Privacy Policy

Your privacy is important to us. This policy explains how we collect, use, and protect your personal information when you use Talkey.

Effective Date: [Update this date when you publish]
GDPR & CCPA Compliant
1. Who We Are and Scope

- Controller: Remelith Inc. ("Talkey", "we", "us", "our")
- Address: 123 Innovation Drive, Suite 100, San Francisco, CA 94105, United States
- Contacts: privacy@talkey.app, dpo@talkey.app, security@talkey.app
- Scope: This policy applies to the Talkey mobile application, related websites, and services that link to it.

2. What We Collect

A. Information you provide

- Account: name, email, password or identity provider tokens (e.g., Apple/Google sign‑in)
- Profile: language(s) and level, learning goals, avatar, time zone
- Learning content: flashcards, notes, decks, starred items, reading/listening history
- Audio and speech: recordings you create for pronunciation/listening features; derived transcripts/metrics if you enable them
- Communications: support messages, feedback, survey responses
- Purchases: in-app purchase receipts and subscription status (processed by the app store; we do not store full payment card data)

B. Information collected automatically

- Usage: feature usage, clicks, session timestamps, progress, SRS review history, completion status
- Device/Diagnostics: device model, OS version, app version, crash logs, performance metrics
- Approximate location: country/region (for content localization, pricing, and legal compliance)

C. Information from third parties

- Sign‑in providers: Apple/Google basic profile (if you choose to link)
- App stores: purchase receipts, subscription state, refunds
- Processors: cloud hosting, error monitoring, analytics with privacy safeguards

We do not collect sensitive categories (e.g., government IDs, precise geolocation) unless you affirmatively provide them or functionality requires it and you opt in.

3. Purposes and Legal Bases

We process personal data for:

- Provide the service: account creation, authentication, sync across devices, spaced repetition scheduling, content delivery (GDPR: Art. 6(1)(b) contract)
- Personalize learning: adapt content, track progress, recommend practice (GDPR: legitimate interests Art. 6(1)(f) with your controls)
- Improve and secure: debugging, fraud and abuse prevention, service integrity, quality assurance (GDPR: legitimate interests Art. 6(1)(f))
- Communications: transactional notices, service updates; optional tips and offers with consent where required (GDPR: consent Art. 6(1)(a) or legitimate interests)
- Compliance: tax, accounting, regulatory/legal requests (GDPR: legal obligation Art. 6(1)(c))

Where we rely on consent, you may withdraw at any time via in‑app settings or by contacting us, without affecting prior lawful processing.

4. Audio, Speech, and AI‑Assisted Features

- Audio content you record is processed to provide pronunciation, listening, and progress analytics. Processing may occur on‑device when available; otherwise, data is sent securely to our processors.
- We do not use your personal data or audio to train our internal or third‑party models without your explicit consent.
- You may delete audio and associated derivatives via in‑app controls; this may disable related features.

5. Sharing and Disclosure

We do not sell your personal information. We do not share personal information for cross‑context behavioral advertising ("targeted advertising") as defined by CPRA/CPA/other US state laws. We only disclose information:

- Service providers (processors): e.g., cloud hosting (including Supabase), storage, error/crash reporting, analytics with IP masking/aggregation where available, email delivery, customer support tools. Providers act under written data processing agreements and are restricted to our documented instructions.
- App stores and identity providers: to enable sign‑in and subscriptions (e.g., Apple App Store; Google Play).
- Legal and safety: to comply with law, court orders, lawful requests, to protect rights, safety, and security.
- Business transfers: in a merger, acquisition, or asset sale; we will require continued protections and provide notice where required.

We maintain a current list of subprocessors at: https://talkey.app/subprocessors (or provide in writing upon request).

6. International Transfers

- Your data may be processed in the United States and other jurisdictions. For transfers from the EEA/UK/Switzerland, we rely on appropriate safeguards, including Standard Contractual Clauses (and UK Addendum where applicable) and supplementary measures.
- You may request a copy of the relevant transfer safeguards.

