Gemma 4 Privacy Policy

📋 Our GDPR Commitment

As an educational resource serving users globally, we fully comply with the EU General Data Protection Regulation (GDPR) and the UK Data Protection Act 2018. We process personal data lawfully, fairly, and transparently, with clear purposes and minimal retention periods.

Lawful Bases for Processing

• Consent: For newsletter subscriptions, analytics cookies, and optional features. You may withdraw consent at any time.
• Legitimate Interests: For website security, fraud prevention, service improvement, and educational content delivery.
• Contractual Necessity: For account management, API access, and premium feature delivery where applicable.
• Legal Obligation: For compliance with tax, accounting, and regulatory requirements.

🔐 Your GDPR Rights

Under GDPR, you have specific rights regarding your personal data. We provide clear mechanisms to exercise these rights:

• Right to Access: Request a copy of your personal data we hold, including purposes of processing and retention periods.
• Right to Rectification: Correct inaccurate or incomplete personal data through your account settings or by contacting us.
• Right to Erasure ("Right to be Forgotten"): Request deletion of your personal data, subject to legal retention requirements.
• Right to Restriction: Limit processing of your data while accuracy is verified or objections are considered.
• Right to Data Portability: Receive your data in a structured, machine-readable format for transfer to another service.
• Right to Object: Object to processing based on legitimate interests or for direct marketing purposes.
• Rights Related to Automated Decision-Making: Not subject to solely automated decisions with legal or significant effects.

To exercise these rights, contact our Data Protection Officer at privacy@gemmai4.com. We respond to all verified requests within 30 days.

🌍 International Data Transfers

As a global service, your data may be transferred to and processed in countries outside your residence. We ensure adequate protections through:

• Standard Contractual Clauses (SCCs) approved by the European Commission
• Binding Corporate Rules for intra-group transfers
• Adequacy decisions for countries with equivalent data protection standards
• Explicit consent for transfers to countries without adequacy decisions

All transfers comply with Chapter V of GDPR. You may request details of specific safeguards by contacting our DPO.

🔍 What We Collect Automatically

Like most websites, we collect certain information automatically through server log files and analytics tools. This data helps us improve security, performance, and user experience:

• IP Addresses: Used for security monitoring, fraud prevention, and geographic analytics (country/region level only).
• Browser & Device Information: Browser type, version, operating system, device model, and screen resolution for compatibility testing.
• Referral Data: Pages visited before and after our site to understand user journeys and content effectiveness.
• Timestamps: Date and time of access for security auditing and usage pattern analysis.
• Clickstream Data: Pages viewed, time spent, and interaction patterns to optimize content and navigation.
• Error Logs: Technical errors encountered to improve site stability and fix bugs.

🔒 How We Use Log Data

Log file information is processed for specific, legitimate purposes:

• Security & Fraud Prevention: Detecting and mitigating attacks, unauthorized access attempts, and abusive behavior.
• Performance Optimization: Identifying slow-loading pages, broken links, and technical issues affecting user experience.
• Analytics & Improvement: Understanding how users interact with our content to enhance educational value and usability.
• Compliance & Auditing: Maintaining records for legal obligations, dispute resolution, and regulatory requirements.

Retention Period: Log files are retained for 90 days for security purposes, then aggregated and anonymized for long-term analytics. Individual IP addresses are deleted after 30 days unless required for active security investigations.

📊 What is the DART Cookie?

Google, as a third-party vendor, uses cookies to serve ads on our site. Google's use of the DART cookie enables it to serve ads to users based on their visit to our site and other sites on the Internet. Users may opt out of the use of the DART cookie by visiting the Google ad and content network privacy policy.

How DART Cookies Work

• Ad Personalization: DART cookies help deliver ads relevant to your interests based on your browsing history across participating websites.
• Frequency Capping: Limits the number of times you see the same ad to improve user experience and ad effectiveness.
• Campaign Measurement: Helps advertisers understand ad performance and optimize campaigns for better results.
• Fraud Prevention: Detects and prevents invalid traffic and click fraud to protect advertisers and publishers.

🔐 Your Cookie Choices

You have multiple options to control cookies on our site:

• Browser Settings: Configure your browser to refuse all cookies or indicate when a cookie is being sent. Note that some site features may not function properly if cookies are disabled.
• Google Ad Settings: Visit Google Ad Settings to manage ad personalization and opt out of interest-based advertising.
• Network Advertising Initiative: Use the NAI Opt-Out Tool to opt out of multiple advertising networks simultaneously.
• Our Cookie Banner: When you first visit our site, you can accept, reject, or customize cookie preferences through our consent management platform.

Essential Cookies: Some cookies are strictly necessary for our site to function (e.g., security, session management). These cannot be disabled as they are required for basic functionality.

🔐 Data Collection Principles

We collect only the data necessary to provide and improve our educational services. Our collection practices follow these core principles:

• Data Minimization: We collect only what is strictly necessary for specified purposes.
• Purpose Limitation: Data is used only for the purposes disclosed at collection or compatible purposes.
• Storage Limitation: Data is retained only as long as necessary for the stated purposes or legal requirements.
• Accuracy: We maintain reasonable procedures to ensure data accuracy and provide mechanisms for correction.
• Integrity & Confidentiality: We implement technical and organizational measures to protect data against unauthorized access, alteration, or disclosure.

📋 Types of Information We Collect

Information You Provide Directly

• Account Information: Email address, username, and optional profile details when creating an account.
• Communications: Content of messages sent through contact forms, support tickets, or community forums.
• Submissions: Code snippets, prompts, or educational content shared in tutorials, benchmarks, or community features.
• Preferences: Language settings, notification preferences, and content interests to personalize your experience.

