Privacy Policy

Last updated: February 1, 2026

At Deskmate, we take your privacy seriously. This policy explains how we collect, use, and protect your personal information when you use our platform.

1. Scope & Applicability

  • This Privacy Policy applies to all users of the Deskmate platform ("Service"), operated by Deskmate Inc. ("we," "us," or "our"). It covers data collected through our website at deskmate.ai, our web application, API endpoints, and any related services.
  • By accessing or using the Service, you acknowledge that you have read, understood, and agree to the practices described in this policy. If you do not agree, please discontinue use of the Service immediately.
  • This policy does not apply to third-party websites, products, or services linked from our platform, even if they carry the Deskmate brand or logo.

2. Information We Collect

  • Account Information: When you register, we collect your name, email address, school or institutional affiliation, role (e.g., teacher, administrator), and AP subject preferences.
  • Content Data: Educational materials you create, generate, or upload within Deskmate, including rubrics, worksheets, lesson plans, exams, and associated metadata such as course, unit, and knowledge tags.
  • Usage Data: Features accessed, documents generated, search queries, session duration, click patterns, and feature-level engagement metrics.
  • Device & Technical Data: IP address, browser type and version, operating system, device identifiers, screen resolution, time zone, and referring URLs.
  • Payment Information: When you subscribe to a paid plan, our payment processor (Stripe) collects billing details. We receive only the last four digits of your card number, card brand, and billing country. We never store full payment credentials.
  • Communications: Messages you send to our support team, feedback submissions, and survey responses.

3. How We Use Your Information

  • Service Delivery: To operate, maintain, and improve the Deskmate platform; to generate AI-powered educational content; and to provide customer support.
  • Personalization: To customize your experience, suggest relevant templates, and tailor AI outputs to your subject area and curriculum preferences.
  • Analytics & Improvement: To analyze aggregate usage patterns, identify product issues, measure feature adoption, and improve our AI models. Usage analytics are processed in aggregate form and are not used to profile individual users.
  • Communication: To send transactional emails (account verification, password reset, billing receipts), service announcements, and — with your opt-in consent — educational newsletters and product updates.
  • Security & Fraud Prevention: To detect, prevent, and respond to security incidents, unauthorized access, and fraudulent activity.
  • Legal Compliance: To comply with applicable laws, regulations, legal processes, or enforceable governmental requests.

4. Legal Bases for Processing (GDPR)

  • If you are located in the European Economic Area (EEA), United Kingdom, or Switzerland, we process your personal data under the following legal bases:
  • Contract Performance: Processing necessary to provide the Service you have requested (e.g., account creation, content generation, subscription management).
  • Legitimate Interests: Processing necessary for our legitimate business interests, such as product improvement, security, and fraud prevention, where such interests are not overridden by your rights.
  • Consent: Where you have given explicit consent, such as for marketing communications or optional analytics cookies. You may withdraw consent at any time.
  • Legal Obligation: Processing necessary to comply with legal requirements to which we are subject.

5. Data Sharing & Disclosure

  • We do not sell your personal data. We do not rent, trade, or otherwise monetize your information. We share data only in the following limited circumstances:
  • AI Model Providers: We transmit content to AI providers (Anthropic, OpenAI, Google) for content generation. This data is processed in real time and is not retained by these providers for model training. We maintain Data Processing Agreements (DPAs) with all AI subprocessors.
  • Infrastructure Providers: We use cloud hosting (Vercel, Supabase/AWS) to store and serve data. All providers maintain SOC 2 Type II certification or equivalent.
  • Payment Processor: Stripe processes payment transactions. Stripe's privacy policy governs the handling of your payment data.
  • Analytics: We use privacy-respecting analytics to understand product usage. Data is aggregated and anonymized before analysis.
  • Legal Requirements: We may disclose data if required by law, subpoena, court order, or governmental regulation, or if we believe disclosure is necessary to protect our rights, your safety, or the safety of others.
  • Business Transfer: In the event of a merger, acquisition, or sale of assets, user data may be transferred. We will notify you before your data becomes subject to a different privacy policy.

6. International Data Transfers

  • Deskmate is headquartered in the United States. If you access the Service from outside the U.S., your data will be transferred to and processed in the United States.
  • For users in the EEA, UK, or Switzerland: We rely on Standard Contractual Clauses (SCCs) approved by the European Commission, supplemented by additional technical and organizational measures, to ensure adequate protection for international transfers.
  • We conduct Transfer Impact Assessments as required and implement supplementary measures including encryption in transit and at rest, access controls, and contractual obligations with all subprocessors.

7. Data Retention

  • Active Accounts: We retain your data for as long as your account is active and as needed to provide you the Service.
  • After Deletion: When you delete your account, we remove or anonymize your personal data within 30 days, except where retention is required by law (e.g., billing records retained for tax compliance for up to 7 years).
  • Content Data: Educational content you create is deleted upon account deletion. Exported copies remain your responsibility.
  • Usage Logs: Aggregated, anonymized usage data may be retained indefinitely for product analytics. This data cannot be linked back to individual users.
  • Backups: Encrypted database backups are rotated on a 90-day cycle. Data deleted from production systems is purged from backups within this window.

