LEGAL

Privacy Policy

Draft — last updated [DATE]. Not yet reviewed by an attorney.

1. What we collect

When you use Efalio AI, we collect:

  • Account data: email, hashed password (or Google account ID if you sign in with Google), name
  • Learning profile: native/target language, level, interests, daily goals
  • Learning activity: conversation transcripts, written corrections, flashcard reviews, reading/listening quiz answers, mistake history
  • Voice recordings: only for the Pronunciation Analyzer, and only while you're using that feature — see Section 4
  • Billing data: handled by Stripe; we store your plan and subscription status, not your card details
  • Usage data: which features you use and when, for product analytics and abuse prevention

2. How we use it

We use your data to provide the Service: generating personalized lessons, scoring your writing/speaking, tracking your progress and streaks, and processing payments. We do not sell your personal data.

3. AI processing and third parties

Text you submit for correction, conversation, or scoring (and audio you submit for pronunciation analysis) is sent to OpenAI to generate a response. This is how the AI Teacher, Speaking Partner, and related features work — they cannot function without sending your input to our AI provider. We also use:

  • Stripe — payment processing for paid plans
  • Google — optional sign-in via Google OAuth, if you choose that instead of a password

Each of these providers processes data under their own privacy policies. We don't control how they handle data beyond what we send them.

4. Voice recordings

Pronunciation Analyzer recordings are sent to OpenAI's speech-to-text service for transcription and are not stored by us beyond what's needed to return your results in that session.

5. Children's privacy

The Service is intended for users aged 13 and up. We do not knowingly collect personal information from children under 13. If you believe a child under 13 has created an account, contact us at [support email] and we'll delete it. [If you intend to serve users under 13 in a jurisdiction requiring verifiable parental consent (e.g. under COPPA in the U.S.), this policy and the signup flow need additional review before launch — this draft assumes a 13+ minimum age.]

6. Your rights

You can, at any time, from Settings:

  • Export your data — download everything we hold about your account as a JSON file
  • Delete your account — immediate, permanent removal of your profile, conversations, flashcards, and progress history
  • Correct your data — update your profile information directly

If you're in the EU/UK or Turkey, these map to your rights under GDPR (Articles 15–20) and KVKK (Article 11) respectively.

7. Data retention

We retain your data while your account is active. If you delete your account, your personal data is removed immediately, except where we're legally required to retain records (e.g. billing records for tax purposes).

8. Security

Passwords are hashed, not stored in plain text. Access to the Service uses short-lived tokens that can be individually revoked. [Describe any additional security measures, e.g. encryption at rest, once finalized.]

9. International data transfers

Our servers and service providers (including OpenAI and Stripe) may process data outside your country of residence. [Specify data-transfer safeguards, e.g. Standard Contractual Clauses, once your hosting region and provider agreements are finalized.]

10. Changes to this policy

We may update this policy from time to time. Material changes will be notified in-app or by email before they take effect.

11. Contact

Questions about this policy, or want to exercise a data right without using the in-app tools? Contact us at [support email].