Borui Academy

Privacy Policy

Last updated: June 9, 2026

Borui Academy (“we”) is operated by Borui (sole proprietor) in British Columbia, Canada. We comply with Canada's PIPEDA (Personal Information Protection and Electronic Documents Act) and BC's PIPA. For users in the EU/UK, we honour GDPR principles where applicable.

1. What we collect

1.1 Account data (you give us)

  • Email address (required for login + reminders)
  • Name (display only)
  • School (optional)
  • Phone (optional, for notifications you opt into)
  • Password (stored only as a bcrypt hash — we cannot read it)

1.2 Learning data (we generate as you use the platform)

  • Which courses you enrolled in
  • Diagnostic and quiz responses
  • Memory-curve card state (next-review dates, easiness factor, repetition count)
  • Mock-exam attempts and scores
  • Time spent on lessons, last-active timestamps
  • Flags/feedback you submit on questions

1.3 Technical data (collected automatically)

  • IP address (for rate-limiting + abuse prevention)
  • Browser type / OS (for compatibility)
  • Pages visited within the app (to debug issues; not sold to third parties)
  • Cookies for session authentication (JWT in localStorage; no third-party tracking cookies)

1.4 Payment data

Payments are processed by Stripe. We never see or store your full card number. We retain only the last 4 digits, card brand, billing email, and Stripe customer ID for receipts and subscription management.

2. Why we collect it (lawful basis)

Purpose | Data used | Basis
Run your account & deliver lessons | account + learning data | contract
Compute spaced-review schedule & send reminder emails | learning data + email | contract
Process payments + send receipts | payment + email | contract
Detect abuse / debug bugs | technical data | legitimate interest
Improve the platform (aggregate analytics) | anonymized learning data | legitimate interest

We do not sell, rent, or share your personal data with advertisers or data brokers. Ever.

3. Who has access

  • You — anytime, via your account dashboard.
  • Borui (the operator) — when responding to support, debugging issues, or running aggregate analytics.
  • Sub-processors (only the data they need to do their job):
    • Stripe (payments) — Stripe's privacy policy applies.
    • Resend (email delivery) — sees your email address + the message body.
    • Cloudflare (CDN / tunnel) — sees IP + URLs as part of routing.
    • YouTube (embedded videos) — receives your IP and standard web logs when you play a video on a chapter page. We do not pass any of your account data to YouTube.

4. Where data is stored

The database lives on a server that we operate and that is physically located in Canada. Daily encrypted backups are kept for 7 days. Stripe and Resend store some data in their own (mostly US) infrastructure under their respective policies.

5. How long we keep it

  • Account & learning data: while your account is active, plus 90 days after deletion (in case you change your mind).
  • Payment records: 7 years (Canadian tax-record requirement).
  • Server logs: 30 days, then deleted.
  • Backups: rolling 7 days.

6. Your rights (PIPEDA + GDPR)

You can, at any time:

  • Access all data we hold on you — email us, we'll export it.
  • Correct any inaccurate data — most fields are editable in Settings.
  • Delete your account and personal data — “Delete account” in Settings, or email us.
  • Withdraw consent for reminder emails — toggle off in Settings or click Unsubscribe in any email.
  • Object or restrict processing — email us with the specific request.
  • Lodge a complaint with the Office of the Privacy Commissioner of Canada if you think we're mishandling your data.

7. Children

Our courses include content suitable for students Grade 5 and up. Students under the age of majority must have parental consent. We do not knowingly collect more data than necessary from minors. Parents may email us to request access, correction, or deletion of a minor's data.

8. Cookies

We use only essential cookies (session JWT, theme preference, sidebar collapse state). No third-party advertising cookies. No cross-site tracking. We don't need a cookie banner because we don't use non-essential cookies.

9. Security

  • HTTPS only (Cloudflare-managed TLS).
  • Passwords hashed with bcrypt (cost factor 12).
  • JWT tokens expire after 7 days.
  • Encrypted at-rest backups.
  • Rate-limited login + password-reset endpoints.

10. Changes

We may update this policy. Material changes are announced by email and on the site at least 14 days before they take effect.

11. Contact

Privacy questions or requests: [email protected]. We respond within 30 days (PIPEDA-mandated).