Privacy Policy
Last updated: 18 April 2026
Who we are
LearnAI (“the site”, “we”) is an educational site operated by Simon Elliston Ball. You can reach the operator at simon@simonellistonball.com. We are the data controller for the purposes of the UK GDPR and EU GDPR.
What this policy covers
This policy covers everything processed when you visit LearnAI, including the tutor chat, canvas builders, scenarios, and playgrounds. It does not cover any third-party site you reach by following a link out.
What data we process
1. Data you type into the site
Prompts, canvas contents, scenario responses, and tutor chat messages. These are sent to the large language model provider (Anthropic, via the Vercel AI Gateway, or a local Ollama instance in development) so the model can respond. The full prompt and response are also sent to Langfuse (langfuse.com), our LLM observability provider, so we can debug failures and improve the course. Do not paste secrets, personal data about third parties, or confidential information into the tutor or canvases.
2. Product analytics — only with your consent
If you accept the cookie banner, we load PostHog (posthog.com, EU region) which records: pages visited, buttons and features you click, scroll depth, browser and device type, a randomly-generated anonymous ID stored in your browser, and occasional session replays with form inputs masked. We use this to understand which lessons and tools people actually use. If you decline, PostHog is not loaded and none of this is collected.
3. Server logs
Our host (Vercel) records standard access logs including IP address and user-agent, retained for up to 30 days for security and debugging. We do not use these logs for analytics.
4. Local browser storage
Your tutor conversations, canvases, system prompts, and UI preferences are stored in your browser's localStorage. If you are not signed in, this content never leaves your device except when you submit it to the tutor or another AI feature. Clearing your browser storage deletes this content permanently — we cannot recover it.
5. Optional account sign-in
You can optionally sign in with Google, LinkedIn, or GitHub. When you do, we receive the name, email address, and profile picture those providers choose to share with us, plus a stable provider account ID. We use this only to identify your account and to display your name in the app. We never post on your behalf or read anything beyond your public profile.
6. Server-side storage (signed-in users only)
When you are signed in, we store your artefacts on our server so they sync between devices: Agent Canvases, REMIT Worksheets, System Prompts, scenario progress, quiz answers, and tutor conversations. Each record is private to your account. You can delete individual records from the app; to delete your entire account and all server-side data, email the address below and we will erase within 30 days. Deleted records are held as tombstones for up to 30 days so other devices you are signed in on can propagate the delete, then purged.
Legal basis (UK/EU GDPR)
- LLM prompts and Langfuse tracing— legitimate interest (operating and improving a functional AI tutor) and performance of the requested service.
- PostHog analytics and session replay— your explicit consent via the cookie banner. You can withdraw at any time by clicking “Reset analytics choice” in the footer.
- Account sign-in and server-side artefact storage — performance of the requested service (syncing your work across devices) and your request when you chose to sign in.
- Server logs— legitimate interest in operating a secure service.
Where data is stored
- Vercel(United States / EU regions) — hosting and server logs.
- Vercel AI Gateway— routes prompts to the LLM provider. Zero data retention is enabled where supported by the provider.
- Anthropic(United States) — processes prompts to generate responses.
- Langfuse(EU region) — stores LLM traces including prompts and responses, retained for up to 90 days.
- PostHog(EU region, eu.i.posthog.com) — stores analytics events and session replays, retained per PostHog's defaults (currently 7 years for events, 30 days for replays) but we reserve the right to shorten this.
- Your browser— tutor chats, canvases, preferences, consent choice.
- Neon(EU region, via Vercel Marketplace) — Postgres database that stores your account and, if you are signed in, your synced artefacts. Retained until you delete the record or your account.
- OAuth providers(Google, LinkedIn, GitHub) — only if you choose to sign in with them. They receive the fact that you are authenticating for LearnAI.
Where data leaves the UK/EEA it is transferred under Standard Contractual Clauses or equivalent safeguards provided by the processor.
Cookies and similar storage
LearnAI does not set marketing or advertising cookies. We use:
- Strictly necessary —
localStoragekeys for your consent choice, anonymous ID, tutor conversations, canvases, and theme. No banner required under PECR / the ePrivacy Directive. - Analytics— PostHog cookies and local storage, only set if you accept the banner.
Your rights
Under UK and EU GDPR you have the right to access, correct, delete, restrict, or port any personal data we hold, and to object to processing based on legitimate interest. Because we identify you only by a random ID generated in your browser, the fastest way to exercise these rights is:
- Clear your browser's site data for this domain — this removes your anonymous ID and all locally stored content.
- Email simon@simonellistonball.com with the anonymous ID (visible in your browser's
localStorageunderlearnai.anonId) and, if you have an account, the email address you signed in with. We will delete the associated PostHog, Langfuse, and account records within 30 days.
You also have the right to complain to a supervisory authority — in the UK, the Information Commissioner's Office.
AI-specific notes
The tutor and other AI features use third-party language models. Responses may be inaccurate, out of date, or reflect biases in the training data. Do not rely on them for legal, medical, financial, or safety-critical decisions. We do not use your prompts to train any model; however, the LLM provider's own terms apply to their handling of data in transit.
Children
LearnAI is aimed at adult learners in a professional context and is not directed at children under 13. We do not knowingly collect data from children.
Changes to this policy
We may update this policy as the site evolves. Material changes will be announced in the footer for at least 30 days.
See also: Terms and Conditions.