Privacy Policy

Last updated: June 2026 (v2.1)

Data Controller

This Privacy Policy describes how the data controller listed below collects, uses, and protects personal data when you use the AI Language Tutor mobile application and the website at ailanguagetutor.app (collectively, the "Service").

Legal entity: Individual Entrepreneur Snisar Viktoriia (ФОП Снісар Вікторія)
Latin transliteration (for banking and platform records): PE SNISAR VIKTORIIA
Trading as: AI Language Tutor
Registered location: Dnipro, Ukraine
Ukrainian taxpayer ID (РНОКПП): 3174519508
Apple Developer Team ID: 7V4KG9VG58
Contact email: support@ailanguagetutor.app

We are established outside the EU/EEA. We are in the process of formally appointing an EU representative under GDPR Art. 27 and will update this section with their name, address, and contact details before the appointment takes effect. In the meantime, EU/EEA users may contact us directly at support@ailanguagetutor.app for any data protection matters; we will respond within 30 days.

1. Data We Collect

We collect the following categories of personal data, each for a specific purpose:

Account data — email address, display name, native language. Purpose: authentication and personalization of the Service.
Learning data — conversation transcripts, vocabulary entries, scenario progress, drill results. Purpose: delivering the core tutoring service and tracking your progress.
Audio recordings — pronunciation samples and any meeting audio you upload for analysis. Audio is retained for up to 14 days and then automatically deleted by our cleanup worker. Purpose: speech-to-text transcription, pronunciation assessment, and feedback generation.
Usage data — session timestamps, in-app events, screen views, feature usage. Purpose: product analytics and improvement.
Subscription data — subscription tier, renewal state, in-app purchase receipts (processed via RevenueCat). Purpose: managing your paid entitlements.
Phone number — collected during free-trial activation via SMS verification (Twilio). Purpose: trial-fraud prevention.
Push notification token — device push token issued by Firebase Cloud Messaging (FCM). Purpose: delivering reminders and account notifications.
Telegram account data (optional) — Telegram numeric user ID, chat ID, and (where set) public username. Collected only if you connect your Telegram account in Profile → Settings to receive the daily phrase, vocabulary reminders, or learning nudges via our Telegram bot. Purpose: delivering reminder messages through Telegram as an alternative or complement to push notifications. You can disconnect at any time in Profile → Settings; disconnect deletes the stored Telegram identifiers.
Approximate country — ISO two-letter country code derived from your IP address by Cloudflare (via the CF-IPCountry request header) at sign-up and sign-in. Purpose: GDPR-aware routing of AI provider traffic (see Sub-processors table). We do not store the IP address itself; only the country code is persisted on your profile.
Technical telemetry — crash reports, performance traces, anonymized device and OS information (via Sentry). Purpose: diagnosing errors and maintaining stability.

2. Data We Do NOT Collect

Payment card details. All payments are handled by Apple App Store and Google Play in-app-purchase systems. We never see or store your card number or CVV.
Voice biometric identity. We transcribe your speech to text. We do not extract or store voice patterns for the purpose of identifying or authenticating you. See "Voice biometrics determination" below.

3. Third-Party Processors (Sub-processors)

To deliver the Service we engage the service providers listed below. Where required by applicable law, we put in place data-processing terms and international-transfer safeguards, such as the European Commission's Standard Contractual Clauses (SCCs), Data Privacy Framework certifications, or another valid transfer mechanism. Maintenance of these contractual arrangements is an ongoing process; copies of relevant agreements are available on request.

