Privacy Policy
We are committed to protecting your personal data and respecting your privacy. This policy explains what we collect, why we collect it, and how you can control it.
Who We Are
Speafy ("we", "our", "us") is an AI-powered language learning platform operated from Canada. The data controller responsible for your personal data is:
- Product name: Speafy
- Country of operation: Canada
- Privacy Officer: Privacy Officer, Speafy
- Contact email: privacy@speafy.com
- Website: https://speafy.com
If you have any questions about how we handle your personal data, please contact our Privacy Officer at the address above before submitting a formal complaint to a supervisory authority.
Data We Collect
We collect only the data necessary to provide and improve the Speafy service. The table below summarises every category of personal data we process.
| Category | Specific data points | Source |
|---|---|---|
| Account identity | Full name, email address, profile photo URL | Google Sign-In (provided by Google at login) |
| Learning progress | Topics completed, words learned, daily streak, study hours, flashcard memory states (stability, difficulty, retrievability, due dates), lesson history, daily log | Generated by your use of the app |
| Preferences | Native language, vocabulary target, course duration goal, display name | Entered by you in the Goals page |
| Age declaration | Confirmation that you meet the minimum age requirement for your jurisdiction, collected at sign-up | Entered by you during account creation |
| AI conversation content | Messages you send to Baran (the AI tutor) and AI-generated replies | Generated by your use of the chat feature |
| Usage & API telemetry | Claude API token counts (input/output) per session, cumulative cost estimate | Generated automatically when AI features are used |
| Technical / device data | IP address, browser type, operating system, referring URL, session timestamps | Collected automatically by Firebase Hosting and Firebase Authentication |
| Analytics data | App usage events, session duration, feature interaction — collected by Firebase Analytics and Google Analytics only with your consent | Collected automatically when analytics are enabled and consent is granted |
| Translation cache | Translated vocabulary content keyed to language setting | Generated on first use; shared across all users of the same language. Contains no personal identifiers. |
We do not collect: payment card data (handled entirely by Paddle as an independent Merchant of Record), government IDs, health data, or sensitive personal categories as defined by GDPR Article 9.
How We Use Your Data
To provide the service
- Authenticate you via Google Sign-In and maintain your session.
- Load and save your learning progress, flashcards, and preferences across devices.
- Personalise vocabulary translations and AI tutor responses to your native language.
- Schedule spaced-repetition reviews using the FSRS algorithm based on your card history.
To power AI features
- Send your chat messages and lesson context to the Anthropic Claude API via our secure server-side proxy (Google Cloud Run) to generate tutor responses, example sentences, and word analyses. Your messages are processed in real time and are not stored on our servers.
- Anthropic processes this data under its own privacy policy and API terms. We do not use your conversations to train AI models, and Anthropic does not use API input/output data to train its models by default.
To improve the service
- Analyse aggregated, anonymised usage patterns (e.g., which topics are most studied) to improve curriculum and UX.
- Monitor API cost telemetry to ensure service sustainability.
- Where you have given consent, use Firebase Analytics and Google Analytics data to understand how users interact with the app and landing page.
To communicate with you
- Send transactional emails related to your account (e.g., billing receipts from Paddle).
- Respond to support or privacy enquiries you initiate.
We do not sell your personal data. We do not use your data for behavioural advertising.
Legal Basis for Processing
For users in the European Economic Area (EEA), United Kingdom, and Switzerland, we rely on the following legal bases under GDPR Article 6:
| Processing activity | Legal basis |
|---|---|
| Creating and maintaining your account; delivering the learning service | Performance of a contract (Art. 6(1)(b)) — processing is necessary to fulfil the service you signed up for |
| Sending AI chat messages to Anthropic to generate tutor responses | Performance of a contract (Art. 6(1)(b)) — the AI tutor is a core feature of the service |
| Analysing aggregated usage patterns; monitoring service health | Legitimate interests (Art. 6(1)(f)) — improving service quality without overriding your fundamental rights |
| Storing cookies essential to authentication and session management | Legitimate interests (Art. 6(1)(f)) — strictly necessary for the service to function |
| Non-essential analytics cookies (Firebase Analytics, Google Analytics) | Consent (Art. 6(1)(a)) — collected via cookie consent banner; you may withdraw at any time |
| Compliance with legal obligations (e.g., tax records via Paddle) | Legal obligation (Art. 6(1)(c)) |
Subprocessors & Third Parties
We work with the following third-party services. Where they act as our processors, they are bound by appropriate data protection obligations. Where they act as independent controllers, they process data under their own privacy policies.
