Privacy Policy
Effective Date: February 13, 2026
1. Introduction & Scope
Diamond Tree LLC (“Company,” “we,” “us,” or “our”) operates the Level 5 platform at lvl5.org (the “Service”). This Privacy Policy describes how we collect, use, disclose, and protect your personal information when you visit or use the Service.
This Privacy Policy applies to all users of the Service, including visitors, free-tier users, Pro subscribers, Team workspace members, and trainees who access shared content.
By accessing or using the Service, you acknowledge that you have read and understood this Privacy Policy. If you do not agree with our practices, please do not use the Service.
2. Information We Collect
A. Account Information
When you create an account, we collect your name, email address, and password (stored in hashed form). You may also provide a profile image and configure email notification preferences.
B. Payment Information
Payment processing is handled by Stripe. We do not store your credit card number or full payment details on our servers. We retain your Stripe Customer ID, subscription status, and billing history (invoices, payment dates, and amounts). For more information about how Stripe handles your data, please see Stripe’s Privacy Policy.
C. Content & Learning Data
We collect and store all content you create or interact with on the Service, including:
- Training modules, pages, and content blocks (text, images, video, assessments)
- Assessment responses, quiz answers, and completion data
- Notes, collections, and catalogs
- Files you upload (stored via Cloudinary)
- Content shared with you by other users
D. AI Interaction Data
When you use our AI-powered features, we collect:
- Prompts and messages you send to AI features
- AI-generated content and responses
- Token usage, model selection, and processing metadata
- Content you provide for AI processing (e.g., existing training materials submitted for summarization or enhancement)
E. Usage & Activity Data
We automatically collect information about your interactions with the Service, including:
- Pages viewed, content accessed, and actions performed
- Login timestamps, session duration, and feature usage
- IP address, browser type, operating system, and user agent
- Device information and screen resolution
F. Marketing & Analytics Data
We collect data through analytics and marketing tools, including:
- Google Analytics (GA4) data: page views, session data, user interactions, and demographic information
- Meta Pixel tracking data: page views, conversion events, and ad interaction data
- Campaign attribution data: UTM parameters, referrer URLs, landing pages, and session identifiers
G. Cookies & Similar Technologies
We use the following cookies and similar technologies:
- Session cookies (NextAuth): httpOnly, secure cookies required for authentication. These are essential for the Service to function.
- Workspace selection cookies: Store your active workspace preference.
- Campaign tracking cookies: Store marketing attribution data (UTM parameters, referrer, landing page) with a 30-day expiration.
- Google Analytics cookies: Collect usage statistics and analytics data. You can opt out using the Google Analytics Opt-out Browser Add-on.
- Meta Pixel cookies: Track conversions and advertising effectiveness. You can manage your ad preferences through Meta Ad Preferences.
3. How We Use Your Information
We use the information we collect to:
- Provide, operate, and maintain the Service
- Process payments and manage subscriptions
- Power AI content generation, summarization, and assistance features
- Track learning progress, content completion, and assessment results
- Generate workspace activity reports and engagement analytics for workspace administrators
- Analyze usage patterns to improve and optimize the Service
- Attribute marketing campaigns and measure advertising effectiveness
- Send transactional emails (invoices, password resets, invitations)
- Detect and prevent fraud, abuse, and security threats
- Comply with legal obligations and enforce our Terms of Service
4. Third-Party Service Providers & Data Sharing
We share personal information with the following third-party service providers to operate the Service. Each provider receives only the data necessary for its specific purpose.
| Provider | Purpose | Data Shared |
|---|---|---|
| Stripe | Payment processing | Payment information, billing details, transaction data |
| OpenRouter | AI model routing | User prompts and content submitted for AI processing |
| Google (Gemini) | AI content generation | User content and prompts submitted for AI processing |
| Anthropic (Claude) | AI document generation | User content and prompts submitted for AI processing |
| OpenAI | AI processing | User content and prompts submitted for AI processing |
| Cloudinary | Image storage & delivery | Uploaded images and media files |
| Ably | Real-time synchronization | Workspace event signals (no personally identifiable information in payloads) |
| Google Analytics | Website analytics | Usage data, device information, browsing behavior |
| Meta (Facebook Pixel) | Advertising conversion tracking | Page views, conversion events, ad interaction data |
| Google Gmail | Transactional email delivery | Email addresses and email content |
We may also disclose your personal information if required by law, regulation, legal process, or governmental request, or to protect our rights, property, or safety, or the rights, property, or safety of others.
We do not sell your personal information to third parties.
5. AI-Specific Data Practices
Our Service includes AI-powered features for content generation, summarization, and assistance. This section describes how your data is handled in connection with these features.
What Content Is Sent to AI Providers
When you use AI features, we may send the following to third-party AI providers:
- Text prompts and instructions you provide
- Existing training content you submit for AI processing (e.g., for summarization, enhancement, or analysis)
- Workspace context necessary to generate relevant content
What Is NOT Sent to AI Providers
- Passwords or authentication credentials
- Payment information or credit card details
- Other users’ personal information
AI Provider Data Retention
Each AI provider has its own data retention practices. As of the effective date of this policy:
- OpenRouter: Prompt logging is disabled by default; operational metadata may be retained.
- Google Gemini API: Input data may be retained for up to 55 days for safety and abuse monitoring purposes.
