Privacy and Data Protection Policy

1. Data Roles: Controller and Processor

In standard usage, ShrinkAI acts as the Data Controller. However, when providing services to educational institutions, ShrinkAI acts as the Data Processor under Art. 28 of the GDPR. The School or Institution remains the Data Controller for student-related information.

2. Special Category Data (Mental Health)

Conversations may involve sensitive health-related data. Under GDPR Art. 9.2(g), processing is lawful based on substantial public interest in the field of mental health and social well-being. We ensure technical anonymity through session-based volatile memory and end-to-end encryption protocols.

3. Data Architecture for School Plans

ShrinkAI implements Privacy by Design principles:

4. Technical Security and Transfers

All data is processed through the encrypted infrastructure provided by Puter.js. No international data transfers outside the EEA occur without appropriate safeguards. We maintain rigorous technical and organizational measures to prevent unauthorized access or data breaches.

5. Consent Management

Through our Cookie Script integration, users maintain full control over non-essential cookies. In educational settings, the responsibility for managing student consent lies with the institution, in accordance with their child protection policies.

6. Rights of the Data Subject

Users retain their rights to Access, Rectification, Erasure, Restriction, Portability, and Objection. Given our session-based architecture, the "Right to Erasure" is executed automatically upon closing the browser session.

7. Compliance and Jurisdiction

This policy is subject to updates based on legislative changes. Any disputes shall be governed by the laws of Spain and the European Union.