Stores account identity, learning progress, and session tokens. Firebase Authentication manages sign-in. Firestore holds all user data. Firebase Analytics collects usage events where consent is granted.
Privacy policy ↗Collects anonymised usage data on the Speafy landing page and app. Activated only after you grant consent via the cookie banner. You may opt out at any time by withdrawing consent.
Privacy policy ↗Receives your chat messages and lesson context to generate tutor responses. Data is transmitted via our server-side proxy on Google Cloud Run — your API key is never exposed to the browser. Anthropic does not use API data to train its models by default.
Privacy policy ↗Our proxy server that forwards AI requests to Anthropic. Verifies Firebase authentication tokens to ensure only signed-in Speafy users can make AI requests. Does not persist your data beyond transient request handling.
Privacy policy ↗Handles all subscription billing as an independent Merchant of Record. Paddle is a separate data controller for payment data — we share only your name, email, and subscription plan with Paddle to facilitate billing. We never see or store your payment card details. Paddle manages VAT and sales tax compliance globally.
Privacy policy ↗We do not share your personal data with any other third parties except where required by law (e.g., in response to a valid court order).
International Data Transfers
Speafy is operated from Canada. Some of our subprocessors are based in the United States, which means your personal data is transferred internationally when you use the service:
- Google Firebase, Google Analytics & Cloud Run — Google LLC is certified under the EU–US Data Privacy Framework (DPF) and offers EU Standard Contractual Clauses (SCCs) as a transfer mechanism for EEA, UK, and Swiss users. For Turkish users, transfers are governed by SCCs as required under KVKK Article 9 (as amended June 2024).
- Anthropic — Transfers are governed by Standard Contractual Clauses (SCCs) incorporated into Anthropic's Data Processing Agreement, providing equivalent protection for users in the EEA, UK, Turkey, and other jurisdictions requiring transfer safeguards.
- Paddle — Paddle acts as an independent Merchant of Record and relies on SCCs and the UK–US Data Privacy Framework for transfers involving EEA and UK residents.
Where personal data is transferred outside your country of residence, we ensure it receives equivalent protection through the safeguards above. You may request a copy of the applicable SCCs by contacting us at privacy@speafy.com.
Data Retention
| Data category | Retention period | Reason |
|---|---|---|
| Account identity & learning progress | Until you delete your account, plus 30 days for recovery | Service delivery |
| AI conversation messages | Not retained — processed in real time via our server-side proxy and not stored on our servers or in Firestore. Chat history visible within your session is held in browser memory only and is cleared when you close the session. | Privacy by design |
| Translation cache (shared) | Indefinitely, unless the language is removed from service | Performance — avoids re-generating identical translations for all users. Contains no personal identifiers. |
| Technical / server logs | 30 days (Google Cloud Run default) | Security monitoring and error diagnosis |
| Analytics data (Firebase Analytics, Google Analytics) | Up to 14 months (Google's default retention for Analytics data) | Usage trend analysis; only collected where consent is granted |
| Billing records (via Paddle) | 7 years | Tax and legal compliance obligation |
When your account is deleted, all personal data held in Firestore (account identity, progress, flashcards, preferences) is permanently erased within 30 days. Anonymised, aggregated data that cannot be linked back to you may be retained for service analytics.
Cookies & Local Storage
Strictly necessary (no consent required)
Firebase Authentication uses browser cookies and localStorage to maintain your signed-in session. Without these, the app cannot function. These are set only after you sign in.
Functional storage
We use localStorage (browser storage, not a cookie) to cache:
- Your learning progress and flashcard states — a performance mirror of Firestore data, so the app loads instantly.
- Generated example sentences (to avoid redundant AI calls).
- UI string translations for non-English interfaces.
This data never leaves your device unless synced to Firestore as described in Section 2.
Analytics cookies (consent required)
We use Firebase Analytics and Google Analytics on both the Speafy app and the speafy.com landing page to measure usage and improve the service. These services may set cookies (including Google's _ga and _gid cookies) and collect device identifiers. They are non-essential and will only be activated after you grant explicit consent via the cookie consent banner displayed on your first visit.
To withdraw your analytics consent at any time, click the "Cookie Settings" link in the page footer. Withdrawing consent stops new data collection but does not affect data already collected before withdrawal.
Third-party cookies
Our landing page loads fonts from Google Fonts via CDN. Google Fonts does not use cookies and does not retain IP addresses beyond standard server log rotation.
You can also manage or delete cookies at any time through your browser settings. Clearing Firebase-related storage will sign you out of the app.
