Privacy Policy
Last updated: February 17, 2026
1. Introduction
Hebbian ("we," "us," or "our") operates the hebbian.ch platform, an AI and STEM education service based in Zurich, Switzerland. This Privacy Policy explains how we collect, use, store, and protect your personal data when you use our website, learning management system, online courses, and related services (collectively, the "Platform").
We are committed to protecting your privacy in accordance with the Swiss Federal Act on Data Protection (FADP) and, where applicable, the European Union General Data Protection Regulation (GDPR).
2. Data Controller
The data controller responsible for your personal data is:
3. Data We Collect
3.1 Account Information
When you register for an account, we collect your full name, email address, and password. Your password is securely hashed using industry-standard encryption and is never stored in plain text.
3.2 Learning Data
As you use our courses and learning tools, we collect data related to your educational progress, including course and lesson completion status, video watch time, exercise submissions and scores, assignment responses and uploaded files, and classroom memberships.
3.3 File Uploads
You may upload files as part of exercises, assignments, or profile settings. These files are stored securely on our cloud infrastructure located in the European Union (Frankfurt, Germany).
3.4 Usage Data
We collect anonymized usage data through our analytics service, including pages visited and navigation patterns. This data is processed within the European Union and is used solely to improve the Platform experience.
3.5 Organization Data
If you are part of an educational institution or organization using our Platform, we may collect your organization affiliation and role within that organization.
4. How We Use Your Data
We use your personal data to:
- Create and manage your account
- Deliver courses, lessons, and educational content
- Track your learning progress and provide personalized feedback
- Enable teachers and mentors to review your submissions
- Send transactional emails (e.g., password resets)
- Analyze Platform usage to improve our services
- Provide AI-powered learning assistance
- Administer organizational accounts and classrooms
5. AI-Powered Features
Our Platform includes AI-powered learning tools that use third-party AI services (including OpenAI, Anthropic, and Google) to provide educational assistance. When you use these features, your prompts and queries are sent to these providers for processing. These providers process data according to their respective privacy policies and data processing agreements.
We do not use your personal learning data or submissions to train AI models. AI interactions are used solely to provide real-time educational assistance.
6. Third-Party Services
We use the following third-party services to operate the Platform:
Analytics (PostHog)
We use PostHog for product analytics, processed on EU servers. Only identified users are tracked, and data is used to improve the Platform experience.
Email (Resend)
We use Resend to send transactional emails such as password reset notifications. Your email address is shared with this service only for delivery purposes.
File Storage (DigitalOcean)
Uploaded files and media are stored on DigitalOcean Spaces servers located in Frankfurt, Germany (EU).
AI Providers (OpenAI, Anthropic, Google)
AI learning assistance features send your prompts to these providers for processing. No personal account data is included in these requests beyond the content you submit.
Video Embeds (YouTube)
Some pages embed YouTube videos using the privacy-enhanced mode (youtube-nocookie.com) to minimize third-party tracking.
7. Cookies & Session Data
We use the following cookies:
| Cookie | Purpose | Type |
|---|---|---|
| Session cookie | Keeps you logged in to your account | Essential |
| Analytics cookies | Helps us understand how the Platform is used | Analytics |
Essential cookies are required for the Platform to function. You can disable analytics cookies through your browser settings.
8. Data Storage & Security
Your data is stored on servers located within the European Union. We implement appropriate technical and organizational measures to protect your personal data, including:
- Passwords are hashed using bcrypt encryption
- Sessions are managed via signed JSON Web Tokens (JWT)
- File storage uses secure, access-controlled cloud infrastructure
- Database connections are encrypted and authenticated
- Password reset tokens expire after one hour
9. Data Retention
We retain your personal data for as long as your account is active or as needed to provide our services. If you request account deletion, we will remove your personal data within 30 days, except where we are required by law to retain it.
Learning progress data and submissions may be retained in anonymized form for educational research and Platform improvement purposes.
10. Children's Privacy
Our Platform serves learners of various ages, including adolescents. For users under 16, we require parental or guardian consent before account creation. Accounts for minors participating in school programs are typically created by their educational institution with appropriate authorization.
We do not knowingly collect personal data from children under 13 without verifiable parental consent. If you believe a child under 13 has provided personal data without consent, please contact us at [email protected] so we can take appropriate action.
11. Your Rights
Under the Swiss FADP and GDPR (where applicable), you have the right to:
- Access your personal data and receive a copy
- Rectify inaccurate or incomplete data
- Delete your personal data ("right to be forgotten")
- Restrict processing of your data
- Port your data to another service
- Object to processing of your data
- Withdraw consent at any time where processing is based on consent
To exercise any of these rights, please contact us at [email protected]. We will respond to your request within 30 days.
12. International Data Transfers
Your data is primarily stored and processed within the European Union and Switzerland. When data is processed by our AI providers (OpenAI, Anthropic, Google), it may be transferred to servers outside the EU/EEA. In such cases, we ensure appropriate safeguards are in place, including standard contractual clauses or equivalent protections as required by applicable law.
13. Changes to This Policy
We may update this Privacy Policy from time to time. We will notify you of significant changes by posting the updated policy on this page with a revised date. We encourage you to review this policy periodically.
14. Contact Us
If you have questions about this Privacy Policy or how we handle your data, please contact us: