Privacy Policy NexStep Math

01 Introduction

NextStep Math ("NextStep Math," "we," "us," or "our") is a mobile algebra tutoring application operated by LLP "AI Laboratory" (Товарищество с ограниченной ответственностью "AI Laboratory"), a legal entity registered in the Republic of Kazakhstan (BIN: 250840016104), located at Mynbaeva Street 53, Bostandyk District, Almaty, Kazakhstan 050057.

This Privacy Policy describes how we collect, use, disclose, and protect information about you when you use the NextStep Math mobile application available on the Apple App Store and Google Play Store (collectively, the "Service").

By downloading or using NextStep Math, you acknowledge that you have read and understood this Privacy Policy. If you do not agree, please do not use the Service.

02 Information We Collect

2.1 Information You Provide Directly

Account information: if you create an account, we collect your name, email address, and password (stored in hashed form).
Camera / photo input: when you photograph a math problem, the image is processed to extract the equation. We do not store raw camera images beyond the time needed to process your request unless you explicitly save a problem to your history.
Support communications: if you contact us, we collect your name, email address, and the content of your message.
Payment information: purchases are processed by Apple App Store or Google Play and managed via RevenueCat. We do not receive or store your full payment card details — only a transaction confirmation, subscription status, and entitlement token.

2.2 Information Collected Automatically

Usage data: features used, problems solved, steps revealed, session duration, in-app navigation patterns.
Device information: device type and model, operating system and version, unique device identifiers (IDFA / GAID), app version.
Log data: timestamps, error reports, crash logs, and performance diagnostics.
Approximate location: inferred from IP address at country/region level. We do not collect GPS or precise location.

2.3 Information from Third Parties

If you sign in via Sign in with Apple or Sign in with Google, we receive only the basic profile information that provider makes available (name, email, unique identifier). We do not receive your password from these providers.

03 How We Use Your Information

Purpose	Legal basis (GDPR)
Provide and operate the Service (process math problems, display step-by-step explanations)	Performance of contract
Maintain and improve the Service (bug fixes, new features)	Legitimate interests
Personalize your experience (language, difficulty settings, saved history)	Performance of contract / Legitimate interests
Process transactions and manage subscriptions	Performance of contract
Send transactional communications (receipts, security alerts)	Performance of contract
Send promotional communications — only with your consent	Consent
Analytics and product research	Legitimate interests
Fraud prevention and security	Legitimate interests / Legal obligation
Serve in-app advertising via AdMob (non-subscribed users)	Consent (ATT / GDPR) / Legitimate interests
Comply with legal obligations	Legal obligation

We do not sell your personal information to third parties.
We do not use your data to train AI models. Math problem images are processed in real time and not retained by AI providers for training.

04 How We Share Your Information

4.1 Service Providers

We engage trusted third-party companies to perform services on our behalf. They may access your data only to perform specific tasks and are contractually obligated to protect it.

Provider	Role	Privacy policy
OpenAI, L.P.	AI inference (math problem solving and explanation generation)	openai.com/policies/privacy-policy
Google Firebase (Firestore, Hosting, Auth)	Server infrastructure, database, authentication	policies.google.com/privacy
Google Firebase (Analytics, Crashlytics)	Usage analytics, crash reporting, performance monitoring	policies.google.com/privacy
Google AdMob	In-app advertising (non-subscribed users, certain regions)	policies.google.com/privacy
RevenueCat, Inc.	Subscription management, entitlement verification	revenuecat.com/privacy
Apple Inc.	App distribution, subscription billing, Sign in with Apple	apple.com/legal/privacy
Google LLC	App distribution (Google Play), subscription billing, Sign in with Google	policies.google.com/privacy

4.2 Advertising (AdMob)

Non-subscribed users may see ads delivered by Google AdMob. AdMob may collect and use your IDFA (iOS) or GAID (Android) and other signals to serve personalized ads.

iOS — App Tracking Transparency (ATT): on iOS 14.5+, we will ask permission before AdMob accesses your IDFA. If you decline, ads will still appear but won't be personalized. Change this anytime: Settings → Privacy & Security → Tracking.

Android: opt out via Settings → Google → Ads → Delete advertising ID, or at adssettings.google.com.

We do not serve personalized ads to users under 13, or where consent has not been obtained.

