Effective date: April 22, 2026

Outlearn, Inc. ("Outlearn," "we," "us," or "our") provides the Outlearn website, platform, applications, and related services (collectively, the "Service"). This Privacy Policy explains how we collect, use, disclose, and otherwise process Personal Data when you access or use the Service, interact with us, or communicate with us. Unless otherwise defined in this Privacy Policy, capitalized terms have the meanings given in our Terms and Conditions or other applicable agreement with you.

For customers using the Service under a separate agreement or data processing addendum, that agreement and the applicable DPA govern our Processing of customer content and other Customer Data to the extent of any conflict with this Privacy Policy.

Definitions

• Service. means the Outlearn website, platform, applications, features, integrations, and related services made available by Outlearn.
• Personal Data. means information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular identified or identifiable individual, or is otherwise considered personal data, personal information, or a similar term under applicable Data Protection Laws.
• Usage Data. means data collected automatically from your use of the Service or Service infrastructure, such as technical logs, page usage, device information, and diagnostics.
• Cookies. means small data files placed on your device to store preferences, session information, and other technical information.
• Customer Data. means information, data, content, and other materials submitted, posted, uploaded, or otherwise transmitted by or on behalf of a customer or an Authorized User through the Service.
• Data Protection Laws. means applicable laws and regulations governing the Processing of Personal Data, which may include the GDPR, UK GDPR, CCPA, and other applicable U.S. state privacy laws.
• Deidentified Data. means data that cannot reasonably identify, relate to, describe, be capable of being associated with, or be linked, directly or indirectly, to a particular identified or identifiable individual, and that is processed in accordance with applicable law.
• Data Controller / Business. means the person or entity that determines the purposes and means of Processing Personal Data.
• Data Processor / Service Provider. means the person or entity that Processes Personal Data on behalf of a Data Controller / Business.

Our Role

When we collect and use Personal Data for our own business purposes, such as account administration, billing, marketing, security, analytics, and support, Outlearn acts as a controller or business, as applicable.

When we process Personal Data contained in Customer Data on behalf of a customer in connection with the Service, Outlearn acts as a processor or service provider, and the relevant customer acts as the controller or business, to the extent required by applicable Data Protection Laws.

Information We Collect

Personal Data you provide to us

• Account and contact details, such as name, business email address, company name, billing contact information, and login credentials.
• Communications and support information, such as messages you send to us, support requests, feedback, and responses to surveys or outreach.
• Payment and transaction information, such as billing address, subscription details, and payment-related metadata. Payment card details are processed directly by our payment processors and are not stored by us.
• Content submitted through the Service, including documents, files, knowledge sources, prompts, responses, agent configurations, comments, collaboration inputs, and other Customer Data uploaded to or generated within the Service.
• AI interaction data, when AI features are enabled, including prompts, user queries, relevant source content and workspace content processed to generate responses, and AI-generated outputs.

Information collected automatically

• Usage Data such as IP address, browser type and version, device identifiers, operating system, pages visited, referring URLs, timestamps, and diagnostic data.
• Cookie and similar technology data used to operate the Service, remember preferences, support security, and measure and improve performance.
• Log and security information used to detect abuse, investigate incidents, troubleshoot issues, and protect the Service.

Cookies and tracking technologies

We use cookies, pixels, scripts, local storage, and similar technologies to operate and secure the Service, remember your preferences, analyze usage, and improve our offerings. Examples include session cookies, preference cookies, and security cookies. You can instruct your browser to refuse cookies or to alert you when a cookie is being sent, but some parts of the Service may not function properly if cookies are disabled.

How We Use Personal Data

• provide, host, operate, maintain, and support the Service;
• authenticate users and administer accounts;
• process transactions, invoices, and payments;
• communicate with you about the Service, changes, security notices, support matters, and administrative issues;
• respond to support requests and provide customer service;
• monitor usage, troubleshoot problems, detect, prevent, and address fraud, abuse, and technical issues;
• improve, update, secure, and develop the Service and related features;
• provide analytics, reporting, search, collaboration, automation, agent, and other Service functionality;
• send newsletters, promotional materials, and other marketing communications where permitted by law, subject to your opt-out choices;
• provide AI-powered features, including AI-assisted drafting, summarization, retrieval, workflow assistance, and chatbot or agent functionality, where enabled;
• comply with legal obligations, enforce our agreements, and protect our rights, users, and business.

Legal Bases for Processing

If you are located in the European Economic Area or the United Kingdom, our legal bases for Processing Personal Data may include:

• performance of a contract with you or your organization;
• our legitimate interests, including operating, securing, improving, and supporting the Service, except where overridden by your interests or fundamental rights and freedoms;
• your consent, where required by law;
• compliance with legal obligations; and
• payment processing and related transaction administration.

Deidentified and Aggregated Information

We may create, compile, and use Deidentified Data and aggregated statistics derived from information we process, including from Customer Data, for lawful business purposes such as analytics, benchmarking, service operation, security, testing, product development, and improvement of our services and features.

We maintain reasonable technical and organizational measures designed to ensure that such information cannot reasonably be associated with an individual, household, or specific customer as its source, and we do not attempt to reidentify such information except as permitted by law, including as necessary to verify compliance with deidentification requirements. Any third parties receiving such information, if any, are required to adhere to equivalent restrictions.

