This Privacy Policy explains how Mathra AI, operated by Mirza Ahmad Baig trading as TwentyThree Labs, collects, uses, stores, and protects your personal data when you use our mobile application on Android and iOS. By using Mathra AI, you agree to the practices described herein.
| Field | Details |
| Operator (Individual) | Mirza Ahmad Baig |
| Trading Name | TwentyThree Labs |
| Registered Address | Ringstr. 3, 76689 Karlsdorf-Neuthard, Germany |
| Legal Contact Email | legal@mathraai.com |
| App / Service Name | Mathra AI |
| Platforms | Android and iOS |
We collect the following categories of personal data:
| Category | Data Points | Purpose | Legal Basis (GDPR) |
| Account Identity | Name, email, profile photo | Account creation & login | Art. 6(1)(b) — Contract |
| Authentication | Google / Apple Sign-In token | Secure third-party login | Art. 6(1)(b) — Contract |
| App Content | Math problems, AI solutions, session history | Core functionality & history | Art. 6(1)(b) — Contract |
| Camera / Images | Photos to scan math problems | OCR processing; not stored permanently | Art. 6(1)(a) — Consent |
| Voice Data | Audio of spoken problems | Speech-to-text; transient processing only | Art. 6(1)(a) — Consent |
| Device & Technical | Device model, OS, crash logs | Performance & bug fixing | Art. 6(1)(f) — Legitimate Interest |
| Usage Analytics | Features used, session duration | App improvement | Art. 6(1)(f) — Legitimate Interest |
| Payment / Billing | Subscription status (via Google Play / App Store) | Subscription management; no card data stored by us | Art. 6(1)(b) — Contract |
- Provide core functionality: solving problems, displaying step-by-step solutions, saving history.
- Authenticate you securely via Google Sign-In or Apple Sign-In.
- Personalise your learning experience based on your problem history.
- Process your math input (text, image, voice) using our AI providers: Anthropic (Claude) and Google Gemini.
- Manage your subscription and verify entitlements through Google Play and Apple App Store.
- Send important service notifications (security alerts, policy changes).
- Improve the app through aggregated, anonymised usage analytics.
- Comply with applicable laws and respond to legal obligations.
Important: Your math problems are transmitted to third-party AI services for processing: Anthropic (Claude) and Google Gemini. We have Data Processing Agreements (DPAs) in place with each provider as required by GDPR Art. 28.
| Provider | Purpose | Privacy Policy | Location |
| Anthropic (Claude) | AI math processing (primary) | anthropic.com/privacy | USA |
| Google (Gemini) | AI math processing (fallback) | policies.google.com/privacy | USA / EU |
| Firebase Authentication | User authentication | firebase.google.com/support/privacy | Global |
| Firebase Analytics | Usage analytics & app improvement | firebase.google.com/support/privacy | Global |
| Firebase Crashlytics | Crash reporting & diagnostics | firebase.google.com/support/privacy | Global |
| Firebase Cloud Messaging | Push notifications | firebase.google.com/support/privacy | Global |
| RevenueCat | Subscription management | revenuecat.com/privacy | USA |
| Google Sign-In | Authentication | policies.google.com/privacy | Global |
| Apple Sign-In | Authentication | apple.com/legal/privacy | Global |
| Google Play Billing | Subscriptions (Android) | policies.google.com/privacy | Global |
| Apple App Store | Subscriptions (iOS) | apple.com/legal/privacy | Global |
Your problem history and solutions are stored on our secure cloud servers to enable the History and Progress features. We implement the following safeguards:
- Encryption in transit: TLS 1.2+ for all data transfers.
- Encryption at rest: all stored personal data and problem history are encrypted.
- Access controls: only authorised personnel can access user data.
- Regular security audits and vulnerability assessments.
- Automatic session timeouts and token expiry.
- GDPR Art. 33 breach notification: supervisory authority notified within 72 hours of a confirmed breach.
As our AI providers are primarily based in the United States, your data may be transferred outside the EEA. We ensure such transfers comply with GDPR Chapter V through:
- Standard Contractual Clauses (SCCs) adopted by the EU Commission.
- Data Processing Agreements (DPAs) with all sub-processors.
- EU-U.S. Data Privacy Framework where providers are certified.
- Adequacy Decisions where recognised by the EU Commission.
Mathra AI is available to users of all ages, including children under 13. We comply with the U.S. Children's Online Privacy Protection Act (COPPA), EU GDPR Article 8, and equivalent global laws protecting minors.
