Privacy Policy
Updated May 12, 2026
Summary
We sell access to an AI tool that generates course outlines. To run it, we need an account for you, payment processing for paid plans, and a connection to an AI model that turns your prompts into curricula. This policy explains exactly which third parties we use, what data each one sees, how long we keep it, and how you can read, export, or delete your data at any time.
We don't sell personal data. We don't run advertising pixels or track you across other websites. We don't use your inputs or generated courses to train AI models.
1. Who is responsible for your data
Syllabi (the “Service”) is jointly operated by Gianmarco Paglierani and Filippo Aglietti as natural persons (the “Operators”, “we”, “us”). The Operators act as joint controllers within the meaning of Article 26 GDPR for personal data processed in connection with the Service.
Contact for privacy matters: hello@syllabi.online. Please include “Privacy request” in the subject line so we can route it correctly.
A postal address is available to data subjects, supervisory authorities, and other persons with a legitimate interest on written request to the email above.
2. What we collect and why
Account data
When you create an account we collect your email address, a hashed password (or, if you sign in with Google, your Google account identifier and basic profile fields like name and avatar URL), and an optional display name and preferred interface language. Legal basis: performance of contract (Art. 6(1)(b) GDPR).
Course inputs and outputs
When you generate a course we process the topic, niche, audience level, length, and any other parameters you submit, plus the resulting AI-generated curriculum (titles, modules, lessons, quizzes, pacing schedules). These are stored against your account so you can re-export and edit them later. Legal basis: performance of contract.
Billing data
If you subscribe to a paid plan or buy a one-time pack, our payment processor (Stripe — see Section 3) handles your card details directly. We never see or store full card numbers. We do store the Stripe customer and subscription identifiers, your plan tier, the renewal date, and whether a cancellation is scheduled. Legal basis: performance of contract and compliance with tax/accounting obligations (Art. 6(1)(b) and (c)).
Service and security logs
Our hosting providers automatically record IP address, user agent, request path, and timestamps for each request, plus error traces when something fails. We use this only to keep the Service running, fix bugs, and detect abuse. Legal basis: legitimate interest in operating and securing the Service (Art. 6(1)(f)).
Direct communications
When you email us or use the contact form, we keep the message and your email address so we can reply and so we have a record if you raise the same issue again. Legal basis: legitimate interest in providing support.
What we do NOT collect
- We do not use Google Analytics, Facebook Pixel, or any cross-site advertising tracker.
- We use limited product/performance telemetry from our hosting provider to keep the Service reliable.
- We do not buy or sell data about you from data brokers.
- We do not use your inputs or generated courses to train AI models.
3. Sub-processors
We use the following third-party service providers (“sub-processors”) to operate Syllabi. Each one is contractually bound to process personal data only on our instructions and to maintain security measures appropriate to the data they handle.
| Provider | Purpose | Region |
|---|---|---|
| Supabase | Authentication, database, file storage for generated courses and exports | EU |
| Stripe | Payment processing, subscription management, invoice generation, billing portal | EU / US (SCCs) |
| Anthropic | AI inference (Claude model) — receives your course prompts to generate curricula | US (SCCs) |
| Vercel | Frontend and API hosting, limited product analytics, and performance monitoring | EU edge / US (SCCs) |
| Google Cloud Run | Background workers for long-running generations and exports | EU (europe-west8) |
| Inngest | Event-driven job orchestration for course generation and export pipelines | EU / US (SCCs) |
| Resend | Transactional email delivery, including support, welcome, course-ready, and subscription emails | EU / US (SCCs) |
| Upstash | Rate limiting and abuse prevention for generation endpoints | EU / US (SCCs) |
| Google (OAuth) | Sign-in with Google (only if you choose this method) | EU / US (SCCs) |
Anthropic note: Anthropic states that API inputs and outputs are not used to train models by default. Your prompts and generated curricula are processed to return a response, subject to Anthropic's current API data usage and retention terms.
International transfers: Where a sub-processor is based outside the European Economic Area, we rely on the European Commission's Standard Contractual Clauses (SCCs) and any applicable adequacy decisions. You can request a copy of the relevant transfer safeguards by emailing hello@syllabi.online.
4. How long we keep your data
- Account, profile, and generated courses: kept for as long as your account exists.
- After you delete your account: profile, courses, quiz attempts, and stored exports are deleted within 30 days; backups holding residual copies are overwritten on a rolling 35-day cycle.
- Invoices and tax records: retained for the legally required period (typically 10 years under Italian and EU tax law).
- Service logs: retained for up to 90 days, then deleted or aggregated.
- Support emails: retained for up to 2 years from the last reply.
5. Your rights
Under the GDPR and equivalent laws, you have the right to:
- Access the personal data we hold about you (Art. 15).
- Rectify inaccurate data — most of this you can edit directly in your profile (Art. 16).
- Erasure — delete your account and all associated data from the Account tab in your profile, or by emailing us (Art. 17).
- Portability — download a structured JSON archive of your profile, courses, and quiz attempts from the Account tab, or request one by email (Art. 20).
- Restrict processing in certain circumstances (Art. 18).
- Object to processing based on legitimate interest (Art. 21).
- Withdraw consent at any time where processing is based on consent.
- Lodge a complaint with a supervisory authority — typically the data protection authority in your country of residence.
To exercise any of these rights, email hello@syllabi.online. We will respond within one month.
6. Cookies
We use a small number of cookies — strictly necessary ones (Supabase authentication) and a preference cookie that records your cookie-banner choice. We do not use advertising or cross-site tracking cookies. Our hosting provider may collect limited cookieless analytics and performance telemetry. Full details are in our Cookie Policy.
7. Security
Data is encrypted in transit (HTTPS/TLS) and at rest at our hosting providers. Row-level security policies in Supabase scope access to your own data. Generated exports are stored in a private bucket only accessible with a short-lived signed URL bound to your account.
No system is perfectly secure. If we become aware of a personal data breach that is likely to result in a risk to your rights and freedoms, we will notify the relevant supervisory authority within 72 hours and, where required, notify affected users without undue delay.
8. Children
Syllabi is not directed at children. You must be at least 16 years old to use the Service (or the digital age of consent in your country if it is lower, in which case you must have parental or guardian consent). We do not knowingly collect personal data from children under that age; if you believe a child has provided us with personal data, contact hello@syllabi.online and we will delete it.
9. Automated decision-making
Syllabi uses AI to generate course curricula based on your inputs. This is not automated decision-making in the sense of Art. 22 GDPR — the output is content, not a decision that produces legal or similarly significant effects on you. You can edit, regenerate, or discard any output.
10. Changes to this policy
We may update this policy from time to time. When we make material changes, we will update the date at the top of this page and, for substantive changes, notify registered users by email at least 14 days before the change takes effect.
11. Contact
Privacy and support questions: hello@syllabi.online
A postal address is provided on written request to hello@syllabi.online.