Who We Are
BULCORE Inc. ("BULCORE," "we," "us," or "our") is a US corporation developing and operating the BULCORE platform — an AI-enabled research and learning workflow platform built for higher education, knowledge workers, and institutions. BULCORE is headquartered in the United States and operates development infrastructure with our engineering partner ConsultCommerce OOD (Bulgaria).
For users accessing the Services directly (individual and team subscribers): BULCORE Inc. is the data controller. For users accessing the Services through an institutional agreement: BULCORE Inc. acts as data processor on behalf of the institution with respect to student educational records. The specific allocation of responsibilities is set out in the Data Processing Agreement (DPA) executed with each institution.
Scope of This Privacy Policy
This Privacy Policy applies to all data we collect when you:
Visit the BULCORE website at bulcore.com and any subdomains · Create an account or use the BULCORE web application · Install and use the BULCORE browser extension · Access BULCORE through an institutional integration · Contact us by email, form, or other means · Participate in pilots, surveys, or research programs.
This Policy does not apply to third-party services you access through BULCORE integrations (e.g., Google Docs). Those services have their own privacy policies. This Policy should be read alongside our Terms of Service.
The Data We Collect and Why
We collect the minimum data necessary to provide the Services.
| Category | What It Includes | Why We Collect It |
|---|---|---|
| Account Data | Full name, email address, password (hashed), institutional affiliation, role, profile settings, subscription tier | To create and manage your account; to authenticate you; to send service communications |
| Institutional Roster Data | Name, email, course enrollment, and role as provided by your institution's LMS. Only received when institutional LTI integration is active. | To provision accounts, sync course rosters, and enable faculty-student project relationships |
| Content Data | Notes (all six origin types), Topics, Projects, uploaded documents, generated documents, bookmarks, screenshots, translations, AI prompts and responses within the platform | To provide the Services; to enable collaboration within Projects; to generate the audit trail |
| Provenance Metadata | For every Note: origin method, author, timestamp, source URL or document reference, LLM provider used (if applicable) | To power the audit trail; to enable contribution analytics; to support faculty dashboards |
| Usage & Engagement Data | Actions within the platform: Notes added, documents generated, collaboration events, LLM queries within Projects, engagement timeline entries. Active Work Time — excludes idle time. | To provide platform features; to improve the Services |
| Technical & Device Data | Browser type and version, operating system, IP address, device type, session identifiers, error logs, performance metrics | To maintain platform security; to diagnose technical issues; to detect and prevent unauthorized access |
| Communication Data | Emails you send to BULCORE, support tickets, feedback submissions, survey responses | To respond to your inquiries; to improve the Services |
| Payment Data | Billing name, billing address, last four digits of payment card. Full payment card details never stored by BULCORE. | To process subscription payments; to manage billing |
| Cookie & Tracking Data | Session cookies, authentication tokens, preference cookies. No advertising or cross-site tracking cookies. | To maintain your login session; to remember your preferences; to ensure platform security |
The Two-Space Architecture — Topics vs. Projects
Topics are always private. Topics are stored in a dedicated, user-scoped data partition. There is no database join path, no API endpoint, and no administrative interface that allows any other party — including teachers, institutional administrators, or BULCORE employees — to access the content of your Topics. This is not a permission setting you can accidentally change. It is how the platform is built.
- Visible to you only. Absolute and non-negotiable. Not teachers. Not teammates. Not BULCORE staff.
- Used to explore ideas, ask questions, clarify material, draft early thoughts — freely, without judgment.
- No audit trail visible to any third party. Your Topic activity is stored only for your own retrieval.
- AI queries inside Topics are never visible in any faculty dashboard or shared analytics.
- Enforced at the database schema level: no foreign key relationship exists to any teacher or institutional access table.
- Visible to you and the collaborators you explicitly invite, at the roles you assign.
- For institutional accounts: faculty with Teacher access can see Project-level work.
