SprichstDu — Privacy Policy
Effective date: March 25, 2026
This privacy policy explains how SprichstDu ("we", "us", "the Service") collects, uses, and protects your personal data when you use our website and email service. We are committed to protecting your privacy in accordance with the EU General Data Protection Regulation (GDPR) and applicable German data protection law.
1. Data Controller
Pedro Laplaza
Email: hallo@sprichstdu.de
If you have any questions about data protection, you can contact us at the address above.
2. What Data We Collect
When you register for and use SprichstDu, we collect the following personal data:
Account data: email address, password (hashed, never stored in plain text), native language selection, German proficiency level (A1–B2), preferred delivery time (morning or afternoon).
Learning data: current progress (week and day), module completion status, vocabulary review history.
Email engagement data: whether you opened a lesson email (tracked via Resend webhook), timestamp of opens.
Feedback data: your optional one-tap feedback responses ("Used it" / "Got it" / "Too hard"), collected via HMAC-signed tokens without requiring login.
Technical data: IP address and browser information collected automatically by our hosting provider during website visits.
3. Legal Basis for Processing
We process your data on the following legal bases under Article 6 GDPR:
Contract performance (Art. 6(1)(b)): processing your account data and delivering lesson emails is necessary to provide the Service you signed up for.
Legitimate interest (Art. 6(1)(f)): collecting email open data and feedback to improve lesson quality and the overall service. You can opt out of feedback at any time by simply not tapping the feedback buttons.
Consent (Art. 6(1)(a)): where applicable, for any processing that goes beyond what is strictly necessary for the Service. You can withdraw consent at any time.
4. How We Use Your Data
We use your data to: deliver your daily lesson emails at the time and level you selected; display your learning progress and vocabulary history on your dashboard; improve lesson content based on aggregated feedback; send you essential service communications (welcome email, level completion, important updates); and ensure the security and proper functioning of the Service.
We do not use your data for advertising, profiling, or automated decision-making. We do not sell or rent your personal data to third parties.
5. Third-Party Services
We use the following third-party services to operate SprichstDu. Each has been selected with data protection in mind:
Supabase (database and authentication): stores your account data, learning progress, and content. Data is hosted in the EU region. Supabase acts as a data processor under a Data Processing Agreement.
Resend (email delivery): sends your daily lesson emails and service emails. Resend processes your email address and provides email open tracking via webhooks. Resend is US-based but maintains GDPR-compliant data processing practices.
Vercel (hosting and cron jobs): hosts the SprichstDu website and runs scheduled email delivery. Vercel processes technical data (IP addresses) during website visits. Vercel uses EU edge locations where available.
We do not use any third-party analytics, advertising, or tracking services beyond the above.
6. Data Retention
We retain your personal data for as long as your account is active. If you delete your account via the Settings page, your login session is ended and email delivery is stopped immediately. To request complete deletion of all stored data, contact us at hallo@sprichstdu.de. We will process deletion requests within 30 days.
Feedback data is stored with a signed token that expires after 7 days. Aggregated, anonymized feedback may be retained indefinitely for service improvement.
7. Your Rights Under GDPR
Under the GDPR, you have the following rights regarding your personal data:
Right of access (Art. 15): you can request a copy of all personal data we hold about you.
Right to rectification (Art. 16): you can correct inaccurate data via your Settings page or by contacting us.
Right to erasure (Art. 17): you can request deletion of your personal data by contacting us at hallo@sprichstdu.de.
Right to data portability (Art. 20): you can request your data in a structured, machine-readable format.
Right to restrict processing (Art. 18): you can request that we limit how we process your data.
Right to object (Art. 21): you can object to processing based on legitimate interest at any time.
Right to withdraw consent (Art. 7): where processing is based on consent, you can withdraw it at any time without affecting the lawfulness of prior processing.
To exercise any of these rights, email us at hallo@sprichstdu.de. We will respond within 30 days. If you believe your data protection rights have been violated, you have the right to lodge a complaint with a supervisory authority, in particular in the EU member state of your habitual residence or place of work.
8. Data Security
We take appropriate technical and organizational measures to protect your data, including: password hashing (passwords are never stored in plain text), Row-Level Security on all database tables ensuring users can only access their own data, HMAC-SHA256 signed tokens for no-login feedback to prevent tampering, HTTPS encryption for all data in transit, and access controls limiting who can access production systems.
9. International Data Transfers
Your data is primarily stored in the EU (Supabase EU region). Some processing occurs through US-based services (Resend, Vercel). These transfers are safeguarded through Standard Contractual Clauses (SCCs) and the providers' GDPR compliance commitments. We only use providers that maintain adequate data protection standards.
10. Cookies and Tracking
The SprichstDu website uses only essential cookies required for authentication and session management (via Supabase Auth). We do not use any marketing, analytics, or third-party tracking cookies. No cookie consent banner is required for strictly necessary cookies under GDPR.
11. Children's Privacy
SprichstDu is not intended for users under 16 years of age. We do not knowingly collect personal data from children under 16. If we become aware that a user is under 16, we will delete their account and associated data promptly.
12. Changes to This Policy
We may update this privacy policy from time to time to reflect changes in our practices or legal requirements. If we make material changes, we will notify you by email before the changes take effect. The "Last updated" date at the bottom of this page indicates when the policy was most recently revised.
13. Contact
For any questions, concerns, or requests related to your privacy or this policy:
Email: hallo@sprichstdu.de
Website: www.sprichstdu.de
Last updated: March 25, 2026