Your Rights
Depending on your location, you have the following rights regarding your personal data. EEA, UK, and Swiss users have all rights listed below under GDPR / UK GDPR. California residents have additional rights under the CCPA (noted separately). Users in other jurisdictions should refer to Section 12 for rights specific to their country.
Request a copy of the personal data we hold about you (GDPR Art. 15).
Correct inaccurate or incomplete data. Update your name and language in the Goals page instantly (GDPR Art. 16).
Delete your account and all associated data ("right to be forgotten") via the app's account deletion feature or by emailing us (GDPR Art. 17).
Ask us to stop processing your data while a dispute is resolved (GDPR Art. 18).
Receive your personal data in a structured, machine-readable format. Email us at privacy@speafy.com and we will provide it within one calendar month (GDPR Art. 20).
Object to processing based on legitimate interests, including profiling (GDPR Art. 21).
Where processing is based on consent (e.g., analytics cookies), withdraw it at any time via the "Cookie Settings" link in the footer, without affecting prior processing.
File a complaint with your local data protection authority if you believe your rights have been violated.
California residents (CCPA / CPRA)
California residents have the right to know what personal information is collected, to delete personal information, to correct inaccurate personal information, to opt out of the sale or sharing of personal information (we do not sell or share personal information for advertising purposes), and to non-discrimination for exercising these rights. Note that the CCPA's thresholds for mandatory compliance (annual gross revenues above $25 million, or buying/selling/sharing the personal information of 100,000 or more consumers) may not currently apply to Speafy at its present scale. We nonetheless respect and honour these rights for all California users. To exercise your California rights, contact privacy@speafy.com.
To exercise any of the above rights, email privacy@speafy.com with the subject line "Privacy Rights Request". We will respond within one calendar month (or within the timeframe required by applicable law, whichever is shorter). We may ask you to verify your identity before processing your request.
Children's Privacy
Speafy welcomes learners of all ages. However, the minimum age to create an account without parental or guardian consent depends on your location, as set out below. During sign-up, we ask you to confirm that you meet the minimum age requirement for your jurisdiction.
| Jurisdiction | Minimum age without parental consent |
|---|---|
| United States | 13 (COPPA) |
| European Economic Area | 13–16 (varies by member state; e.g. 16 in Germany, Netherlands, and Ireland; 13 in most others) |
| United Kingdom | 13 (UK GDPR) |
| Canada | 13 |
| India | 18 (DPDP Act 2023) |
| All other countries | 13 |
If you are below the applicable minimum age for your jurisdiction, you may only use Speafy with the verifiable consent of a parent or legal guardian. Your parent or guardian must review this Privacy Policy and our Terms of Service on your behalf and contact us at privacy@speafy.com to register their consent before account creation.
What we do not do for users below the minimum age
- We do not knowingly collect personal data from users below the applicable minimum age without verifiable parental or guardian consent.
- We do not serve behavioural advertising to any user.
- We do not profile or track minors for commercial purposes.
- Users who do not meet the minimum age requirement for their jurisdiction are not permitted to create an account. We do not knowingly collect analytics data from users below the applicable minimum age.
For parents and guardians
If you believe your child has created a Speafy account without your knowledge or consent, contact us immediately at privacy@speafy.com with the subject line "Child Account Removal". We will verify the request and permanently delete the account and all associated data within 72 hours of verification.
Educational use
If Speafy is used within an educational institution involving minors, the institution must contact us at privacy@speafy.com before deployment to establish a written data processing agreement, a parental consent mechanism, and any jurisdiction-specific safeguards required by applicable law (including FERPA in the United States and equivalent frameworks in other countries).
COPPA (United States)
With respect to the Children's Online Privacy Protection Act, Speafy does not knowingly collect personal information from children under 13 in the United States beyond what is strictly necessary to operate the service. If we discover that we have inadvertently collected additional personal information from a child under 13, we will delete it promptly. If you believe this to be the case, please contact us at privacy@speafy.com.
Security
We implement technical and organisational measures appropriate to the risk level of the data we process:
- Encryption in transit: All data between your browser and our services is encrypted using TLS 1.2 or higher (HTTPS enforced everywhere).
- Encryption at rest: Firestore data is encrypted at rest by Google using AES-256.
- API key isolation: The Anthropic API key is stored exclusively on our Cloud Run server and is never embedded in client-side code or accessible from the browser.
- Authentication: All AI API requests are verified against your Firebase ID token. Unauthenticated requests are rejected at the proxy level.
