Privacy Policy

Effective date: April 22, 2026

This Privacy Policy explains how LIRA Study LLC, an Arizona limited liability company doing business as "LIRA" ("LIRA," "we," "us," or "our"), collects, uses, shares, and protects personal information when you use our web application, backend API, and related services (the "Service"). It applies to visitors of our website and to registered users. By using the Service, you agree to the practices described below.

1. Summary — the TL;DR

  • We collect only what we need to run the Service for you.
  • We do not sell your personal information.
  • We do not share your personal information for cross-context behavioral advertising.
  • We do not use your content to train our own AI models, and our AI vendor (Anthropic) does not train on our API traffic either.
  • You can export or delete everything from Settings.

2. Information we collect

2a. Information you provide

  • Account information — email address, password (stored as a salted hash by our auth provider, Supabase), display name, and any profile details you add (exam date, target score, weekly study hours, section goals, user type, prior attempt context for retakers).
  • Study content you create — logged questions and your answers, error tags, confidence ratings, notes, flashcards, study-session records, full-length scores, images you upload for the question scanner.
  • Messages to LIRA — the content of your chats with the AI coach, prompts to the explainer, and prompts to the flashcard/quiz generators.
  • Support communications — emails you send us.
  • Waitlist submissions — the email you submit to be notified about future products (e.g., LIRA NCLEX).

2b. Information collected automatically

  • Usage and request logs — HTTP method, request path, response status, latency, IP address, user agent, and timestamp. Used for debugging, abuse prevention, and service security. IP addresses are retained in logs for up to 30 days.
  • Cookies and similar technologies — we use strictly necessary cookies for authentication (session tokens issued by Supabase Auth) and a small number of first-party local-storage entries to remember UI preferences (theme, last tab). We do not use third-party advertising cookies or cross-site tracking.

2c. Information from third parties

  • Stripe — if you subscribe to a paid plan, Stripe processes your payment. We receive only the minimum necessary: your Stripe customer ID, plan, subscription status, and billing events. We do not store your card number, CVV, or full bank details.
  • Anki / AnkiConnect — if you connect AnkiConnect (optional), deck names and card counts are transmitted from your local Anki to the Service during sync. The sync is initiated by you and only while your local Anki is running.

3. How we use the information

  • To provide and operate the Service — classify questions, compute analytics, generate coach responses, quizzes, explanations, flashcards, and the daily focus tip.
  • To run the business — accept payments through Stripe, send receipts, respond to support requests, send essential service emails (e.g., billing receipts, security alerts).
  • To secure and improve the Service — detect fraud and abuse, rate-limit, diagnose bugs, run aggregated, de-identified analysis of feature usage.
  • To comply with law, enforce our Terms, and protect our rights and users' safety.

We do not use your personal information for advertising, profiling for targeted advertising, or cross-context behavioral advertising. We do not sell your personal information.

4. How AI vendors handle your content

When you use an AI feature (chat, explainer, quiz generator, flashcard generator, auto-classifier, image analyzer), the relevant portion of your input is sent to Anthropic, PBC via the Claude API to generate the response. We send only what is technically required for that specific request.

Under our commercial agreement with Anthropic:

  • Inputs and outputs to the Claude API are not used to train Anthropic's models.
  • Anthropic retains API logs for up to 7 days for operational and abuse-prevention purposes, then deletes them automatically. Retention may be extended only where required by law or to investigate misuse.
  • Anthropic does not sell your data and applies industry-standard security controls.

We do not use your personal information to train our own machine-learning models. If that ever changes, we will notify you in advance and obtain any consent required by law before doing so.

5. Who we share information with

We share personal information only with the service providers we need to run the Service, and only for the purposes described below:

  • Supabase, Inc. — database hosting and authentication.
  • Anthropic, PBC — AI inference for coach, explainer, flashcards, quiz generation, classification, image analysis. (See Section 4 for handling details.)
  • Stripe, Inc. — subscription billing and payment processing.
  • Email delivery providers — for transactional emails (receipts, confirmations, support replies, waitlist notifications).
  • Legal disclosures — where required by valid legal process (subpoena, court order), or where we believe in good faith that disclosure is necessary to protect rights, safety, or the integrity of the Service.
  • Business transfers — if we are involved in a merger, acquisition, financing, or sale of assets, your information may be transferred as part of that transaction. We will notify users before their information becomes subject to a different privacy policy.

Each provider above is bound by written data-processing terms that limit their use of your personal information to performing the services for us.

