← Back to Bas Udrus

Privacy Policy

Last updated: 22 April 2026. If any term confuses you, email basudrusjo@gmail.com and we'll translate in plain English or Arabic.

The short version: We collect the minimum needed to match you with study partners, show your profile, deliver your messages, and keep the platform safe. We never sell your data. We never train AI models on your messages. You can delete your account and all associated data any time.

1. Who we are (the "data controller")

Bas Udrus operates from Amman, Jordan. The data controller for EU/UK residents is the service's sole operator. Contact: basudrusjo@gmail.com.

2. What data we collect

Category	Specific fields	Why we need it
Account	Email, display name, encrypted password (for email signup), or Google OAuth identifier	Authentication, account security, password reset
Profile	University, major, year of study, courses, bio, meeting preference, avatar photo	Matching you with compatible study partners
Content you create	Help-request posts, study-room details, chat messages (text, voice recordings, images, files), AI prompts	Delivering your content to the intended recipient or AI model
Social graph	Connections (who you matched with), group-room memberships, ratings you give	Delivering the core product: finding and keeping study partners
Usage telemetry	Event logs: sign-ups, posts created, messages sent (counts, not content), AI calls, tab opens, clicks, realtime session length	Debugging, analytics, product improvement
Technical	IP address, browser user-agent, device type, approximate location derived from IP (country/region), error logs	Abuse prevention, debugging, geo-based feature flags
Billing (Pro only)	Paddle processes this; we receive only the subscription status + customer ID — no card details reach our servers	Subscription management

Data we explicitly do NOT collect

Your academic transcript, grades, or GPA.
Your phone number, national ID, or government-issued document numbers.
Your health data. Noor is a study-motivation companion — it discusses academic stress, study habits, exam anxiety, and motivation. It is not a medical or therapeutic service. We do not infer, store, or process mental-health diagnoses, and we never share Noor conversations with any third party for purposes beyond the immediate AI response.
Your precise geolocation. IP-based country/region only.
Browsing data outside basudrus.com. No third-party tracking pixels. No Google Analytics.

3. Legal basis for processing (GDPR Art. 6)

Contract — for account, profile, messages, matching, AI features: we can't deliver the service without processing this.
Consent — for your avatar photo, optional bio, and marketing emails (if any in future). Withdraw at any time.
Legitimate interest — for abuse prevention, security logs, basic product analytics. Balanced against your privacy, and you can object (see §7).
Legal obligation — for responding to valid court orders or tax records (billing).

4. Who we share data with

We use third-party processors to actually run the service. We've vetted each for data-protection practices. Here's the complete list — no one else.

Processor	What they do	Where they process
Supabase	Database, authentication, file storage (avatars, voice clips, images), realtime messaging	AWS Asia-Pacific (Tokyo, Japan)
Vercel	Website hosting, edge functions (the serverless layer)	Global CDN, compute regions in USA & EU
Anthropic (Claude)	AI tutor, study-motivation, matching, and study-planner responses	USA. Zero-retention contract — prompts not used for model training.
Google (OAuth)	Optional sign-in with Google account	USA. Only receives basic profile fields you already agreed to share with Google.
Resend	Transactional emails (password reset, message notifications)	USA. Each email contains the minimum data needed.
Cloudflare	DNS, DDoS protection, CDN in front of basudrus.com	Global edge network
Paddle (Pro users only)	Payment processing, tax collection, invoicing. Paddle is the Merchant of Record — they're the seller on your card statement.	UK/EU-based. See Paddle's privacy policy.

We never sell your personal data, never share it with advertisers, and never license it to AI companies for training.

5. International data transfers

Your data is stored primarily in AWS Asia-Pacific (Tokyo, Japan) via Supabase. Some processing happens in the US and EU via our other processors. For EU/UK residents, transfers outside the EU/UK rely on Standard Contractual Clauses (SCCs) with our processors.

6. How long we keep data

Account + profile: as long as your account is active.
Messages: kept until you delete them or delete your account. No auto-expiration.
Voice clips & images: stored in Supabase Storage. Deleted on request or when you delete your account.
AI prompt logs (ours): metadata only (endpoint + user + timestamp). Content of the prompt is not retained after the response is streamed. Metadata kept 12 months for rate-limit and abuse-detection purposes.
Security & error logs: 90 days, then automatically purged.
Billing records (Pro): 7 years (legal requirement for tax records).
Deleted accounts: your personal data is hard-deleted within 30 days of your delete request. Billing records retained under the legal requirement above are pseudonymized.

7. Your rights (GDPR, Jordanian Personal Data Protection Law)

Regardless of where you live, you have the right to:

Access — request a copy of the data we hold about you.
Rectification — correct any data that's wrong. Most is editable directly in Profile.
Deletion (right to be forgotten) — delete your account; we hard-delete your data within 30 days.
Portability — export your messages, posts, and profile in a machine-readable format (JSON).
Restriction / Objection — ask us to stop specific processing (e.g. analytics) while keeping your account.
Withdraw consent — for optional processing like your avatar photo.
Complain — to your local data-protection authority. EU: the authority in your country of residence. UK: ICO. Jordan: the Personal Data Protection Unit at the Ministry of Digital Economy & Entrepreneurship.

Exercise any of these by emailing basudrusjo@gmail.com. We respond within 30 days (usually within 7).

8. Cookies & tracking

We use the minimum browser storage needed to keep you signed in:

Session cookies & localStorage — authentication token, dark-mode preference, language preference, unread message counters. Strictly necessary for the service to work. Not used for tracking.
No ad networks, no Google Analytics, no Facebook Pixel, no cross-site trackers. Bas Udrus is not in the surveillance-advertising business.
Vercel Web Analytics — aggregated page-view counts. First-party, no cross-site data, no personal identifiers sent.

Because we only use strictly-necessary cookies and first-party aggregate analytics, a cookie banner is not required under EU law. You can disable cookies in your browser settings, but the service will not work without session storage.

9. Children

Bas Udrus is intended for university students. We do not knowingly collect data from anyone under 16. If you believe a child under 16 has created an account, email us and we'll delete it.

10. Security

We implement industry-standard protections: HTTPS/TLS everywhere, hashed passwords, Row-Level Security on all database tables (users can only read their own data), rate-limiting on abuse-prone endpoints, stored-XSS hardening on user-uploaded URLs, audit logging, and regular security reviews. No system is perfectly secure; in the event of a breach affecting your personal data we notify you within 72 hours of becoming aware, as required by GDPR.

To report a security vulnerability: basudrusjo@gmail.com. We welcome responsible disclosure and will credit researchers publicly on request.

11. AI processing specifics

When you chat with Ustaz, Noor, or use the planner/match features, your prompt is sent to Anthropic's Claude API. Anthropic operates under a zero-retention contract: they do not store prompts beyond the immediate response and do not use them to train models. We do not send Anthropic your university, your name, or your email — only the content of your current chat. See Anthropic's Privacy Policy for their side.

12. Changes to this policy

Material changes are announced by email at least 14 days before taking effect. The "Last updated" date at the top of this page reflects the latest revision. Continued use after the effective date means you accept the updated policy. If you disagree, delete your account.

13. Contact

Privacy questions, data requests, security issues: basudrusjo@gmail.com.