Is It Safe to Upload Your Notes to an AI Study Tool?
An honest guide to what happens to a file when you upload it, how a private study tool differs from a note-sharing site, why your uni objects to some uploads, and the questions to ask before you trust any tool with your material.
You're about to drag a PDF of your lecturer's slides into an AI study tool so it can make you some flashcards or a study guide. It's a small, ordinary action. It is also the moment you hand a copy of someone else's intellectual property to a company you know almost nothing about, and it's worth about ten minutes of thought before you make it a habit.
This guide is deliberately not a sales pitch. It covers what actually happens to a file after you upload it, the difference between a tool that keeps your material private to you and a platform that republishes it to other students, why universities have taken a hard line on some uploads, and the specific questions you should ask any tool — including this one — before you trust it. Where we don't know something, we say so and tell you where to look it up.
Quick answer
Uploading your notes to an AI study tool is usually fine, with two real risks that people conflate and shouldn't.
The privacy risk is about what the company does with your file: whether it's stored, whether staff can see it, whether it's used to train AI models, whether it's shared with other companies, and whether you can actually get it deleted. These answers differ enormously between tools and are almost never what you'd guess. They are written down in the privacy policy, and you have to read it — including Scholarly's.
The academic-integrity and copyright risk is different, and it's the one that can actually get you into trouble with your university. It comes from uploading material you don't own — your lecturer's slides, recordings, or past papers — to a platform that then republishes it to other students. Universities including UWA state plainly that distributing course material outside the learning management system without the copyright owner's permission breaches their academic integrity policy. A private tool that turns your slides into flashcards only you can see is a fundamentally different act from uploading those slides to a public repository in exchange for download credits, even though both start with the same drag-and-drop.
Before you upload anything sensitive or anything you didn't write, ask the seven questions further down this page.
What actually happens when you upload a file
Strip away the marketing and the mechanics are mundane. When you upload a PDF to essentially any AI study tool:
- The file leaves your device and is transmitted to the company's servers. It is no longer only on your laptop.
- It gets stored, at minimum temporarily, usually persistently, so the app can show it to you again tomorrow.
- The text (and often the images) are extracted into machine-readable form.
- That content is sent to a large language model to generate whatever you asked for. This is the step people don't picture. Very few study tools train their own models; the overwhelming majority send your content to a third-party model provider's API. So "who can see my notes" is usually a question about at least two companies, not one.
- The output is stored and shown to you.
- The content may then be used for other purposes — improving the product, evaluating models, training models — depending entirely on what that company's policy permits.
Steps 1 through 5 are unavoidable; they are what the product is. There is no way to get an AI to make flashcards from your notes without your notes reaching an AI. Anyone claiming otherwise is selling something.
Step 6 is where tools genuinely differ, and it is the one you get to have an opinion about.
The distinction that matters most
There are two very different products both described as "upload your notes," and students routinely confuse them.
A private study tool takes your source material and generates study artefacts for you: flashcards, a quiz, a summary, a podcast. Other students cannot browse your uploads. Your material isn't listed, indexed, or made searchable. The product is the artefact, and the audience is you. Scholarly works this way — your uploads become your revision notes, your cue cards, your practice exam. There is no public library of other students' uploads to browse, because that isn't the product.
A note-sharing platform is a repository. Its business model runs on volume of uploaded documents: students upload course material — often their lecturers' — and in exchange get credits, a subscription discount, or access to download what everyone else uploaded. Sites in this category, such as Studocu and Course Hero, openly describe this upload-to-unlock model; it's not a secret, it's the product. The material you upload is republished to other users, and frequently ends up indexed by Google.
That republishing step is the whole ballgame. It's the difference between making a photocopy for yourself and putting the photocopy in the campus newsagent. If you only take one thing from this article: know which of the two you are using, because your university certainly does.
Why your university cares (and this is the part that can bite you)
Here's the uncomfortable fact that most students haven't internalised: your lecture slides are not yours. Neither are the recordings, the problem sets, the past papers, or the tutorial solutions. They're typically the intellectual property of the university or the academic who wrote them, and you're granted access to them for your own study — not a licence to redistribute them.