Service	Purpose	Data sent	Region
Anthropic (Claude API)	LLM for conversation and feedback generation	Text only (no PII intentionally sent)	USA
OpenAI	LLM cascade; text-to-speech (models `tts-1`, `tts-1-hd`, `gpt-4o-mini-tts`); fallback speech-to-text; text embeddings	Text and voice audio	USA
Google Gemini	Primary LLM for Pro/Premium feedback generation for users in the EU/EEA/UK; also used for judge / validation roles	Text only	EU/USA (Google Cloud routing)
DeepSeek	Primary LLM for Pro/Premium in-conversation voice turns for all users (selected on the merits of voice-turn naturalness — see `backend/scripts/llm_eval/results/2026-05-19_path_a_gemini_eval_RESULTS.md`); also primary LLM for feedback generation for users outside the EU/EEA/UK where GDPR transfer restrictions do not apply (country detected from the Cloudflare `CF-IPCountry` header at sign-in)	Text only	China (DeepSeek-managed)
Deepgram	Primary streaming speech-to-text (Nova-2)	Voice audio	USA (`api.deepgram.com`)
ElevenLabs (Premium tier)	High-quality TTS voice synthesis	Text only	USA
Azure Speech (Premium tier)	Pronunciation assessment and shadowing	Voice audio sample	EU or USA (depending on Azure region)
PostHog	Product analytics and feature flags	User ID, in-app events, IP address	EU (`eu.posthog.com`)
Sentry	Error and crash tracking	Anonymized stack traces and technical context; `send_default_pii=False` set at backend SDK init (`backend/app/main.py`) — Sentry does not receive request bodies, headers with auth tokens, or user identifiers by default	USA
RevenueCat	Subscription state and IAP receipt management	RevenueCat user ID, entitlements, receipt metadata	USA
Apple (Sign in with Apple)	OAuth authentication	Apple-relayed or real email, optionally name	USA
Google (Sign in with Google)	OAuth authentication	Email, name, Google account ID (scopes: `openid email profile`)	USA
Firebase / Firebase Cloud Messaging	Push notification delivery	Device push token, message payload	USA
Twilio	SMS phone verification	Phone number, country, source IP	USA
Resend	Transactional and lifecycle email delivery	Email address, message content	USA
S3-compatible object storage (self-hosted MinIO, running on our Hetzner instance)	Audio file retention (14 days) and meeting-audio uploads	Voice audio files	EU/EEA — Finland (Hetzner data center, Helsinki); audio never leaves the EU
Hetzner Online GmbH	Hosting infrastructure (compute, PostgreSQL, Redis, MinIO object storage, nginx)	All Service data while at rest on our servers (account, learning, audio, logs)	EU/EEA — Finland (data center in Helsinki); processor headquartered in Germany
Cloudflare, Inc.	DNS, content delivery network, DDoS protection, and country-code lookup via the `CF-IPCountry` request header (used for GDPR-aware AI routing — see DeepSeek row)	HTTP request metadata, including IP address (transient) and approximate country	Global edge network (EU/EEA POPs serve EU/EEA traffic); processor headquartered in USA
Telegram FZ-LLC (Telegram Bot API)	Optional delivery channel for daily phrase, vocabulary reminders, and learning nudges via our Telegram bot	Telegram user ID, chat ID, username, message content (only if you connect your Telegram account)	UAE / Global (Telegram-managed)

4. Legal Basis for Processing (GDPR Art. 6 and Art. 9)

Account creation and core service delivery — Art. 6(1)(b), performance of a contract.
Voice processing (STT, TTS, pronunciation assessment) — Art. 6(1)(a), explicit consent. You are asked to confirm consent before your first voice session, and you can withdraw it at any time in the app under Profile → Settings → Voice.
Analytics (PostHog) — Art. 6(1)(f), our legitimate interest in product improvement. You may opt out via the cookie banner on the website or under Profile → Privacy in the app.
Marketing emails — Art. 6(1)(a), explicit opt-in consent with a checkbox at signup and an unsubscribe link in every message.
Phone verification — Art. 6(1)(b), contract performance and trial-fraud prevention.
Crash and error tracking — Art. 6(1)(f), our legitimate interest in service stability and security.

We do not process special-category data under Art. 9. See "Voice biometrics determination" below.

5. Retention Periods (Art. 13(2)(a))

Data category	Retention
Account data	Until you delete your account (+ a 30-day grace period implemented by our account-purge worker)
Conversation transcripts	12 months (then purged by our retention worker)
Audio recordings (pronunciation, uploaded meeting audio)	14 days, then automatically deleted by our S3 cleanup worker
Vocabulary entries	Until you delete the entry or your account
JWT authentication tokens	Access token 15 minutes, refresh token 30 days
Analytics events (PostHog)	24 months (enforced via PostHog EU Cloud project retention settings); analytics identity is deletable on request via support@ailanguagetutor.app and as part of account deletion
Error logs (Sentry)	90 days (Sentry default)
Coach free-text feedback (your written replies to the in-app coach thumbs-up / thumbs-down prompts)	90 days, after which the free-text body is NULLed by our retention worker (the anonymized rating and category are kept for product analytics)
Telegram identifiers (telegram_id, chat_id, username)	Until you disconnect Telegram in Profile → Settings or delete your account, whichever is first

6. Your Rights Under GDPR (Arts. 15–22)

You have the following rights with respect to your personal data:

Right to access (Art. 15). Export your data in JSON via Profile → Settings → Export, or by contacting support@ailanguagetutor.app.
Right to rectification (Art. 16). Edit your profile data at any time in the app.
Right to erasure / "to be forgotten" (Art. 17). Delete your account from Profile → Settings → Delete Account, or by contacting support@ailanguagetutor.app. Data is hard-deleted within 30 days, subject to lawful retention obligations.
Right to restrict processing (Art. 18). Contact support@ailanguagetutor.app.
Right to data portability (Art. 20). The export above is provided in machine-readable JSON.
Right to object (Art. 21). You may object at any time to processing based on legitimate interest (in particular, analytics).
Right not to be subject to automated decision-making (Art. 22). We do not make consequential automated decisions about you. Tier-based feature gating (Free / Pro / Premium) is contractual, not algorithmic profiling.
Right to withdraw consent (Art. 7(3)). Voice consent can be withdrawn under Profile → Settings; marketing-email consent can be withdrawn via the one-click unsubscribe link (RFC 8058 / List-Unsubscribe header) included in every commercial email; the Telegram bot integration can be disconnected at any time under Profile → Settings, which deletes your stored Telegram identifiers.
Right to lodge a complaint (Art. 77). You may contact your local supervisory authority. Examples for our target markets:
- Ukraine: Ombudsman of Ukraine — ombudsman.gov.ua
- Poland: UODO — uodo.gov.pl
- Czech Republic: ÚOOÚ — uoou.cz
- Romania: ANSPDCP — dataprotection.ro
- Hungary: NAIH — naih.hu
- Germany: BfDI — bfdi.bund.de
- Spain: AEPD — aepd.es
- Or your local supervisory authority.