AI-Powered Features and Data Processing

AI services

Outlearn offers AI-powered features to enhance the user experience, including AI-assisted drafting, summarization, retrieval, workflow assistance, and chatbot or agent functionality. These features may be available only on certain subscription plans and may be enabled or disabled by account administrators.

AI service providers

To provide AI features, we may use third-party artificial intelligence service providers, such as OpenAI, Anthropic, and ElevenLabs, or other providers disclosed in our applicable documentation, DPA, or subprocessor disclosures.

Data processed for AI features

• relevant source content, workspace content, and other Customer Data needed to generate AI outputs;
• user prompts, queries, and questions submitted to AI features;
• AI-generated responses, suggestions, summaries, or other outputs; and
• limited metadata such as timestamps, user identifiers, or account identifiers where needed for authentication, abuse prevention, access control, logging, or feature administration.

What we do not use for third-party model training

We do not use customer data to train third-party foundation models where our provider settings and contractual arrangements are designed to prohibit such use.

Internal improvement using deidentified data

Consistent with applicable law, we may use Deidentified Data and aggregated statistics derived from Customer Data to develop, test, improve, and operate our own services, analytics, and AI-enabled features, provided such information does not identify a customer or any individual.

AI-generated content disclaimer

AI-generated content may contain inaccuracies or errors and should be reviewed before publication or use in important contexts. Outlearn does not guarantee the accuracy, completeness, or reliability of AI-generated content. Customers remain responsible for the content they publish through the Service, including AI-generated content.

Service Providers and Subprocessors

We may engage third-party companies and individuals to provide services on our behalf, support Service functionality, process payments, host infrastructure, deliver email, provide analytics, assist with AI features, or otherwise help us operate the Service.

These service providers and subprocessors are authorized to access and process Personal Data only as necessary to perform services for us and are required to use appropriate safeguards and not to use such data for other purposes. Where required by applicable law, we will provide notice of material changes to subprocessors and remain responsible for their compliance with applicable data protection obligations related to the services they perform on our behalf.

Analytics and Payments

Analytics

We may use third-party analytics providers to help us understand how users interact with the Service. These providers may use cookies and similar technologies to collect information about your use of the Service. You can control cookies through your browser settings and, where applicable, opt out through tools made available by those providers.

Payments

We may offer paid products and services through the Service. Payment information is processed by third-party payment processors, such as Stripe, whose use of Personal Data is governed by their own privacy policies. We do not store full payment card details on our own systems.

Retention of Data

We retain Personal Data for as long as reasonably necessary for the purposes described in this Privacy Policy, including to provide the Service, comply with legal obligations, resolve disputes, enforce agreements, protect the Service, and maintain appropriate business records.

Usage Data is generally retained for a shorter period unless it is needed for security, fraud prevention, troubleshooting, product improvement, or legal compliance. Retention periods may vary depending on the nature of the data, the context in which it was collected, and applicable law.

International Transfers

Your information may be transferred to, stored in, and processed in countries other than your own, including the United States, where data protection laws may differ from those in your jurisdiction.

Where required by applicable law, we use lawful transfer mechanisms for international data transfers, which may include the European Commission’s Standard Contractual Clauses, UK transfer mechanisms, adequacy decisions, certifications, or other valid transfer mechanisms recognized under applicable Data Protection Laws.

If you are located outside the United States and provide information to us, you acknowledge that your information may be transferred to and processed in the United States and other jurisdictions in which we or our service providers operate.

Disclosure of Personal Data

We may disclose Personal Data:

• to service providers and subprocessors as described in this Privacy Policy;
• to comply with legal obligations, court orders, subpoenas, or lawful requests from public authorities;
• to protect and defend our rights, property, systems, users, and business;
• to investigate, prevent, or address fraud, security issues, abuse, or suspected illegal activity;
• in connection with a merger, acquisition, financing, reorganization, sale of assets, or similar corporate transaction, subject to appropriate confidentiality and legal protections; and
• with your consent or at your direction.

Security

We use commercially reasonable technical and organizational measures designed to protect Personal Data against unauthorized access, disclosure, alteration, or destruction. However, no method of transmission over the Internet or method of electronic storage is completely secure, and we cannot guarantee absolute security.

Your Privacy Rights

Depending on your jurisdiction, you may have rights regarding your Personal Data, including the right to access, correct, update, delete, restrict, object to certain processing, withdraw consent where processing is based on consent, or receive a portable copy of certain information.

If you would like to exercise applicable privacy rights, please contact us using the contact details below. We may request information necessary to verify your identity before responding to your request. If you are located in the EEA or the UK, you may also have the right to complain to your local data protection authority.

Marketing Communications

We may send marketing or promotional communications where permitted by law. You may opt out of marketing emails at any time by using the unsubscribe link in the message or by contacting us.

Third-Party Links

The Service may contain links to third-party websites, applications, or services that are not operated by us. We are not responsible for the privacy practices or content of those third parties, and we encourage you to review their privacy policies before providing them with information.

Children’s Privacy

The Service is not directed to children under the age of 18, and we do not knowingly collect Personal Data directly from children under 18. If we become aware that we have collected Personal Data from a child in violation of applicable law, we will take reasonable steps to delete it.

Changes to This Privacy Policy

We may update this Privacy Policy from time to time. If we make material changes, we will post the updated Privacy Policy on this page and update the effective date above. Where required by law, we will provide additional notice, such as by email or through the Service.

Contact Us

If you have any questions about this Privacy Policy or our privacy practices, please contact us at:

Email: team@outlearn.com