- Under 13 (US — COPPA): We require verifiable parental consent before collecting personal data from children under 13 in the United States.
- Under 16 (EU/Germany — GDPR Art. 8): Children under 16 require a parent or guardian's consent to use the app.
- Parental review: Parents may review, modify, or delete their child's data at any time by contacting legal@mathraai.com.
- No profiling or advertising: We do not use children's data for advertising, behavioural profiling, or any purpose beyond providing the core educational service.
- No third-party sharing: We do not share children's data with third parties except AI processors strictly necessary for core functionality, under DPAs.
- Parental account linking: A parent or guardian account can be linked to a child's account for oversight.
- Inadvertent collection: If we discover we have collected data from a child without appropriate consent, we will delete it immediately upon notification.
| Right | Description | Applicable Law(s) |
| Access | Request a copy of all personal data we hold about you. | GDPR, CCPA, PIPEDA, LGPD |
| Rectification | Correct inaccurate or incomplete personal data. | GDPR, LGPD, PIPEDA |
| Erasure | Delete your account and all associated data within 30 days. | GDPR, CCPA, LGPD |
| Data Portability | Receive your data in a machine-readable format. | GDPR, LGPD |
| Restriction | Restrict processing in certain circumstances. | GDPR |
| Objection | Object to processing based on legitimate interest. | GDPR, LGPD |
| Withdraw Consent | Withdraw consent (camera, voice) at any time without affecting prior lawful processing. | All Laws |
| Non-Discrimination | Not be discriminated against for exercising your privacy rights. | CCPA (California) |
| Delete Account & Data | In-app one-tap deletion of your account and all associated data. | All Jurisdictions |
To exercise any right: legal@mathraai.com. We respond within 30 days (GDPR: up to 3 months for complex requests).
You can delete your account and all data at any time. In the app:
Settings → Account → Delete Account. All personal data, problem history, and solutions will be permanently erased within
30 days. Anonymised analytics may be retained up to 90 days. You may also email
legal@mathraai.com to request deletion.
| Data Type | Retention Period | Reason |
| Account & profile data | Duration of account + 30 days after deletion | Service provision |
| Problem & solution history | Duration of account + 30 days after deletion | Core feature |
| Camera / voice data | Not stored — transient processing only | Privacy by design |
| Usage analytics | Up to 24 months (anonymised) | Service improvement |
| Crash / error logs | Up to 12 months | Security & bug fixing |
| Financial / subscription records | 7 years | German tax law HGB §257 |
| Legal hold data | As required by applicable law | Legal compliance |
- Data Controller: Mirza Ahmad Baig, Ringstr. 3, 76689 Karlsdorf-Neuthard, Germany.
- Supervisory Authority: Landesbeauftragte für den Datenschutz und die Informationsfreiheit Baden-Württemberg (LfDI BW), or your local EU data protection authority.
- As the operator is based in Germany, no separate EU representative is required.
- Legal bases: Contract, Consent, Legitimate Interest, Legal Obligation — as detailed in Section 2.
- We do not sell or share personal information for cross-context behavioural advertising.
- California residents may request disclosure, deletion, and correction of personal data.
- We do not discriminate against users for exercising CCPA rights.
- Contact: legal@mathraai.com or use in-app Delete Account.
- We obtain verifiable parental consent before collecting data from users under 13.
- Parents may review, correct, and delete their child's data at any time.
- We do not condition use of the app on disclosure of more data than necessary.
- Brazilian users have all rights listed in Section 8 under LGPD.
- Processing is based on consent, contract, and legitimate interest.
- Contact: legal@mathraai.com for all LGPD requests.
- We collect only data necessary for stated purposes.
- Canadian users may access and correct their personal information.
- Unresolved complaints may be referred to the Office of the Privacy Commissioner of Canada.
- We comply with the Australian Privacy Principles (APPs).
- Complaints may be directed to the Office of the Australian Information Commissioner (OAIC).
| Contact Method | Details |
| Email (primary) | legal@mathraai.com |
| Postal Address | Mirza Ahmad Baig, Ringstr. 3, 76689 Karlsdorf-Neuthard, Germany |
| In-App | Settings → Privacy → Contact Us |
| Response Time | Within 30 days (GDPR: up to 3 months for complex requests) |
We may update this Privacy Policy periodically. We will notify you of material changes via in-app notification and/or email at least 30 days before changes take effect. Continued use of the app after the effective date constitutes acceptance. The current policy is always available in the app under Settings → Privacy Policy.