Privacy Policy
Effective Date: April 1, 2026
Last Updated: April 1, 2026
This Privacy Policy describes how AI Castle Inc. ("Company," "we," "us," or "our") collects, uses, shares, and protects your personal information when you use the Physicar AI platform and related services (the "Services").
1. Information We Collect
1.1 Information You Provide
| Category | Data | Purpose |
|---|---|---|
| Account Information | Name, email address, date of birth, password (hashed) | Account creation, age verification, authentication |
| Profile Information | Display name | Personalization |
| Chat Content | Messages you send and AI responses | Providing AI chat services |
| Classroom Information | Classroom membership, invite codes used | Classroom management, educator supervision |
1.2 Information Collected Automatically
| Category | Data | Purpose |
|---|---|---|
| Device & Browser | Browser type, language preference, timezone | Service optimization, localization |
| Network | IP address, approximate location (country) | Security, age verification by jurisdiction, rate limiting |
| Usage Data | Credit usage, chat frequency, feature interactions | Service improvement, billing |
1.3 Information from Third Parties
We do not currently collect personal information from third-party sources.
2. How We Use Your Information
We use your information for the following purposes:
- Providing Services: Processing your requests, generating AI responses, managing your account
- Authentication & Security: Verifying your identity, preventing fraud, enforcing rate limits
- Age Verification: Determining minimum age requirements based on your jurisdiction
- Classroom Management: Enabling educators to manage student access and usage
- Communication: Sending verification emails, password reset links, and service notifications
- Service Improvement: Analyzing usage patterns to improve platform features (aggregated data)
- Legal Compliance: Meeting our obligations under applicable laws and regulations
3. How We Share Your Information
3.1 Third-Party Service Providers
We share information with the following categories of service providers who process data on our behalf:
| Provider | Data Shared | Purpose | Location |
|---|---|---|---|
| OpenAI | Chat messages (text content only) | AI response generation | United States |
| Cloudflare | All data (hosting infrastructure) | Platform hosting, CDN, edge computing, data storage | Global (primary: United States) |
| Resend | Email address | Transactional emails (verification, password reset) | United States |
3.2 Classroom Educators
If you join a Classroom, the educator may see:
- Your display name and email address
- Your credit usage within the Classroom
- Your join date
3.3 Legal Requirements
We may disclose your information when required by law, court order, or governmental authority.
3.4 Business Transfers
In the event of a merger, acquisition, or sale of assets, your information may be transferred as part of the transaction.
4. International Data Transfers
Physicar AI is a global service. Your data may be transferred to and processed in countries other than your country of residence, including the United States and other jurisdictions where our service providers operate.
We ensure appropriate safeguards are in place for international data transfers in compliance with applicable data protection laws.
For users in the Republic of Korea: Please refer to our Cross-Border Transfer Consent for detailed information required under the Personal Information Protection Act (PIPA).
5. Data Retention
| Data Type | Retention Period |
|---|---|
| Account information | Until account deletion |
| Chat messages | Retained for multi-turn context; deleted upon account deletion |
| Usage logs | Up to 12 months |
| Deleted account records | Up to 3 years (for legal compliance) |
| Session data | Up to 7 days |
| Credit/billing data | As required by tax and accounting laws |
6. Your Rights
Depending on your jurisdiction, you may have the following rights:
- Access: Request a copy of your personal information
- Correction: Request correction of inaccurate information
- Deletion: Request deletion of your account and personal data
- Portability: Request your data in a portable format
- Objection: Object to certain processing activities
- Withdrawal of Consent: Withdraw consent where processing is based on consent
To exercise your rights, please contact us at contact@physicar.ai.
7. Children's Privacy
We do not knowingly collect personal information from children below the minimum age for their jurisdiction without appropriate consent. Users who do not meet age requirements must access the Services through a supervised Classroom.
If we become aware that we have collected personal information from a child without proper consent, we will take steps to delete that information.
8. Security
We implement technical and organizational measures to protect your personal information, including:
- Password hashing with PBKDF2 (100,000 iterations, SHA-256)
- HTTPS encryption for all data in transit
- Session-based authentication with secure tokens
- Rate limiting and abuse prevention
- Regular security reviews
9. Cookies and Local Storage
We use browser local storage to maintain your authentication session. We do not use tracking cookies or third-party advertising cookies.
| Storage Item | Purpose | Duration |
|---|---|---|
| physicar_session | Authentication token | Until logout or expiration (7 days) |
10. Changes to This Policy
We may update this Privacy Policy from time to time. We will notify you of material changes by posting the revised policy on this page with an updated effective date.
11. Contact Us
For privacy-related inquiries:
- Email: contact@physicar.ai
- Company: AI Castle Inc.
Jurisdiction-Specific Provisions
Republic of Korea
Users in the Republic of Korea have additional rights and protections under the Personal Information Protection Act (PIPA). Please review our consent documents:
- Personal Information Collection and Use
- Third-Party Sharing of Personal Information
- Cross-Border Transfer of Personal Information
European Economic Area (EEA)
For users in the EEA, we process your personal information based on the following legal bases: performance of a contract (providing the Services), legitimate interests (security, service improvement), and consent (where required). You have additional rights under the GDPR, including the right to lodge a complaint with a supervisory authority.
This Privacy Policy is available in multiple languages. In the event of any conflict between translated versions, the English version shall prevail.