Legal
Privacy Policy
Effective 2026-05-06
This Privacy Policy explains how Andrii Donich (“we,” “our,” “us”) collects, uses, and shares personal data when you use Shadowin (the “Service”). It is written to comply with the EU/UK GDPR and the California Consumer Privacy Act (CCPA/CPRA). Where these regimes grant additional rights, those rights are described in Section 7.
The data controller is Andrii Donich, registered at Malovskogo 10, Odesa, Ukraine. You can contact us about privacy at deplazaa@gmail.com.
1. Data we collect
Account. Email address, hashed password (or OAuth identifier), display name, and account creation date. Source: you, at sign-up.
Profile. Display name, premium status, premium gem color, language preference. Source: you, in settings.
Practice data. Voice recordings, transcript alignment, accuracy scores, mistake history, lesson progress, streak counts, XP, and total practice time. Source: generated as you use the Service.
Payment metadata. For card sales: order ID, subscription status, last 4 digits of card, billing country — source: Gumroad. For crypto sales: invoice ID, blockchain transaction hash, paid currency and amount — source: NOWPayments. We never see your full card number, your wallet's private keys, or any seed phrase.
Technical. IP address, browser/device user agent, request timestamps, error logs. Source: automatically, when you use the Service.
We do not collect: full payment-card numbers; biometric identifiers beyond the voice features needed for scoring; precise geolocation; or data from minors under sixteen (16).
2. How we use data
We use personal data to:
(1) provide the Service: authenticate you, run pronunciation scoring, track progress, and gate premium features;
(2) process payments — for card sales, via Gumroad which acts as Merchant of Record and as an independent data controller for billing data; for crypto sales, via NOWPayments which acts as a payment processor for an invoice issued by us;
(3) generate AI-personalized practice content (premium feature) by sending your most-missed words to OpenAI for sentence generation, without identifying account data attached;
(4) communicate with you via transactional email (receipts, security alerts, refund correspondence) — we do not send marketing email without separate opt-in consent;
(5) detect and prevent abuse: rate-limit enforcement, fraud detection, account-security investigations;
(6) comply with legal obligations and enforce our Terms.
Legal bases (GDPR). Contract — providing the Service you signed up for. Legitimate interests — security, abuse prevention, service improvement, balanced against your rights. Consent — any feature explicitly marked as opt-in (none currently). Legal obligation — tax records, responding to lawful requests.
3. AI processing — voice and text
Voice recordings you submit during practice are transmitted to OpenAI's APIs for transcription (Whisper) and to OpenAI's text-generation APIs (GPT-4o-mini) for premium content generation. Per OpenAI's API terms in effect at the time of writing, API inputs are not used to train OpenAI models and are retained for abuse-monitoring purposes for a limited period before deletion.
We do not transmit your account email, name, or user ID with these requests — only the audio or text needed to produce the result. Aggregated, non-identifying derivatives (e.g., your top mistake words) are stored in our database to power the focus-session feature.
4. Sharing and subprocessors
We share data only with the following categories of recipients, each acting on our instructions or as an independent controller for their own portion of the flow:
Supabase — hosting, authentication, database (EU or US, per project region).
Vercel — application delivery and edge functions (global edge).
OpenAI — AI transcription and content generation (US).
Gumroad, Inc. — card-payment processing, tax handling, billing receipts; acts as an independent data controller for card-payment data (US).
NOWPayments — crypto-payment invoice hosting and on-chain transaction monitoring; acts as a processor for crypto invoices we issue.
We do not sell your personal data, and we do not “share” it for cross-context behavioural advertising as defined by the California Privacy Rights Act.
International transfers are protected by Standard Contractual Clauses (SCCs) where required by GDPR or UK GDPR.
5. Retention
Account profile — while your account is active; deleted within thirty (30) days of an account-deletion request.
Practice data (recordings, scores) — while your account is active; deleted on request. Raw voice recordings are not retained server-side beyond the time required to return a score.
Payment metadata — retained seven (7) years for tax-compliance purposes. Card-payment records are controlled by Gumroad, Inc. as Merchant of Record under their own retention policy. Crypto-invoice records are retained by us for the same tax-compliance period.
Application/error logs — ninety (90) days.
6. Security
We use industry-standard measures: TLS in transit, encrypted storage at rest, row-level security in our database, scoped service-role keys, hashed passwords (handled by Supabase Auth). No system is perfectly secure; we will notify affected users and authorities of any qualifying data breach without undue delay as required by law.
7. Your rights
Depending on your jurisdiction, you have the right to: access the personal data we hold about you; rectify inaccurate data; erase your data (“right to be forgotten”); restrict or object to certain processing; port your data in a structured, machine-readable format; withdraw consent for any processing based on consent; and lodge a complaint with your local supervisory authority.
California residents (CCPA/CPRA) additionally have the right to know, delete, correct, and limit the use of sensitive personal information, and the right to non-discrimination for exercising these rights.
To exercise any of these, email deplazaa@gmail.com from the address associated with your account. We will respond within thirty (30) days, or forty-five (45) for complex requests.
8. Cookies and local storage
We use only strictly-necessary cookies and local storage for authentication session state. We do not use third-party analytics, advertising cookies, or behavioural tracking.
9. Children
The Service is not directed at children under sixteen (16) and we do not knowingly collect data from them. If you believe a child has provided us with personal data, contact deplazaa@gmail.com for prompt deletion.
10. Changes to this policy
Material changes will be communicated by email or via an in-app notice at least fifteen (15) days before they take effect.
11. Contact
Andrii Donich
Malovskogo 10, Odesa, Ukraine
Data protection contact: deplazaa@gmail.com