Privacy Policy

2. Information We Collect

2.1 Information You Provide Directly

2.2 Information Collected Automatically

We do not collect or process sensitive personal information (health data, biometric data, genetic data, political opinions, religious beliefs, trade union membership, sexual orientation) unless you explicitly and knowingly provide it in teaching content in violation of Section 11 of our Terms of Service. We do not intentionally collect such data and request that you refrain from submitting it.

3. Legal Basis for Processing (GDPR & Similar Laws)

If you are located in the European Economic Area (EEA), Switzerland, the United Kingdom, or other jurisdictions with similar data protection laws, our processing of your personal data is based on the following legal grounds:

You have the right to withdraw consent at any time where processing is based on consent. Withdrawal does not affect the lawfulness of processing based on consent before its withdrawal.

4. How We Use Your Information

We use the information we collect for the following purposes:

• Providing the Service. Operating the Socrates teaching engine, processing your learning sessions, managing your account and subscription, and routing API requests to your chosen LLM provider.
• Improving the Service. Analyzing usage patterns, identifying common errors, optimizing teaching algorithms, and enhancing the user experience.
• Security & Compliance. Detecting and preventing abuse, fraud, or Terms of Service violations; responding to legal requests; maintaining system integrity.
• Communication. Sending service-related notices (billing reminders, service changes, security alerts); sending product updates and promotional content (with opt-out option); responding to support inquiries.
• Personalization. Tailoring teaching content, suggesting learning paths, and adapting difficulty levels based on your progress and preferences.
• Aggregate Analytics. Creating aggregated, anonymized statistical data for product planning and reporting. This data cannot identify you individually.

5. API Key Handling & Security

Your LLM provider API keys are among the most sensitive data we process. We handle them as follows:

• Encryption at Rest. All API keys are encrypted using AES-256 encryption before being stored in our database. Encryption keys are stored separately from the data.
• Encryption in Transit. API keys are transmitted exclusively over TLS 1.3 encrypted connections.
• Limited Use. Keys are used solely to authenticate API requests to the LLM provider you have configured. We do not inspect, log, or store the content of API keys beyond authentication.
• Access Control. Access to decrypted API keys is restricted to a small set of engineering personnel through role-based access controls and is logged and audited.
• No Model Training. We never use your API keys or the data transmitted through them to train, fine-tune, or improve our own AI models.
• Deletion. When you delete your account, all stored API keys are permanently deleted within 30 days. You may also revoke or update keys at any time through account settings.
• No Sharing. We do not sell, rent, or share your API keys with any third party except as required by law.

6. Cookies & Similar Technologies

We use cookies and similar tracking technologies to operate and improve the Service. Here is how we use them:

You can control cookies through your browser settings. Blocking essential cookies will prevent the Service from functioning. We do not use third-party advertising cookies, cross-site tracking, or behavioral advertising trackers.

When required by applicable law, we display a cookie consent banner and obtain your affirmative consent before placing non-essential cookies on your device.

7. Data Sharing & Third-Party Disclosure

We do not sell your personal information. We share your data only in the following limited circumstances:

We require all third-party service providers to enter into data processing agreements that contractually obligate them to protect your data and use it only for the specified purposes. We vet providers for security and compliance before engagement.

8. Data Storage, Transfer & Security

Storage Location. Your data is stored on secure servers located in China and/or other jurisdictions where we or our infrastructure providers maintain facilities. By using the Service, you consent to the transfer of your data to these locations.

Cross-Border Transfers. If we transfer your personal data from the EEA, UK, or Switzerland to countries not deemed adequate by the European Commission, we implement appropriate safeguards, including Standard Contractual Clauses (SCCs) approved by the European Commission, or equivalent mechanisms under applicable law.

Security Measures. We implement the following technical and organizational security measures:

• Encryption in transit: TLS 1.3 for all data transmitted to and from our servers.
• Encryption at rest: AES-256 for stored data, including API keys and personal information.
• Access control: Role-based access controls, multi-factor authentication, and least-privilege principles for all personnel with data access.
• Audit logging: All access to production data is logged and monitored for unauthorized activity.
• Regular security testing: Quarterly vulnerability scans and annual penetration tests by independent security firms.
• Employee training: Mandatory security and privacy training for all employees handling personal data.
• Incident response: Documented incident response plan for data security events.

While we implement these measures, no method of electronic storage or transmission is 100% secure. We cannot guarantee absolute security.

9. Data Retention

We retain your personal data only as long as necessary to fulfill the purposes described in this Policy, unless a longer retention period is required or permitted by law.

When retention periods expire, data is securely deleted or irreversibly anonymized. Deletion may take up to 30 days from our backup systems following the end of the retention period.

11. Children's Privacy

The Service is not directed at children under 13 years of age (or the equivalent minimum age in applicable jurisdictions). We do not knowingly collect personal information from children under 13.

If we learn that we have collected personal data from a child under 13 without verified parental consent, we will delete that information promptly. If you believe a child under 13 may have provided us with personal data, please contact us immediately at hello@topodrive.top.

In jurisdictions where a higher age of consent applies (e.g., 16 in certain EU member states), we comply with local age requirements and will seek parental consent where required.

12. AI Teaching Data & Automated Processing

Teaching Data Flow. When you use Socrates for a learning session, your conversation content, diagnostic answers, and knowledge graph data are sent to the LLM provider you have configured via your API key. This is necessary to generate educational responses. This processing is governed by the LLM provider's terms and privacy policy.