Australian universities have been unusually direct about this. UWA's guidance to students states that course materials may not be shared outside the learning management system — "for example, by uploading them to file sharing websites or emailing them to friends at other universities" — and that "distributing course material outside of the LMS without the permission of the copyright owner is a breach of the University's Academic Integrity Policy." The University of Melbourne maintains guidance for staff on inappropriately shared content, and universities across Australia and the UK have run takedown efforts against copyrighted teaching material appearing on academic file-sharing sites.
The consequences universities list for this are not trivial — depending on severity, penalties can range up to failure of a subject, suspension or exclusion. And note the second problem stacked on top: on many of these platforms, the uploaded material includes past assessment items and worked solutions, which drags the whole thing into contract-cheating territory. That is a separate and more serious category of misconduct than a copyright breach.
To be clear and fair about it: using a note-sharing site is not itself illegal, plenty of what's on them is students' own original notes, and this article is not accusing any company of a crime. The point is narrower and entirely practical — the act of uploading your lecturer's material to a platform that republishes it is the thing your university has a policy against. Uploading that same PDF to a private tool that generates flashcards only you can see does not republish anything, and is a materially different act. Know which one you're doing.
Seven questions to ask any AI study tool
Apply these to any tool you're considering. Apply them to Scholarly too — that's the point of writing them down. The answers live in the privacy policy and terms; if a company makes them hard to find, that is itself an answer.
1. Is my material republished to other students? The single most important question, for the reasons above. If the product has a public library of user-uploaded documents, you know what it is.
2. Is my content used to train AI models? Policies vary wildly. Some tools promise never to train on user content; some train on it by default; some let you opt out; some reserve the right in language most users never read. Search the policy for "train," "training," "machine learning," and "improve our services." Do this for us as well — Scholarly's privacy policy is the authoritative answer for this product, not this blog post, and the section on User Content is the part to read.
3. Who else gets my content? Look for "third parties," "service providers," "sub-processors," and "partners." Nearly every tool shares content with at least a model provider. The question is who else, and under what obligations.
4. Can I actually delete it — and does deletion mean deletion? This is the question with the most surprising answers. Many policies distinguish between removing content from your account and removing it from backups, aggregated datasets, or models it has already been used to train. Content already absorbed into a training set generally cannot be pulled back out. If deletion matters to you, read this clause specifically, in every tool you use — ours included, on the same terms as anyone else's. We would rather you read it than take our word for it.
5. How long is it kept? Some tools delete on account closure. Some reserve the right to retain content indefinitely. Both are legal if disclosed. You just need to know which one you've agreed to.
6. Where is it stored, and does it cross borders? Relevant if you're handling anything sensitive, and specifically regulated in Australia (see below).
7. Do I have the right to upload this at all? Your own notes: yours, upload freely. Your lecturer's slides, recordings, or past papers: not yours. For a private tool this is generally accepted personal study use; for anything that republishes, don't.
What GDPR gives you, in plain language (UK and EU)
If you're in the UK or EU, the law is on your side in a few concrete ways. Skipping the jargon, UK GDPR gives you rights that the ICO summarises as follows — you can:
- Be told what a company collects and why (the right to be informed).
- Get a copy of the personal data a company holds about you (the right of access — a "subject access request").
- Correct it if it's wrong (rectification).
- Have it erased in certain circumstances (the right to erasure, often called the right to be forgotten).
- Restrict or object to how it's processed, in certain circumstances.
- Take it elsewhere (data portability).
Two things worth understanding about how this actually works in practice. First, the right to erasure is not absolute — it applies "in certain circumstances," and a company can have lawful grounds to retain some data. Second, and more importantly for AI tools: there is a principle called purpose limitation, which means data collected for one purpose shouldn't be quietly repurposed for an unrelated one. But if a company's policy tells you at signup that your content may be used to train models, and you accept it, that's disclosed, not hidden. GDPR is largely a transparency regime, not a guarantee of good behaviour. It gives you the right to know and the right to ask — it does not, by itself, stop a company from doing something you'd dislike if they told you they'd do it and you clicked accept.
Which is why the answer to "is it safe?" is always "read the policy," and never "it's fine, we're in Europe."
What the Australian Privacy Act gives you, in plain language
Australia's regime is the Privacy Act 1988 and its thirteen Australian Privacy Principles (APPs), overseen by the OAIC. The ones that matter here:
- APP 1 — organisations must manage personal information openly and transparently, and have a clear privacy policy.
