Privacy Policy

Last updated: June 1, 2026

This privacy policy explains how Viglot ("we", "us", "our") collects, uses, stores, and protects your personal data when you use our mobile application and website. We are committed to protecting your privacy in accordance with the General Data Protection Regulation (GDPR) and applicable German data protection law.

1. Data Controller

The controller responsible for data processing is:

2. What Data We Collect

2.1 Account Data

When you register, we collect:

• Email address — used for authentication and account recovery
• First name — shown in your profile
• Authentication provider — whether you signed up via email/password, Google, or Apple

Passwords are hashed by our authentication provider and are never stored by us in plain text.

2.2 Profile Data

To personalize your learning experience, we collect:

• Native language, target languages, and selected CEFR difficulty levels
• Learning preferences (exercise type settings, interface language)

During registration, you may optionally provide additional personal details used to personalize AI-generated learning content. This data is provided with your consent and includes:

• Age range and city
• Occupations, pets, and transportation preferences
• Hobbies, sports, and social venues
• Personal interests and dream travel destinations
• Favorite cuisines, movie genres, and music genres
• Learning motivations and free-text custom entries

This personalization data is entirely optional. You may skip these steps during registration, and you can update or remove this information at any time through the app.

2.3 Learning Data

As you use the app, we collect data about your learning activity:

• Exercise performance — scores, attempts, completion status, pronunciation scores
• Voice task performance — goal evaluation results, confidence scores, AI feedback, identified strengths and areas to improve, and a basic engagement indicator inferred from interaction patterns (such as response timing and message length, not from your voice or tone)
• Spaced repetition data — review intervals, next review dates, ease factors
• Session data — session start/end times, scenarios completed
• Streak and statistics — daily practice streaks, phrases learned, session counts
• Difficult items — words and phrases you mark for extra practice
• Usage quotas — resource consumption counters per feature (e.g., exercises generated, voice and speaking-task attempts)

2.4 Conversation Data

When you use our conversation-based and speaking exercises:

• Conversation exercise messages — in interactive text exercises (such as our "Make Yourself Understood" exercise), the messages you type and the AI's replies are stored as the conversation record, together with the AI's evaluation and feedback
• Voice task results — the AI's evaluation of your spoken voice tasks (goal completion, feedback, strengths and areas to improve, and short snippets derived from what you said)

2.5 Audio Data

During speech exercises and voice tasks, audio recordings of your speech are captured by your device and transmitted to Google's AI services for real-time transcription and pronunciation analysis. For pronunciation and short spoken-answer exercises, the audio passes through our servers in memory only (it is never written to disk or storage). For real-time voice conversation tasks, your microphone audio streams directly from your device to Google and does not pass through our servers at all. We do not permanently store your raw audio recordings. Audio is processed in real time and only the resulting transcriptions and scores are retained.

2.6 Device Data

• Device identifier — a randomly generated UUID created on first app installation, used for device-based security measures (preventing account farming). This is not your hardware ID.
• Installation identifier — a pseudonymous identifier provided by Firebase Installations that is unique to your app installation. We use it only as an input to an irreversible one-way hash for trial abuse prevention (see section 3.5). We never store the identifier itself.
• App attestation tokens — device integrity verification tokens used to ensure requests come from a legitimate app installation

2.7 Technical Data

• IP address — used temporarily for rate limiting and abuse prevention; not stored long-term
• API request logs — transient server logs for debugging and security monitoring
• Crash and error diagnostics — when the app crashes or encounters an unexpected error, we collect a pseudonymous crash report (stack trace, device model, OS version, app version, installation-scoped identifier). This is not linked to your account. You can disable this at any time via Settings → App Settings → Crash Reporting.

2.8 In-App Usage Statistics

To understand how the app is used and to improve it, we collect anonymized usage events such as: which screens are opened, how long sessions last, which learning features are used, and whether sign-up or subscription flows complete. These events do not include your name, email address, payment details, or the content you type into the app.

