← Back to Serona

Privacy Policy

Effective Date: May 18, 2026

Last Updated: May 18, 2026

This Privacy Policy describes how Serona ("we," "us," or "our") collects, uses, shares, and protects information when you use our web application and related services (collectively, the "Service"). Serona is a study tool that helps students transcribe lectures, generate notes, flashcards, quizzes, and study guides using artificial intelligence.

We wrote this policy in plain language so it is accessible to our users, many of whom are high school students. If you have questions about anything here, please reach out to us at the contact information in Section 22.



1. Who We Are

Serona is a web-based study application designed to help students learn more effectively. We provide tools for transcribing lectures and using AI to generate personalized study materials including notes, flashcards, quizzes, and study guides.

If you have any questions or concerns about this Privacy Policy or our data practices, you can contact us at:

2. Information We Collect

We collect several categories of information to provide and improve the Service. Below is a summary of what we collect, organized by category. For California residents, we have included the corresponding CCPA/CPRA category for each type of information.

CategoryWhat We CollectCCPA Category
Account InformationEmail address, name, password (hashed)Identifiers (Cal. Civ. Code 1798.80(e))
Education InformationSchool name, grade level (9th-12th), study style preferencesEducation information
Profile PreferencesTimezone, avatar color, theme preferenceIdentifiers; Internet or other electronic network activity
Audio TranscriptionsLecture transcriptions (WebM format, up to 25 MB per transcription)Audio, electronic, visual, or similar information
Uploaded DocumentsPDFs, images, text documents uploaded for study material generationAudio, electronic, visual, or similar information
Generated ContentNotes, flashcards, quizzes, study guides, transcripts, handwritten note entriesInferences drawn from personal information
Class InformationClass names, class colors, deadlines, associated resourcesEducation information
Commercial InformationSubscription status, plan type. Payment card details are handled entirely by Stripe and are never stored on our servers.Commercial information
Device InformationBrowser type, authentication session dataInternet or other electronic network activity

3. How We Collect Information

We collect information through the following methods:

Directly from You

When you create an account, you provide your name, email, school, grade level, and study style preferences. When you use the Service, you actively upload documents, create class entries, set deadlines, and write notes.

From Your Device

When you transcribe a lecture, your device's microphone captures audio that is sent to our servers for transcription. We also use browser local storage for your theme preference and authentication session cookies.

From Third-Party Sources

When you provide a YouTube video URL, we fetch the transcript from YouTube's servers to generate study materials. We do not access your YouTube account or any YouTube data beyond the specific video transcript you request.

From Your Transcriptions

Important: Audio transcriptions of lectures may inadvertently capture voices, names, or other personal information of third parties present during the transcription, such as teachers, professors, or fellow students. You are responsible for ensuring that all individuals whose voices may be captured are aware of and consent to the transcription. Please see Section 6 for more details on your transcription responsibilities.

4. How We Use Your Information

We use the information we collect for the following purposes:

  1. Providing the Service: Creating and managing your account, storing your classes and study materials, and delivering the core functionality of Serona.
  2. AI-Powered Content Generation: Sending your transcriptions to Groq (primary) or OpenAI (fallback) for transcription, and sending transcripts and uploaded documents to Anthropic for generating notes, flashcards, quizzes, and study guides.
  3. Payment Processing: Facilitating subscription payments through Stripe, including managing your subscription status and billing cycle.
  4. Communications: Sending transactional emails related to your account, such as trial expiration notices. We do not send marketing emails.
  5. Service Improvement: Understanding how the Service is used so we can improve functionality, fix issues, and develop new features.
  6. Security and Compliance: Protecting against unauthorized access, maintaining data integrity, and complying with legal obligations.

5. AI and Automated Processing

Serona uses artificial intelligence to power its core features. We believe transparency about how your data flows through AI systems is important, so here is a detailed breakdown.

Groq — Primary Audio Transcription

When you transcribe a lecture, the audio file (in WebM format, up to 25 MB) is sent to Groq's transcription APIas the primary transcription provider. Groq converts your audio into text and returns the transcript to us. The audio file itself is transmitted to Groq's servers for processing.

  • What Groq receives: Your audio transcription.
  • What Groq returns: A text transcript of the transcription.
  • Data retention by Groq: As of the effective date of this policy, Groq does not use data submitted through its API to train its models.
  • Groq's Privacy Policy: https://groq.com/privacy-policy/

OpenAI — Fallback Audio Transcription

If the primary transcription provider (Groq) is unavailable or times out, the audio file is sent to OpenAI's Whisper API as a fallback. In timeout scenarios, audio may be sent to both Groq and OpenAI. OpenAI converts your audio into text and returns the transcript to us.

