1. Data Controller
Sognora (“we”, “us”, or “our”) is the data controller for personal information collected through PuanAI. If you have any questions about how we process your data, contact us at shin@sognoragroup.com.
2. Data We Collect
We collect the following categories of personal data:
- Account information: Email address and authentication provider (Google, Apple, or Facebook OAuth)
- Profile and preferences: Target band score, exam date, target country, and study pace settings
- Usage data: Essay text submitted for scoring, voice recordings from speaking practice sessions, AI-generated scores and feedback, submission history, and per-user identifier (user_id) associated with learning events
- Technical data: IP address (for security, rate-limiting, and regional routing), browser and device type, approximate location (country-level) inferred from IP, access timestamps, referrer URL, and session identifiers
- Cookies and similar technologies: Session authentication cookies (essential), analytics cookies (Google Analytics `_ga`, `_gid`; Microsoft Clarity `_clck`, `_clsk`), and marketing/ad-measurement cookies (Google Ads). A consent record cookie (`puanai_cookie_consent`) stores your category choices. Vercel Web Analytics is cookie-less and is loaded only after analytics consent.
- Payment data: Transaction records, amount, currency, and billing country (processed by Dodo Payments; we do not store card details or CVV)
3. How We Use Your Data
We use your data to:
- Provide and operate the AI scoring and feedback service
- Personalize your learning experience and track progress
- Process payments and manage your credit balance
- Send transactional emails (e.g., purchase receipts)
- Improve service quality through aggregated, anonymized analytics
4. Third-Party Services and Processors
We rely on the processors and services below. Each is engaged only for the purpose listed and operates under appropriate data processing agreements or standard contractual clauses (SCCs) for international transfers.
- Anthropic (Claude API): AI essay and speaking analysis. Essay text and transcripts are transmitted for scoring. Anthropic does not use API inputs to train its models per its API terms. Region: US.
- Dodo Payments: Payment processing. Card data is collected and stored directly by Dodo Payments; we only receive transaction metadata. Region: varies by card network.
- Google Analytics 4 (Google Ireland Ltd.): Aggregate usage analytics. Loaded only after analytics consent. IP addresses are anonymized and ad-personalization signals are disabled unless marketing consent is granted. Region: EU/US (SCCs).
- Google Ads (Google Ireland Ltd.): Conversion measurement and optional ad personalization. Loaded only after marketing consent. Region: EU/US (SCCs).
- Google AdSense (Google Ireland Ltd.): Contextual ads (only if enabled on your region’s build). Loaded only after marketing consent.
- Microsoft Clarity (Microsoft Corp.): Aggregated behavior analytics and heatmaps. Loaded only after analytics consent. Region: US.
- Vercel Web Analytics (Vercel Inc.): Cookie-less, aggregated page-view analytics. Loaded only after analytics consent. Region: global Vercel infrastructure.
- Google OAuth / Apple ID / Meta Login: Authentication providers. Only the email, provider-specific user ID, and display name are received.
- Amazon CloudFront (CDN): Static asset delivery (images, fonts, scripts). Receives IP address and User-Agent header solely to serve content. Region: global edge network.
We do not sell your personal data to third parties. A copy of the data processing agreement (DPA) for any of the above processors is available on request.
5. Data Retention
- Account and submission data: Retained while your account is active. Anonymized or deleted within 30 days of an account deletion request.
- Server logs (IP, User-Agent, endpoint): 90 days, used for security, abuse prevention, and debugging. Deleted or truncated thereafter.
- Analytics (Google Analytics, Microsoft Clarity, Vercel Web Analytics):Up to 14 months at the default GA4 retention setting; Microsoft Clarity sessions up to 1 year; Vercel Web Analytics reports are retained according to the active Vercel plan and account settings.
- Payment records: Retained as required by applicable tax and accounting law (typically 5–10 years).
- Aggregated, anonymized data: May be retained indefinitely. It no longer identifies you and falls outside GDPR personal-data scope.
6. Your Rights
You have the right to:
- Access: Request a copy of the personal data we hold about you
- Correction: Request correction of inaccurate personal data
- Deletion: Request deletion of your personal data (right to be forgotten)
- Portability: Request your data in a portable format
- Objection: Object to certain types of processing
To exercise any of these rights, contact us at shin@sognoragroup.com. We will respond within 30 days.
7. Rights for Turkish Users (KVKK)
If you are located in Turkey, you have additional rights under the Law on Protection of Personal Data (KVKK No. 6698). These include the right to learn whether your personal data has been processed, to request information about processing, to learn the purpose of processing and whether data is used in accordance with that purpose, and to request correction, deletion, or destruction of your data. To exercise your KVKK rights, contact us at shin@sognoragroup.com.
8. Security
We implement industry-standard security measures including encrypted data transmission (TLS), secure authentication, and access controls to protect your personal data. However, no internet transmission is completely secure and we cannot guarantee absolute security.
9. Children’s Privacy
PuanAI is not directed at children under the age of 13. We do not knowingly collect personal data from children under 13. If you are between 13 and 18, you must have parental or guardian consent to use the Service. If you believe we have inadvertently collected data from a minor, please contact us immediately.
10. Changes to This Policy
We may update this Privacy Policy from time to time. We will notify you of material changes by posting the updated policy and updating the date above. Your continued use of the Service after changes constitutes acceptance of the revised policy.
