Privacy Policy

Onelingy ("we," "us," or "our") is committed to protecting your privacy and ensuring the security of your personal information. This Privacy Policy explains how we collect, use, store, share, and protect information about you when you use our language learning platform at onelingy.com (the "Service"). This Privacy Policy applies to all users of Onelingy, including visitors who browse the website without creating an account, free-tier users, and premium subscribers. By accessing or using the Service, you acknowledge that you have read, understood, and agree to the practices described in this Privacy Policy. We operate in compliance with applicable data protection laws, including the General Data Protection Regulation (GDPR) for users in the European Economic Area (EEA), the UK General Data Protection Regulation (UK GDPR) for users in the United Kingdom, and the California Consumer Privacy Act (CCPA) for California residents. If you are located in a jurisdiction with specific data protection requirements, additional provisions may apply to you as described in the relevant sections below. We may update this Privacy Policy from time to time. When we make changes, we will update the "Last updated" date at the top of this page and, where required by law, notify you via email or a notice on the Service.

We collect the following categories of information: INFORMATION YOU PROVIDE DIRECTLY: • Account information: When you register using Google Sign-In, we receive your name, email address, and profile photo from Google. We use this information solely to create and manage your account. • Profile information: You may optionally provide additional profile details such as your display name, country of residence, and learning preferences (native language, target learning language, selected voice). • Communications: If you contact us via email at support@onelingy.com, we collect your email address, name, and the content of your message. INFORMATION COLLECTED AUTOMATICALLY: • Learning data: Your typing accuracy, words per minute (WPM), story completion records, practice session duration, and overall progress statistics. • Usage data: Pages visited, features used, time spent on the Service, and interaction patterns. • Device information: Browser type and version, operating system, screen resolution, and general device type (desktop/mobile). • Session data: IP address (used for security and fraud prevention), approximate geographic location (country/region level, derived from IP address), and session timestamps. • Local storage data: Your app configuration, preferences, and learning progress may be stored in your browser's localStorage for a fast, offline-capable experience. INFORMATION FROM THIRD PARTIES: • Google OAuth: Name, email address, and profile photo as described above. • Gumroad: We receive transaction confirmation data (subscription status, purchase date, order ID) from Gumroad when you subscribe. We do not receive or store your full payment card details.

We use the information we collect for the following purposes: SERVICE DELIVERY: • To create and maintain your user account. • To provide personalized language learning content based on your language preferences and skill level. • To display your progress, statistics, and achievements within the Service. • To enable text-to-speech functionality in your selected language. • To manage your subscription status and provide access to premium features. SERVICE IMPROVEMENT: • To analyze usage patterns and understand how users interact with the Service. • To identify and fix technical issues, bugs, or performance problems. • To develop new features, stories, and learning tools based on user behavior. • To test and optimize the Service's interface and user experience. COMMUNICATION: • To send account-related emails such as welcome messages, subscription confirmations, and billing notifications. • To respond to your support inquiries and customer service requests. • To notify you of important changes to the Service, these Terms, or this Privacy Policy. • We do not send unsolicited marketing emails. You will only receive transactional emails related to your account and subscription. LEGAL & SECURITY: • To prevent fraud, abuse, and unauthorized access to the Service. • To comply with applicable laws, regulations, and legal processes. • To enforce our Terms of Service and protect the rights, property, or safety of Onelingy, our users, and the public. We process your personal data based on the following legal grounds: (a) performance of a contract (to provide the Service you requested); (b) legitimate interests (to improve the Service and prevent fraud); (c) legal obligation (to comply with applicable laws); and (d) consent (where you have given explicit consent, such as for optional data collection).

LOCAL STORAGE: The majority of your learning data — including your configuration, preferences, daily goals, streak counts, and session statistics — is stored directly in your browser's localStorage on your device. This data remains on your device and is not transmitted to our servers. If you clear your browser's localStorage or use a different browser or device, this local data will be lost. SERVER-SIDE STORAGE: Account data linked to your Google Sign-In (name, email, profile photo, and subscription status) is stored on our secure servers hosted via Vercel's infrastructure. Vercel employs industry-standard security measures including TLS encryption in transit and AES-256 encryption at rest. SECURITY MEASURES: We implement a variety of technical and organizational measures to protect your personal information from unauthorized access, disclosure, alteration, or destruction, including: • Transport Layer Security (TLS/HTTPS) encryption for all data transmitted between your browser and our servers. • Secure authentication via Google OAuth 2.0 — we never store your Google password. • Access controls limiting who within our team can access user data. • Regular security reviews and vulnerability assessments. • No storage of payment card information on our servers. Despite our best efforts, no method of internet transmission or electronic storage is 100% secure. While we strive to protect your personal data, we cannot guarantee absolute security. In the event of a data breach that affects your rights and freedoms, we will notify you and relevant authorities as required by applicable law.