7. Data Retention

We keep data only as long as necessary for the purposes above, and to comply with legal obligations:

- Account and profile: for the life of the account; delete within 30 days after account closure
- Learning data (progress, flashcards, notes, audio/derived metrics): for the life of the account; delete within 30 days after account closure; backups cycle out within 90 days
- Diagnostics/crash logs: up to 180 days
- Support tickets: up to 2 years
- Purchase records (from app stores): as required for tax/accounting (typically up to 7 years)

We may retain minimal records of requests and opt‑outs to honor your choices and meet compliance obligations.

8. Your Rights

Where applicable, you have:

- Access, correction, deletion, portability
- Restriction and objection to processing based on legitimate interests
- Withdraw consent (for consent‑based processing)
- Lodge a complaint with a supervisory authority (e.g., your EU/UK authority)

US state rights (e.g., CA/VA/CO/CT, etc.):

- Know/access, delete, correct
- Opt‑out of sale and sharing for targeted advertising (we do not sell; we do not share for targeted advertising)
- Non‑discrimination for exercising rights

How to exercise

- In‑app: Settings > Privacy
- Web: https://talkey.app/privacy-dashboard
- Email: privacy@talkey.app

Verification and timelines

- We may request information to verify your identity or authority. We respond within 30 days for GDPR requests (extendable where permitted) and 45 days for CCPA/CPRA (extendable once by 45 days with notice).

9. Security

We implement administrative, technical, and physical safeguards appropriate to the risk, including:

- Encryption in transit and at rest; least‑privilege and role‑based access; MFA for administrative access
- Secure development lifecycle, vulnerability management, logging and monitoring, incident response program
- Vendor due diligence and contractual security obligations

No method is 100% secure. If we detect a breach affecting your data, we will notify you and regulators as required by law. Report security issues to security@talkey.app.

10. Cookies and Tracking

- App: may use SDK identifiers to support authentication, analytics with privacy controls, crash reporting, and performance.
- Website: uses essential cookies; optional analytics cookies require consent where required. Manage choices via our cookie banner and your browser settings.
- Do Not Track: we honor applicable consent requirements; industry DNT standards are not yet uniform.

11. Children's Privacy

Talkey is not directed to children under 13 (or under 16 in the EEA where parental consent is required). Do not use the service if you do not meet the minimum age. If we learn we have collected data from an ineligible user, we will delete it. Parents/guardians can contact privacy@talkey.app.

12. Automated Decision‑Making

We personalize learning (e.g., spaced repetition scheduling, difficulty recommendations). We do not engage in solely automated decisions that produce legal or similarly significant effects as defined by GDPR.

13. Data Controller, DPO, and Contact

- Controller: Remelith Inc., 123 Innovation Drive, Suite 100, San Francisco, CA 94105, United States
- Data Protection Officer: dpo@talkey.app
- Privacy Team: privacy@talkey.app
- Security: security@talkey.app

EEA/UK users may also lodge complaints with their local supervisory authority.

14. Changes to This Policy

We may update this policy to reflect changes in our practices or legal requirements. We will post the updated version with a new "Effective Date" and provide additional notice where required (e.g., in‑app notice or email). Continued use after the effective date constitutes acceptance.

15. Jurisdiction‑Specific Disclosures

California (CCPA/CPRA)

- Categories collected in last 12 months: identifiers (name, email), commercial information (subscription status), internet/electronic activity (app usage), approximate geolocation (country/region), education‑related learning progress.
- Sources: you; your devices; app stores; processors.
- Business purposes: see Sections 3 and 5.
- Disclosure: to service providers/processors only for permitted purposes; we do not sell or share for cross‑context behavioral advertising.

Virginia/Colorado/Connecticut/Utah: similar rights to access, delete, correct, and opt‑out; see Section 8.