- Full audit trail: Notes added, documents generated, collaboration events, LLM usage, engagement timeline.
- AI queries inside Projects are recorded in the Project audit trail and visible to authorized parties.
- Enforced at the API and database level: role-based access is validated on every request.
Content moves from your private Topic space to a shared Project space only through your deliberate action. You must explicitly add a Note from a Topic to a Project. Promotional actions are logged in the Project audit trail with a timestamp and author attribution. They are never logged in a way that makes unpromoted Topic content visible.
How We Use Your Data
| Purpose | Description | Data Used |
|---|---|---|
| Providing the Services | Storing and retrieving your Notes, Topics, Projects, and documents; powering research tools; enabling collaboration; generating the audit trail; running AI features | Content Data, Provenance Metadata, Usage Data |
| Account Management | Creating and maintaining your account; authenticating your identity; managing your subscription; sending service-critical communications | Account Data, Payment Data |
| Faculty & Institutional Dashboards | Generating contribution analytics, engagement timelines, alignment scoring, and weighted contribution scores visible to authorized faculty within Projects (never Topics) | Usage Data, Provenance Metadata, Content Data (Project-level only) |
| Security & Fraud Prevention | Detecting and preventing unauthorized access, abuse, and fraud; maintaining audit logs for security purposes | Technical Data, Account Data, Usage Data |
| Platform Improvement | Diagnosing bugs and performance issues; analyzing aggregate usage patterns to improve features | Technical Data, Usage Data (aggregated and de-identified) |
| Legal Compliance | Complying with applicable laws and regulations (FERPA, COPPA, Colorado Privacy Act); responding to lawful legal process | Any data categories as required by applicable law |
| Communications | Responding to support requests; sending product update announcements (opt-out available); notifying you of material changes | Account Data, Communication Data |
We will never use your data to train AI models. We will never sell your data. We will never use your Content for advertising or marketing purposes.
AI Features & Data
BULCORE integrates AI language models to power research assistance, Note generation, document creation, and gap analysis features. When you use an AI feature, your prompt or query is sent to an AI model provider for processing. The response is returned to BULCORE and stored as part of your workflow.
No user data is ever used to train AI models. BULCORE's agreements with all AI model providers explicitly prohibit the use of user data — including prompts, queries, responses, Notes, Topics, and any other platform content — to train, fine-tune, or improve AI models. This commitment is contractually binding on our AI providers.
| Provider | Role | Data Sent |
|---|---|---|
| OpenAI (Azure-hosted) | Primary LLM provider for Ask LLM, document generation, Boost Insight, What Am I Missing? | Your prompt text and sufficient context to generate a response. No personal identifiers included beyond what you include in your query. |
| Anthropic Claude (in development) | Additional LLM provider for multi-LLM comparison features | Prompt text and context only |
AI language models can produce inaccurate, incomplete, outdated, or fabricated content — including hallucinated citations. BULCORE's Source Review Protocol requires you to verify all sources before finalizing documents. You are responsible for reviewing AI-generated content for accuracy.
Data Sharing & Sub-Processors
BULCORE does not sell, rent, or trade your personal data to any third party for any purpose. BULCORE's products are ad-free. We do not generate revenue from your data.
We share data only: with sub-processors who process data on our behalf to provide the Services · with your institution, if you access through an institutional agreement (limited to Project-level data) · with your collaborators and authorized Project members · when required by law or valid legal process · in connection with a merger or acquisition, subject to the protections in Section 7.4.
| Sub-Processor | Country | Purpose | Data Categories |
|---|---|---|---|
| Microsoft Azure | United States | Cloud hosting (API, database, Service Bus, Active Directory, Azure OpenAI) | All platform data categories |
| OpenAI (Azure-hosted) | United States | AI language model processing for LLM-powered features | Prompt text and query context |
| Anthropic (planned) | United States | Additional LLM inference provider | Prompt text and query context |
| ConsultCommerce OOD | Bulgaria | Platform engineering and development — limited access to production data for debugging only, under a signed DPA | Technical Data, limited Content Data under access controls |
| Stripe (or equivalent) | United States | Subscription payment processing | Billing name, billing address, payment card data |
| Email Service Provider | United States | Transactional email delivery | Account Data (email address, name) |
Because Topic content is stored in a user-scoped partition accessible only by the account holder, BULCORE's ability to produce Topic content in response to legal process is architecturally constrained. When legally permitted, we will notify you before disclosing any data to a government authority.
Data Retention
We retain your data only for as long as necessary to provide the Services, comply with legal obligations, and fulfill the purposes described in this Policy.
| Data Category | Retention Period | Notes |
|---|---|---|
| Account Data | Duration of account + 30 days after closure | Retained to allow account reactivation within 30 days. Permanently deleted after the grace period. |
| Content Data (Topics, Notes, Projects) | Duration of account + 30 days after closure | Your intellectual work is yours. We delete it when you leave. Institutional accounts: subject to institution's FERPA record-keeping obligations. |
| Provenance Metadata & Audit Trail | Duration of account + up to 7 years (institutional) | Audit trail data may be subject to institutional FERPA record-keeping obligations. |
| Institutional Roster Data | Duration of institutional agreement + 90 days | Roster data re-synced each academic term. |
| Payment Data | 7 years from transaction date | Required by US tax and financial regulations. |
| Security Logs & Technical Data | 90 days (standard) / up to 1 year (incidents) | Used for security monitoring and incident investigation. |
| Communication Data | 3 years from last contact | Retained to maintain support history. |
| Free Trial Data | 30 days after trial expiry | Content retained for 30 additional days after trial then permanently deleted. |
You may request deletion of your data at any time by contacting support@bulcore.com. We will process deletion requests within one (1) business day on average and confirm completion in writing.
Your Rights
You have meaningful rights over your personal data. We are committed to honoring these rights promptly and without unnecessary barriers.
To exercise any of these rights, email support@bulcore.com. We will respond within 45 days.
FERPA — Student Educational Records
The Family Educational Rights and Privacy Act (FERPA) protects the privacy of student education records at institutions that receive federal funding. When BULCORE provides services to a US educational institution, BULCORE acts as a "school official" with a "legitimate educational interest" under FERPA, functioning as a data processor on behalf of the institution.
Topic content is not an education record under FERPA because it is never shared with the institution and is inaccessible to school officials. Topic content constitutes the student's personal research notes, equivalent to a physical notebook that the school has no access to.
Under FERPA, the following data constitutes education records when generated by or about a student within an institutional deployment: Notes intentionally added to a Project within a course context · Documents generated within a Project · Project-level contribution analytics and engagement data · Faculty feedback and evaluation data within Projects · Alignment scores and weighted contribution scores.
Students have the right to inspect and review their education records · request amendment of records they believe are inaccurate · consent to disclosure of education records to third parties, except where FERPA authorizes disclosure without consent · file a complaint with the US Department of Education regarding FERPA violations.
COPPA — Children Under 13
BULCORE is not directed to children under 13. Users must be at least 13 years of age to create an Account. We do not knowingly collect personal information from children under 13 without verifiable parental consent.
Where BULCORE is deployed by an educational institution that includes students under 13, the institution is responsible for obtaining the parental consent required by COPPA and FERPA prior to provisioning student accounts.
If we discover that we have collected personal information from a child under 13 without verifiable parental consent, we will delete that information promptly. Parents who believe their child under 13 has created an account without consent should contact support@bulcore.com immediately with the subject line COPPA.
Colorado Privacy Act & US State Laws
BULCORE Inc. is incorporated and headquartered in Colorado. The Colorado Privacy Act (CPA) applies to BULCORE's processing of Colorado consumers' personal data. Under the CPA, Colorado consumers have rights to: access, correction, deletion, portability, and opt-out of sale (we do not sell data).
BULCORE honors applicable US state privacy laws. We do not sell personal data under any state law definition of "sale." We will not discriminate against you for exercising your privacy rights.
To exercise CPA or other state privacy rights, contact support@bulcore.com. We will respond within 45 days.
Cookies & Tracking Technologies
| Cookie Type | Purpose | Duration |
|---|---|---|
| Authentication (Strictly Necessary) | Maintains your login session across pages. | Session (expires on logout or browser close) |
| Security (Strictly Necessary) | Prevents cross-site request forgery attacks. Required for platform security. | Session |
| Preferences (Functional) | Remembers your interface preferences (e.g., dark/light mode, language setting). | 1 year |
| Analytics (Optional) | Measures aggregate platform usage. No personally identifiable information shared with analytics providers. | 2 years |
No advertising or behavioral tracking cookies · No cross-site tracking technologies · No fingerprinting or device tracking beyond session management · No social media tracking pixels.
Strictly necessary cookies cannot be disabled without breaking the Services. Optional analytics cookies can be disabled in your browser settings or by contacting support@bulcore.com.
Data Security
| Security Control | Implementation |
|---|---|
| Encryption at Rest | AES-256 encryption for all stored data across Azure SQL and associated storage |
| Encryption in Transit | TLS 1.2–1.3 enforced for all client-to-server communication. No plaintext connections accepted. |
| Data Isolation | Per-tenant data isolation at the database schema and row level. No cross-tenant data access is possible by design. |
| Access Control | Azure Active Directory identity management. Role-based access enforced at API and database layer. Two-space architecture enforced in database schema. |
| Security Incident Record | Zero security incidents in the past 13 months since current architecture was deployed. |
| Uptime | 99.94% operational uptime (above 99.9% SLA target) |
| Data Request Resolution | 100% resolution rate on data requests; average response time of 1.2 business days |
No security system is perfect. We encourage you to use a strong, unique password for your BULCORE account and to notify us immediately at support@bulcore.com if you suspect any unauthorized access.
Data Breach Notification
In the event of a personal data breach that is likely to result in a risk to individuals, we commit to the following notification timeline:
| Recipient | Timeline | Content |
|---|---|---|
| Affected Users | Within 72 hours of BULCORE becoming aware | Nature of the breach, categories of data affected, likely consequences, measures taken or proposed, and contact information for further inquiries |
| Institutional Administrators | Within 24 hours of BULCORE becoming aware | Full breach notification as above, plus affected user count and scope within the institution |
| US State Regulators | As required by applicable state breach notification law | Colorado Security Breach Notification Act and other applicable state laws |
Reports of suspected breaches should be sent to support@bulcore.com.
Changes to This Privacy Policy
We may update this Privacy Policy from time to time as our practices evolve or as legal requirements change. When we make material changes, we will:
Post a notice within the BULCORE application · Send an email notification to the address on your Account · Update the effective date at the top of this Policy.
We will not retroactively apply material changes to data we have already collected without your explicit consent.
Contact Us & How to Exercise Your Rights
| Topic | Contact | Response Commitment |
|---|---|---|
| Privacy requests (access, deletion, correction, portability) | support@bulcore.com | Acknowledgment within 2 business days; full response within 45 days (CPA) |
| Security incidents and breach reports | support@bulcore.com | Immediate triage; acknowledgment within 1 business day |
| FERPA requests and student record inquiries | support@bulcore.com (subject: FERPA) | Within 30 days; institutional coordination required |
| COPPA — parental consent and underage account concerns | support@bulcore.com (subject: COPPA) | Within 1 business day for urgent matters |
| General privacy questions | support@bulcore.com | Within 5 business days |
| Data Processing Agreement requests (institutional) | support@bulcore.com (subject: DPA Request) | Within 5 business days |
BULCORE is built on a simple belief: Human thinking deserves a private space to develop freely. This Privacy Policy is how we keep that promise.
"Where AI assists. Humans author. Learning endures."