8. Data Security

  • We implement industry-standard technical and organizational measures to protect your data:
  • Encryption: All data is encrypted in transit using TLS 1.3 and at rest using AES-256 encryption.
  • Access Controls: Internal access to user data follows the principle of least privilege. Access is restricted to authorized personnel, requires multi-factor authentication, and is logged for audit purposes.
  • Infrastructure: Data is hosted in SOC 2 Type II certified facilities with physical security controls, redundant power, and network isolation.
  • Monitoring: We maintain real-time security monitoring, intrusion detection systems, and automated alerting for anomalous activity.
  • Testing: We conduct regular penetration testing, vulnerability assessments, and code security reviews.
  • Incident Response: We maintain a documented incident response plan. In the event of a data breach affecting your personal data, we will notify you and relevant supervisory authorities within 72 hours as required by applicable law.

9. Your Privacy Rights

  • Depending on your jurisdiction, you may have the following rights regarding your personal data:
  • Right of Access: Request a copy of the personal data we hold about you.
  • Right to Rectification: Request correction of inaccurate or incomplete personal data.
  • Right to Erasure ("Right to be Forgotten"): Request deletion of your personal data, subject to legal retention requirements.
  • Right to Data Portability: Receive your data in a structured, commonly used, machine-readable format (JSON or CSV).
  • Right to Restrict Processing: Request that we limit how we use your data in certain circumstances.
  • Right to Object: Object to processing based on legitimate interests, including profiling.
  • Right to Withdraw Consent: Where processing is based on consent, withdraw that consent at any time without affecting the lawfulness of prior processing.
  • Right to Non-Discrimination: We will not discriminate against you for exercising your privacy rights.
  • To exercise any of these rights, email privacy@deskmate.ai. We will respond within 30 days (or within the timeframe required by applicable law). We may need to verify your identity before processing your request.

10. Cookies & Tracking Technologies

  • We use cookies and similar technologies to operate the Service, remember your preferences, and understand how you interact with our platform.
  • Essential Cookies: Required for the Service to function (authentication, security, load balancing). These cannot be disabled.
  • Functional Cookies: Remember your preferences such as language selection and theme settings. Disabling these may affect your experience.
  • Analytics Cookies: Help us understand usage patterns. These are only set with your consent where required by law.
  • We do not use advertising cookies or third-party tracking pixels. We do not participate in cross-site behavioral advertising.
  • You can manage cookie preferences through your browser settings or, where applicable, through our cookie consent banner.

11. Third-Party Subprocessors

  • We engage the following categories of subprocessors to deliver the Service. All subprocessors are bound by Data Processing Agreements:
  • AI Providers: Anthropic (Claude), OpenAI (GPT), Google (Embedding) — content generation and semantic processing. Data is processed in real time and not retained for training.
  • Cloud Infrastructure: Vercel (hosting, edge compute), Supabase/AWS (database, storage) — SOC 2 Type II certified.
  • Payment Processing: Stripe — PCI DSS Level 1 compliant.
  • Email Delivery: Transactional email services for account notifications.
  • A complete, up-to-date list of subprocessors is available upon request at privacy@deskmate.ai.

12. Children's Privacy

  • Deskmate is designed for use by educators and educational professionals. The Service is not directed at individuals under the age of 13 (or the applicable age of digital consent in your jurisdiction).
  • We do not knowingly collect personal information from children. If we become aware that we have inadvertently collected data from a child, we will take immediate steps to delete such data.
  • Educators using Deskmate should not input personally identifiable student data into the platform. The Service is designed for curriculum and content generation, not student data management.
  • If you believe a child has provided us with personal information, please contact us at privacy@deskmate.ai.

13. California Privacy Rights (CCPA/CPRA)

  • If you are a California resident, you have additional rights under the California Consumer Privacy Act (CCPA) as amended by the California Privacy Rights Act (CPRA):
  • Right to Know: You may request disclosure of the categories and specific pieces of personal information we have collected, the sources of collection, the business purpose, and the categories of third parties with whom we share data.
  • Right to Delete: You may request deletion of your personal information, subject to certain exceptions.
  • Right to Opt-Out of Sale: We do not sell personal information. We do not share personal information for cross-context behavioral advertising.
  • Right to Non-Discrimination: We will not deny you goods or services, charge different prices, or provide a different quality of service for exercising your CCPA rights.
  • To submit a CCPA request, email privacy@deskmate.ai or use the "Manage Data" option in your account settings.

14. Changes to This Policy

  • We may update this Privacy Policy from time to time to reflect changes in our practices, legal requirements, or the Service itself.
  • Material Changes: For significant changes that affect how we handle your data, we will provide at least 30 days' advance notice via email and/or a prominent in-app notification before the changes take effect.
  • Non-Material Changes: Minor clarifications or formatting updates may be made without advance notice. The "Last updated" date at the top of this page will always reflect the most recent revision.
  • Continued use of the Service after the effective date of a revised policy constitutes your acceptance of the updated terms. If you disagree with the changes, you may close your account and request deletion of your data.

Contact Us

If you have any questions about this Privacy Policy or wish to exercise your privacy rights, please contact our Data Protection team:

Email: privacy@deskmate.ai

Deskmate Inc., San Francisco, CA, United States

Terms of ServiceRequest a DPARequest Data Export
Privacy Policy — Deskmate