4.3 Legal Requirements

We may disclose your information to: (a) comply with applicable law or governmental requests; (b) enforce our Terms of Use; (c) protect the rights, property, or safety of NextStep Math, our users, or the public; or (d) detect, prevent, or address fraud or security issues.

4.4 Business Transfers

If LLP "AI Laboratory" undergoes a merger, acquisition, or sale of assets, your information may be transferred. We will provide notice before your data becomes subject to a different privacy policy.

4.5 Aggregated or De-Identified Data

We may share aggregated or de-identified information with partners for research, analytics, or marketing purposes.

4.6 With Your Consent

We may share your information for any other purpose with your prior explicit consent.

05 Data Retention

Account data: retained for the duration of your account plus 12 months after deletion.
Problem history and session data: retained for up to 24 months of account inactivity, then deleted or anonymized.
Camera images: not stored beyond processing unless explicitly saved by you.
Analytics and log data: retained for up to 24 months in identifiable form, then aggregated or deleted.
Billing records: retained for 7 years or as required by applicable tax and accounting law.

06 Security

We implement industry-standard measures including encryption in transit (TLS 1.2+) and at rest, access controls, and regular security reviews. No system is completely secure — if you believe your account has been compromised, contact us immediately at dev@ai-laboratory.kz.

07 Children's Privacy (COPPA)

The Service is intended for users who are 13 years of age or older. We do not permit children under 13 to create accounts or use the Service, and we do not knowingly collect personal information from children under 13.

By using the Service, you represent that you are at least 13 years old. If you are a parent or guardian and believe your child under 13 has provided us with personal information, contact us at dev@ai-laboratory.kz — we will promptly delete it.

EEA users: in certain European countries the minimum age is 16. Users in those jurisdictions must meet their applicable local minimum age requirement.

08 Your Rights — EEA, UK & Switzerland (GDPR)

Right of Access

Request a copy of the personal data we hold about you.

Right to Rectification

Request correction of inaccurate or incomplete data.

Right to Erasure

Request deletion of your personal data ("right to be forgotten").

Right to Restriction

Request that we temporarily stop processing your data.

Right to Data Portability

Receive your data in a structured, machine-readable format.

Right to Object

Object to processing based on legitimate interests.

Right to Withdraw Consent

Withdraw consent at any time without affecting prior processing.

Right to Lodge a Complaint

Contact your local supervisory authority (e.g., ICO in the UK).

To exercise any right, contact us at dev@ai-laboratory.kz. We will respond within 30 days. As a Kazakhstani company processing EEA/UK residents' data, we rely on Standard Contractual Clauses where required.

09 Your Rights — California Residents (CCPA / CPRA)

Right to Know: request disclosure of personal information collected about you over the past 12 months.
Right to Delete: request deletion of your personal information, subject to certain exceptions.
Right to Correct: request correction of inaccurate personal information.
Right to Opt Out of Sale or Sharing: we do not sell your personal information. We do not share it for cross-context behavioral advertising.
Right to Limit Use of Sensitive Personal Information: we do not use sensitive personal information beyond permitted purposes.
Right to Non-Discrimination: we will not discriminate against you for exercising your rights.

To submit a request, email dev@ai-laboratory.kz with subject "California Privacy Request." We respond within 45 days.

10 International Data Transfers

LLP "AI Laboratory" is based in Kazakhstan. Your information may be transferred to Kazakhstan or other countries where our service providers operate (including the United States). For EEA/UK users, we rely on Standard Contractual Clauses approved by the European Commission to ensure adequate protection.

11 Third-Party Services and Links

The Service may contain links to third-party websites or services. We are not responsible for their privacy practices and encourage you to review their policies. Our integration with Apple App Store and Google Play is governed by their respective privacy policies.

12 Changes to This Privacy Policy

We may update this policy to reflect changes in our practices, the Service, or applicable law. We will update the "Last updated" date, display an in-app notice for material changes, and email registered users for significant updates. Continued use after changes constitutes acceptance.

13 Contact Us

For privacy-related questions, requests, or concerns, please contact us. We aim to respond to all legitimate requests within 30 days.

> LLP "AI Laboratory"

✉ dev@ai-laboratory.kz

📍 Mynbaeva Street 53, Bostandyk District, Almaty, Kazakhstan 050057

🪪 BIN: 250840016104