7. International Data Transfers (Art. 13(1)(f))

Some of our service providers are located outside the EU/EEA (primarily the United States, with one provider — DeepSeek — located in China). Where personal data is transferred outside the EU/EEA, we use an applicable transfer mechanism where required, such as an adequacy decision (where granted by the European Commission), the EU-U.S. Data Privacy Framework for certified providers, the European Commission's Standard Contractual Clauses (SCCs), or another valid safeguard. Details of the applicable safeguards for a specific provider are available on request at support@ailanguagetutor.app.

8. Sign in with Apple (App Store Guideline 5.1.1)

The Service supports Sign in with Apple. When you use Sign in with Apple, you may choose to share either your real email address or an Apple-relayed private email (e.g. <random>@privaterelay.appleid.com). We store whichever email Apple returns to us. You can revoke our access at any time from your Apple device: Settings → Apple ID → Sign-In & Security → Apps Using Your Apple ID.

9. Sign in with Google

Sign in with Google requests the OAuth scopes openid, email, and profile only. We do not request access to Google Drive, Google Calendar, Gmail, or any other Google service.

10. Children

AI Language Tutor is not intended for users under the age of 16. We do not knowingly collect personal data from children under 16. If you believe a child under 16 has provided us with personal data, please contact support@ailanguagetutor.app and we will delete the data promptly.

11. Voice Biometrics Determination (Art. 9 explanation)

Our voice processing is limited to speech-to-text transcription, text-to-speech synthesis, and pronunciation assessment against a reference text. We do not create, store, or compare voice prints for the purpose of identifying or authenticating you. For this reason, voice recordings are processed as ordinary personal data under Art. 6, not as biometric special-category data under Art. 9.

12. Cookies and Tracking

On the public website (ailanguagetutor.app), we use PostHog (EU-hosted) for product analytics. PostHog activates only after you accept analytics cookies via our cookie banner. We do not use advertising or cross-site tracking cookies. In the mobile app, we use platform-equivalent telemetry (Firebase and PostHog), which you can disable in Profile → Privacy.

13. Data Processing Agreement (DPA)

If you use AI Language Tutor on behalf of a company, school, or other organization and require a signed Data Processing Agreement, contact support@ailanguagetutor.app. We provide a standard GDPR-compliant DPA on request.

14. Required vs Optional Data (Art. 13(2)(e))

Some data is necessary to provide the Service; other data is optional.

Required: account data (email, display name, native language) to create your account; subscription data to manage paid access; voice and audio data when you use voice-based features (you can use text-only features without granting voice consent).
Optional: marketing emails (opt-in checkbox at signup), product analytics (opt-out via cookie banner on web and Profile → Privacy in app), push notifications (opt-out via device or in-app settings), and uploaded meeting audio (you choose whether to upload).

If you do not provide required data, the corresponding features will not be available, but you may still use the parts of the Service that do not require that data (for example, text-only practice without voice features).

15. Security Measures

We use technical and organizational measures designed to protect personal data. These include transport encryption (TLS for all client–server traffic), encryption at rest for sensitive credentials, access controls with least-privilege principles for administrative access, environment-separated production credentials, audit logging for sensitive operations, automated retention enforcement (audio cleanup worker, transcript purge worker), and restricted backend administrative access. No online service can guarantee absolute security. We will notify affected users and relevant supervisory authorities of any personal-data breach in accordance with GDPR Art. 33 and Art. 34.

16. AI Provider Configuration and Training

We do not use your conversation transcripts, voice recordings, or any personal content to train our own AI models. We only send personal content to third-party AI providers (Anthropic, OpenAI, Google Gemini, DeepSeek, ElevenLabs, Deepgram, Azure Speech) where our account settings, the provider's published terms, or our data-processing agreement with that provider prohibit use of API submissions for provider-side model training, unless we disclose otherwise in this Policy before using that provider for personal content. Routing of feedback-generation traffic between Google Gemini and DeepSeek is determined by your approximate country (see §1 "Approximate country" and the DeepSeek row in the Sub-processors table). If a provider's training posture is uncertain or changes, we will either stop sending personal content to that provider or update this section before continuing.

17. Changes to This Policy

We will notify you of material changes to this Privacy Policy at least 14 days before they take effect, via in-app notification and — if you have given marketing-email consent — by email. Older versions are archived and available on request.

18. Contact

General inquiries: support@ailanguagetutor.app.

Data-protection inquiries: please use the same address and add the subject prefix [GDPR] so we can route your request to the appropriate handler.