6. Data retention

  • Account and study data — retained while your account is active. Deleted from production within 30 days of account deletion; purged from encrypted backups within a further 90 days.
  • Chat / AI prompt history — retained while your account is active; you can delete individual conversations at any time.
  • Request logs / IP addresses — up to 30 days.
  • Billing records — retained for at least 7 years for tax and accounting compliance, even after account deletion.
  • AI-vendor logs (Anthropic) — up to 7 days at the vendor, controlled by Anthropic's retention policy.
  • Waitlist emails — until you unsubscribe or the product launches.

7. Your privacy rights

Regardless of where you live, every LIRA user can access, correct, export, or delete their data from Settings. The sections below describe additional rights under specific laws.

7a. California (CCPA/CPRA)

If you are a California resident, you have the right to:

  • Know what personal information we have collected, the categories and specific pieces, the sources, and the purposes for which we use it.
  • Delete personal information we hold about you.
  • Correct inaccurate personal information.
  • Opt out of the sale or "sharing" (for cross-context behavioral advertising) of your personal information. We do not sell or share your personal information, so there is nothing to opt out of — but you may confirm this in writing by emailing us.
  • Limit use of sensitive personal information. We only process sensitive personal information (e.g., account credentials) for purposes permitted under Cal. Civ. Code §1798.121(a) and do not use it for inferring characteristics about you.
  • Non-discrimination for exercising any of these rights.
  • Appeal any denial of a rights request.

Categories of personal information collected in the last 12 months (Cal. Civ. Code §1798.140): identifiers (email, IP); customer-record information (name); commercial information (subscription status); internet/network activity (usage logs); inferences (analytics derived from your study history). We do not collect biometric information, geolocation beyond city-level IP, or characteristics of protected classifications.

To exercise a California right, email privacy@lirastudy.com. We will verify your identity by confirming ownership of the account email. We respond within 45 days (extendable by 45 days where permitted). Authorized agents must provide written permission.

7b. Other U.S. states

Residents of Colorado, Connecticut, Delaware, Indiana, Iowa, Kentucky, Maryland, Minnesota, Montana, Nebraska, New Hampshire, New Jersey, Oregon, Rhode Island, Tennessee, Texas, Utah, and Virginia have broadly similar rights (access, delete, correct, portability, opt-out of sale / targeted advertising / certain profiling). Email privacy@lirastudy.com and cite the statute; we will respond within the timeframe required by your state's law.

7c. European Economic Area / United Kingdom (GDPR / UK GDPR)

If you are in the EEA, UK, or Switzerland, you have the rights of access, rectification, erasure, restriction, portability, objection, and the right to lodge a complaint with your supervisory authority. The legal bases we rely on are: performance of a contract (to provide the Service you signed up for), legitimate interests (security, fraud prevention, service improvement), consent (for optional features like the NCLEX waitlist), and legal obligation (tax, compliance). International transfers out of the EEA rely on Standard Contractual Clauses or equivalent safeguards.

8. Children

The Service is not directed at children under 13. We do not knowingly collect personal information from children under 13. If you believe a child under 13 has provided us with personal information, contact privacy@lirastudy.com and we will delete it promptly. If you are between 13 and 18 and a resident of a state with additional minor-privacy protections (including California under CPRA §1798.99.28 and similar), you may exercise those rights by contacting the same address.

9. Security

We apply administrative, technical, and physical safeguards designed to protect your information against unauthorized access, loss, or alteration. This includes encryption in transit (TLS 1.2+), encryption at rest on our database provider, row-level security and per-user access controls, scoped API tokens, rate limiting, anomaly monitoring, and restricted employee access on a need-to-know basis. No system is perfectly secure; we cannot guarantee absolute security.

If we become aware of a personal-data breach affecting you, we will notify you and the relevant authorities in accordance with applicable law.

10. International transfers

LIRA is operated from the United States. If you access the Service from outside the U.S., your information will be processed in the U.S. by us and by the service providers listed in Section 5. For transfers from the EEA, UK, or Switzerland, we rely on Standard Contractual Clauses or equivalent lawful-transfer mechanisms.

11. Changes to this Policy

We may update this Privacy Policy. If changes are material, we will notify you by email or in-app at least 30 days before they take effect, except where a shorter notice period is required by law. We do not retroactively apply materially weaker privacy practices to information collected under a prior policy without your affirmative consent.

12. Contact

For privacy questions or to exercise any right described above, email privacy@lirastudy.com. For general support, use support@lirastudy.com. For legal notices, legal@lirastudy.com.

See also: Terms of Service · Disclaimer · Accessibility