Privacy Policy
Last updated: March 2026
At Chestnut, we take your privacy seriously. Before we get into the details, here are three commitments we make upfront:
- We do not sell your personal data.
- We do not allow AI providers to train on your data.
- You can delete your account and all associated data at any time.
This Privacy Policy explains how Mikolaj Kacki, operating as Chestnut ("we", "us", or "our"), collects, uses, and protects your personal data when you use our platform at chestnut.dev (the "Service").
1. Data We Collect
Account data. When you sign up, we collect your name, email address, and avatar via your authentication provider.
Onboarding data. We collect information you provide during onboarding, such as your experience level, learning goals, and areas of interest.
Code data. When you use the Service through AI coding tools (such as Claude Code or Cursor), your tool processes code locally on your device and may send code context to our servers to generate personalised learning content. We do not directly access your codebase. We may store relevant snippets of code sent to us in our database to power course generation and ongoing personalisation. You can delete all stored code data at any time by deleting your account.
Learning data. We store your course progress, quiz responses, and knowledge graph entries.
Payment data. If you subscribe to a paid plan, Stripe collects and processes your payment information. We store your subscription status but never see or store your full card details. See Stripe's privacy policy.
Usage data. We collect anonymised usage data such as page views, feature usage, and session information to improve the Service.
2. How We Use Your Data
We use the data we collect to:
- Provide the Service — generating courses and knowledge graphs.
- Personalise your learning experience based on your skills, goals, and progress.
- Process payments and manage your subscription.
- Communicate with you about your account, updates, and changes to the Service.
- Improve the Service through aggregated, anonymised analytics.
- Detect and prevent fraud or abuse.
3. Third Parties
We share data with third-party service providers solely as necessary to operate the Service, including providers of AI content generation, payment processing, analytics, cloud hosting, and authentication. We use API configurations that do not permit AI providers to train on your data.
We do not sell your personal data to any third party. We do not share your data with advertisers.
4. Cookies & Tracking
We use a minimal set of cookies and tracking technologies:
- Essential cookies to manage your login session. These are strictly necessary and do not require consent.
- Functional cookies to support features such as referral flows.
- Analytics cookies to collect anonymised usage data.
We do not use advertising cookies or cross-site tracking pixels. Under the UK Privacy and Electronic Communications Regulations (PECR), non-essential cookies (functional and analytics) require your consent before being set. You can manage your cookie preferences through your browser settings. If you disable non-essential cookies, some features of the Service may not function as intended.
We do not respond to "Do Not Track" browser signals, as there is no industry-standard method for honouring them. However, we keep our tracking minimal as described above.
5. Data Retention
We retain your data for as long as your account is active and as needed to provide the Service. Specific retention periods include:
- Account and learning data: retained for the duration of your account.
- Usage and analytics data: handled by PostHog in accordance with their privacy policy and retention settings.
- Server logs: retained for up to 90 days for security and debugging purposes.
When you delete your account, all associated data — including courses, progress, and knowledge graph entries — is permanently deleted within 30 days. Anonymised, aggregated data that cannot be linked back to you may be retained for analytical purposes.
6. Data Security
We implement appropriate technical and organisational measures to protect your data, including encryption of data in transit, secure storage of authentication tokens, access controls ensuring users can only access their own data, and regular security reviews. No method of transmission over the internet is 100% secure, but we take reasonable steps to protect your information.
7. Your Rights
Under the UK GDPR, you have the right to:
- Access your personal data — your profile, courses, and learning data are visible in the app.
- Rectification — request correction of any inaccurate or incomplete personal data we hold about you.
- Erasure — delete your account and all associated data at any time through your account settings.
- Object to or restrict certain processing — contact us to discuss.
- Data portability — contact us and we will provide your data in a structured, commonly used format.
- Withdraw consent at any time for processing based on consent (such as codebase access), without affecting the lawfulness of processing before withdrawal. To withdraw consent, contact us at the email below.
- Lodge a complaint with the Information Commissioner's Office (ICO) if you believe your data protection rights have been violated. You can contact the ICO at ico.org.uk or by phone on 0303 123 1113.
8. UK GDPR
We process personal data under the UK General Data Protection Regulation (UK GDPR). Our lawful bases for processing include:
- Performance of a contract — processing necessary to provide the Service you signed up for.
- Legitimate interests — improving the Service, preventing abuse, and understanding usage patterns.
- Consent — where you have given explicit consent, such as granting access to your codebase.
The data controller is Mikolaj Kacki, operating as Chestnut. The supervisory authority for data protection matters is the Information Commissioner's Office (ICO) in the United Kingdom.
International data transfers. Some of our service providers are based in the United States and other countries outside the United Kingdom. Where personal data is transferred outside the United Kingdom, we ensure appropriate safeguards are in place, such as Standard Contractual Clauses (SCCs) or reliance on adequacy decisions, in accordance with UK GDPR requirements.
Automated decision-making. Our Service uses AI to generate personalised learning courses based on your code and learning data. These recommendations are informational and do not produce legal or similarly significant effects. No solely automated decisions are made about you that have legal or significant consequences. You may contact us at any time to request human review of any AI-generated output.
Providing personal data. Providing your account data (name and email) is necessary to create an account and use the Service. If you do not provide this data, you will not be able to use the Service. Providing code data is optional but required for the core personalised learning features.
9. Children's Privacy
The Service is not directed at individuals under the age of 16. We do not knowingly collect personal data from children. If you believe we have inadvertently collected data from a child under 16, please contact us and we will promptly delete it.
10. Changes to This Policy
We may update this Privacy Policy from time to time. If we make material changes, we will notify you by email or through the Service and, where required, seek your renewed consent before the changes take effect. Your continued use of the Service after such changes constitutes acceptance of the updated policy.
11. Contact
If you have any questions about this Privacy Policy or your data, please contact us at mikolajkacki98@gmail.com.