- Anthropic Claude API: Input data may be retained for up to 30 days for safety monitoring. Data is not used for model training.
- OpenAI API: Input data may be retained for up to 30 days for safety monitoring. Data is not used for model training.
These retention periods are subject to change by the respective providers. We encourage you to review each provider’s privacy policy (linked in Section 4 above) for the most current information.
AI-Generated Content Disclaimer
AI-generated content may contain errors, inaccuracies, or biases. You are solely responsible for reviewing, editing, and approving all AI-generated content before use. You retain ownership of your inputs; AI outputs are provided “as is” without warranty.
6. Data Retention
- Account data: Retained while your account is active and for a reasonable period after deletion to fulfill legal obligations and resolve disputes.
- Activity logs: Retained for reporting, analytics, and compliance purposes.
- AI usage logs: Retained for billing, usage tracking, and service improvement.
- Payment records: Retained as required by applicable tax and financial regulations.
- Campaign tracking cookies: Expire after 30 days. Associated conversion data is retained with your account record.
- Content data: Training materials, responses, and related content are retained while your account or workspace remains active. Deleted content may be retained in backups for a limited period.
7. Data Security
We implement industry-standard security measures to protect your personal information, including:
- Passwords are hashed using bcrypt before storage
- All data transmitted between your browser and our servers is encrypted via HTTPS/TLS
- Authentication sessions use httpOnly, secure cookies with SameSite protections
- Rate limiting is applied to authentication endpoints to prevent brute-force attacks
- Server-side HTML sanitization is applied to all user-generated content to prevent cross-site scripting attacks
- Input validation and parameterized database queries are used to prevent injection attacks
While we strive to protect your personal information, no method of electronic transmission or storage is 100% secure. We cannot guarantee absolute security of your data.
8. Your Rights
A. All Users
Regardless of your location, you may:
- Access, correct, or request deletion of your personal information
- Opt out of marketing communications by following the unsubscribe link in any email
- Opt out of Google Analytics tracking using the Google Analytics Opt-out Browser Add-on
- Manage Meta advertising preferences through Meta Ad Preferences
- Request a copy of your data by contacting us at info@lvl5.org
B. European Residents (GDPR)
If you are located in the European Economic Area (EEA), United Kingdom, or Switzerland, you have additional rights under the General Data Protection Regulation (GDPR), including:
- Right of access: Obtain confirmation of whether we process your personal data and request a copy.
- Right to rectification: Request correction of inaccurate personal data.
- Right to erasure: Request deletion of your personal data under certain circumstances.
- Right to restriction: Request restriction of processing under certain circumstances.
- Right to data portability: Receive your personal data in a structured, commonly used, machine-readable format.
- Right to object: Object to processing based on legitimate interests or for direct marketing purposes.
Our legal bases for processing your personal data include: performance of a contract (providing the Service), legitimate interests (improving the Service, security, fraud prevention), and consent (where applicable, such as for marketing communications).
Your personal data is transferred to and processed in the United States. Where required, we rely on standard contractual clauses or other appropriate safeguards for international data transfers.
To exercise your rights, contact us at info@lvl5.org. You also have the right to lodge a complaint with your local data protection authority.
C. California Residents (CCPA/CPRA)
If you are a California resident, you have rights under the California Consumer Privacy Act (CCPA) and the California Privacy Rights Act (CPRA), including:
- Right to know: Request disclosure of the categories and specific pieces of personal information we have collected about you, the categories of sources, the purposes for collection, and the categories of third parties with whom we share it.
- Right to delete: Request deletion of your personal information, subject to certain exceptions.
- Right to correct: Request correction of inaccurate personal information.
- Right to opt out of sale or sharing: We do not sell your personal information. We do not share personal information for cross-context behavioral advertising purposes.
- Right to non-discrimination: We will not discriminate against you for exercising your privacy rights.
Categories of personal information we collect include:
- Identifiers (name, email address, IP address)
- Commercial information (subscription and payment records)
- Internet or electronic network activity (browsing history, interactions with the Service)
- Professional or employment-related information (if provided in content you create)
- Inferences drawn from the above categories
To exercise your rights, contact us at info@lvl5.org. We will verify your identity before processing your request.
9. International Data Transfers
Your personal information is processed and stored in the United States. If you are accessing the Service from outside the United States, please be aware that your information will be transferred to, stored, and processed in the United States, where data protection laws may differ from those in your jurisdiction. Where required by applicable law, we implement appropriate safeguards, including standard contractual clauses, for international data transfers.
10. Children’s Privacy
The Service is not intended for individuals under the age of 18. We do not knowingly collect personal information from children under 18. If we become aware that we have collected personal information from a child under 18, we will take steps to delete that information promptly. If you believe we may have collected information from a child under 18, please contact us at info@lvl5.org.
11. Changes to This Privacy Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, technologies, legal requirements, or other factors. When we make material changes, we will update the “Effective Date” at the top of this page and, where appropriate, notify you via email or a prominent notice on the Service.
We encourage you to review this Privacy Policy periodically. Your continued use of the Service after any changes constitutes your acceptance of the updated Privacy Policy.
12. Contact Us
If you have questions about this Privacy Policy, wish to exercise your privacy rights, or have concerns about our data practices, please contact us:
Diamond Tree LLC
Email: info@lvl5.org