Elenqa Privacy Policy

Effective Date: September 12, 2025

1) Who we are

Elenqa is an AI‑assisted oral assessment platform operated by Boundless Friends Corp. ("Boundless," "we"). This Privacy Policy explains what data we collect, how we use it, and the choices and rights available to users.

Contact: privacy@elenqa.com • support@elenqa.com

2) Data we collect

  • Account & identity: name, email, role (student/teacher/admin), Institution affiliation, invite and onboarding status.
  • Assignment & performance: prompts, settings, attempt counts, due dates, grades, rubrics, and teacher feedback.
  • Recordings & transcripts: audio captured during Attempts and the resulting transcripts. These are processed to enable review and grading.
  • Service telemetry: session timing, connection state, browser/device type, error logs (no keystroke logging), to troubleshoot and secure the Service.
  • Forms: information provided on waitlist, feedback, or support forms (e.g., contact info, institution name, message content).

We do not intentionally collect payment card data in the current release. When billing is enabled, a third‑party processor (Stripe) will handle payment details under its own terms; we will not store card numbers on Elenqa systems.

3) How we use data

  • Provide, operate, secure, and troubleshoot the Service.
  • Enable Assignments, Recordings, Transcripts, grading, and exports for Educators and Institutions.
  • Communicate about access, product updates, security, and support.
  • Improve reliability, safety, and user experience (using aggregated or de‑identified metrics when possible).

Unless an Institution explicitly opts in, we do not use Student Data to train generalized AI models. We do not sell personal information or use it for cross‑context behavioral advertising.

4) Legal bases (EEA/UK)

  • Contract: to provide the Service when you or your Institution signup and use Elenqa.
  • Legitimate interests: securing and improving the Service; preventing abuse.
  • Consent: where required for certain communications or optional features; you can withdraw at any time.
  • Legal obligation: to comply with law or valid legal requests.

5) Student Data and FERPA

When used by an Institution for students, Boundless acts as a "school official" with legitimate educational interest. The Institution controls Student Data and directs its processing. We use Student Data only to deliver the Service, support the Institution, and comply with law, not for targeted advertising. Parents or eligible students should make access, correction, or deletion requests through their Institution; we will support the Institution in fulfilling those requests.

We do not create or use "voiceprints" for identification. Recordings are processed to produce Transcripts and to support grading and review.

6) Sharing with service providers

We use vetted processors that act on our instructions, including providers such as Vercel (hosting), Railway (backend hosting), Supabase (database, auth, storage), and OpenAI (speech and language processing). If billing is enabled, Stripe will act as a payment processor. We require contractual safeguards and remain responsible for their performance as our sub‑processors.

7) Data retention

  • Recordings: retained for up to 180 days by default to support grading and review, subject to Institution policy. Institutions may request earlier deletion.
  • Transcripts, grades, and feedback: retained for the life of the account or as directed by the Institution to support academic records.
  • Telemetry and logs: retained up to 90 days for security and diagnostics.

We may retain limited information as required by law, to resolve disputes, or enforce agreements.

8) Security

We use industry‑standard safeguards such as encryption in transit, access controls, and least‑privilege practices. No system is perfectly secure; please use strong, unique passwords and keep devices updated. We will notify the Institution of any security incident as required by law and our agreements.

9) International transfers

We may process data in the United States and other countries where our providers operate. Where required, we rely on appropriate safeguards or the necessity of the transfer to provide the Service.

10) Cookies and tracking

We use only essential cookies necessary for authentication, security, and core functionality. If we add optional analytics or marketing cookies in the future, we will provide required notices and controls.

11) Your rights

  • EEA/UK: rights to access, rectify, erase, restrict, object, and data portability subject to legal limits.
  • U.S. state privacy laws: depending on your state, you may have rights to know, access, delete, correct, and opt out of certain processing. We do not "sell" personal information or engage in cross‑context behavioral advertising.

To exercise rights, contact privacy@elenqa.com. For Student Data, we will coordinate with your Institution to fulfill requests.

12) Children’s privacy

We do not knowingly collect personal information directly from children under 13 without appropriate consent. Institutions are responsible for obtaining required consents and providing required notices to parents/guardians.

13) Changes to this policy

We may update this policy to reflect changes to the Service or law. We will provide notice of material changes in advance where required. Continued use after the effective date means you accept the updated policy.

14) Contact

Boundless Friends Corp.

Contact us via the in‑app “Contact Support” or “Privacy Request”.