We do not collect, process, or store any credit card numbers, bank account details, or other full payment card information on our servers. All payment transactions for Onelingy premium subscriptions are handled exclusively by Gumroad, our third-party payment processor. When you subscribe to Onelingy Premium, you are directed to Gumroad's secure checkout, which operates under Gumroad's own privacy policy and PCI DSS (Payment Card Industry Data Security Standard) compliance. Gumroad is the merchant of record for all Onelingy transactions. The information we receive from Gumroad is limited to: • Your subscription status (active, cancelled, expired). • The date of your purchase or renewal. • Your Gumroad order or license key (used to verify premium access). • The email address associated with your Gumroad account (to match with your Onelingy account). We do not receive or store your full card number, CVV, expiry date, or billing address from Gumroad. For questions about how Gumroad handles your payment data, please review Gumroad's Privacy Policy at gumroad.com/privacy.

Onelingy uses Google Sign-In (OAuth 2.0) as its authentication method. When you click "Sign in with Google," you are redirected to Google's authentication flow. We request only the minimum permissions necessary: • Your Google account email address (used as your unique identifier). • Your Google display name (used as your profile name on Onelingy). • Your Google profile photo URL (used as your avatar on Onelingy). We do NOT request access to: • Your Google Drive, Gmail, Calendar, Contacts, or any other Google services. • Your Google search history or activity. • Any Google account data beyond what is listed above. When you sign in, Google sends us a JWT (JSON Web Token) containing your basic profile information. We decode this token to authenticate your session. We do not store your Google password and we cannot access your Google account on your behalf. You can revoke Onelingy's access to your Google account at any time through your Google Account security settings at myaccount.google.com/permissions. Revoking access will sign you out of Onelingy but will not delete your Onelingy account or data — contact support@onelingy.com if you wish to delete your account.

COOKIES: Onelingy uses a minimal number of cookies strictly necessary for the operation of the Service. We do not use advertising cookies, tracking cookies, or behavioral profiling cookies. The cookies we use are: • Authentication session cookies: Used to maintain your login session so you do not need to sign in on every visit. These expire when you sign out or after a period of inactivity. • Security cookies: Used to prevent cross-site request forgery (CSRF) attacks. We do not use cookies from Facebook, Google Analytics, advertising networks, or other third-party trackers. LOCAL STORAGE: We make extensive use of your browser's localStorage to store your learning preferences, progress data, and app configuration locally on your device. This allows the app to function quickly and even partially offline. The data stored locally includes your theme preference, selected languages, voice settings, typing statistics, streak data, and daily goal configuration. You can clear all locally stored data at any time by clearing your browser's site data for onelingy.com in your browser settings. This will reset your local progress and preferences but will not affect your account data. DO NOT TRACK: We respect "Do Not Track" (DNT) browser signals. When DNT is enabled, we do not collect any additional analytics beyond what is necessary for the Service to function.

Onelingy integrates with the following third-party services to deliver its features: GOOGLE OAUTH (Google LLC): Used for user authentication. Subject to Google's Privacy Policy (policies.google.com/privacy). Google may log authentication events as per their own practices. GUMROAD (Gumroad, Inc.): Used for payment processing and subscription management. Subject to Gumroad's Privacy Policy (gumroad.com/privacy). We do not share your personal data with Gumroad beyond what is necessary to process your subscription. WEB SPEECH API: A browser-native API used for text-to-speech functionality. No personal data is transmitted when using Web Speech API voices; audio synthesis happens locally in your browser. GOOGLE TRANSLATE TTS (proxied): Used as a fallback for cloud-based voice synthesis. Requests to this service are proxied through our own API endpoint (/api/tts) and do not include personally identifiable information — only the text content to be spoken and the language code. FLAGCDN (RocketBrothers): Used to display country flag images. Flag images are loaded as static assets and do not transmit any personal data. VERCEL (Vercel Inc.): Our hosting provider. Vercel processes server logs which may include IP addresses and request metadata. Vercel is GDPR-compliant. For more information, see Vercel's Privacy Policy at vercel.com/legal/privacy-policy. We do not sell, rent, or otherwise share your personal information with any third-party companies for marketing or advertising purposes.

We retain your personal data only for as long as necessary to fulfil the purposes described in this Privacy Policy or as required by applicable law. ACCOUNT DATA: We retain your account information (name, email, subscription status) for as long as your account is active. If you request account deletion, we will delete your account data within 30 days, subject to any legal obligations to retain certain records. LEARNING DATA: Data stored in your browser's localStorage is retained on your device until you clear it or until you uninstall your browser. Server-side learning data associated with your account is retained as long as your account is active. PAYMENT RECORDS: Transaction records related to your subscription are retained for up to 7 years as required for accounting and tax compliance. This data is primarily held by Gumroad as the payment processor. SUPPORT COMMUNICATIONS: If you contact our support team, we retain your communications for up to 2 years to assist with ongoing support issues and for quality assurance. ANONYMOUS ANALYTICS: Anonymized, aggregated usage data that cannot be linked to an individual user may be retained indefinitely for the purpose of service improvement and analytics. After the applicable retention period, we securely delete or anonymize your personal data. If you would like to request earlier deletion, please contact support@onelingy.com.

