Privacy Policy

Last updated: April 15, 2026 — version 1.0

How Haruko handles personal data, in plain language. We follow Chile’s Law 21.719 and apply privacy by design.

1. Who we are

Haruko is operated by Haruko SpA, a Chilean company based in Santiago, Chile. Contact: privacy@haruko.ai.

2. Legal framework

We comply with Chile's Personal Data Protection Law 21.719, in force since December 2024 and applicable to minors as well.

3. What data we collect

3.1 From the guardian

  • Email, name, hashed password (Argon2id).
  • Payment information (processed by Mercado Pago — we do not store card numbers).
  • Usage logs: pages visited, actions, IP, user-agent (for technical and security purposes).

3.2 From the minor (with guardian's consent)

  • Display name, birth year, language, accessibility settings.
  • Compiled pedagogical model (what they know, what they struggle with) — encrypted at rest with Fernet.
  • Math notebook steps (latex_output, handwriting strokes as vectors).
  • Session logs and pedagogical events.

4. How we use the data

  • Essential operation: providing personalized tutoring.
  • Product improvement: anonymized aggregate analysis (k-anon ≥30) — optional.
  • LLM sub-processors: sending pseudonymized text/images to Anthropic (Claude) and Google Cloud (Gemini).
  • Payments: email sent to Mercado Pago to process the subscription.

5. Sub-processors

| Provider | Service | Data | Location |
|---|---|---|---|
| Anthropic | Claude (LLM) | Pseudonymized session text | USA |
| Google Cloud | Gemini Vision (OCR) | Stroke images (without minor’s name) | USA |
| Mercado Pago | Payments | Guardian email, amount | Chile |
| Cloudflare R2 / Railway | Hosting / storage | App data | USA / EU |

6. Cookies

Haruko only uses strictly necessary cookies:

  • Session cookie (NextAuth.js): to maintain your login.
  • Language cookie: to remember your es-CL/en-US preference.

We do not use tracking or advertising cookies. For analytics we use Plausible, which does not use cookies.

7. Your rights (Law 21.719)

You can exercise these rights from your account:

  • Access: see what data we have about you and the minor in your care.
  • Portability: download all data in ZIP format.
  • Rectification: correct erroneous data.
  • Deletion: schedule complete deletion (30-day grace period).
  • Opposition: object to specific purposes (e.g. product improvement).

Response time: maximum 30 days from the request.

8. Retention

  • Minor's data: while the account is active or until you request deletion.
  • Audit logs: 6 years (legal requirement), pseudonymized after deletion.
  • Payment/billing data: 6 years (Chilean tax requirement).

9. Security

  • Encryption in transit (TLS) and at rest (Fernet).
  • Password hashing with Argon2id.
  • Audit log for all access to the minor's data.
  • Limited and logged personnel access.

10. Contact

For questions or to exercise rights: privacy@haruko.ai.

If you believe your rights are not being respected, you can contact Chile's Data Protection Agency.