Back to HomeLEGAL · DATA POLICY

Data Policy

Last updated: April 11, 2026

This Data Policy provides detailed information about how ByteMentor AI collects, processes, stores, and protects your data. It supplements our Privacy Policy with specific technical details about our data practices.

1. What Data We Collect and Why

We collect data to provide, personalize, and improve the ByteMentor AI learning experience. Below is a detailed breakdown:

Identity Data

Name, email, profile image, and OAuth provider ID from GitHub or Google. Used for authentication, account management, and personalizing your experience.

Onboarding and Profile Data

Years of experience, coding expertise level, target company tier, target companies, preferred problem sheet, primary learning goal, preferred programming language, and skill level. Used to calibrate difficulty, generate relevant problems, and personalize recommendations.

Resume Data

If you use the Jobs feature, you may paste resume text for AI-powered job matching and tailored cover letter generation. Resume text is stored in your account and can be deleted at any time from your account settings.

Learning and Practice Data

Lesson progress, practice scores, evaluation results, study plan completions, problem attempts (including difficulty, time spent, hints used, pattern guesses, confidence ratings, and scores), interview simulation responses, behavioral session answers, and code submissions. Used to track your progress, generate personalized study plans, and display analytics on your dashboard.

Skill Mastery and Cognitive Data

Our adaptive engine tracks granular skill evidence across 500+ micro-skills. For each problem attempt, we record 2 to 5 skill signals (recognition, implementation, optimization, transfer). We also store Bloom's taxonomy progression (6 cognitive levels per pattern), spaced repetition schedules (SM-2 algorithm), thinking records (understanding, plan, prediction, reflection), and cognitive phase data. This data powers adaptive difficulty, personalized problem generation, skill-aware recommendations, and the knowledge graph on your progress page.

Chat and Conversation Data

Messages exchanged with the AI tutor (ByteGuide), including your questions, code snippets, and AI responses. Used to provide contextual tutoring and maintain conversation history.

Usage and Activity Data

Daily feature usage counts (practice problems, tutor messages, session time), used for streak tracking, XP and level calculation, daily goal progress, and subscription limit enforcement. We also collect email addresses for newsletter subscribers, stored separately with subscription source and status.

Session Data

JWT authentication tokens and session identifiers stored as secure HTTP-only cookies. Login timestamps and OAuth provider details. Used to maintain authenticated sessions. We never store passwords.

2. How AI Providers Process Your Data

When you use AI-powered features, specific data is sent to third-party AI providers for processing:

Anthropic (Claude): Primary provider. Receives your code submissions and contextual prompts for analysis. Anthropic does not use API inputs to train models. System prompts may be cached by Anthropic for performance (prompt caching).
OpenAI (GPT): Alternative provider. Receives code and prompts when selected. API data is not used for model training by default per OpenAI's data usage policies.
Google AI (Gemini): Alternative provider. Receives code and prompts when selected. Data processing is governed by Google's Cloud AI Terms of Service.

We select the minimum data necessary for each AI request. We never send your full account data, learning history, credentials, or payment information to AI providers.

3. Guest Visitor Fingerprints

To offer unauthenticated visitors a free trial of each practice tool without requiring signup, we derive a server-side composite fingerprint from HTTP request headers:

IP network prefix only (first three IPv4 octets, or IPv6 /64). We do not store full IP addresses.
User-Agent, Accept-Language, and browser platform client hints.

These signals are concatenated and hashed with SHA-256; we retain only the first 24 hexadecimal characters. The resulting fingerprint is used exclusively to (a) enforce a one-try-per-tool lifetime limit per fingerprint, and (b) cap the total number of guest attempts per IP network prefix per day as an abuse-prevention measure.

Guest usage records are retained for 90 days and then permanently deleted by an automated cleanup job. Because the fingerprint is derived from headers rather than cookies, clearing your browser storage does not reset the limit. Creating a free account removes the need for fingerprinting entirely, because authenticated usage is tracked via account identifiers, not request headers.

4. Data Retention

Your data is retained permanently while your account is active. This includes your full practice history, chat history, code submissions, evaluations, skill mastery records, study plans, interview simulations, and learning progress. When you delete your account, all associated data is permanently removed. Guest visitor fingerprints (see section 3) are retained for 90 days regardless of account status.

5. Data Storage

Your data is stored securely using the following infrastructure:

Database: PostgreSQL database with encryption at rest.
Authentication Tokens: Session tokens are stored as secure, HTTP-only cookies not accessible to client-side JavaScript.
Temporary Data: AI request/response payloads are held in server memory during processing and are not persisted to disk beyond stored evaluation results.
Backups: Database backups are encrypted and retained for disaster recovery. Backup data is purged on a rolling schedule.

6. Data Sharing

We are committed to keeping your data private:

We never sell your data. Your personal information and learning data are never sold to third parties.
AI providers: Data is shared with AI providers (Anthropic, OpenAI, Google AI) solely to deliver AI-powered features as described above.
Payment processor: Subscription and billing data is processed by Dodo Payments. We do not store your payment card details.
Job listings: Search keywords and location are sent to RapidAPI (JSearch) when you use the Jobs feature. No personal data is transmitted.
Analytics: We use Google Analytics to understand aggregate usage patterns. For EEA users, analytics are loaded only after explicit opt-in consent. Analytics data is anonymized. We do not use advertising or tracking cookies.
Legal obligations: We may disclose data if required by law, legal process, or governmental request.

7. Data Export

You have the right to request a complete export of your data at any time. Your export will include account information, learning progress, practice history, skill mastery records, evaluation scores, study plans, chat history, and any other personal data associated with your account. Data exports are provided in JSON format. To request a data export, contact us at [email protected]. We will process your request within 30 days.

8. Data Deletion

You can request complete deletion of your account and all associated data. When your account is deleted:

All personal data (name, email, profile, resume text) is permanently removed.
All learning data (progress, scores, evaluations, study plans, skill mastery) is permanently deleted.
All code submissions, chat history, and interview simulation data is deleted.
All cognitive data (thinking records, Bloom's progress, spaced repetition schedules) is deleted.
Authentication sessions and tokens are immediately invalidated.
Newsletter subscription (if any) is cancelled.
Residual copies in encrypted backups will be purged within 90 days.

Note: We cannot delete data that has already been processed by third-party AI providers. Please refer to their respective data retention policies.

9. Security Measures

We implement multiple layers of security to protect your data:

Encryption in Transit: All data is encrypted using TLS (HTTPS).
Encryption at Rest: Database contents are encrypted using industry-standard algorithms.
Secure Authentication: OAuth 2.0 via GitHub and Google. We never handle or store passwords.
API Key Protection: All third-party API keys are stored as environment variables and never exposed to the client.
Input Validation: All user inputs are validated and sanitized server-side using schema validation (Zod) to prevent injection attacks.
Rate Limiting: API endpoints are rate-limited to prevent abuse and protect platform stability.
Access Control: All API routes verify user authentication before processing requests. Users can only access their own data.

10. Changes to This Policy

We may update this Data Policy at any time, at our sole discretion, without prior notice. Changes take effect immediately upon posting. The "Last updated" date at the top indicates when the latest revision was made. It is your responsibility to review this policy periodically. Your continued use of ByteMentor AI after any modifications constitutes your acceptance of the updated policy.

11. Contact Us

If you have questions about this Data Policy, want to request a data export, or wish to delete your account, please contact us at:

ByteMentor AI
Email: [email protected]