# **Privacy Policy for EngTutor** **Last Updated: January 9, 2026** **Data Controller**: EngTutor (operating as autónomo in Spain, EU) **Contact**: support@engtutor.ai **Website**: https://engtutor.ai ## **1. Information We Collect** ### **Account Information** - **Email address**: Required for account creation and authentication - **Username**: Optional display name ("seedname") for personalization - **Authentication data**: Session tokens managed by Supabase Auth ### **Practice Data** - **Conversation messages**: All messages you type during practice scenarios - **AI corrections**: Grammar/vocabulary corrections generated by OpenAI models - **Exercise history**: Completed scenarios, scores, progress tracking - **Voice recordings**: If you use TTS features, audio files are cached temporarily ### **Usage Data** - **Pages visited**: For product improvement (analytics not yet implemented) - **Browser/device info**: Basic technical data (user agent, screen size) - **Credit consumption**: Usage events for billing and fraud prevention ### **Automatically Blocked Data** Our system **automatically detects and blocks** sensitive information: - Passwords, API keys, credit card numbers - Passport numbers, SSNs, personal IDs - Private keys or cryptographic secrets ## **2. Legal Basis for Processing (GDPR)** We process your data under **GDPR Article 6**: - **Contract**: Providing conversation practice and corrections (necessary for service) - **Consent**: Optional features like TTS audio generation - **Legitimate interest**: Fraud prevention, service improvement - **Legal obligation**: Responding to lawful data requests --- ## **3. How We Use Your Data** 1. **Provide core service**: Generate AI responses, corrections, and feedback 2. **Track progress**: Save exercise history and performance scores 3. **Improve quality**: Analyze common errors to enhance AI prompts 4. **Prevent abuse**: Monitor credit usage for fraud detection 5. **Communication**: Send essential service updates (rare) --- ## **4. Third-Party Processors** Your data is shared only with these **essential service providers**: | Provider | Purpose | Data Shared | Location | |----------|---------|-------------|----------| | **Supabase** | Auth, database, file storage | All user data | US/EU (selected by user region) | | **OpenRouter** | AI chat & embeddings | Messages, embeddings | US (OpenAI endpoints) | | **ElevenLabs** | Text-to-speech (if enabled) | Text for voice generation | US/Ireland | | **Stripe** | Payment processing | Email, transaction data | US/EU | | **Private UK Host** | Server hosting | Encrypted data at rest | UK | All processors are **GDPR-compliant** and bound by Data Processing Agreements. --- ## **5. International Data Transfers** As a global service, your data may be transferred outside the EU. We ensure adequate protection through: - **Standard Contractual Clauses** with all processors - **Privacy Shield** compliance (where applicable) - **Encryption** in transit (TLS) and at rest (AES-256) --- ## **6. Data Retention** - **Active accounts**: Data retained indefinitely unless deleted by you - **Deleted sessions**: Cleared immediately from app, hard-deleted within 30 days - **Cancelled accounts**: Hard-deleted within 90 days of cancellation request - **Backups**: May persist for up to 60 days after deletion **Important**: Even after clearing sessions, anonymized analytics may be retained for product improvement. --- ## **7. Your Rights (GDPR and Global Privacy Laws)** As a user, you have the right to: ### **Access** - Download your complete data: **Contact support@engtutor.ai** - (Feature coming soon: self-service export in app settings) ### **Rectification** - Update your email/name in account settings - Modify any incorrect practice data ### **Erasure ("Right to be Forgotten")** - **Current method**: Email support@engtutor.ai from your registered address - **Response time**: Within 30 days - **Note**: Account deletion is not yet self-service but will be implemented in Q2 2026 ### **Data Portability** - Request machine-readable export of your conversation history - Format: JSON (compatible with LLM fine-tuning) ### **Restriction** - Temporarily limit processing while disputing accuracy ### **Objection** - Opt-out of non-essential data processing ### **Withdraw Consent** - Disable TTS audio generation in settings (if enabled) --- ## **8. Cookie Policy** **Current Status**: **No tracking cookies** as of January 2026. ### **Essential Cookies** - **Supabase Auth**: Session management (required for login) - Lifespan: 1 year - Purpose: Authentication state - **Cannot be disabled** (essential for service) ### **Future Cookies** If we add analytics in the future: - You will be prompted to accept/reject - We will never sell data to advertisers --- ## **9. Children's Privacy** **Policy**: - Users must be **13+ years old** (COPPA compliance) - If under 18, parental consent is required - We do not knowingly collect data from children under 13 - If discovered, accounts will be terminated and data deleted immediately --- ## **10. Security Measures** - **Encryption**: TLS 1.3 in transit, AES-256 at rest - **Access control**: JWT tokens with 1-hour expiration - **Monitoring**: Automated alerts for suspicious activity - **Penetration testing**: Planned for Q2 2026 - **No passwords stored**: Supabase handles auth securely --- ## **11. Data Breach Notification** If a breach occurs: - **EU users**: Notified within 72 hours - **Other users**: Notified within 14 days - **Method**: Email and in-app notification --- ## **12. Changes to This Policy** We may update this policy as our service evolves: - **Material changes**: Email notification 30 days in advance - **Minor updates**: Posted here with updated date - **Effective date**: Changes take effect immediately unless stated otherwise **Last updated**: January 9, 2026 --- ## **13. Contact & Complaints** **Data Protection Officer**: Emma Rodriguez (founder) **Email**: support@engtutor.ai **Response time**: Within 3 business days **EU Supervisory Authority**: Agencia Española de Protección de Datos (AEPD) C/ Jorge Juan, 6, 28001 Madrid, Spain **Website**: www.aepd.es --- ## **14. Acknowledgment** By using EngTutor, you acknowledge that you have read and understood this policy. Your continued use constitutes acceptance. --- **For autónomo compliance**: This policy satisfies both Spanish LOPD-GDD and GDPR requirements. No physical address is published publicly; business address is available upon lawful request.