Depending on your location and applicable data protection law, you may have the following rights regarding your personal data: RIGHT OF ACCESS: You have the right to request a copy of the personal data we hold about you. We will provide this information within 30 days of your request. RIGHT TO RECTIFICATION: You have the right to request correction of any inaccurate or incomplete personal data we hold about you. You can update your display name and profile directly within the app. RIGHT TO ERASURE ("RIGHT TO BE FORGOTTEN"): You have the right to request deletion of your personal data. Upon a verified request, we will delete your account and associated data within 30 days, unless we are required by law to retain certain records. RIGHT TO RESTRICT PROCESSING: In certain circumstances, you have the right to request that we limit the processing of your personal data. RIGHT TO DATA PORTABILITY: You have the right to receive your personal data in a structured, machine-readable format and to transfer it to another service provider. RIGHT TO OBJECT: You have the right to object to the processing of your personal data for legitimate interests or for direct marketing purposes. RIGHT TO WITHDRAW CONSENT: Where processing is based on consent, you have the right to withdraw consent at any time without affecting the lawfulness of processing prior to withdrawal. CALIFORNIA RESIDENTS (CCPA): California residents have additional rights under the CCPA, including the right to know what personal information is collected and shared, the right to opt out of the sale of personal information (we do not sell personal information), and the right to non-discrimination for exercising CCPA rights. To exercise any of these rights, contact us at support@onelingy.com. We will respond to your request within 30 days. We may ask you to verify your identity before processing your request.

Onelingy is operated from servers hosted by Vercel, which may process data in the United States and other countries. If you are located in the European Economic Area (EEA), United Kingdom, or Switzerland, your personal data may be transferred to countries outside your jurisdiction that may have different data protection laws. When we transfer personal data from the EEA or UK to third countries, we ensure appropriate safeguards are in place, such as: • Standard Contractual Clauses (SCCs) approved by the European Commission. • Adequacy decisions where applicable. • Binding Corporate Rules or equivalent frameworks. By using Onelingy, you acknowledge and agree that your personal data may be transferred to and processed in countries outside your country of residence, including the United States, in accordance with this Privacy Policy. If you have questions about international data transfers or wish to obtain a copy of the safeguards we have put in place, please contact us at support@onelingy.com.

Onelingy is not directed to children under the age of 13 ("children"). We do not knowingly collect personal information from children under 13. If you are under 13, please do not use the Service or provide any personal information to us. If you are between 13 and 18 years old, you may use Onelingy only with the knowledge and consent of a parent or legal guardian. If we become aware that we have inadvertently collected personal information from a child under 13 without verifiable parental consent, we will take immediate steps to delete that information from our servers. If you are a parent or guardian and believe that your child under 13 has provided us with personal information, please contact us immediately at support@onelingy.com. We do not knowingly sell or share the personal information of minors.

In the unlikely event of a data security breach that compromises your personal information, we will notify you and relevant data protection authorities as required by applicable law. If a breach is likely to result in a high risk to your rights and freedoms, we will notify you directly by email to the address associated with your account as soon as reasonably practicable, and no later than 72 hours after we become aware of the breach (where required by GDPR). Our breach notification will include: a description of the nature of the breach; the categories and approximate number of individuals affected; the likely consequences of the breach; and the measures taken or proposed to address the breach and mitigate its possible adverse effects. We maintain an incident response plan and conduct regular security audits to minimize the risk of data breaches.

We may update this Privacy Policy from time to time to reflect changes in our practices, the Service, or applicable legal requirements. When we make changes, we will update the "Last updated" date at the top of this page. For significant changes that materially affect your rights or how we use your personal data, we will notify you by sending an email to the address associated with your account at least 14 days before the change takes effect, or by displaying a prominent notice on the Service. Your continued use of Onelingy after the effective date of the updated Privacy Policy constitutes your acceptance of the changes. If you do not agree to the updated Privacy Policy, you must discontinue use of the Service and request account deletion if desired. We encourage you to review this Privacy Policy periodically to stay informed about how we protect your information.

If you have any questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us: Email: support@onelingy.com Website: onelingy.com Response Time: We aim to respond to all privacy-related inquiries within 5 business days. For formal privacy requests (data access, deletion, correction, portability), please email support@onelingy.com with the subject line "Privacy Request" and include your account email address so we can locate your data. If you are located in the EEA and are not satisfied with our response, you have the right to lodge a complaint with your local data protection authority (supervisory authority). A list of EEA supervisory authorities is available at edpb.europa.eu.