  • What OpenAI receives: Your audio transcription.
  • What OpenAI returns: A text transcript of the transcription.
  • Data retention by OpenAI: As of the effective date of this policy, OpenAI retains API inputs and outputs for up to 30 days for abuse and misuse monitoring, after which they are deleted. OpenAI does not use data submitted through its API to train its models.
  • OpenAI's Privacy Policy: https://openai.com/policies/privacy-policy

Anthropic — Content Generation

When you generate notes, flashcards, quizzes, or study guides, the relevant transcript text and/or uploaded document content (up to approximately 90 KB per request) is sent to Anthropic's Claude API (specifically the claude-haiku-4-5-20251001 model). Claude processes this text and returns structured study materials.

  • What Anthropic receives: Transcript text, extracted document text, and instructions for generating the requested study material type.
  • What Anthropic returns: Structured notes, flashcard sets, quiz questions, or study guide content.
  • Data retention by Anthropic: As of the effective date of this policy, Anthropic retains API inputs and outputs for up to 30 days for safety and abuse monitoring, after which they are deleted. Anthropic does not use data submitted through its API to train its models.
  • Anthropic's Privacy Policy: https://www.anthropic.com/privacy

No Automated Decision-Making

Serona does not use AI or automated processing to make decisions that produce legal effects or similarly significant effects on you. All AI-generated content is provided as study assistance and is not used to evaluate, grade, or make decisions about you.

6. Audio Transcription Responsibilities

You are solely responsible for ensuring that you have the legal right and all necessary consents to transcribe any lecture, conversation, or other audio you capture through Serona.

Transcription laws vary by jurisdiction. In the United States:

  • Two-party / all-party consent states (including California, Connecticut, Florida, Illinois, Maryland, Massachusetts, Michigan, Montana, New Hampshire, Oregon, Pennsylvania, and Washington) require the consent of all parties to a conversation before transcription.
  • One-party consent states require only one party (which can be you, the person doing the transcription) to consent.
  • School and institutional policies may impose additional restrictions on transcribing lectures, even in one-party consent states. Many schools require instructor permission before transcribing.

Transcriptions may capture the voices, names, or other personal information of instructors, classmates, or other individuals present. You must inform these individuals that a transcription is being made and obtain their consent where required by law.

Serona is not responsible for any transcriptions made in violation of applicable law or institutional policy. If we receive a valid complaint that a transcription was made without proper consent, we may remove the transcription and associated materials from the Service.

7. Third-Party Service Providers

We use the following third-party services to operate Serona. Each service receives only the data necessary for its specific function.

ServicePurposeData Shared
SupabaseDatabase hosting, authentication, file storageAll account data, study materials, uploaded files, transcripts, and authentication credentials
GroqAudio transcription (primary)Audio transcription files
OpenAIAudio transcription (fallback; Whisper API)Audio transcription files
AnthropicAI content generation (Claude API)Transcript text, extracted document text
StripePayment processingEmail address (for customer creation). All payment card details are handled directly by Stripe and never touch our servers.
ResendTransactional email deliveryEmail address, email content (e.g., trial expiration notices)
YouTube APIVideo transcript retrievalYouTube video URLs provided by you

We do not use any analytics or tracking services. We do not embed third-party advertising or social media tracking pixels.

8. Data Sharing

We want to be clear about what we do not do with your data:

  • We do not sell your personal information. We have not sold personal information in the preceding 12 months and have no plans to do so.
  • We do not share your personal information for cross-context behavioral advertising.
  • We do not share your data with data brokers.
  • We do not use your data for targeted advertising of any kind.

We may disclose your information only in the following circumstances:

  • Service Providers: To the third-party providers listed in Section 7, solely for the purposes described.
  • Legal Requirements: If required by law, regulation, legal process, or governmental request.
  • Safety: To protect the rights, property, or safety of Serona, our users, or the public.
  • Business Transfers: In connection with a merger, acquisition, or sale of assets, in which case your data would remain subject to the protections described in this policy.

9. Children's Privacy

Serona is designed for students aged 13 and older. We do not knowingly collect personal information from children under the age of 13. If we learn that we have collected personal information from a child under 13 without verifiable parental consent, we will delete that information as quickly as possible.

If you are a parent or guardian and believe that your child under 13 has provided us with personal information, please contact us at privacy@serona.io so we can take appropriate action.

COPPA Compliance

We comply with the Children's Online Privacy Protection Act (COPPA). We do not knowingly collect, use, or disclose personal information from children under 13. Our Service is not directed at children under 13.

