Skip to main content
CEFRhub Logo

Privacy Policy

Last updated: 2026-03-10

Introduction

CEFR Hub AI ("we", "our", "us") is committed to protecting your privacy. This policy explains how we collect, use, and protect your personal information in accordance with the Personal Information Protection and Electronic Documents Act (PIPEDA), Quebec's Act respecting the protection of personal information in the private sector (Law 25), the General Data Protection Regulation (GDPR), and the Family Educational Rights and Privacy Act (FERPA) where applicable.

1. Data We Collect

We collect and process the following personal data:

  • 1
    Account Information: Email address, name (optional), password (encrypted)
  • 2
    Evaluation Results: Assigned CEFR levels, detailed analyses, personalized recommendations
  • 3
    Metadata: Evaluation title, evaluated language, evaluation type (oral/written), timestamp
  • 4
    Technical Data: IP address, browser type, device information

Data NOT Stored

Audio files submitted for oral evaluation and texts submitted for written evaluation are NOT stored on our servers. They are analyzed in real-time by our AI system and immediately deleted. Only results and analyses are retained.

2. How We Use Your Data

Your data is used to:

  • Provide CEFR language evaluation services
  • Generate personalized learning recommendations
  • Enable progress tracking
  • Improve our service quality
  • Send service updates (with your consent)
  • Ensure platform security

3. Legal Basis for Processing

We process your data on the following legal bases:

Consent: For sending audio/text evaluations to our AI system

Contract Performance: To provide the evaluation services you requested

Legitimate Interest: To improve our services and ensure security

Legal Obligation: To comply with applicable laws

Quebec's Law 25 (Act respecting the protection of personal information in the private sector)

CEFRhub Technologies Inc., a federally incorporated Canadian company, is committed to protecting the personal data of all its users in compliance with the strictest applicable data protection laws, including Quebec's Law 25 (fully in effect since September 2024). This includes:

  • Transparency regarding automated decisions: our AI-powered evaluations are clearly identified as automated processing, and you may request information about how the decision was made
  • Privacy by default: only strictly necessary personal data is collected, and privacy settings are set to their most protective level by default
  • PIA completed: CEFRhub has conducted a Privacy Impact Assessment (PIA / EFVP) in compliance with Quebec's Law 25 prior to deploying its AI analysis system. This document is available upon request for institutional clients.
  • A privacy officer has been designated to oversee compliance

FERPA (Family Educational Rights and Privacy Act)

When CEFR Hub AI is used by educational institutions in the United States, we comply with FERPA requirements:

  • We act as a 'school official' with a legitimate educational interest when processing student records on behalf of an institution
  • Assessment results and language proficiency data are treated as educational records
  • We do not disclose personally identifiable student information without proper consent or authorization
  • Parents and eligible students retain the right to access and request amendment of educational records

4. Data Storage and Security

All data is stored on secure servers located in Canada with enterprise-grade security:

  • Data encryption in transit (HTTPS/TLS)
  • Data encryption at rest
  • Access controls and enhanced authentication
  • Continuous security monitoring
  • Regular backups for disaster recovery

5. Data Sharing and Sub-processors

Your data is never sold to third parties. It is processed only by the following sub-processors, each bound by a Data Processing Agreement (DPA). Data at rest is hosted in Canada (Montréal, region northamerica-northeast1). Some sub-processors (Google Gemini API, Sentry, SendGrid, Stripe) are established in the United States; these transfers are governed by Standard Contractual Clauses (SCCs, Module 2) in accordance with GDPR Art. 46 and Law 25 Art. 17.

  • 1
    Google LLC — Firebase (servers in Canada): Hosting, database, and authentication. Certifications: ISO 27001, SOC 2 Type II. Firebase Privacy Policy.
  • 2
    Google Cloud - Gemini API: AI linguistic analysis of your submitted content. Data transmitted: linguistic content only (text or audio) — no identifying data (name, email) is transmitted. Retention: 0 days. Your content is never used to train AI models. Google Cloud DPA.
  • 3
    Stripe Inc.: Secure payment processing. Certifications: PCI DSS Level 1, SOC 2 Type II. Stripe Privacy Policy.
  • 4
    Sentry (Functional Software Inc.): Error and performance monitoring. Personal data is masked before transmission. Sentry Privacy Policy.
  • 5
    Twilio SendGrid: Transactional email delivery (account confirmation, notifications). Twilio Privacy Policy.

6. Your Rights (GDPR, PIPEDA, Law 25 & FERPA)

Depending on your jurisdiction and applicable legislation, you have the right to:

Access: Request a copy of your personal data (GDPR, PIPEDA, Law 25, FERPA)

Rectification: Correct inaccurate data (GDPR, PIPEDA, Law 25, FERPA)

Erasure: Request deletion of your data — "right to be forgotten" (GDPR, Law 25)

Portability: Export your data in a readable format (GDPR, Law 25)

Objection: Refuse processing for marketing purposes (GDPR, PIPEDA)

Withdrawal: Withdraw your consent at any time (GDPR, PIPEDA, Law 25)

Automated Decisions: Request information about and contest decisions made solely through automated processing (GDPR, Law 25)

De-identification: Request that your personal information be de-identified (Law 25)

To exercise these rights, contact us at: privacy@cefrhub.ai

7. Data Retention

We retain your data as long as your account is active.

After account deletion:

  • Personal data is deleted within 30 days
  • Anonymized analytics data may be retained for statistical purposes
  • Legal obligations may require retention of certain records

8. Cookies and Tracking

We use essential cookies for authentication and site functionality. Analytics cookies are optional and require your consent. You can manage your preferences through our cookie consent banner.

9. Protection of Minors

Our services are not intended for persons under 13 years of age. We do not knowingly collect personal data from children under 13. Under GDPR (Article 8), parental consent is required for users under 16 in the European Union. Under PIPEDA, children under 13 generally cannot provide meaningful consent. Under FERPA, when our services are used by educational institutions, parents retain rights over their child's educational records until the student reaches 18 years of age or attends a postsecondary institution. If you are a parent or guardian and believe your child has provided us with personal data, please contact us.

10. Changes to This Policy

We may update this privacy policy periodically. Material changes will be notified via email or platform notifications.

11. Contact Us

For any questions about privacy or data protection:

Data Protection Officer:dpo@cefrhub.ai