1. Who We Are
LinguaFlow ("we", "us") operates the language-learning platform at linguaflow-lilac.vercel.app. This Privacy Policy explains how we collect, use, and share personal information about you when you use the Service. If you have questions, email scarpatti74@gmail.com.
2. Information We Collect
Account data. Email address, display name, hashed password (managed by Supabase Auth), target language, CEFR level, and daily-goal preference.
Learning data. Lesson progress, streak, pronunciation scores, flashcard state, voice recordings you submit for scoring, and written practice.
Device data. Browser type, operating system, approximate location derived from IP, and interaction events (page views, feature usage).
Payment data. If you subscribe to a paid plan, our payment processor collects your billing details. We do not store your full card number on our servers.
3. How We Use Your Information
- Provide, personalize, and improve the Service
- Score your pronunciation and generate AI coaching (using Azure Cognitive Services and Google Gemini)
- Send account and billing notifications
- Send product updates and educational tips (you can opt out at any time)
- Detect fraud, abuse, and violations of our Terms
- Comply with legal obligations
4. Legal Bases (GDPR)
If you are in the EU/EEA, we process your personal data based on (a) performance of the contract to provide the Service, (b) your consent for marketing communications, (c) our legitimate interest in operating and improving the Service, and (d) compliance with legal obligations.
5. Sharing and Disclosure
We share personal information only with:
- Supabase (authentication, database, and file storage)
- Microsoft Azure (speech synthesis and pronunciation assessment)
- Google (AI-generated exercises, tutor, and translations via Gemini)
- Our payment processor (billing only)
- Legal authorities when required by law
We do not sell your personal information and we do not share it for third-party advertising.
6. AI and Voice Data
When you use pronunciation scoring, we send the target phrase and a short recording of your voice to Azure Cognitive Services for real-time assessment. Azure's data-handling terms apply. The resulting scores are stored in your account so you can track progress; the raw audio is not persisted unless you explicitly save it.
Text prompts sent to Google Gemini for exercise generation, AI tutoring, or on-demand translation are subject to Google's terms. We do not send personal identifiers along with those prompts.
7. Cookies and Similar Technologies
We use strictly necessary cookies for authentication and locale preferences. We do not use third-party advertising cookies. Your browser can be configured to refuse cookies, but the Service will not function correctly without authentication cookies.
8. Data Retention
We retain your personal data while your account is active. When you delete your account, we remove personal identifiers within 30 days, except where retention is required by law (for example, for tax or fraud-prevention purposes).
Aggregated, anonymized learning analytics may be retained indefinitely to improve the Service.
9. Your Rights
Depending on where you live, you may have the right to:
- Access, correct, or delete your personal information
- Object to or restrict our processing
- Withdraw consent for marketing at any time
- Receive a portable copy of your data
- Lodge a complaint with your local data-protection authority
To exercise these rights, email scarpatti74@gmail.com. We respond within 30 days.
10. Children's Privacy
The Service is not directed at children under 13 (or the local minimum age of digital consent). We do not knowingly collect data from children under that age. If you believe we have, please contact us and we will delete it.
11. International Transfers
Your data may be processed in the United States, the European Union, or other regions where our service providers operate. We rely on standard contractual clauses and equivalent safeguards for cross-border transfers.
12. Security
We use industry-standard encryption in transit (TLS) and at rest, role-based access control, and audit logging. No system is perfectly secure — please use a strong, unique password and enable multi-factor authentication when it becomes available.
13. Changes to This Policy
We may update this Privacy Policy from time to time. Material changes will be notified in-app or by email at least 14 days before they take effect.