California Minors (CPRA)

For users under 16 years of age who are California residents, we do not sell or share their personal information without affirmative opt-in consent. Users between 13 and 16 may provide their own opt-in consent. We do not have a "sale" or "sharing" of personal information that would require such opt-in, as we do not sell or share personal information for advertising purposes.

10. Student Data Protections

Because many of our users are students, we take additional care with student data:

  • No advertising use: We do not use student data to advertise or market to students. We do not display ads in the Service.
  • No sale of student information: We do not sell student personal information to any third party for any purpose.
  • No profiling for non-educational purposes: We do not create behavioral profiles of students for purposes unrelated to the educational services we provide.

SOPIPA Compliance

We are committed to the principles of the Student Online Personal Information Protection Act (SOPIPA). Specifically, we do not: (a) use student data for targeted advertising; (b) sell student information; (c) use collected information to create a profile of a student for non-educational commercial purposes; or (d) disclose student information except as described in this policy.

FERPA

Serona is a consumer application used directly by students. We are not a "school official" or contractor acting on behalf of a school under the Family Educational Rights and Privacy Act (FERPA). We do not receive education records from schools. The data students choose to input into Serona is provided directly by the student, not by their educational institution. If a school wishes to use Serona in an institutional capacity, a separate data processing agreement would be required.

11. Content Ownership

Your Inputs

You retain ownership of all content you provide to the Service, including your transcriptions, uploaded documents, notes you write, and any other materials you create or upload. We do not claim ownership of your inputs.

AI-Generated Content

The notes, flashcards, quizzes, study guides, and other materials generated by our AI features are provided to you for your personal educational use. Serona does not claim ownership of AI-generated outputs created from your inputs.

Important notice: The legal status of copyright in AI-generated content is evolving and may vary by jurisdiction. While we provide AI-generated materials for your use, we cannot guarantee that such content will be considered copyrightable, and we make no representations about your ability to claim exclusive intellectual property rights in AI-generated outputs. We encourage you to consult legal counsel if you have specific questions about intellectual property rights in AI-generated materials.

12. Data Retention

Active Accounts

We retain your data for as long as your account is active and you maintain a valid subscription. Your transcriptions, transcripts, notes, flashcards, quizzes, study guides, and other study materials remain accessible throughout your active subscription period.

After Trial Expiration

If your free trial expires and you do not subscribe, your data is retained for a 30-day grace period. During this window, you can reactivate your account by subscribing and regain access to all your materials. After the 30-day grace period, your data is automatically and permanently deleted (purged).

Account Deletion

When you delete your account, all associated data is permanently deleted through cascading deletion. This includes your profile, classes, transcriptions, transcripts, notes, flashcards, quizzes, study guides, deadlines, and all other data associated with your account.

Audio Transcriptions

Audio transcriptions are retained after transcription and stored alongside the resulting transcript. Both the audio file and transcript remain available in your account as long as it is active.

Third-Party Data Retention

As noted in Section 5, Groq, OpenAI, and Anthropic may each retain copies of data sent through their APIs for up to 30 days for abuse monitoring and safety purposes, after which the data is deleted. None of these companies use API data to train their models.

13. Data Security

We implement reasonable technical and organizational measures to protect your personal information:

  • Encryption in transit: All data transmitted between your browser and our servers is encrypted using TLS (Transport Layer Security).
  • Row-Level Security (RLS):Our database uses Supabase's Row-Level Security policies to ensure that each user can only access their own data. This is enforced at the database level, meaning even if there were a bug in our application code, the database itself would prevent unauthorized access.
  • Access controls: We limit access to personal information to those who need it to operate, develop, or improve the Service.
  • Payment security: All payment card information is handled by Stripe, which is PCI DSS Level 1 certified — the highest level of certification in the payment card industry. We never see, store, or process your card number.
  • Authentication: User authentication is managed by Supabase Auth with secure, hashed password storage.

While we take reasonable precautions, no method of electronic storage or transmission is 100% secure. We cannot guarantee absolute security but are committed to promptly addressing any security incidents.

14. Your Privacy Rights

Depending on where you live, you may have specific rights regarding your personal information. This section covers rights under the California Consumer Privacy Act as amended by the California Privacy Rights Act (CCPA/CPRA).