No Model Training. We do not use your session data, teaching content, or API keys to train, fine-tune, or improve our own AI models. Your data is used solely to deliver the teaching session you have requested.

Automated Decision-Making. Socrates uses algorithms to: (a) adapt teaching difficulty based on your diagnostic answers; (b) recommend learning paths; (c) identify knowledge gaps. These automated decisions are integral to the tutoring experience and do not produce legal effects concerning you. If you wish to contest an automated decision, contact us at hello@topodrive.top.

Human Review. We do not routinely review individual teaching sessions. Session data may be accessed by our team on a need-to-know basis for debugging, quality assurance, or responding to your support requests. Any such access is logged and audited.

Profiling. We do not engage in profiling for marketing or advertising purposes based on your teaching data.

13. Sensitive Personal Information

We do not request or require sensitive personal information (such as health data, biometric data, genetic data, political opinions, religious beliefs, trade union membership, sexual orientation, or criminal records) to provide the Service. You should not submit sensitive personal information through the Service.

If we become aware that sensitive personal information has been submitted in violation of this policy, we will delete it promptly. We are not liable for any consequences arising from your submission of sensitive personal information in violation of this Policy.

14. Data Security Incidents

In the event of a data security incident that compromises your personal data, we will:

• Notify you without undue delay (typically within 72 hours of becoming aware) via email and/or a notice on the Service.
• Provide a description of the nature of the breach, the categories and approximate number of data subjects and records concerned.
• Communicate the name and contact details of our Data Protection Officer or other contact point where more information can be obtained.
• Describe the likely consequences of the breach and the measures we have taken or propose to take to address it.
• Notify relevant supervisory authorities as required by applicable law.

We maintain a documented incident response plan and conduct regular tabletop exercises to ensure readiness. Security incidents are investigated by our security team, and lessons learned are incorporated into our security processes.

15. Data Protection Officer & Contact

We have appointed a Data Protection Officer (DPO) who is responsible for overseeing our compliance with data protection laws. If you have any questions about this Policy or our data practices, please contact:

Data Protection Officer
Topodrive
Xi'an, Shaanxi, China
Email: dpo@topodrive.top

For general privacy inquiries: hello@topodrive.top

We will acknowledge receipt of your inquiry within 5 business days and respond substantively within 30 days.

16. Changes to This Privacy Policy

We may update this Policy from time to time. When we make material changes, we will notify you by email (to the address associated with your account) and/or through a prominent notice on the Service at least 14 days before the changes take effect.

We encourage you to review this Policy periodically. The date of the most recent update is shown at the top of this page. Your continued use of the Service after the effective date constitutes acceptance of the updated Policy. If you do not agree, you may delete your account before the effective date.

For changes that require your consent under applicable law, we will obtain your affirmative consent before implementation.

17. Complaints & Supervisory Authorities

If you are located in the EEA, Switzerland, or the UK, you have the right to lodge a complaint with your local data protection supervisory authority if you believe our processing of your personal data violates applicable law. We encourage you to contact us first so we can attempt to resolve your concern informally.

Contact your local data protection authority through: https://edpb.europa.eu/about-edpb/about-edpb/members_en (for EU/EEA).

If you are in China, you may contact the Cyberspace Administration of China (CAC) or local equivalents in Shaanxi Province.

18. Specific Provisions for Chinese Users

For users in the People's Republic of China, the following additional provisions apply under the Personal Information Protection Law (PIPL):

• Personal Information Inventory. A complete inventory of the personal information we collect is available upon request by emailing hello@topodrive.top.
• Consent. We obtain separate, informed consent for the processing of sensitive personal information and for cross-border data transfers where required.
• Third-Party Sharing List. A detailed list of third parties with whom we share personal data is available on request.
• Data Impact Assessment. We conduct personal information protection impact assessments (PIPIAs) before engaging in high-risk processing activities as defined by PIPL.
• Automated Decision-Making. You have the right to request an explanation of automated decision-making methods and to refuse the use of automated decision-making for marketing or information推送.
• Deletion Requests. We will process deletion requests within 15 business days as required by PIPL.

19. Specific Provisions for California Users (CCPA/CPRA)

If you are a California resident, the California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA) provide you with additional rights:

• Right to Know. You may request disclosure of the categories and specific pieces of personal information we have collected about you, the categories of sources, the business purpose for collection, and the categories of third parties with whom we share data.
• Right to Delete. You may request deletion of personal information we have collected, subject to certain exceptions.
• Right to Opt-Out. We do not sell your personal information. We have no actual knowledge of selling personal information of minors under 16.
• Right to Non-Discrimination. We will not discriminate against you for exercising any of your CCPA/CPRA rights.
• Right to Correct. You may request correction of inaccurate personal information.
• Right to Limit Use of Sensitive Personal Information. We do not use sensitive personal information for purposes beyond those necessary to provide the Service.

To exercise your California rights, contact us at hello@topodrive.top or call +86 (029) [phone]. We will verify your identity through email verification before processing your request. We aim to respond within 45 days (extendable by an additional 45 days with notice).

20. Contact Information

If you have any questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us:

Email (General): hello@topodrive.top
Email (DPO): dpo@topodrive.top
Support: help@addtech.site
Address: Topodrive, Xi'an, Shaanxi, China