- Firestore rules: Database security rules ensure users can only read and write their own data. Shared translation caches are write-once, read-many.
- Access controls: Production database access is restricted to authorised personnel only.
Despite these measures, no system is completely secure. If you suspect a security incident involving your data, contact us immediately at privacy@speafy.com.
Breach notification
In the event of a personal data breach, we will notify affected users and the relevant supervisory authority according to the timelines required by applicable law:
- GDPR / UK GDPR: We will notify the relevant supervisory authority within 72 hours of becoming aware of a breach, and notify affected individuals without undue delay where the breach is likely to result in high risk to their rights and freedoms (GDPR Art. 33–34).
- KVKK (Turkey): We will notify the Personal Data Protection Authority (KVKK Kurulu) within 72 hours of becoming aware of a breach.
- PIPEDA (Canada): We will notify the Privacy Commissioner of Canada and affected individuals as soon as feasible when a breach poses a real risk of significant harm.
- Japan APPI: We will notify the Personal Information Protection Commission (PPC) and affected individuals promptly upon discovering a qualifying breach.
- All other jurisdictions: We will comply with applicable breach notification requirements under local law.
We maintain an internal record of all data breaches as required by applicable law.
Jurisdiction-Specific Notices
The following notices apply to users in specific countries or regions, in addition to the general policy above.
Turkey — KVKK (Kişisel Verilerin Korunması Kanunu)
Speafy processes personal data of users located in Turkey in compliance with Law No. 6698 (KVKK) and its 2024 amendments. As a foreign data controller processing data of Turkish residents, we rely on Standard Contractual Clauses (SCCs) as the legal mechanism for international data transfers to our US-based subprocessors (Google, Anthropic), as required under the revised KVKK Article 9 effective June 2024. Turkish residents have the following rights under KVKK Article 11: the right to learn whether your personal data is being processed; the right to request information about how it is processed; the right to know the purpose of processing and whether data is used for its intended purpose; the right to know third parties to whom data is transferred; the right to request correction of incomplete or inaccurate data; the right to request deletion or destruction of data; the right to object to automated processing that produces decisions against you; and the right to claim compensation for damages arising from unlawful processing. To exercise any of these rights, contact us at privacy@speafy.com.
Canada — PIPEDA
Speafy is operated from Canada and is subject to the Personal Information Protection and Electronic Documents Act (PIPEDA). Our Privacy Officer (contactable at privacy@speafy.com) is accountable for our compliance with PIPEDA's ten fair information principles. Canadian residents have the right to access the personal information we hold about them and to challenge its accuracy. We will respond to access requests as soon as reasonably possible and no later than 30 days after receipt. Your personal data is transferred to and processed by US-based subprocessors (Google, Anthropic, Paddle). While we take steps to ensure equivalent protection through contractual safeguards, please be aware that once data is transferred to the United States it may be subject to access by US authorities under applicable US law.
Japan — APPI (Act on the Protection of Personal Information)
Speafy processes personal data of users located in Japan in compliance with the Act on the Protection of Personal Information (APPI). The purposes for which we use your personal data are specified in Sections 2 and 3 of this policy and we do not use your data beyond those purposes without obtaining fresh consent. When transferring your personal data to our US-based subprocessors, we ensure those recipients have in place a personal information protection system equivalent to Japan's APPI standards through contractual obligations. Japanese residents have the right to request disclosure, correction, addition, deletion, and suspension of use of their personal data. To submit a request, contact us at privacy@speafy.com.
Australia — Australian Privacy Principles (APPs)
Speafy processes personal data of users located in Australia in accordance with the Privacy Act 1988 (Cth) and the Australian Privacy Principles (APPs), as amended by the Privacy and Other Legislation Amendment Act 2024. Your personal data is disclosed to overseas recipients (Google and Anthropic, both in the United States). We have taken reasonable steps to ensure these recipients do not breach the APPs, including through contractual data protection obligations. Australian residents have the right to access and correct their personal data. Where our automated systems (including the AI tutor) are used in ways that may significantly affect your interests, we will provide appropriate disclosure. To make an access or correction request, contact us at privacy@speafy.com.
Gulf Cooperation Council — Saudi Arabia PDPL / UAE PDPL
Speafy processes personal data of users located in Saudi Arabia in compliance with the Personal Data Protection Law (PDPL) as enforced by the Saudi Data and Artificial Intelligence Authority (SDAIA) from September 2024. We do not collect sensitive personal data as defined under the KSA PDPL (health, financial, genetic, biometric, or religious data). Personal data is transferred to US-based subprocessors under contractual safeguards. Saudi residents have the right to access, correct, and request deletion of their personal data. For users located in the UAE, we respect the UAE Federal Decree No. 45 of 2021 on Personal Data Protection as it comes into full effect. To exercise your rights, contact us at privacy@speafy.com.