CCPA/CPRA Rights (California Residents)

If you are a California resident, you have the following rights:

  • Right to Know: You can request that we disclose the categories and specific pieces of personal information we have collected about you, the categories of sources, the business purposes for collection, and the categories of third parties with whom we share your information.
  • Right to Delete: You can request that we delete personal information we have collected from you, subject to certain exceptions (such as legal compliance or completing a transaction).
  • Right to Correct: You can request that we correct inaccurate personal information we maintain about you.
  • Right to Opt-Out of Sale/Sharing: You have the right to opt out of the sale of your personal information and the sharing of your personal information for cross-context behavioral advertising. As stated in Section 8, we do not sell or share your personal information for these purposes, so there is no sale or sharing from which to opt out.
  • Right to Limit Use of Sensitive Personal Information: You may request that we limit the use and disclosure of your sensitive personal information. We only use sensitive personal information (such as account credentials) as necessary to provide the Service.
  • Right to Non-Discrimination: We will not discriminate against you for exercising any of your privacy rights.
  • Right to Data Portability: When you exercise your right to know, you can request that we provide your information in a portable, readily usable format.

How to Exercise Your Rights

To exercise any of the rights described above, please contact us at privacy@serona.io. We will respond to verifiable consumer requests within 45 days of receipt. If we need more time (up to an additional 45 days), we will notify you of the reason and extension period.

To verify your identity, we may ask you to confirm information associated with your account, such as your email address. If you use an authorized agent to submit a request on your behalf, we may require the agent to provide proof of your written authorization and may still verify your identity directly.

Data Export Tool

Serona provides a self-service Download My Data feature that allows you to export a copy of your account data at any time. The export includes your profile information, preferences, class information, notes, flashcards, quizzes, study guides, transcripts, uploaded document metadata, and deadlines. The export is provided as a downloadable JSON file.

Audio transcriptions are not included in the self-service export due to file size. To request a copy of your audio transcriptions or to exercise your full data portability rights, contact us at privacy@serona.io. Payment information is managed by Stripe and is not included in the export.

15. State-Specific Rights

In addition to California, several other states have enacted comprehensive privacy laws. If you are a resident of one of these states, you may have the following rights:

Virginia (VCDPA)

Virginia residents have the right to:

  • Confirm whether we are processing your personal data and access that data.
  • Correct inaccuracies in your personal data.
  • Delete personal data you have provided or that we have obtained about you.
  • Obtain a copy of your personal data in a portable format.
  • Opt out of the processing of your personal data for targeted advertising, sale of personal data, or profiling in furtherance of decisions that produce legal or similarly significant effects. As noted, we do not engage in any of these activities.

Colorado (CPA)

Colorado residents have substantially similar rights to those listed for Virginia above, including the rights to access, correct, delete, obtain a portable copy, and opt out of targeted advertising, sale, or certain profiling.

Connecticut (CTDPA)

Connecticut residents have substantially similar rights to those listed for Virginia above, including the rights to access, correct, delete, obtain a portable copy, and opt out of targeted advertising, sale, or certain profiling.

Appeal Process

If we decline to take action on your request under any of these state laws, you may appeal our decision by contacting us at privacy@serona.io with the subject line "Privacy Rights Appeal." We will respond to your appeal within the timeframe required by applicable law (typically 45-60 days). If you are not satisfied with our response to your appeal, you may contact your state's attorney general.

16. International Users

Serona is operated from the United States. If you are accessing the Service from outside the United States, please be aware that your data will be transferred to, stored in, and processed in the United States, where data protection laws may differ from those in your country.

GDPR Rights (European Economic Area, UK, and Switzerland)

If you are located in the European Economic Area (EEA), the United Kingdom, or Switzerland, you have the following rights under the General Data Protection Regulation (GDPR) or equivalent legislation:

  • Right of Access: You can request a copy of the personal data we hold about you.
  • Right to Rectification: You can ask us to correct inaccurate or incomplete personal data.
  • Right to Erasure: You can request that we delete your personal data in certain circumstances (e.g., when it is no longer necessary for the purpose for which it was collected).
  • Right to Restrict Processing: You can ask us to limit how we use your data in certain circumstances.
  • Right to Data Portability: You can request your data in a structured, commonly used, machine-readable format.
  • Right to Object: You can object to our processing of your personal data in certain circumstances, including processing based on legitimate interests.
  • Right to Withdraw Consent: Where we rely on your consent for processing, you may withdraw that consent at any time without affecting the lawfulness of processing that occurred before withdrawal.
  • Right to Lodge a Complaint: You have the right to lodge a complaint with your local data protection supervisory authority.

Legal Basis for Processing

We process your personal data on the following legal bases under the GDPR:

  • Performance of a contract: Processing necessary to provide you with the Service you signed up for (e.g., account management, content generation, storage).
  • Consent: Where you have given specific consent, such as granting microphone or location permissions.
  • Legitimate interests: Processing for our legitimate interests, such as improving the Service and ensuring security, where those interests are not overridden by your rights.
  • Legal obligation: Processing necessary to comply with applicable laws.

