Privacy Policy
Effective date: May 2026
TL;DR
We collect what we need to run classes (account info, class transcripts, payment metadata) and nothing more. We do not sell your data. Children under 13 require verifiable parental consent. You can export or delete your data at any time from Settings.
OrderToAI LLC, operating as Diraasa (“Diraasa”, “we”, or “us”), respects your privacy. This Privacy Policy explains what personal information we collect, why we collect it, how we use it, who we share it with, and what rights you have. Parents should also read the Children’s Privacy Notice.
1. Who we are
The data controller is OrderToAI LLC, a Texas limited liability company operating as Diraasa. Privacy contact: info@diraasa.com.
2. Information we collect
2.1 Information you give us
- Identifying information: first name, last name, email address, phone number, country, time zone, preferred language.
- Profile information: profile photo, biography, teaching subjects, languages, availability, rates (teachers), learning goals (students and parents).
- Authentication information: password (hashed).
- Identity verification (teachers only): government-issued ID and a live selfie. We do not store the document image; Stripe Identity does. We retain only metadata (name, date of birth, country, expiry).
- Payout details (teachers only). For teachers in Stripe Connect-supported countries, bank details are managed by Stripe Connect Express and never touch Diraasa servers. For teachers in countries served by our Wise rail (currently Egypt, Pakistan, India, and others added over time), bank account number or IBAN, IFSC or SWIFT/BIC, account-holder name, country of tax residence, and tax identifier (e.g. PAN for India) are stored on Diraasa servers, encrypted at rest with AES-256-GCM.
- Payment information: card details are entered into Stripe’s payment form (an iframe). They never touch Diraasa servers. We see only the last four digits and expiry.
- Children’s information (parents only): first name, age, gender, learning preferences. We do not collect email, phone, or location data from children.
- Content you create: messages, reviews, class notes, homework, uploaded teaching materials.
- Support communications: emails and chats with our support team.
2.2 Information we collect automatically
- Device and connection information: IP address, browser type and version, operating system, device identifiers, referring URL.
- Usage information: pages visited, features used, search queries, click events, time spent.
- Cookies and similar technologies. See our Cookie Policy.
2.3 Class transcripts
When you participate in a class, the audio is streamed to Deepgram for real-time transcription. The transcript is stored on Diraasa servers. Audio is not retained. Transcripts are accessible to the parties of the class, to Diraasa moderators, and to law enforcement when legally compelled. Transcripts are retained for one year and then deleted.
3. How we use information
We use personal information to provide the platform (account creation, booking, classroom access, messaging, transcripts), process payments and payouts, verify teacher identity and prevent fraud, moderate content for safety and child protection, respond to your support requests, send service announcements and security alerts, send marketing communications (only with your consent), comply with tax and legal obligations, detect and respond to security incidents, improve the platform, and enforce our Terms.
We do not sell personal information. We do not share personal information with advertisers or data brokers. The platform does not run ads.
4. How we share information
With other users. Teacher profiles (name, photo, biography, qualifications, rates, reviews, sample video) are visible to logged-in students and parents. Student first names and the age of children are visible to teachers a parent has booked with. Last names, emails, phone numbers, and addresses are NEVER visible across student-teacher boundaries.
With service providers (sub-processors). See the live list at /sub-processors. Each is bound by a Data Processing Addendum.
With authorities. When necessary to comply with law, court order, or government investigation; to report a child safeguarding concern; to protect the rights, property, or safety of Diraasa, our users, or the public; or to investigate fraud or security incidents.
In a business transaction. If Diraasa is acquired, merged, or sells its assets, your information may transfer to the acquirer subject to the same protections in this Policy.
5. International transfers
Diraasa is headquartered in the United States. Our servers and most service providers are located in the United States and the European Union. For users in the EEA, UK, or Switzerland, we rely on the European Commission’s Standard Contractual Clauses (with the UK Addendum where applicable) to lawfully transfer personal information.
6. How long we keep information
- Account data: while your account is active. Soft delete on closure, hard delete after 30 days.
- Class transcripts: 1 year, then deleted.
- Messages: while your account is active. Hard deleted 30 days after closure.
- Payment records: 7 years (US tax requirements).
- Identity verification metadata: while account is active.
- Moderation flags: 2 years, then archived.
- Audit logs: indefinite (immutable, append-only, required for compliance).
- Children’s data: deleted within 30 days of parent request, on parent account closure, or when child turns 18.
7. How we keep information secure
We protect information with encryption in transit (TLS 1.3) and at rest (AES-256-GCM for sensitive fields including Wise-rail bank account numbers / IBANs, IFSC / SWIFT / BIC codes, and tax identifiers such as PAN; disk-level encryption for general data), access controls based on least privilege, audit logging, regular vulnerability scanning, and incident response procedures. If a breach affects your information, we will notify you and the appropriate regulators in line with applicable law (within 72 hours for GDPR notifiable breaches).
8. Your choices
- Update your account information at any time from your settings.
- Download a copy of your data from your settings (data portability).
- Delete your account at any time (right to erasure, with a 30-day grace period).
- Unsubscribe from marketing emails by clicking the unsubscribe link in any marketing email.
- Opt out of optional cookies through the cookie banner.
9. Jurisdiction-specific rights
9.1 European Economic Area, UK, and Switzerland (GDPR / UK GDPR)
You have the right to access, correct, erase, restrict, port, and object to our processing of your personal information, and to withdraw consent (where consent is the lawful basis). To exercise these rights, contact info@diraasa.com. We respond within 30 days. You may also lodge a complaint with your local supervisory authority.
9.2 California (CCPA / CPRA)
You have the right to know, delete, correct, opt out of the sale or sharing of personal information, and limit the use of sensitive personal information. We do not sell personal information and do not share for cross-context behavioral advertising. We respond within 45 days.
9.3 Other US states
Residents of states with comprehensive privacy laws (Virginia, Colorado, Connecticut, Utah, Oregon, Texas, Montana, Iowa, Tennessee, Indiana, Delaware, New Jersey, New Hampshire, Minnesota, Maryland, and others) have rights similar to those in the GDPR section above.
10. Children’s data
We do not knowingly collect personal information from children under 13 except as permitted by COPPA with verifiable parental consent. See the Children’s Privacy Notice.
11. Automated decision making
We use automated systems for real-time message and transcript moderation, fraud and abuse detection, and search ranking. These systems do not produce legal or similarly significant effects on you without human review. A human reviews any account suspension, ban, or refund denial that results from an automated flag before it becomes final.
12. Changes
We may update this Privacy Policy. Material changes will be communicated by email and by an in-app notice at least 30 days before they take effect.
13. Contact
Privacy team: info@diraasa.com.