Usage statistics are processed only with your consent where consent is required under applicable law (for users in the European Economic Area). You will be asked on first launch of the app and can change your choice any time via Settings → App Settings. The legal basis is consent (Art. 6(1)(a) GDPR). Withdrawal of consent does not affect the lawfulness of processing carried out before withdrawal. For information about the processor and international transfers, see section 4.

2.9 Push Notifications

If you enable push notifications, we store a device-specific push notification identifier (provided by your operating system) alongside your account and your interface language so we can send review reminders and service-related messages to the correct device in your preferred language. To deliver these messages, the identifier and message content pass through a third-party mobile-platform provider (based in the United States) whose push-relay service forwards them to Apple's and Google's push systems for delivery to your device; this provider also delivers over-the-air app updates. The identifier is rotated by your operating system from time to time; we delete it when you log out, uninstall the app, or disable notifications in Settings, and in any case it automatically expires 180 days after the device was last seen (see section 5 for transfers and section 6 for retention).

The legal basis is contract performance (Art. 6(1)(b) GDPR) for transactional notifications you have opted in to. You can disable push notifications at any time via the in-app Settings or in your device's operating system settings.

2.10 Website Data

Our website (viglot.com) uses only the data listed below. We do not use any advertising cookies, tracking pixels, social-media plugins, heatmap tools, or fingerprinting.

Strictly necessary storage (no consent required)

• Language preference (viglot-language) — stored in your browser's local storage to remember the interface language you selected.
• Consent choice (viglot-consent) — stored in your browser's local storage to remember whether you accepted or rejected analytics so we do not ask you again on every page load. Retained until you clear your browser storage.

Analytics (only with your consent — Art. 6(1)(a) GDPR, § 25 TTDSG)

If — and only if — you click "Accept" on the cookie banner, we load Google Analytics 4 (GA4) to collect aggregated statistics about how visitors use the site (page views, referrer, approximate country derived from IP, device type). Until you consent, no Google Analytics script is requested from Google's servers, no GA cookies are set, and no data is sent to Google.

When consent is given, GA4 sets two first-party cookies:

• _ga — distinguishes unique visitors (lifetime: up to 13 months)
• _ga_YKJWCCSQ3Y — session state for our GA property (lifetime: up to 13 months)

We operate GA4 with Google Consent Mode v2 and with advertising features disabled: ad_storage, ad_user_data, and ad_personalization are always denied. No advertising cookies are set, no advertising pixels are used, and Google may not use the data for its own advertising purposes. Google LLC acts as our data processor; data may be transferred to the United States under the EU-US Data Privacy Framework (see section 5).

You can withdraw your consent at any time by clicking "Manage cookie preferences" in the footer of any page and selecting "Reject". This will stop further analytics collection in your browser. To delete previously stored GA cookies, clear your browser's cookies for viglot.com.

3. How and Why We Use Your Data

3.1 Providing the Service (Art. 6(1)(b) GDPR — Contract Performance)

We process your account, profile, learning, conversation, and audio data to:

• Authenticate you and maintain your account
• Generate AI-powered exercises and content at your CEFR level
• Personalize learning content based on your profile interests and preferences
• Analyze your pronunciation and provide feedback
• Evaluate voice task performance and provide detailed feedback
• Run interactive speaking and conversation-practice exercises and store their evaluation results (such as resolution of practice dialogues, scores, and feedback) so you can review your progress
• Schedule spaced repetition reviews
• Track your learning progress and statistics
• Enforce usage quotas and manage resource allocation

3.2 Personalization Based on Consent (Art. 6(1)(a) GDPR — Consent)

The optional personal details you provide during registration (such as your interests, hobbies, occupations, and preferences) are processed based on your consent to personalize the topics, scenarios, and vocabulary in your AI-generated learning content. Some of these optional fields may reveal special categories of data within the meaning of Art. 9(1) GDPR (for example interests that allude to religious, political, or ethnic associations). Where you choose to provide such details, you give your explicit consent to their processing for this personalization purpose under Art. 9(2)(a) GDPR. Providing these details is entirely voluntary and the core learning service works without them.