International Data Transfers

When your data is transferred from the EEA, UK, or Switzerland to the United States, such transfers are necessary for the performance of our contract with you (i.e., providing the Service you signed up for) under GDPR Article 49(1)(b). As our user base grows, we intend to implement Standard Contractual Clauses (SCCs) approved by the European Commission to provide additional safeguards for international data transfers.

17. Cookies and Local Storage

Serona uses minimal browser storage, limited to what is necessary for the Service to function:

  • Local Storage — Theme Preference:We store your theme preference (light or dark) in your browser's localStorage. This data never leaves your device.
  • Session Cookies — Authentication: We use cookies managed by Supabase Auth to maintain your login session. These are functional cookies necessary for the Service to work and are not used for tracking.

We do not use third-party tracking cookies. We do not use advertising cookies, analytics cookies, or any cookies from third-party tracking services. There are no social media pixels, retargeting tags, or similar tracking technologies on Serona.

Do Not Track

Because we do not track users across third-party websites or services, our practices remain the same regardless of whether your browser sends a "Do Not Track" (DNT) signal. We do not engage in the type of tracking that DNT signals are intended to prevent.

18. Payment Information

All payment processing is handled by Stripe, a PCI DSS Level 1 certified payment processor. When you subscribe to Serona:

  • Your payment card information (card number, expiration date, CVV) is collected and processed directly by Stripe. This data is never transmitted to or stored on Serona's servers.
  • We store only a Stripe customer ID and a Stripe subscription ID in our database, which allow us to manage your subscription status. These are opaque identifiers that cannot be used to access your payment details.
  • Stripe may collect additional information as described in their privacy policy.

For more information about how Stripe handles your data, please see Stripe's Privacy Policy.

19. Intellectual Property and Copyright Disclaimers

Your Responsibility for Transcribed Content

You are responsible for ensuring that you have the right to transcribe, upload, and process any content through the Service. Lectures, presentations, and other educational materials are generally the intellectual property of the instructor or institution that created them. Your use of Serona to create study materials from such content should comply with your institution's policies and applicable copyright law.

Fair Use

Serona is designed to help students create personal study materials from lectures and educational content they have been authorized to access. The creation of notes, summaries, and study aids from lectures may be considered fair use under U.S. copyright law, but this determination depends on the specific circumstances of each case. We do not provide legal advice regarding fair use.

DMCA

If you believe that content available through the Service infringes your copyright, you may submit a notice under the Digital Millennium Copyright Act (DMCA) to our designated agent at privacy@serona.io. Your notice should include: (1) a description of the copyrighted work; (2) a description of the infringing material and its location on the Service; (3) your contact information; (4) a statement that you have a good-faith belief the use is not authorized; (5) a statement under penalty of perjury that the information in your notice is accurate; and (6) your physical or electronic signature.

20. AI Content Accuracy Disclaimer

The notes, flashcards, quizzes, study guides, and other materials generated by Serona's AI features are produced by automated systems and may contain errors, inaccuracies, omissions, or misrepresentations of the source material.

  • No warranty of accuracy:AI-generated content is provided "as is" without any warranty of accuracy, completeness, or fitness for a particular purpose.
  • Not a substitute for studying: AI-generated study materials are intended to supplement, not replace, your own study practices. You should always review AI-generated content against your original source material.
  • No liability for academic outcomes: Serona is not liable for any academic outcomes, grades, test scores, or other consequences that may result from relying on AI-generated content.
  • Transcription limitations: Audio transcriptions may contain errors, especially with technical vocabulary, accents, background noise, or poor audio quality. Always review transcripts for accuracy.

21. Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. When we make changes:

  • We will update the "Last Updated" date at the top of this page.
  • For material changes that significantly affect how we handle your personal information, we will notify you by email (sent to the address associated with your account) or through a prominent notice within the Service at least 30 days before the changes take effect.
  • We will maintain an archive of prior versions of this policy, which you may request by contacting us.

Your continued use of the Service after the effective date of any updated Privacy Policy constitutes your acceptance of the updated policy. If you do not agree with the changes, you should stop using the Service and delete your account.

22. Contact Us

If you have any questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us:

We aim to respond to all privacy-related inquiries within 10 business days. For formal rights requests under CCPA/CPRA, GDPR, or other applicable privacy laws, we will respond within the timeframes required by law.


© 2026 Serona. All rights reserved.