Skip to main content
PolyPath LU
Grades, languages, and school direction

Privacy policy

Last updated: May 2026

Who we are

PolyPath LU is a Luxembourg student cockpit for grades and study planning, operated by CritHit Studio. This policy explains what personal data we process when you use the web app or native app, and your rights under EU law (including GDPR). PolyPath does not make official school promotion or orientation decisions.

Local-first by default

Unless you turn on optional PRO features, your grades, subjects, reflections, vocabulary, and settings are stored only in your browser or app on your device. We do not receive that content unless you export it, use PRO cloud save, create a share link, or use server-backed AI features.

Categories of data

  • School and profile data you enter: name, class, subjects, grades, goals, reflections, vocabulary, and import files you choose to process.
  • Technical data: app version, language, theme, a random device identifier sent with API calls, and basic usage needed to run the service.
  • Account data (PRO, optional): email address, subscription status via Stripe, and session identifiers.
  • Cloud backup (PRO, optional): a JSON snapshot of your local app data stored on our server when you enable cloud save.
  • Share links (PRO, optional): a reduced snapshot (e.g. first name, class, subject averages) that you choose to publish; optional PIN is stored as a hash, not plain text.

Sign-in and sessions

PRO sign-in uses a magic link sent to your email (processed by our email provider). Links expire after a short time. When you open the link, we set a signed session cookie so the app knows your account. If you sign in from an installed app while another window is waiting, we use short-lived server records only to complete sign-in in the right place — not for marketing.

PRO cloud save

When you are signed in and use cloud save, we store one backup per account on Cloudflare infrastructure (EU/US depending on configuration). If two devices edit offline, the newer timestamp wins when syncing. You can delete cloud data from Settings. Local data on your device remains under your control.

View-only share links

Share links are optional and under your control. They intentionally exclude individual grades, reflections, and homework unless you put that information in fields we do not expose. Anyone with the link (and PIN if set) can view the shared snapshot until expiry or revocation.

AI features

Some PRO tools send text or bulletin photos to our API on Cloudflare Workers, which may call third-party AI models to produce explanations or scans. Do not submit more personal data than necessary. Free-tier limits and monthly quotas apply when billing is enabled.

Payments

PRO subscriptions are processed by Stripe. We receive your email, Stripe customer and subscription identifiers, and payment status — not your full card number. Manage or cancel your subscription through the Stripe customer portal linked from Settings.

Service providers

We use trusted processors to run PolyPath: Cloudflare (hosting, database, Workers AI), Stripe (payments), and Resend (sign-in emails). They process data only on our instructions and under their own terms and privacy policies.

How long we keep data

Local data stays until you delete it or clear browser storage. Magic-link and handoff tokens expire within minutes. Cloud backups and share links persist until you delete or revoke them, or until a share link reaches its expiry date. Subscription records are kept as long as needed for billing and legal obligations.

Your rights

Depending on applicable law, you may request access, correction, deletion, restriction, or portability of personal data we hold about you, and object to certain processing. To exercise these rights, contact us at the email below. You may also lodge a complaint with the CNPD in Luxembourg or your local supervisory authority.

Students under 16

PolyPath is aimed at secondary students in Luxembourg. If you are under 16, a parent or guardian should review this policy and, where required by law, give consent before you sign in, subscribe to PRO, or use cloud save or share links.

Security

We use HTTPS, signed sessions, and access controls on server data. No system is perfectly secure — keep exports private and use a device you trust.

Changes to this policy

We may update this policy when features or law change. The “last updated” date at the top will change. Continued use after an update means you accept the revised policy where permitted by law.

Contact

Data controller: CritHit Studio (PolyPath LU). Privacy questions and requests: support@crithitstudio.com.

Settings