Privacy Policy
Last updated: March 31, 2026
This privacy policy explains how Viglot ("we", "us", "our") collects, uses, stores, and protects your personal data when you use our mobile application and website. We are committed to protecting your privacy in accordance with the General Data Protection Regulation (GDPR) and applicable German data protection law.
1. Data Controller
The controller responsible for data processing is:
2. What Data We Collect
2.1 Account Data
When you register, we collect:
- Email address — used for authentication and account recovery
- First name — shown in your profile
- Authentication provider — whether you signed up via email/password, Google, Microsoft, or Apple
Passwords are hashed by our authentication provider and are never stored by us in plain text.
2.2 Profile Data
To personalize your learning experience, we collect:
- Native language, target languages, and selected CEFR difficulty levels
- Learning preferences (exercise type settings, interface language)
During registration, you may optionally provide additional personal details used to personalize AI-generated learning content. This data is provided with your consent and includes:
- Age range and city
- Occupations, pets, and transportation preferences
- Hobbies, sports, and social venues
- Personal interests and dream travel destinations
- Favorite cuisines, movie genres, and music genres
- Learning motivations and free-text custom entries
This personalization data is entirely optional. You may skip these steps during registration, and you can update or remove this information at any time through the app.
2.3 Learning Data
As you use the app, we collect data about your learning activity:
- Exercise performance — scores, attempts, completion status, pronunciation scores
- Voice task performance — goal evaluation results, detected emotions, confidence scores, AI feedback, identified strengths and areas to improve
- Spaced repetition data — review intervals, next review dates, ease factors
- Session data — session start/end times, scenarios completed
- Streak and statistics — daily practice streaks, phrases learned, session counts
- Difficult items — words and phrases you mark for extra practice
- Usage quotas — resource consumption counters per feature (e.g., exercises generated, chat turns used)
2.4 Conversation Data
When you use the AI chat or voice task features:
- Chat messages — text messages exchanged with the AI tutor are stored to maintain conversation context and enable history
- Voice task transcripts — transcriptions of your speech during voice tasks, along with AI evaluation results and feedback
2.5 Audio Data
During speech exercises and voice tasks, audio recordings of your speech are captured by your device and transmitted to third-party AI services for real-time transcription and pronunciation analysis. We do not permanently store your raw audio recordings on our servers. Audio data is processed in real time, and only the resulting transcriptions and scores are retained.
2.6 Device Data
- Device identifier — a randomly generated UUID created on first app installation, used for device-based security measures (preventing account farming). This is not your hardware ID.
- App attestation tokens — device integrity verification tokens used to ensure requests come from a legitimate app installation
2.7 Technical Data
- IP address — used temporarily for rate limiting and abuse prevention; not stored long-term
- API request logs — transient server logs for debugging and security monitoring
2.8 Website Data
Our website (viglot.com) collects minimal data:
- Language preference — stored in your browser's local storage (not a cookie) to remember your selected interface language
We do not use tracking cookies, analytics services, or advertising pixels on our website.
3. How and Why We Use Your Data
3.1 Providing the Service (Art. 6(1)(b) GDPR — Contract Performance)
We process your account, profile, learning, conversation, and audio data to:
- Authenticate you and maintain your account
- Generate AI-powered exercises and content at your CEFR level
- Personalize learning content based on your profile interests and preferences
- Analyze your pronunciation and provide feedback
- Evaluate voice task performance and provide detailed feedback
- Maintain conversation history for contextual AI interactions
- Schedule spaced repetition reviews
- Track your learning progress and statistics
- Enforce usage quotas and manage resource allocation
3.2 Personalization Based on Consent (Art. 6(1)(a) GDPR — Consent)
The optional personal details you provide during registration (such as your interests, hobbies, occupations, and preferences) are processed based on your consent to personalize the topics, scenarios, and vocabulary in your AI-generated learning content.
You can withdraw your consent at any time by removing this data in the app settings. Withdrawal of consent does not affect the lawfulness of processing carried out before the withdrawal. The core learning service continues to function without this personalization data.
3.3 Security and Abuse Prevention (Art. 6(1)(f) GDPR — Legitimate Interests)
We process device identifiers, IP addresses, and attestation tokens to:
- Prevent account farming and credential sharing (device tracking with limits)
- Rate-limit API requests to protect service availability
- Verify that requests come from legitimate app installations
- Detect and block prompt injection attacks against our AI systems
Our legitimate interest is maintaining service security and preventing abuse. Device tracking is limited to a maximum of 1 active device per account and 2 accounts per device.
4. Who We Share Data With
4.1 Cloud Infrastructure and AI Services
We use services provided by Google LLC as our primary cloud infrastructure and AI provider. Google acts as a data processor on our behalf for the following purposes:
- Authentication — managing user accounts, processing email addresses, hashed passwords, and authentication tokens
- AI processing — content generation, speech transcription, pronunciation analysis, AI chat and voice conversations, and audio generation for learning materials
- Storage — hosting generated media files and application data
Text prompts, audio recordings, and conversation data are sent to Google's services for processing. Google LLC is headquartered in the United States.