You can withdraw your consent at any time by removing this data in the app settings. Withdrawal of consent does not affect the lawfulness of processing carried out before the withdrawal. The core learning service continues to function without this personalization data.

3.3 Security and Abuse Prevention (Art. 6(1)(f) GDPR — Legitimate Interests)

We process device identifiers, IP addresses, and attestation tokens to:

• Prevent account farming and credential sharing (device tracking with limits)
• Rate-limit API requests to protect service availability
• Verify that requests come from legitimate app installations

We additionally screen the text you submit to our AI features for malicious instructions ("prompt injection") in order to keep those systems secure and functioning as intended.

Our legitimate interest is maintaining service security and preventing abuse. Device tracking is limited to a maximum of 1 active device per account and 2 accounts per device.

3.4 Crash and Error Diagnostics (Art. 6(1)(f) GDPR — Legitimate Interests)

We process the pseudonymous crash and error reports described in section 2.7 to detect, diagnose, and fix stability and security problems in the app. Our legitimate interest is keeping the app reliable and secure. The reports are tied only to an installation-scoped identifier, not to your account, and you can switch this off at any time via Settings → App Settings → Crash Reporting (Art. 21 GDPR right to object). For information about the processor and international transfers, see sections 4 and 5.

3.5 Trial Abuse Prevention (Art. 6(1)(f) GDPR — Legitimate Interests)

When you start a free premium trial, we record that a trial has been claimed on your device. This prevents a single device from repeatedly obtaining free trials by creating and deleting accounts.

What we process

• A one-way cryptographic hash (SHA-256) derived from your device's installation identifier combined with a server-side secret. The original identifier cannot be recovered from this hash.
• The date on which the trial was claimed.

We do not store your device identifier itself, nor any information that identifies you personally in this record.

Legal basis. We process this data on the basis of our legitimate interest in preventing fraudulent abuse of our free trial offer (Art. 6(1)(f) GDPR, Recital 47). We have documented a balancing test which concluded that this processing does not override your fundamental rights and freedoms, because the data is pseudonymous, minimal, and retained for a limited period.

Retention. The record is automatically deleted 365 days after the trial was claimed.

Retention after account deletion. When you delete your Viglot account, we delete your personal data immediately. The trial-claim record is an exception: it is retained until the 365-day period ends, so that the trial cannot be re-claimed on the same device through repeated account creation. After this period, the record is deleted automatically. This carve-out is based on Art. 17(3)(e) GDPR.

Your rights. The rights listed in section 7 apply. In particular:

• Right to object (Art. 21 GDPR): you may object to this processing at any time by contacting info@viglot.com. We will weigh your objection against our legitimate interest in fraud prevention and respond within one month.
• Right to erasure (Art. 17 GDPR): in accordance with Art. 17(3)(e) GDPR, we may retain the record until the end of the retention period where necessary for fraud prevention and the establishment, exercise, or defence of legal claims.

4. Who We Share Data With

4.1 Cloud Infrastructure and AI Services

We use services provided by Google LLC as our primary cloud infrastructure and AI provider. Google acts as a data processor on our behalf for the following purposes:

• Authentication — managing user accounts, processing email addresses, hashed passwords, and authentication tokens
• AI processing — content generation, speech transcription, pronunciation analysis, evaluation of voice and text-based practice exercises, and audio generation for learning materials
• Storage — hosting generated media files and application data
• Crash and error diagnostics — receiving the pseudonymous crash reports described in section 2.7 (legal basis: legitimate interest, Art. 6(1)(f) GDPR; opt-out via Settings)
• Device integrity, configuration, and installation identifiers — verifying app attestation, delivering remote configuration, and providing the installation identifier described in section 2.6

Text prompts, audio recordings, and conversation data are sent to Google's services for processing. Google LLC is headquartered in the United States.