Information Collected Automatically

• Usage Data: Pages visited, features used, time spent, and interaction patterns to improve educational content.
• Device Information: Device type, operating system, browser version, and screen resolution for compatibility optimization.
• Location Data: Approximate geographic location (country/region) derived from IP address for content localization and compliance.
• Performance Metrics: Page load times, error rates, and technical diagnostics to maintain site reliability.

🔗 How We Use Your Information

We use collected information for specific, legitimate purposes:

• Service Delivery: Providing access to tutorials, benchmarks, downloads, and community features.
• Personalization: Tailoring content recommendations, language preferences, and learning paths to your interests.
• Communication: Sending service updates, security alerts, and educational newsletters (with consent).
• Improvement: Analyzing usage patterns to enhance content quality, site performance, and user experience.
• Security: Protecting against fraud, abuse, unauthorized access, and technical vulnerabilities.
• Compliance: Meeting legal obligations, responding to lawful requests, and enforcing our terms of service.

🤝 Our Third-Party Partners

We work with trusted third-party service providers to deliver and improve our educational resources. Each partner is contractually obligated to protect your data and comply with applicable privacy laws:

• Hosting & Infrastructure: Cloud providers (e.g., Google Cloud, AWS) for secure, scalable hosting with enterprise-grade security certifications.
• Analytics: Privacy-focused analytics tools (e.g., Plausible, Fathom) that anonymize data and respect Do Not Track signals.
• Content Delivery: CDNs (e.g., Cloudflare) for fast, secure content delivery with DDoS protection and WAF capabilities.
• Communication: Email service providers (e.g., SendGrid) for transactional emails and newsletters with unsubscribe mechanisms.
• Community Features: Forum platforms (e.g., Discourse) with robust privacy controls and data export capabilities.

🔍 Third-Party Privacy Practices

We conduct due diligence on all third-party partners to ensure they meet our privacy and security standards:

• Data Processing Agreements: Contracts that define data handling responsibilities, security requirements, and breach notification procedures.
• Security Assessments: Regular audits and certifications (SOC 2, ISO 27001) to verify security controls and compliance.
• Data Minimization: Partners receive only the data necessary to perform their specific service functions.
• Geographic Restrictions: Data processing locations are restricted to jurisdictions with adequate privacy protections.
• Subprocessor Transparency: We maintain a public list of subprocessors and provide notice of material changes.

Third-Party Links: Our site may contain links to external resources (e.g., Hugging Face, GitHub, official Gemma documentation). We are not responsible for the privacy practices of these external sites. We encourage you to review their privacy policies before providing any personal information.

🛡️ Our Commitment to Young Users

Gemma 4 educational resources are designed for general audiences, including students, educators, and lifelong learners. We take special care to protect the privacy of children under 13 (or under 16 in the EU/UK) in compliance with the Children's Online Privacy Protection Act (COPPA) and GDPR-K.

Age Restrictions & Parental Consent

• Minimum Age: Users under 13 (or 16 in EU/UK) may not create accounts or submit personal information without verifiable parental consent.
• Parental Controls: Parents/guardians can review, delete, or restrict processing of their child's data by contacting us at privacy@gemmai4.com.
• Educational Use: Schools and educational institutions may use our resources under FERPA-compliant agreements with appropriate data protection safeguards.
• Content Filtering: We implement age-appropriate content filters and avoid collecting unnecessary personal information from young users.

🔐 Data Practices for Young Users

When we knowingly collect information from children (with parental consent), we apply enhanced protections:

• Limited Collection: Only essential information (e.g., first name, grade level) for educational personalization; no persistent identifiers without consent.
• No Behavioral Advertising: We do not use children's data for targeted advertising or profiling.
• Parental Access: Parents can access, correct, or delete their child's information at any time through our privacy portal.
• Data Retention: Children's data is deleted when no longer needed for the educational purpose or upon parental request.
• Security Measures: Enhanced encryption, access controls, and monitoring for data involving young users.

Reporting Concerns: If you believe we have collected information from a child without proper consent, please contact us immediately at privacy@gemmai4.com. We will promptly investigate and take appropriate action.

📱 Scope of This Policy

This Privacy Policy applies exclusively to information collected through our online properties, including:

• Websites: gemmai4.com and related subdomains providing educational content about Gemma 4.
• Applications: Web applications, mobile apps, and browser extensions developed by our community.
• APIs: Programmatic interfaces for accessing benchmarks, tutorials, or community features.
• Communications: Email newsletters, support tickets, and community forum interactions.

Offline Collection: This policy does not apply to information collected offline or through third-party platforms not operated by us (e.g., social media, external forums, or partner websites). Those platforms have their own privacy policies governing data collection and use.

🔄 Policy Updates & Notifications

We may update this Privacy Policy periodically to reflect changes in our practices, services, or legal requirements. When we do:

• Material Changes: We will provide prominent notice (e.g., email, site banner) at least 30 days before material changes take effect.
• Continued Use: Your continued use of our services after changes constitute acceptance of the updated policy.
• Historical Versions: We maintain an archive of previous policy versions for transparency and reference.
• Consent Renewal: For changes affecting data processing based on consent, we will seek renewed consent where required.

Effective Date: The "Last Updated" date at the top of this policy indicates when the current version became effective. We encourage you to review this policy periodically for updates.

🔐 How to Exercise Your Rights

To exercise your privacy rights or submit a request:

1. Submit a Request: Email privacy@gemmai4.com with "Privacy Request" in the subject line, specifying your request type (access, deletion, correction, etc.).
2. Verification: We will verify your identity to protect against unauthorized requests. This may include confirming account details or requesting additional information.
3. Response Timeline: We respond to verified requests within 30 days, with possible extensions for complex requests as permitted by law.
4. Appeals: If you are unsatisfied with our response, you may appeal to our internal review team or contact your local data protection authority.