FluentFlow Privacy Policy

Effective Date: August 4, 2025

Definitions

For clarity, here are key terms used in this Privacy Policy:

  • Personal Information (or "Personal Data"): Any information that identifies or relates to an individual, such as email address, username, or learning progress data, as defined under applicable laws like the California Consumer Privacy Act (CCPA/CPRA) or the General Data Protection Regulation (GDPR).

  • Processing: Any operation performed on Personal Information, such as collection, use, storage, or deletion.

  • Service Providers: Third parties we use to support our operations, such as authentication or AI processing providers.

  • Sensitive Personal Information: Data revealing racial/ethnic origin, religious beliefs, health, or other sensitive categories under laws like CPRA. We do not collect or process Sensitive Personal Information.
     

1. Introduction

Welcome to FluentFlow. Your privacy is a top priority for us. This Privacy Policy is intended to inform you about how we collect, use, and protect your personal information to ensure transparency and build your trust in our language learning application. By using FluentFlow, you agree to the collection and use of information in accordance with this policy. If you do not agree with the terms of this policy, please do not use our application.

We aim to comply with applicable privacy laws, including the GDPR (for EU/UK users), CCPA/CPRA (for California residents), and PIPEDA (for Canadian users), among others. This policy applies globally but may be supplemented by local laws based on your location.
 

2. Compliance with Privacy Laws

We process Personal Information in accordance with relevant laws. For GDPR purposes:

  • We are the data controller for your Personal Information.

  • Legal bases for processing include: necessity for contract performance (e.g., providing app services via account data); legitimate interests (e.g., analytics and admin access to user data to improve features, with safeguards like data minimization and access restrictions); and consent where required (e.g., for optional technical data).
     

For CCPA/CPRA:

  • We categorize Personal Information as described in Section 3.

  • We do not "sell" or "share" your Personal Information as defined under CCPA/CPRA (e.g., no targeted advertising or monetary exchanges).

  • We do not collect or use Sensitive Personal Information.
     

If you are in a jurisdiction with specific requirements, additional rights or notices may apply (see Section 9).

In the event of a data breach involving Personal Information, we will investigate and notify affected users and authorities as required by law (within 72 hours under GDPR).
 

3. Information We Collect

We collect the minimum data necessary for app functionality. No automated tracking, cookies, inferred data, payment information, or precise location data is collected. We collect the following categories of Personal Information, aligned with CCPA categories where applicable:
 

Identifiers, such as your email address, username, unique User ID (UUID), and timestamps for account creation and updates, which are collected directly from you during account creation for authentication and account management purposes.

Commercial Information, such as your learning progress (e.g., number of cards studied, lessons completed, current and longest streaks, and last activity date), language preferences, and country preference, which are collected directly from you through app usage to provide personalized services, localization, and aggregated analytics.
 

We do not collect any Internet/Network Activity, Professional/Employment Data, Inferences, or Sensitive Personal Information.
 

Additionally, we collect User-Generated Content, such as feedback reports, suggestions, and support messages, which are collected directly from you to improve our services and respond to issues.
 

We also collect Optional Technical Data, such as device model, operating system version, and app version, which is collected directly from you only if toggled on in bug reports, for diagnosing technical issues. We do not store AI chat message history or personal dictionary entries on our servers.
 

4. How We Use Your Information

We use your Personal Information for:

  • Providing, maintaining, and operating our services (e.g., account authentication).

  • Notifying you about service changes.

  • Analyzing usage data to understand trends and improve features.

  • Enabling AI features via third-party providers (real-time processing only).

  • Diagnosing issues and responding to feedback/support, using optional technical data only if provided.

  • Allowing restricted admin access to non-anonymized user data (e.g., emails, learning progress) for service improvements, as detailed in Section 8.

Under GDPR, these uses are based on the legal bases outlined in Section 2. We do not use your data for automated decision-making that produces legal effects.
 

5. Data Sharing and Third-Party Services

We do not sell, trade, or share your Personal Information for marketing or advertising. Sharing is limited to Service Providers necessary for app features. No other sharing occurs (e.g., no affiliates, mergers, or additional scenarios).
 

  • AI Feature Processing: Text inputs are transmitted in real-time to OpenAI (directly or via OpenRouter.ai) solely for generating AI Chat, AI Call, and verb conjugation content. Inputs are not stored by us. Model training on your inputs is disabled via API settings. We advise against submitting confidential or sensitive information. Provider handling:

  • Backend and Authentication: Supabase handles database hosting and authentication. See Supabase Privacy Policy at https://supabase.com/privacy. They store data with GDPR safeguards like Standard Contractual Clauses for international transfers.
     

We may disclose information if required by law or to protect our rights/safety.

For international transfers (e.g., EU data to US-based providers), we rely on providers' safeguards, such as Standard Contractual Clauses, to ensure adequate protection under GDPR.
 

6. Data Security

We implement enterprise-grade measures, including Row Level Security (ensuring access only to your data), encryption in transit and at rest, and access controls. Administrators have limited, logged access as described in Section 8; authentication data is secured by Supabase and inaccessible to us. We conduct regular audits and use vulnerability scanning.

While we strive for security, no internet transmission is fully secure—transmit at your own risk. We align with providers' measures (e.g., Supabase's secure servers).
 

7. Data Retention and Deletion

We retain Personal Information only as long as necessary for services. Account and progress data is kept while your account is active. Upon account deletion (via app settings), all data is permanently and immediately removed via automated processes—this is irreversible. Feedback reports are retained until resolved, then deleted. 
 

8. Admin Access

Administrators have restricted, logged access to non-anonymized user data, including user emails, language preferences, country, joined date, and learning statistics (e.g., cards studied, lessons completed, current streak, longest streak, last activity) for the purpose of service improvements and to view feedback content. This access is limited to what is necessary, logged for accountability, and justified under legitimate interests (e.g., enhancing app features based on user trends). Administrators have no access to sensitive details like passwords.
 

9. Your Rights and Choices

You control your data. Rights include:

  • Access: View/export your Personal Information.

  • Correction/Modification: Update username/email in app settings.

  • Deletion: Delete account and data via app.

  • Portability (GDPR): Receive data in machine-readable format.

  • Restriction/Objection (GDPR): Limit or object to processing (e.g., analytics).

  • Withdraw Consent (where applicable): Contact us, though it may limit features.

  • Limit Sensitive Use (CPRA): Not applicable, as we collect none.

  • Opt-Out of Sale/Sharing (CCPA): Not applicable, as we do none.

  • Non-Discrimination (CCPA): We won't penalize you for exercising your rights.
     

Submit requests at support@fluentflow.ai. We verify identity via email confirmation and respond within 30 days (45 under CCPA, extendable). No fees apply. For complaints, contact your local authority (e.g., EU data protection agency).
 

10. Children's Privacy

FluentFlow is rated 13+ on the App Store and not intended for children under 13. We do not knowingly collect data from under-13s—if discovered, we delete it. For EU users under 16, processing requires verifiable parental consent (e.g., via email); contact us if needed.
 

11. Changes to This Privacy Policy

We may update this policy. Significant changes will be notified via app notice and posted here, with highlights of modifications. Continued use constitutes agreement.
 

12. Contact Us

Questions? Email support@fluentflow.ai.