Mexico — LFPDPPP (Ley Federal de Protección de Datos Personales en Posesión de los Particulares)
For users located in Mexico, this section serves as our Aviso de Privacidad (Privacy Notice) under Mexico's Federal Law on the Protection of Personal Data Held by Private Parties (LFPDPPP, as updated March 2025). The data controller is Speafy, operated from Canada (contact: privacy@speafy.com). We collect and process your personal data for the purposes described in Sections 2 and 3 of this policy. Your data may be transferred to third parties (Google, Anthropic, Paddle) as described in Section 5; those recipients ensure an equivalent level of protection through contractual obligations. Mexican residents have ARCO rights: Acceso (access to your data), Rectificación (correction of inaccurate data), Cancelación (deletion of your data), and Oposición (objection to processing). To exercise your ARCO rights, contact us at privacy@speafy.com with the subject line "ARCO Request".
India — DPDP Act (Digital Personal Data Protection Act 2023)
Speafy processes personal data of users located in India in compliance with the Digital Personal Data Protection Act 2023 (DPDP Act) and the Digital Personal Data Protection Rules 2025. As the Data Fiduciary, Speafy specifies the purposes for processing your personal data in Sections 2 and 3 of this policy and does not process your data beyond those purposes. Personal data is transferred outside India to our US-based subprocessors under contractual safeguards. Indian residents (Data Principals) have the right to access a summary of their personal data, correct or update inaccurate data, request erasure of data no longer necessary for the specified purpose, and raise a grievance with us. As noted in Section 10, the DPDP Act defines a child as a person under 18 years of age; users under 18 in India require verifiable parental or guardian consent before using Speafy. We do not track, profile, or direct behavioural advertising at any minor. To exercise your rights or raise a grievance, contact our Grievance Officer at privacy@speafy.com with the subject line "DPDP Rights Request". We will acknowledge your grievance within 48 hours and resolve it within one calendar month.
All other jurisdictions
If you are located in a jurisdiction not specifically addressed above, we process your personal data in accordance with the applicable data protection laws of your country. The rights described in Section 9 of this policy reflect internationally recognised privacy standards. To exercise any privacy rights available to you under your local law, or to raise any privacy concern, contact us at privacy@speafy.com.
Changes to This Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. When we make material changes, we will:
- Update the "Last updated" date at the top of this page.
- Display a prominent notice in the app the next time you sign in.
- Where required by law, obtain fresh consent before the changes take effect.
We encourage you to review this page periodically. Your continued use of Speafy after changes are posted constitutes acceptance of the updated policy, except where consent is legally required.
Previous versions of this policy are available on request by emailing privacy@speafy.com.
Contact & Complaints
For any privacy-related questions, data subject requests, or concerns, please contact our Privacy Officer:
Privacy Officer — Speafy
Email: privacy@speafy.com
We respond within one calendar month. For urgent matters, include "URGENT" in the subject line.
Right to lodge a complaint
If you are located in the EEA and are not satisfied with our response, you have the right to lodge a complaint with your national data protection authority. A list of EEA supervisory authorities is available at edpb.europa.eu.
UK users may contact the Information Commissioner's Office (ICO) at ico.org.uk.
Canadian users may contact the Office of the Privacy Commissioner of Canada at priv.gc.ca.
Turkish users may contact the Personal Data Protection Authority (Kişisel Verileri Koruma Kurumu) at kvkk.gov.tr.
Australian users may contact the Office of the Australian Information Commissioner (OAIC) at oaic.gov.au.
Indian users may contact the Data Protection Board of India once it is fully operationalised, or raise a grievance directly with us at privacy@speafy.com.
Changelog
Material changes to this policy are listed below. Minor editorial corrections (typos, formatting) are not recorded. Previous versions are available on request at privacy@speafy.com. Each version is also permanently tagged in our source repository.
| Version | Date | Summary of changes |
|---|---|---|
| 1.0 | 11 June 2026 | Initial publication. Covers data collection, GDPR/PIPEDA/KVKK/APPI/DPDP legal bases, Firebase + Anthropic + Paddle subprocessors, user rights, children's privacy (age table), cookie consent, breach notification, and jurisdiction-specific notices for Turkey, Canada, Japan, Australia, GCC, Mexico, and India. |