Privacy Policy

Last updated: March 2026

This policy describes how STUSYM handles personal data when using the system and connecting it to AI assistants via the MCP (Model Context Protocol).

1. Data Controller

The data controller is the operator of your STUSYM instance, typically a school or educational institution that uses the system. Contact details for the controller can be found in your instance settings.

2. What Data the System Processes

STUSYM processes only the data that you enter into the system:

  • User login data, including name, email, and password stored in encrypted form
  • Data about teachers, classes, subjects, and rooms
  • Timetable events and their assignments
  • Access and activity logs

3. MCP Interface and AI Assistants

If you connect STUSYM to an AI assistant such as ChatGPT or Claude through the MCP interface, the following applies:

  • The AI assistant accesses data only under your credentials and can see only what you can see
  • STUSYM does not send data to an AI provider on its own; data is transferred only in response to explicit AI tool calls
  • Every MCP tool call is recorded in the access log
  • STUSYM does not store conversations with AI assistants; those remain with the AI provider
Important: STUSYM acts as a data source. The actual processing of your prompts and generation of responses is handled by the AI provider, such as OpenAI or Anthropic, under its own privacy policy.

4. Sharing Data with Third Parties

STUSYM does not sell or provide your data to third parties for marketing or advertising purposes. Data may be disclosed only in the following cases:

  • Based on your explicit consent when connecting an AI assistant
  • For legal reasons
  • To hosting or infrastructure processors as part of operating the service

5. Data Retention

Data is retained for the duration of your subscription and can be deleted upon request after termination. MCP access logs are automatically deleted after 90 days.

6. Security

  • Data transfer is protected exclusively by HTTPS
  • The MCP interface requires OAuth 2.0 Authorization Code Flow with PKCE and bearer-token access
  • OAuth client registration is open, but the submitted redirect_uri must match the registered client data
  • MCP authorization is limited to instance administrators and granted OAuth scopes
  • Passwords are stored as a one-way hash
  • Access is logged and auditable

7. Your Rights

You have the right to access, correct, erase, and transfer your data. Submit your request to your instance administrator or contact us using the email address below.

8. Contact

STUSYM platform operator:
E-mail: [email protected]
Web: www.stusym.com

This policy may change from time to time. Material changes will be communicated through the system.