Legal · Oryx Edge LLC
Privacy Policy
What we collect, why we collect it, how we protect it, and how to exercise your rights. Applies to all visitors and users of the OryxLex platform.
Version 2.0 · Effective 2026-05-11
2.1 Information We Collect
Information You Provide Directly
- Identity: Full name, email address, phone number, mailing address.
- Authentication: Password (hashed), security questions, two-factor authentication settings.
- Billing: Credit card information (tokenized via Stripe), billing address, tax identification.
- Educational: Essays, practice answers, study notes, performance self-assessments.
- Communications: Customer support messages, feedback, survey responses.
- Preferences: Study schedule, target jurisdiction, exam date, notification settings.
Automatically Collected Data
- Device: IP address, browser type and version, operating system, device identifiers.
- Usage: Pages visited, features used, time spent, click patterns, search queries.
- Performance: Page load times, error logs, crash reports.
- Location: General geographic location derived from IP address (not precise geolocation).
- Cookies: Authentication tokens, preference settings, analytics identifiers.
Derived & AI-Generated Data
- Study performance metrics: accuracy rates, time-per-question, subject mastery scores;
- Weak subject area identification via algorithmic analysis of error patterns;
- Predicted readiness indicators from statistical modeling;
- Learning profile from adaptive algorithm outputs;
- AI interaction logs (prompts submitted and AI responses generated).
2.2 Legal Bases for Processing (GDPR)
| Basis | Application |
|---|---|
| Contract Performance | Providing the Service, processing payments, delivering AI feedback |
| Legitimate Interests | Fraud prevention, security, product improvement, analytics |
| Consent | Marketing communications, optional AI features, cookie placement |
| Legal Obligation | Tax compliance, regulatory reporting, legal process response |
Where we rely on consent, you may withdraw it at any time without affecting the lawfulness of processing based on consent before its withdrawal.
2.3 How We Use Data
- Service Provision: Authenticating accounts, delivering content, processing AI requests.
- Payment Processing: Billing, invoicing, fraud detection, subscription management.
- AI Feedback: Generating essay scores, explanations, and personalized recommendations.
- Personalization: Adapting study plans, content sequencing, and difficulty levels.
- Product Improvement: Training AI models, developing new features, conducting research.
- Security: Detecting unauthorized access, preventing abuse, enforcing Terms.
- Legal Compliance: Responding to legal process, fulfilling regulatory obligations.
- Marketing: Sending promotional communications (with consent only).
2.4 Sharing of Information
We do not sell personal information. We share data only with:
| Category | Examples | Purpose |
|---|---|---|
| Hosting & Infrastructure | Supabase, cloud providers | Data storage, authentication, service delivery |
| Payment Processors | Stripe, Inc. | Billing, subscription management |
| AI Vendors | OpenAI, Anthropic | Essay grading, tutoring, content generation |
| Analytics | Google Analytics, Mixpanel | Usage analysis, feature optimization |
| Professional Advisors | Legal counsel, auditors | Compliance, litigation, audits |
| Authorities | Courts, regulators | Legal process, law enforcement requests |
All third-party processors are bound by written data processing agreements requiring confidentiality, security safeguards, and processing limitations.
2.5 Data Retention
We retain personal data for as long as necessary to provide the Service, comply with legal obligations, resolve disputes, and protect against fraud.
Specific Retention Periods
- Account information: Duration of your account plus 7 years post-termination (legal compliance).
- User Content (essays, notes): Duration of your account; deleted upon request unless required for legal compliance.
- Billing records: 7 years (tax compliance).
- AI interaction logs: 2 years for model improvement and quality assurance.
- Analytics data: Indefinitely in aggregated, de-identified form.
2.6 Security Measures
- Encryption: TLS 1.3 in transit; AES-256 at rest.
- Access Controls: Role-based access following the principle of least privilege.
- Authentication: Multi-factor authentication for administrative access.
- Audit Logging: Comprehensive logging of data access and system changes.
- Vulnerability Management: Regular penetration testing and security assessments.
- Incident Response: Documented procedures with defined escalation paths.
- Backups: Encrypted, geographically distributed backups with tested recovery procedures.
No system can be guaranteed to be completely secure. You are responsible for maintaining the confidentiality of your account credentials.
2.7 Your Rights
Depending on your jurisdiction, you may have the right to:
- Access: Request a copy of the personal data we hold about you.
- Correction: Request correction of inaccurate or incomplete data.
- Deletion: Request deletion of your personal data (subject to legal retention requirements).
- Portability: Receive your data in a structured, machine-readable format.
- Objection: Object to processing based on legitimate interests or for direct marketing.
- Restriction: Request restriction of processing in certain circumstances.
- Withdraw Consent: Withdraw consent for processing based on consent.
- Non-Discrimination: Receive equal service regardless of exercising privacy rights.
To exercise these rights, contact privacy@oryxlex.com. We will respond within 30 days. We may verify your identity before fulfilling requests.
2.8 International Transfers
Your data may be transferred to and processed in the United States and other countries where our service providers operate.