4.2 Additional AI Service Providers
We use additional third-party AI service providers for image generation to create visual learning materials. These providers process text prompts describing educational scenes but do not receive your personal data, conversation history, or audio recordings.
4.3 No Sale of Data
We do not sell, rent, or trade your personal data to any third party. We do not share data with advertisers.
5. International Data Transfers
Your data is primarily processed on cloud infrastructure operated by Google LLC. While we use European regions where available, some processing (particularly AI services) may involve data transfer to the United States. Additional AI service providers used for media generation may also process data outside the European Economic Area.
Google LLC is certified under the EU-US Data Privacy Framework (DPF), which provides adequate safeguards for the transfer of personal data from the EU to the US in accordance with Art. 45 GDPR. Where other service providers are not certified under the DPF, we rely on Standard Contractual Clauses (SCCs) approved by the European Commission as the transfer safeguard in accordance with Art. 46(2)(c) GDPR. For more information on the DPF, see the Data Privacy Framework website.
6. How Long We Store Your Data
- Account and profile data — retained until you delete your account
- Learning data (exercise metrics) — automatically deleted after 90 days
- Spaced repetition data — retained until you delete your account (required for the SRS system to function)
- Conversation history — automatically deleted after 90 days of inactivity, or when you explicitly clear it, or when you delete your account
- Voice task attempts — retained until you delete your account
- User statistics and learning progress — retained until you delete your account
- Usage quota counters — automatically deleted after 90 days
- Generated learning materials — images and audio created for exercises are retained to provide the learning service and avoid regeneration; these materials contain educational content, not personal data
- Device identifiers — automatically expire after 90 days of inactivity
- Audio recordings — not stored; processed in real time and discarded
- IP addresses and rate limiting data — stored temporarily (minutes to hours) and automatically purged
- API logs — retained for a limited debugging period, then automatically deleted
When you delete your account, your personal data is permanently deleted from our systems. Courses you created are anonymized (your user identifier is removed) but the learning content may be retained.
7. Your Rights Under GDPR
As a data subject, you have the following rights:
- Right of access (Art. 15 GDPR) — you can request a copy of your personal data
- Right to rectification (Art. 16 GDPR) — you can request correction of inaccurate data
- Right to erasure (Art. 17 GDPR) — you can request deletion of your data ("right to be forgotten")
- Right to restriction (Art. 18 GDPR) — you can request that we limit processing of your data
- Right to data portability (Art. 20 GDPR) — you can request your data in a machine-readable format
- Right to object (Art. 21 GDPR) — you can object to processing based on legitimate interests
- Right to withdraw consent (Art. 7(3) GDPR) — where processing is based on consent, you can withdraw it at any time without affecting the lawfulness of prior processing
To exercise any of these rights, contact us at info@viglot.com. We will respond within 30 days.
You also have the right to delete your account directly within the app (Settings → Delete Account), which initiates erasure of your personal data.
8. Right to Lodge a Complaint
If you believe that our processing of your personal data violates data protection law, you have the right to lodge a complaint with a supervisory authority. The competent authority for our location is:
Friedrichstr. 219
10969 Berlin, Germany
www.datenschutz-berlin.de
9. Data Security
We implement appropriate technical and organizational measures to protect your personal data, including:
- Encrypted data transmission (TLS/HTTPS) for all communications
- Token-based authentication with signed tokens validated on every request
- Server-side header sanitization to prevent identity spoofing
- Rate limiting and device attestation to prevent automated abuse
- Prompt injection defenses to protect AI systems from misuse
- Cloud infrastructure with enterprise-grade security
10. AI and Automated Processing
Viglot uses artificial intelligence to generate learning content, evaluate pronunciation, and assess voice task performance. We want to be transparent about how AI processes your data:
- Content generation — AI generates exercises, vocabulary, and scenarios tailored to your language level. If you provided optional profile data, it also influences the topics and scenarios generated.
- Speech analysis — AI transcribes your spoken audio and evaluates pronunciation accuracy on a word-by-word basis.
- Voice task evaluation — AI assesses your performance in voice tasks, including goal completion and emotional engagement, and provides detailed feedback with strengths and areas to improve.
These AI outputs are learning aids — they produce scores, feedback, and content recommendations to support your learning. They do not constitute automated decision-making that produces legal or similarly significant effects within the meaning of Art. 22 GDPR. Your profile data influences the topics generated but does not result in profiling that affects your access to the service or its features.
If you have concerns about any AI-generated evaluation or feedback, you can contact us at info@viglot.com to request a human review.
11. Children's Privacy
Viglot is not directed at children under the age of 16. We do not knowingly collect personal data from children under 16. If you believe we have collected data from a child under 16, please contact us at info@viglot.com and we will promptly delete the data.
12. Changes to This Policy
We may update this privacy policy from time to time. When we make material changes, we will notify you through the app or by updating the "Last updated" date at the top of this page. We encourage you to review this policy periodically.
13. Contact
For any questions about this privacy policy or your personal data, contact us at: