Privacy Policy

Last update: April 29, 2026

1. Data controller

The data controller is Soltea, based in Italy. For any privacy-related requests, please write to privacy@edukite.it.

2. Data collected

EduKite collects the following data:

  • Google authentication data: name, email address and profile picture, obtained via Google OAuth 2.0 at login.
  • Billing data: name, surname, company name, VAT number, tax code, address, SDI/PEC code, entered voluntarily by the user for electronic invoicing.
  • Usage data: logs of operations performed (OCR, audio generation, map generation, image generation) with related costs, for credit tracking purposes.
  • Uploaded content: images with text, PDF and DOCX documents uploaded by the user for processing. This content is used exclusively to provide the service.

3. Purpose of processing

Personal data is processed for the following purposes:

  • User authentication and identification.
  • Service delivery: processing uploaded content to generate summaries, audio and concept maps.
  • Credit and billing management.
  • Service improvement via aggregate and anonymized analysis (Google Analytics 4, with consent — see section 7).
  • Measuring the effectiveness of our advertising campaigns on Google Ads and optimizing ad spend, only with explicit marketing consent (see section 7).

4. Data retention

Content uploaded by the user (images, documents) is not permanently stored. It is processed to generate learning materials and can be deleted by the user at any time.

Account data and generated lessons are retained until the user deletes their account or for a maximum period of 24 months from the last login.

5. Third-party services

EduKite uses the following third-party services to deliver the service:

  • Google OAuth 2.0: for user authentication.
  • OpenAI API: for text processing, audio generation (text-to-speech) and image generation. Content sent to OpenAI is subject to OpenAI's privacy policy.
  • Stripe: for payment processing. Payment data is managed directly by Stripe and is not stored on our servers.
  • Google Analytics 4: for aggregate usage analysis. Active only after explicit user consent via the cookie banner. IP anonymized. Data retained for 14 months. Subject to Google's privacy policy.
  • Google Ads: for measuring advertising campaign effectiveness and attributing conversions to ad clicks. Active only with explicit marketing consent via the cookie banner. Without such consent, only aggregate statistical data (modeled conversions) may be collected. Subject to Google's privacy policy.

6. User rights

In accordance with the GDPR (EU Regulation 2016/679), the user has the right to:

  • Access their personal data.
  • Request rectification or deletion of data.
  • Object to processing or request its restriction.
  • Request data portability.
  • Withdraw consent at any time.
  • Revoke analytics and marketing consent at any time via the "Cookie preferences" link in the footer, without affecting the lawfulness of processing prior to revocation.

To exercise these rights, write to privacy@edukite.it.

7. Cookies and tracking technologies

EduKite uses three categories of cookies:

Technical cookies (always on)

Required for the service to function. No consent needed (legal basis: legitimate interest, GDPR art. 6.1.f). These include:

  • Authentication token (JWT session)
  • Language preference (i18n_lang)
  • Cookie choice (edukite_consent, 180-day duration)

Analytics cookies (optional, with consent)

Google Analytics 4 collects aggregate usage data (pages viewed, common actions, device) to help us improve the service. Active only after explicit consent via the cookie banner. You can revoke consent at any time via the "Cookie preferences" link in the footer.

Privacy measures applied:

  • IP anonymized before geolocation
  • Google Consent Mode v2 active
  • Data retained for 14 months, then automatically deleted

Marketing cookies (optional, with consent)

Google Ads lets us measure the effectiveness of our advertising campaigns on search engines and YouTube, attributing conversions (sign-ups, purchases) to ad clicks. Active only after explicit consent via the cookie banner. You can revoke consent at any time via the "Cookie preferences" link in the footer.

Cookies and identifiers used:

  • _gcl_au, _gcl_aw, _gcl_dc: ad click identifiers (gclid) for Google Ads attribution
  • NID, IDE (Google): ad personalization and remarketing preferences
  • Google Signals enabled for cross-device conversion attribution
  • Ad personalization enabled (remarketing)

Without marketing consent, Google Ads receives only aggregate statistical and modeled data (Consent Mode v2 advanced), with no individual user identifiers.

We do not use social network pixels or third-party trackers other than those listed above.

8. Security

We adopt adequate technical and organizational security measures to protect personal data from unauthorized access, loss or destruction. Communications use the HTTPS protocol. Authentication data is managed via JWT tokens.