4.2 Additional AI Service Providers

We use additional third-party AI service providers (based in the United States) for image generation to create visual learning materials. These providers receive only the text prompts that describe the scene to be illustrated. They do not receive your account identifiers, conversation history, or audio recordings. Because a prompt can be derived from learning content you generated, it may occasionally reflect details you supplied; we minimise this and do not send direct identifiers. International transfers to these providers are covered in section 5.

4.3 Subscription and Purchase Management

We use a third-party subscription-management provider to verify and track your subscription and free-trial status across the Apple App Store and Google Play. This provider receives only your pseudonymous account identifier and your entitlement status (whether you have an active subscription or trial). It does not receive your name, email address, or payment-card details. The actual payment is processed by the Apple App Store or Google Play, who act as the merchants of record and hold your billing details; we never receive or store your card data. This provider is based in the United States (see section 5).

4.4 Email Delivery (Website)

If you submit your email address through a sign-up or waitlist form on our website, we use a third-party transactional-email provider (based in the United States) to send you the resulting confirmation email and to notify us of the request. This provider receives the email address you submitted and the message content for the sole purpose of delivering these emails. International transfers are covered in section 5.

4.5 No Sale of Data

We do not sell, rent, or trade your personal data to any third party. We do not share data with advertisers.

5. International Data Transfers

We host the core of your data — your account, profile, learning data, and our main AI content generation and storage — on cloud infrastructure located in the European Union. However, a number of services we rely on process data in the United States, including: authentication; crash and error diagnostics; device-integrity, configuration, and installation services; certain AI text-processing features; subscription and purchase management; push-notification delivery and over-the-air app updates; and image generation. Where these services run in the United States, your data is transferred there.

For transfers to the United States we rely on the following safeguards (Art. 44 et seq. GDPR):

• Our cloud infrastructure and AI provider is certified under the EU-US Data Privacy Framework (DPF), an adequacy decision under Art. 45 GDPR.
• For recipients that are not certified under the DPF, we rely on Standard Contractual Clauses approved by the European Commission (Art. 46(2)(c) GDPR), supplemented by additional safeguards where appropriate.

You can request a copy of the relevant safeguards by contacting us at info@viglot.com. For more information on the DPF, see the Data Privacy Framework website.

6. How Long We Store Your Data

• Account and profile data — retained until you delete your account
• Learning data (exercise metrics) — automatically deleted after 90 days
• Spaced repetition data — retained until you delete your account (required for the SRS system to function)
• Conversation history — automatically deleted after 90 days of inactivity, or when you explicitly clear it, or when you delete your account
• Voice task attempts — retained until you delete your account
• User statistics and learning progress — retained until you delete your account
• Usage quota counters — automatically deleted after 90 days
• Generated learning materials — images and audio created for exercises are retained to provide the learning service and avoid regeneration; these materials contain educational content, not personal data
• Device identifiers — automatically expire after 90 days of inactivity
• Push notification identifiers — automatically expire 180 days after the device was last seen; also deleted when you log out, disable notifications, or delete your account
• Trial-claim hash — automatically deleted 365 days after the trial was claimed (see section 3.5); retained beyond account deletion under Art. 17(3)(e) GDPR for fraud prevention
• Audio recordings — not stored; processed in real-time and discarded
• IP addresses and rate limiting data — stored temporarily (minutes to hours) and automatically purged
• API logs — retained for a limited debugging period, then automatically deleted

When you delete your account, we delete your personal data from our systems: your profile, learning progress, conversation history, device records, push notification identifiers, and account-linked statistics. This deletion is carried out across several separate systems; in the rare event that a system is temporarily unavailable, any remaining records are removed by their automatic retention limits, so that no record is kept longer than the periods listed above. Courses and scenarios you created in the app are not deleted but are de-linked from your account (your user identifier is removed) and retained so the generated learning content can continue to serve as a reusable resource. We rely on our legitimate interest (Art. 6(1)(f) GDPR) for retaining this de-identified content; where a generated phrase may still reflect optional personalization details you provided, we treat such residual data as covered by this retention.

