Get Started

Legal

Privacy Policy

← Back

Last updated: May 2026

1. Who we are

LearnAI Studio is operated by Digital Creative Academy, the data controller for your personal data. In this policy, "we", "us", and "our" refer to Digital Creative Academy. We are committed to protecting your personal data in accordance with applicable data protection law, including the UK GDPR and the Data Protection Act 2018.

Contact: learning-support@digital-creative-academy.com

2. What data we collect

We collect the following personal data when you register and use the Service:

  • Account data: your display name, username, and email address
  • Authentication data: a securely hashed version of your password (we never store your password in plain text)
  • Content data: the source materials, microlearning content, and settings you create within the platform
  • Usage data: projects created, content generated, features used, and activity logs for security and service improvement
  • Payment data: processed securely by Stripe — we do not store card details
  • Technical data: browser type and device information used to deliver the Service

3. How we use your data

We use your personal data to:

  • Provide and maintain your account and the Service
  • Send transactional emails such as account verification and password reset codes
  • Enable collaboration features (e.g. sharing microlearning with teammates)
  • Improve the Service through aggregated, anonymised usage analysis

We do not sell your personal data to third parties and do not use it for advertising purposes.

4. Legal basis for processing (UK GDPR)

We process your personal data on the following legal bases:

  • Contract: processing necessary to provide the Service you signed up for (account management, content delivery, billing)
  • Legitimate interest: service security, fraud prevention, debugging, and aggregated usage analysis to improve the platform
  • Legal obligation: where we are required to retain records for tax, legal, or regulatory purposes

5. Data security

We take the security of your data seriously:

  • Passwords are hashed using bcrypt (cost factor 12) — your actual password is never stored or readable
  • Authentication tokens are signed JWTs with a 30-day expiry
  • Verification codes (OTPs) are hashed before storage and expire within 10 minutes
  • All data in transit is protected by HTTPS/TLS

6. Third-party processors

To provide the Service, we share data with the following processors:

  • OpenAI — for AI content generation and podcast audio. Your source content (text you upload or write) is sent to OpenAI's API for processing. No personal data (name, email, account details) is shared. OpenAI may retain API data for up to 30 days for abuse monitoring; it is not used to train OpenAI's models. See OpenAI's Privacy Policy
  • Perplexity — for research enrichment. Only topic-level queries are sent — no personal data is shared. See Perplexity's Privacy Policy
  • Pexels — for stock image sourcing. Image search terms only are sent — no personal data is shared
  • Stripe — for payment processing. We do not store your card details; all payment data is handled by Stripe directly. See Stripe's Privacy Policy
  • Render — our cloud hosting provider where your account data and content are stored
  • Cloudflare — for DNS, CDN, and DDoS protection; traffic to our service passes through Cloudflare's network

Each processor is bound by their own data processing terms. We recommend reviewing their privacy policies if you have concerns about specific data types.

7. Data retention

We retain your account data for as long as your account is active. When you delete your account, your personal data and all associated content is permanently deleted from our systems. Backups are purged within 30 days.

Our platform runs automated daily maintenance to manage content and protect storage. The following automated actions apply to your content:

  • Draft projects: Projects left in draft status for more than 90 days are automatically archived. Archived projects remain in your account but are no longer listed in your active workspace.
  • Deleted content (trash): Content you move to trash is permanently purged after 30 days with no recovery possible.
  • SCORM exports: We retain a maximum of 3 SCORM export files per project. Older exports beyond this limit are automatically removed.

These automated processes run daily at 2:00 AM UTC. They are designed to keep your workspace clean and comply with data minimisation requirements under UK GDPR.

8. Your rights

Under UK GDPR, you have the right to:

  • Access the personal data we hold about you
  • Correct inaccurate data
  • Request deletion of your data ("right to be forgotten")
  • Object to or restrict processing in certain circumstances
  • Data portability (receive your data in a machine-readable format)

To exercise any of these rights, contact us at learning-support@digital-creative-academy.com.

9. Cookies

We use an HttpOnly session cookie to maintain your login state securely. We do not use tracking cookies or third-party analytics cookies.

10. Changes to this policy

We may update this Privacy Policy from time to time. We will notify registered users of material changes by email. Continued use of the Service after changes constitutes acceptance.

11. Contact us

For privacy-related enquiries, please contact: learning-support@digital-creative-academy.com