed for security, needed to resolve disputes, or necessary to preserve content that other users or organizations are entitled to keep. Content you made public or shared with other users may persist in anonymized form after your account is deleted.
Security logs, audit records, backups, and operational records may be retained for a limited period after account deletion where necessary for security, legal compliance, or disaster recovery. When retained, we limit access and remove or anonymize personal identifiers where practical.
Your Rights
Subject to the limits and conditions in applicable law, you have the right to:
- Access your personal data and receive a copy of it
- Correct inaccurate information
- Request deletion of your personal data
- Restrict processing of your personal data
- Receive portable data that you provided to us, where GDPR portability applies
- Object to processing based on legitimate interests
- Withdraw consent where processing is based on consent
To exercise any of these rights, contact us at [email protected]. We may need to verify your identity before completing a request. We aim to respond within one month. If a request is complex or you make multiple requests, we may extend the response period as allowed by law and will tell you within the first month.
You also have the right to lodge a complaint with the Hungarian National Authority for Data Protection and Freedom of Information (NAIH): https://www.naih.hu/.
Children's Privacy
ChalkSurf is designed for use by teachers and educators, not by children. We do not knowingly collect personal information from children under 16. If you believe a child has provided us with personal information, please contact us and we will delete it.
Unless you have the necessary authority and legal basis, you should not upload student personal data, student names, or identifiable student work to the Service.
International Data Transfers
ChalkSurf is operated from Hungary. Some service providers may process data in countries outside the EEA. In those cases, we rely on appropriate safeguards such as data processing agreements, standard contractual clauses, adequacy decisions, and other transfer mechanisms recognized by applicable data protection law.
Cookies and Similar Technologies
ChalkSurf uses browser storage that is necessary to provide the Service, such as authentication state, selected organization state, local drafts, and display preferences. We do not currently use non-essential analytics, advertising, or cross-site tracking cookies. If we introduce optional analytics or marketing technologies in the future, we will update this policy and request consent where required.
Third-Party Services
The Service integrates with the following third-party services, each governed by their own privacy policies:
- Supabase - database, authentication, and file storage
- Cloudflare - hosting, CDN, and DDoS protection
- OpenRouter, Mistral, and other LLM API providers - AI-powered content processing
- Google APIs - optional Google Drive integrations you choose to use
- Slack - feedback, support, and operational notifications
Changes to This Policy
We may update this Privacy Policy from time to time. We will notify you of material changes by posting the updated policy on the Service and updating the "Last updated" date.
Contact Us
If you have questions about this Privacy Policy or your data, please contact us at:
Email: [email protected]
Supervisory authority: Hungarian National Authority for Data Protection and Freedom of Information (NAIH), https://www.naih.hu/.