VivaCoachPrep — Privacy Policy

Effective date: June 21, 2026
Data controller / operator: Bidun Group LLC, a Georgia limited liability company (referred to as "I" or "me" in this policy). Contact: Mike Bidun, mbidun@gmail.com
Service: VivaCoachPrep, at vivacoachprep.com

Your thesis is likely unpublished research. I treat it as highly confidential. This policy explains exactly what is collected, where it goes, and the commitments I make about it.

1. What I collect

• Account data: your email address (used for passwordless login codes) and basic profile info you provide.
• Thesis content: the PDF you upload, the text extracted from it, and the structured data the app derives (research questions, claims, the preparation grid).
• Practice data: your practice sessions — questions, your answers, AI scores, and your notes/flags.
• Usage & engagement data: which features and pages you use, how far you get in a session, and counts/timestamps of your activity — so I can see what's working and improve VivaCoach. This is behavioural metadata, not the content of your thesis or answers, and is never sold or used for advertising.
• Feedback submissions: if you use the built-in feedback widget, your comment plus a snapshot of the page state and relevant error logs, so I can reproduce and fix the issue.
• Operational data: timestamps, version info, and basic logs needed to run and debug the service. No advertising trackers.

2. Where it lives and how it's protected

Data is stored with Supabase (Postgres database + file storage) in the US East region. Protections:

• Per-user row-level security: the database itself is configured to refuse to return one user's rows to another user — this is enforced at the database layer, not just in app code.
• Thesis files are encrypted at rest.
• Access requires your account; logins use one-time email codes (no passwords to leak).

3. AI processing

To generate questions and score answers, your thesis text and practice answers are sent to our AI provider (Anthropic's Claude API). They are processed under commercial terms that prohibit using your inputs or the outputs to train AI models. AI processing happens only to deliver the features you're using.

4. Four commitments

These are firm, not aspirational:

1. Your thesis content is never used to train AI models. Not by me, and not by the AI provider under the terms we operate on.
2. No real session data in research without your opt-in. I will not use your actual practice sessions in internal evaluations, calibration, or research unless you explicitly opt in, per session, via the in-app checkbox. No opt-in, no use — full stop.
3. Right to delete. You can delete your full account and your personal data — thesis, sessions, answers, notes — either in-app (Account settings) or by emailing me. Deletion is real removal of your content, not just hiding. Two things are retained: (a) a minimal deletion record — your email, the date, confirmation it completed, and (if you tell us) why you left — kept only to confirm the deletion and handle support or a future re-invite; it contains no thesis content; and (b) aggregate, de-identified usage statistics — counts and trends with your identity stripped out, which can't be linked back to you, kept to understand how the product is used.
4. Feedback is for product improvement only. Feedback widget submissions (including page snapshots and error logs, which may contain fragments of your thesis or answers) are stored to diagnose and fix issues, and are readable only by me and the tools I use to triage them — never by other testers.

5. Email

Transactional only: login codes and essential service notices (e.g., a material change to these terms or a planned shutdown), sent via Resend from a bidun.com address. No marketing email, ever. I won't sell or share your email address.

6. Who else sees your data

Only the service providers needed to run the app, each bound by their own commercial terms:

• Supabase — database, file storage, and authentication
• Anthropic — AI processing (no training use, per §3)
• Vercel — web hosting
• Resend — transactional email delivery

I do not sell your data, share it with advertisers, or give anyone else access. I would disclose data only if legally compelled, and would notify you unless prohibited.

7. How long I keep it

Your data is kept while your account is active. When you delete your account (or specific items in-app), your personal data is removed promptly, subject only to short-lived backups that expire on their own schedule. What remains is described in §4.3: the deletion audit record, and aggregate, de-identified usage statistics that can't be linked to you.

8. Your rights

Regardless of where you live, you can:

• Access / export a copy of your data — email me;
• Correct anything inaccurate;
• Delete your account and data (§4.3);
• Withdraw any per-session research opt-in for sessions not yet used.

If you're in a jurisdiction with formal data-protection rights (e.g., GDPR or a US state privacy law), those rights apply too — email me to exercise them. Note for non-US testers: your data is stored and processed in the United States.

9. Changes to this policy

If I change this policy in a way that matters, I'll email you at least 14 days before it takes effect. The four commitments in §4 will not be weakened without your fresh, explicit consent.

10. Contact

Mike Bidun — mbidun@gmail.com. I'm a sole developer; you're talking directly to the person who can actually fix things.