The trial-claim hash described in section 3.5 is a separate exception: it is retained for up to 365 days after the trial was claimed even if you delete your account in the meantime, to prevent the trial from being re-claimed on the same device through repeated account creation. This carve-out is based on Art. 17(3)(e) GDPR.

7. Your Rights Under GDPR

As a data subject, you have the following rights:

• Right of access (Art. 15 GDPR) — you can request a complete copy of your personal data. The in-app data export covers most categories; to receive a full copy including all stored conversation and voice-task records, contact us at info@viglot.com and we will provide the complete export.
• Right to rectification (Art. 16 GDPR) — you can request correction of inaccurate data
• Right to erasure (Art. 17 GDPR) — you can request deletion of your data ("right to be forgotten")
• Right to restriction (Art. 18 GDPR) — you can request that we limit processing of your data
• Right to data portability (Art. 20 GDPR) — you can request your data in a machine-readable format
• Right to object (Art. 21 GDPR) — you can object to processing based on legitimate interests
• Right to withdraw consent (Art. 7(3) GDPR) — where processing is based on consent, you can withdraw it at any time without affecting the lawfulness of prior processing

To exercise any of these rights, contact us at info@viglot.com. We will respond within 30 days.

You also have the right to delete your account directly within the app (Settings → Delete Account), which initiates erasure of your personal data.

8. Right to Lodge a Complaint

If you believe that our processing of your personal data violates data protection law, you have the right to lodge a complaint with a supervisory authority. The competent authority for our location is:

9. Data Security

We implement appropriate technical and organizational measures to protect your personal data, including:

• Encrypted data transmission (TLS/HTTPS) for all communications
• Token-based authentication with signed tokens validated on every request
• Server-side header sanitization to prevent identity spoofing
• Rate limiting and device attestation to prevent automated abuse
• Prompt injection defenses to protect AI systems from misuse
• Cloud infrastructure with enterprise-grade security

10. AI and Automated Processing

Viglot uses artificial intelligence to generate learning content, evaluate pronunciation, and assess voice task performance. We want to be transparent about how AI processes your data:

• Content generation — AI generates exercises, vocabulary, and scenarios tailored to your language level. If you provided optional profile data, it also influences the topics and scenarios generated.
• Speech analysis — AI transcribes your spoken audio and evaluates pronunciation accuracy on a word-by-word basis.
• Voice task evaluation — AI assesses your performance in voice tasks, including goal completion and overall communicative confidence, and provides detailed feedback with strengths and areas to improve. The indication of your engagement level is derived only from interaction signals such as response timing and message length — not from analysis of your voice tone or any emotion-recognition technology.

These AI outputs are learning aids — they produce scores, feedback, and content recommendations to support your learning. They do not constitute automated decision-making that produces legal or similarly significant effects within the meaning of Art. 22 GDPR. Your profile data influences the topics generated but does not result in profiling that affects your access to the service or its features.

If you have concerns about any AI-generated evaluation or feedback, you can contact us at info@viglot.com to request a human review.

11. Children's Privacy

Viglot is not directed at children under the age of 16. We do not knowingly collect personal data from children under 16. If you believe we have collected data from a child under 16, please contact us at info@viglot.com and we will promptly delete the data.

12. Changes to This Policy

We may update this privacy policy from time to time. When we make material changes, we will notify you through the app or by updating the "Last updated" date at the top of this page. We encourage you to review this policy periodically.

13. Contact

For any questions about this privacy policy or your personal data, contact us at: