DrillKit is an AI-powered tool that turns your online lesson chat from Zoom, Google Meet, Skype, or Microsoft Teams into professional, print-ready ESL worksheets in under 30 seconds. It automatically extracts vocabulary, generates exercises (gap-fill, error correction, vocab match, word formation, and more), and produces beautiful PDFs tailored to the student's CEFR level and native language.

Does DrillKit support Zoom chats?

Yes! Simply copy the chat text from your Zoom, Google Meet, Skype, or Microsoft Teams lesson and paste it directly into the input area. You can also paste vocabulary lists or handwritten notes. DrillKit's AI strips out timestamps, sender names, and other noise automatically.

Can I export worksheets to PDF?

Absolutely. Every worksheet is generated as a high-quality, print-ready PDF. Pro users can also export to Google Docs and customize branding with their school logo and accent colors.

Which languages are supported?

DrillKit supports translations in 11 languages: Spanish, French, German, Italian, Portuguese, Japanese, Korean, Chinese, Arabic, Turkish, and Russian. The AI auto-detects the student's native language from the chat transcript.

What exercise types can DrillKit generate?

DrillKit generates 11 exercise types: Gap Fill, Vocab Match, Error Correction, Sentence Completion, Multiple Choice, Word Scramble, Sentence Reorder, Translation, Word Formation (Cambridge Part 3), Key Word Transformation (Cambridge Part 4), and Dialogue Builder.

How does the AI extract vocabulary from chat transcripts?

The AI scans your pasted chat transcript, strips out noise (timestamps, reactions, media placeholders), identifies teachable vocabulary, phrasal verbs, idioms, and student errors, then scores each item by relevance. You review and select the best items before generating exercises.

Is DrillKit free to use?

Yes! The free plan includes 10 worksheets per month with 4 exercise types and standard templates. The Pro plan ($4.99/month or $3.33/month billed yearly) unlocks unlimited worksheets, all 11 exercise types, custom branding, and priority AI processing.

Can I customize the worksheet with my school branding?

Pro users can add their school or institution name, choose custom accent colors, select from 5 worksheet styles (Standard, Classic, Modern, Playful, Academic), and add footer text to every generated worksheet.

Privacy Policy | DrillKit

1. Data Controller

For the purposes of the General Data Protection Regulation (EU Regulation 2016/679, hereinafter “GDPR”), the Italian Legislative Decree 196/2003 (as amended by D.lgs. 101/2018), and all applicable data protection legislation, the Data Controller is:

Legal Name

Soldato Matthew James

Registered Address

Via Torino 2, 20831 Seregno (MB), Italy

Codice Fiscale

SLDMTH99T02B729X

Partita IVA

13444260965

Tax Regime

Regime Forfettario (L. 190/2014, commi 54-89)

Contact Email

privacy@drillkit.ai

The Data Controller operates as a sole proprietor (ditta individuale) under the Italian regime forfettario and is responsible for determining the purposes and means of processing your personal data through the DrillKit platform (“Platform”, “Service”, or “we/us/our”).

2. Scope of This Policy

This Privacy Policy applies to all personal data processed through the DrillKit website at drillkit.ai and all related services, including:

Browsing the website
Creating an account and signing in
Using the worksheet generation service
Subscribing to a paid plan
Subscribing to our newsletter
Contacting us via email

This policy is provided in accordance with Articles 13 and 14 of the GDPR and the Italian Data Protection Code (D.lgs. 196/2003, as amended).

3. Personal Data We Collect

We follow the principles of data minimisation and privacy by design (Art. 25 GDPR). We collect only the personal data strictly necessary to provide our Service.

3.1 Account & Authentication Data

When you create an account, we collect:

Email address — provided directly or via Google OAuth
Full name — if provided via Google OAuth
Profile picture URL — if provided via Google OAuth
Hashed password — only if you sign up with email/password (we never store plain-text passwords)
Authentication provider — the method used to sign in (Google or email)

3.2 Usage Data

We automatically collect:

Worksheet generation count — tracked per user per calendar month for enforcing free-tier limits
Subscription tier — your current plan (Free or Pro)
Feature usage — which exercise types , worksheet styles, and output formats you select

3.3 Input Content (Transient Processing)

When you use the worksheet generator, you may paste:

Chat transcripts from online lessons
YouTube video URLs (for transcript extraction)
News articles, vocabulary lists, or free-form text

verified

Important: We do not store your input text

Input content is processed in memory only for the purpose of generating your worksheet. It is sent to our AI processing partner, processed, and the result returned. We do not store, log, or retain your input text or generated worksheets on our servers after the request is complete.

3.4 Payment Data

When you subscribe to a paid plan, payment processing is handled entirely by Stripe Payments Europe Ltd. We share the following with Stripe:

Your name and email address
Billing address
Your subscription plan and start date

We never receive, process, or store your credit card number, CVV, or full payment card details. All card data is tokenized and handled directly by Stripe, which is certified PCI-DSS Level 1 (the highest security standard for payment processors).

3.5 Technical Data

Our hosting infrastructure automatically collects standard technical data:

IP address
Browser type and version
Operating system
Referring URL
Date and time of access
Pages visited

3.6 Newsletter Data

If you subscribe to our newsletter, we collect your email address for the sole purpose of sending you teaching tips, product updates, and relevant content. You may unsubscribe at any time using the link in every email.

3.7 Communication Data

If you contact us via email, we process your email address, name, and the content of your communication to respond to your inquiry.

4. Legal Basis for Processing

Under Article 6 of the GDPR, we process your personal data based on the following lawful grounds:

Processing Activity	Legal Basis (Art. 6 GDPR)
Account creation & authentication	Contractual necessity — Art. 6(1)(b)
Worksheet generation (AI processing)	Contractual necessity — Art. 6(1)(b)
Usage tracking (worksheet count limits)	Contractual necessity — Art. 6(1)(b)
Payment processing via Stripe	Contractual necessity — Art. 6(1)(b)
Newsletter subscription	Consent — Art. 6(1)(a)
Service improvement & security	Legitimate interest — Art. 6(1)(f)
Tax & fiscal record-keeping	Legal obligation — Art. 6(1)(c)
Fraud prevention	Legitimate interest — Art. 6(1)(f)
Responding to data subject requests	Legal obligation — Art. 6(1)(c)

5. Free Tier & Data as Consideration

DrillKit offers a free tier that allows limited worksheet generation without monetary payment. In accordance with Article 135-octies of the Italian Consumer Code (Codice del Consumo), when personal data is provided in exchange for a digital service, such data is legally equivalent to monetary consideration.

This means that as a free-tier user, you are entitled to:

The same consumer protections as paying subscribers, including but not limited to the right of withdrawal
Clear and complete information about how your data is processed
The assurance that your data will not be used for purposes beyond those disclosed in this policy without your explicit consent

6. Third-Party Sub-Processors

We engage the following third-party service providers (“sub-processors”) to deliver our Service. Each sub-processor is bound by a Data Processing Agreement (“DPA”) in accordance with Article 28 of the GDPR.

Sub-Processor	Purpose	Data Shared	Location	Transfer Mechanism
Supabase Inc. (hosted on AWS)	Authentication, database, user management	Email, UUID, OAuth tokens, usage records	US (AWS)	SCCs (Module 3)
Stripe Payments Europe Ltd. Dublin, Ireland	Payment processing	Name, email, billing address, tokenized card data	Ireland / US	EU-U.S. DPF + SCCs
Google LLC (Google OAuth)	Social authentication (Google Sign-In)	Email, name, profile picture URL	US	EU-U.S. DPF + SCCs
Vercel Inc. Website hosting	Website hosting & CDN	IP address, request logs	US / Global Edge	SCCs
Google LLC / OpenAI Inc. AI processing	Vocabulary extraction & worksheet generation	Input text only (transient, not stored)	US	DPF + SCCs

Stripe's DPA is automatically incorporated into its Services Agreement and includes compliance with the EU-U.S. Data Privacy Framework. Supabase provides a standard DPA that includes Module 3 (Processor-to-Processor) of the Standard Contractual Clauses. For more information on Stripe's data practices, visit stripe.com/privacy.

7. International Data Transfers

Your personal data may be transferred to and processed in countries outside the European Economic Area (“EEA”), primarily the United States, through our sub-processors listed above.

Such transfers are protected by appropriate safeguards in accordance with Article 46 of the GDPR:

EU-U.S. Data Privacy Framework (DPF) — for processors certified under the DPF (Stripe, Google)
Standard Contractual Clauses (SCCs) — the European Commission-approved contractual clauses (2021 version) incorporated into our sub-processor agreements
Supplementary measures — including encryption in transit and at rest, access controls, and contractual prohibitions on data repurposing

You may obtain a copy of the Standard Contractual Clauses by contacting us at privacy@drillkit.ai.

8. Data Retention

We retain personal data only for as long as necessary to fulfil the purposes for which it was collected, or as required by law.

Data Category	Retention Period	Justification
Account data	Duration of account + 30 days after deletion	Contractual necessity
Usage data	12 months (rolling)	Service operation
Input text (transcripts, URLs)	Not retained — processed in memory only	Data minimisation
Payment & billing records	10 years from the date of transaction	Italian fiscal law obligation (Art. 2220 c.c.; DPR 600/1973; regime forfettario requirements)
Server & access logs	90 days	Security & debugging
Newsletter subscription	Until you unsubscribe	Consent
Support communications	2 years from resolution	Legitimate interest

Upon expiration of the retention period, personal data is securely deleted or anonymised so that it can no longer be associated with you.

9. Your Rights as a Data Subject

Under Articles 15–22 of the GDPR, you have the following rights with regard to your personal data:

visibility

Right of Access (Art. 15)

Obtain confirmation of whether your data is being processed and receive a copy of your personal data.

edit

Right to Rectification (Art. 16)

Request correction of inaccurate personal data or completion of incomplete data.

delete

Right to Erasure (Art. 17)

Request deletion of your personal data when it is no longer necessary ("right to be forgotten").

pause_circle

Right to Restriction (Art. 18)

Request that processing of your data be restricted in certain circumstances.

download

Right to Data Portability (Art. 20)

Receive your data in a structured, commonly used, machine-readable format.

block

Right to Object (Art. 21)

Object to processing based on legitimate interest, including profiling.

undo

Right to Withdraw Consent

Withdraw consent at any time without affecting the lawfulness of prior processing.

gavel

Right to Lodge a Complaint

File a complaint with the Garante per la Protezione dei Dati Personali (see Section 14).

How to Exercise Your Rights

To exercise any of these rights, send a request to privacy@drillkit.ai with the subject line “Data Subject Request”. We will verify your identity and respond within 30 days. If the request is complex or we receive a high number of requests, we may extend this period by up to an additional 60 days, and we will notify you of the extension.

Exercising your rights is free of charge. We may charge a reasonable fee or refuse manifestly unfounded or excessive requests, particularly if they are repetitive, in accordance with Art. 12(5) GDPR.

10. Children & Minors

DrillKit is a tool designed for teachers and educators. It is not directed at children or minors. Users must be at least 16 years old to create an account under general GDPR provisions, or at least 14 years old under Italian law (Art. 2-quinquies, D.lgs. 101/2018), to consent to the processing of their personal data for information society services.

If we become aware that we have collected personal data from a child under the applicable age of digital consent without verified parental consent, we will delete that data promptly. If you believe that a minor has provided us with personal data, please contact us at privacy@drillkit.ai.

10.1 COPPA Compliance (United States)

For users in the United States, we comply with the Children's Online Privacy Protection Act (“COPPA”). DrillKit does not knowingly collect personal information from children under 13. If a school or teacher uses DrillKit to generate worksheets for children under 13, the school acts under the “School Official Exception” and may consent on behalf of parents, provided the data is used exclusively for an authorised educational purpose.

10.2 FERPA Compliance (United States)

DrillKit does not directly collect student education records as defined under the Family Educational Rights and Privacy Act (“FERPA”). Teachers who paste student-identifiable content are responsible for ensuring compliance with their institution's FERPA obligations. We recommend teachers anonymise or pseudonymise any student-identifiable information before pasting it into DrillKit.

11. Cookie Policy

DrillKit uses a minimal number of cookies, limited to those strictly necessary for the operation of the Service.

Cookie	Type	Purpose	Duration
sb-*-auth-token	Essential	Supabase authentication session	Session / 1 year
sb-*-auth-token-code-verifier	Essential	PKCE code verifier for secure OAuth flow	Session

We do not use any tracking, analytics, advertising, or marketing cookies. Since we only use strictly necessary cookies, no cookie consent banner is required under current EU ePrivacy regulations and Garante guidelines. If we introduce non-essential cookies in the future, we will update this policy and implement a consent mechanism before activation.

You can control cookies through your browser settings. Please note that disabling essential cookies may prevent you from signing in to your account.

12. Data Security

We implement appropriate technical and organisational measures to protect your personal data in accordance with Article 32 of the GDPR, including:

Encryption in transit — all data transmitted between your browser and our servers is encrypted using TLS (HTTPS)
Encryption at rest — database data is encrypted at rest through our infrastructure provider (Supabase/AWS)
Row-Level Security (RLS) — database access policies ensure users can only access their own data
PCI-DSS Level 1 — payment data handled exclusively by Stripe under the highest payment security standard
Access controls — administrative access to production systems is restricted and logged
No plain-text passwords — all passwords are hashed using industry-standard algorithms (bcrypt/Argon2 via Supabase)

Data Breach Notification

In the event of a personal data breach that is likely to result in a risk to your rights and freedoms, we will:

Notify the Garante per la Protezione dei Dati Personali within 72 hours of becoming aware of the breach (Art. 33 GDPR)
Notify affected users without undue delay if the breach is likely to result in a high risk to their rights and freedoms (Art. 34 GDPR)
Document all breaches, their effects, and remedial actions taken in our internal records

13. Automated Decision-Making & Profiling

DrillKit uses AI (artificial intelligence) to extract vocabulary and generate worksheet exercises from text you provide. This processing:

Is performed solely to deliver the core functionality of the Service
Does not produce any legal effects or similarly significant effects on you
Does not constitute profiling as defined in Art. 4(4) GDPR — we do not analyse or predict personal characteristics, behaviour, or preferences

You always have the ability to review, edit, select, and deselect all AI-generated content before any worksheet is produced.

14. Supervisory Authority

If you believe that the processing of your personal data violates the GDPR or Italian data protection law, you have the right to lodge a complaint with:

Authority

Garante per la Protezione dei Dati Personali

Address

Piazza Venezia 11, 00187 Roma, Italy

Website

www.garanteprivacy.it

garante@gpdp.it

We encourage you to contact us first at privacy@drillkit.ai so we can try to resolve your concern before you escalate to the supervisory authority.

15. Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. When we do:

We will update the “Last updated” date at the top of this page
For material changes that significantly affect how we process your data, we will provide notice via email (if you have an account) or through a prominent notice on our website
Where required by law, we will obtain your consent before applying any material change to the processing of your data

We recommend reviewing this page periodically for the latest information on our privacy practices.

16. Applicable Law & Jurisdiction

This Privacy Policy is governed by and construed in accordance with:

Regulation (EU) 2016/679 — General Data Protection Regulation (GDPR)
D.lgs. 196/2003 — Italian Data Protection Code, as amended by D.lgs. 101/2018
D.lgs. 206/2005 — Italian Consumer Code (Codice del Consumo), in particular Art. 135-octies regarding digital content supplied in exchange for personal data

Any disputes arising from this Privacy Policy shall be subject to the exclusive jurisdiction of the Courts of Monza, Italy, without prejudice to the mandatory consumer jurisdiction provisions applicable to consumers under Art. 66-bis of the Italian Consumer Code or equivalent provisions in the consumer's country of habitual residence within the EU.

17. Contact Us

For any questions, concerns, or requests regarding this Privacy Policy or your personal data, please contact:

Data Controller

Soldato Matthew James

privacy@drillkit.ai

Address

Via Torino 2, 20831 Seregno (MB), Italy

P.IVA

13444260965