For EU/UK users: we transfer personal data pursuant to Standard Contractual Clauses (SCCs) approved by the European Commission, with appropriate supplementary measures for sensitive data transfers.
2.9 Children's Privacy — COPPA & CCPA Minor Protections
The Service is not directed to children under 13, and we do not knowingly collect personal information from children under 13.
If you are under 13, do not use the Service or provide any personal information. If we learn we have collected personal information from a child under 13, we will delete that information promptly.
For users aged 13-16: We do not sell or share personal information for behavioral advertising without verifiable affirmative consent obtained through an age-appropriate mechanism.
2.10 Contact
- Email: privacy@oryxlex.com
- Data Protection Officer: dpo@oryxlex.com
- Response time: 30 days standard; 72 hours for data breach notifications.
2.11 Cookies & Similar Tracking Technologies
We use cookies and similar technologies (local storage, pixel tags, web beacons) for the following purposes:
| Category | Purpose | Duration |
|---|---|---|
| Strictly Necessary | Authentication, security, service functionality | Session / Persistent |
| Preferences | Language, study settings, display preferences | 1 year |
| Analytics | Usage patterns, feature popularity, error tracking | 2 years |
| Performance | Load balancing, response optimization | Session |
Consent Management
For users in the EU, UK, and California, we implement a consent banner requiring affirmative consent for non-essential cookies. We honor Global Privacy Control (GPC) signals and browser “Do Not Track” preferences where legally required.
Third-Party Cookies
Our analytics and payment processing partners may set cookies. These are governed by the respective third-party privacy policies (Stripe, Google, Mixpanel, etc.). You can adjust cookie preferences in your browser settings at any time; disabling strictly necessary cookies may impair core functionality.
2.12 California Privacy Notice (CCPA/CPRA)
Consumer Rights
California residents have the right to:
- Know: Request disclosure of personal information collected, sold, shared, or disclosed.
- Delete: Request deletion of your personal information (subject to legal exceptions).
- Correct: Request correction of inaccurate personal information.
- Opt-Out: Opt out of sale or sharing of personal information. We do not sell or share personal information for cross-context behavioral advertising.
- Limit Use of Sensitive PI: We use sensitive PI only as necessary to provide the Service.
- Non-Discrimination: Receive equal service and pricing regardless of exercising your rights.
Automated Decision-Making Technology (ADMT)
We use algorithmic systems for study personalization and predictive analytics. California residents may:
- Request information about the logic, purpose, and potential consequences of ADMT;
- Opt out of ADMT that produces legal or similarly significant effects (we do not currently use ADMT for such effects, but provide this right as required by 2026 regulations);
- Request human review of any ADMT-driven decision with significant effects.
Data Broker Disclosure
We do not sell personal information to data brokers. If we ever engage data brokers for analytics, we will disclose this and provide opt-out mechanisms.
Global Privacy Control (GPC)
We honor Global Privacy Control signals and treat them as valid opt-out requests for sale/sharing and ADMT.
California contact: privacy@oryxlex.com
Toll-free for California residents: 1-800-ORYX-LEX
2.13 GDPR Data Processing Addendum
Where Oryx Edge LLC processes personal data subject to Regulation (EU) 2016/679 (GDPR), this section forms our Data Processing Addendum. For institutional customers, this DPA forms part of our master service agreement.
Roles & Definitions
| Role | Entity | Responsibility |
|---|---|---|
| Data Controller | Oryx Edge LLC | Determines purposes and means of processing |
| Data Processor | Oryx Edge LLC (for subprocessors) | Processes data on behalf of Controller |
| Data Subject | User | Individual to whom personal data relates |
| Subprocessor | Third-party vendors | Processes data under Controller's instruction |
Subprocessors
| Subprocessor | Function | Location | SCCs in Place |
|---|---|---|---|
| Stripe, Inc. | Payment processing | USA | Yes |
| OpenAI, LLC | AI model hosting | USA | Yes |
| Anthropic, PBC | AI model hosting | USA | Yes |
| Supabase, Inc. | Database & authentication | USA | Yes |
We will notify you of changes to subprocessors with at least 30 days' advance notice. You may object to new subprocessors on reasonable grounds related to data protection.
Security Measures — Technical & Organizational
- Encryption of personal data in transit and at rest;
- Pseudonymization and anonymization where appropriate;
- Role-based access controls and least-privilege principles;
- Regular security assessments and penetration testing;
- Incident detection, reporting, and response procedures;
- Staff confidentiality agreements and security training;
- Physical security controls for data center infrastructure.
Breach Notification
In the event of a personal data breach, we will:
- Notify affected institutional Controllers without undue delay and in any case within 72 hours of becoming aware;
- Provide information about the nature of the breach, categories of data affected, likely consequences, and measures taken;
- Cooperate with supervisory authorities and data subjects as required by law.
Audit & Compliance
Institutional customers may request an audit of our compliance with this DPA once per year, or more frequently if required by a supervisory authority. Audits will be conducted at reasonable times with 30 days' notice, subject to confidentiality obligations. Contact: dpo@oryxlex.com.