Privacy Policy
Last updated: 12 May 2026 · Early access — we will refine this page before general availability.
Who we are
Socratize (operating socratize.io) is the data controller for personal data processed through this website and the Socratize training product. For our contact address, see the Contact section at the end of this policy.
What we collect
- Account data: work email, optional name, password hash (bcrypt) or Google account identifier when you use Google sign-in.
- Workspace & training content: workspaces you belong to, custom training cases your admins create (titles, prompts, configuration you enter), assignments, and your progress (messages exchanged with the AI, scores, completion timestamps).
- Technical & security data: IP address and user agent on authentication events; audit log entries for security-relevant actions (member added, role changed, invite issued, etc.); optional AI usage metadata (model ID, token counts) for billing and abuse prevention.
What we do not do
- We do not sell your personal data.
- We do not run third-party advertising trackers on Socratize.
- We do not use your scenario text to train public foundation models; processing is for delivering the service you requested.
- We do not record voice or video.
Lawful bases (GDPR-style summary)
Where EU/UK GDPR applies, we rely on:
- Contract — processing necessary to provide the Socratize service (accounts, workspaces, role-play sessions, billing).
- Legitimate interests — securing the platform, fraud prevention, and limited internal diagnostics that do not override your rights.
- Consent — where we ask for it explicitly (for example, optional marketing or non-essential cookies, if offered).
Where data is stored & international transfers
Primary account and workspace data are stored in a managed PostgreSQL database hosted in the EU region (Railway). Some subprocessors process data in the United States or globally at the edge, including Anthropic (AI inference), Resend (transactional email), and Cloudflare (bot protection / CDN). Where required, we use appropriate safeguards such as the EU Standard Contractual Clauses and vendor data-processing agreements. A current subprocessor list is available on request.
Security (high level)
- Traffic between your browser and our servers uses TLS (HTTPS).
- Passwords are stored as bcrypt hashes; we do not store plaintext passwords.
- Access to customer data is role-based (learners see their assignments; org/workspace admins see their scope).
- Responsible disclosure: if you believe you have found a security issue, write to the address in the Contact section below.
Retention
Schedules may evolve; current intent:
- Account & workspace data — kept for the life of the account and a short wind-down after closure.
- Deleted accounts — personal data purged within 30 days of a confirmed deletion request, subject to legal holds.
- Audit / security logs — typically retained up to 12 months unless a longer period is required for dispute resolution or law enforcement.
- Backups — may retain encrypted snapshots for a bounded period beyond live deletion; we rotate and overwrite on schedule.
Your rights
Depending on your jurisdiction you may have rights to access, rectify, erase, restrict, or object to certain processing, and in some cases data portability. To exercise these rights, email the address in the Contact section below from your registered address (or prove account ownership). You may also lodge a complaint with your local supervisory authority.
Workspace admins can remove members from a workspace; organisation admins control membership within their organisation.
Cookies & similar technologies
We use an HttpOnly session cookie (auth_token) for authentication and a Cloudflare Turnstile clearance cookie for bot protection. We do not set advertising or third-party analytics cookies on this site today.
Children
Socratize is a B2B workplace training product; it is not directed at children.
Changes
We will post updates on this page and revise the “Last updated” date. Material changes may also be announced by email to organisation admins where appropriate.
Contact
Privacy questions or requests: [email protected].