← Back to home
Privacy Policy
Last updated: 1 June 2026
This policy explains what data Selene (operated as Selene StudyOS, hereafter "Selene", "we", "us") collects when you use selenos.world and the Selene app, why we collect it, who we share it with, and the rights you have over it. We try to keep this short and honest. If something is unclear, email seankwendo23@gmail.com.
1. Who we are
Selene is a study productivity tool built by a small team in Kenya. We are not a registered company yet, so the data controller is the developer, Sean Kwendo, reachable at seankwendo23@gmail.com. We are operating in Kenya and intend to comply with the Kenya Data Protection Act, 2019 ("DPA"), and with the EU GDPR for the small number of users we serve outside Kenya.
2. What we collect
Account data
- Your email address and name (entered at sign-up, or returned by Google if you sign in with Google).
- Optional profile fields you choose to fill in: university, course of study, year, time zone, avatar URL.
- Hashed password (we never store plaintext). If you sign in only via Google, we never see a password.
Content you create
- Notes, flashcards, study plans, goals, courses, assignments, calendar events, and any files you upload (PDFs, images, audio for transcription).
- Chats with the Selene AI assistant, including the prompts you write and the replies you receive.
- Group memberships and group-shared content you opt into.
Usage data
- Pages visited, features used, AI message and token counts (for billing and abuse prevention).
- Device, browser, and IP address from request headers (used for security logs, rate limiting, and to keep sessions consistent).
- Error reports — if you send feedback via the Help dialog we receive the page URL, your browser user-agent, and the text you type.
Payment data
Payments are processed by Paystack. We never see your card or M-Pesa PIN. We receive the transaction reference, amount, status, currency, and the email Paystack ties to the transaction. We store this to know which plan you are on.
What we do NOT collect
- We do not run third-party analytics scripts (no Google Analytics, no Meta Pixel, no Hotjar).
- We do not sell or rent your data. Ever.
- We do not read your content for advertising. There are no ads in Selene.
3. Why we collect it (lawful basis)
- Contract — to deliver the service you signed up for: store your notes, run AI replies, send a verification email, charge you if you are on a paid plan.
- Legitimate interest — to keep the service running and secure: rate-limit abuse, detect fraud, fix bugs, generate aggregate usage stats.
- Consent — for things you opt into specifically (e.g. joining a study group, allowing the AI to add events to your calendar).
- Legal obligation — to comply with the Kenya Data Protection Act if a regulator asks us for records we are required to keep.
4. Who we share it with
We only share data with the third parties we need to run Selene. Each one is bound by their own privacy policy and acts as our data processor.
- Paystack — payment processing. paystack.com/privacy
- Resend — sending verification and notification emails. resend.com/legal/privacy-policy
- Google — if you sign in with Google. We verify a Google ID token and read only your email and name. policies.google.com/privacy
- AI providers — when you chat with the Selene AI, or when we automatically structure your uploaded notes, generate flashcards, quizzes, or a study plan, the relevant text is sent to one of our AI processors: Anthropic (Claude), Google (Gemini), DeepSeek, or a self-hosted model running on our own server. We pick the provider based on the task and your plan. With Anthropic and Google we use API endpoints that opt out of training on your data. DeepSeek is used for some background processing (such as cleaning up uploaded notes and generating study material); its servers are located outside Kenya, including in China, and its data-handling terms differ from the others — by using these features you consent to that processing. If you would rather your coursework not be processed by DeepSeek, contact us at
seankwendo23@gmail.com. Anthropic · Google AI · DeepSeek.
- Hosting provider — our server provider stores the encrypted data at rest. They cannot read your content.
We do not transfer data outside Kenya except as required by the providers above (most are US-based). By using Selene you consent to that transfer, with the safeguards their policies describe.
5. How long we keep it
- Account data and content: kept while your account is active.
- If you delete your account, we delete your content within 30 days. Aggregated, anonymised usage stats may survive (e.g. "X messages sent in May 2026").
- Payment records: 7 years, to satisfy Kenyan tax-record requirements.
- Backups: rolled out within 14 days.
6. Security
- All traffic between you and Selene is encrypted with TLS.
- Passwords are hashed with Django's default PBKDF2 + SHA-256, never stored in plaintext.
- Authentication uses signed JWTs delivered as
httpOnly cookies, with CSRF double-submit protection on state-changing requests.
- Staff access to
/admin requires a password plus a TOTP 6-digit code.
- The database and Redis cache run in isolated containers, reachable only from the application.
- We log security events (failed logins, rate-limit hits, suspicious activity) and review them.
7. Your rights
Under the Kenya DPA (and GDPR if applicable to you) you have the right to:
- Access a copy of your data.
- Correct anything that is wrong.
- Delete your account and content.
- Restrict or object to certain processing.
- Take your data with you (export).
- Withdraw consent for anything you previously opted into.
- Complain to the Office of the Data Protection Commissioner (odpc.go.ke).
To exercise any of these, email seankwendo23@gmail.com from the address tied to your account. We respond within 30 days.
8. Cookies
Selene uses cookies only for what is needed to make the app work:
access and refresh — your login session. httpOnly, Secure, SameSite=Lax.
csrftoken — protects against cross-site request forgery on POSTs.
selene_authed, selene_theme, selene_onboarded — small UI hints so the frontend can render fast on reload.
We do not use tracking cookies or third-party advertising cookies.
9. Children
Selene is for university students. If you are under 18 you may use Selene only with the consent of a parent or guardian. We do not knowingly collect data from children under 13.
10. Changes
If we change this policy, we update the date at the top and, for material changes, send an email to your registered address. Continued use of Selene after a change means you accept the new policy.
11. Contact
Questions, requests, complaints: seankwendo23@gmail.com. We will get back to you within a few working days.
Thanks for trusting Selene with your work. — Sean