- APP 6 — they can generally only use or disclose your information for the purpose it was collected for (the "primary purpose"), or a secondary purpose if an exception applies.
- APP 8 — before disclosing your information overseas, they must take steps to protect it. Relevant, since most AI tools you use are American.
- APP 11 — they must take reasonable steps to protect it from misuse, loss, and unauthorised access, and to destroy or de-identify it when no longer needed.
- APP 12 and 13 — you can request access to your personal information, and ask for it to be corrected.
Now the part almost nobody tells Australian students, and it's the most practically useful thing in this section: the Privacy Act does not cover most small businesses. Per the OAIC, a business with an annual turnover of $3 million or less is generally exempt, with exceptions (health service providers and businesses that trade in personal information are covered regardless of size, among others). Reforms to narrow this exemption have been under discussion, but as things stand, that indie AI study app run by four people may simply not be subject to the Privacy Act at all.
That doesn't make it untrustworthy. It does mean the legal floor you're imagining might not exist, and the privacy policy — not the legislation — is the actual contract. Read it.
Red flags
- No privacy policy, or one that's a broken link. Walk away.
- A policy that never mentions AI training or user content at all. Not reassuring — usually just under-written, and silence is not a promise.
- A public library of other students' uploaded course material. You now know exactly what that is.
- "Upload documents to unlock downloads." The upload is the payment. Understand what you're paying with, and whose material you're paying with.
- Anything that asks you to upload a currently-running assessment. Straight into contract-cheating territory, whatever the tool claims.
- Marketing claims that contradict the policy. If the landing page says "your data is private" and clause 13 says content may be retained indefinitely and used for training, the clause is what you agreed to. This is worth checking on any tool, and it's worth checking on ours.
Being straight with you about Scholarly
We'd rather tell you where to look than make a claim you can't check.
Scholarly is a private study tool, not a note-sharing platform. What you upload becomes your study material — your flashcards, your quiz, your summary, your podcast. There is no public repository of user uploads, and other students cannot browse what you've uploaded. That's a fact about how the product is built, and it's the distinction that matters most for the academic-integrity risk described above.
For everything else — how long we keep your content, whether it's used to train or evaluate AI models, which third parties we share it with, and what happens when you delete it — read our privacy policy, and specifically the section on User Content. Don't take a marketing page's word for it, including this one. If what you find there doesn't suit you, that's a legitimate reason to use a different tool, and we'd rather you make that call with the facts in front of you than discover them later. If it raises questions, the policy has a contact address on it.
Apply the same standard to every AI tool you use. The ones worth trusting won't mind you checking.
FAQ
Is it safe to upload my own notes to an AI study tool? Generally yes — they're your own work, so there's no copyright or academic-integrity issue. The remaining question is purely a privacy one: what the company does with the file. Read the policy for how long it's kept, whether it's used for AI training, and whether you can delete it.
Is it safe to upload my lecturer's slides? For a private tool that generates study material only you can see, this is normal personal study use. What universities object to is redistribution — uploading that material to a platform that republishes it to other students. UWA, for example, states that distributing course material outside the LMS without the copyright owner's permission breaches its academic integrity policy. Don't upload teaching material to note-sharing sites.
Can my university find out what I've uploaded? To a private study tool, no — there's nothing public to find. On note-sharing platforms, yes: the material is public and often indexed by Google, and universities do monitor these sites and issue takedowns. That's precisely how students get caught.
Do AI study tools train on my notes? Some do, some don't, and some do unless you opt out. There is no industry default, which is exactly why you have to check each one rather than assume. Search the privacy policy for "train" — including Scholarly's, which is the authoritative answer for this product.
If I delete my file, is it really gone? Not necessarily. Many policies distinguish deleting content from your account and removing it from backups or from datasets already used to train a model — and content absorbed into a trained model generally cannot be extracted again. If true deletion matters to you, read that clause before you upload, not after.
Does GDPR mean my data is safe? It means you have rights to be informed, to access, to correct, and (in certain circumstances) to erase. It does not prevent a company from doing something you'd object to if they disclosed it and you accepted. Transparency is not the same as protection.
Related guides
- SWOTVAC: how to actually use the study week before your uni exams
- Scholarly's privacy policy — read it before you decide.
- Tools: revision notes generator · revision cards maker · cue cards online · cheat sheet maker



