Skip to main content
← Back to home

Privacy Policy

Last updated:

1. Overview & Who We Are

This Privacy Policy explains how SpeakLegends ("the app", "we", "us", or "our") collects, uses, stores, shares, and protects your personal information when you use the SpeakLegends iOS application and the speaklegends.com website (together, "the Service"). SpeakLegends is a language-learning app that turns studying a new language into a role-playing adventure with quests, lessons, streaks, and experience points.

The Service is operated by Ansuz Ltd, which is the "data controller" responsible for your personal data under the EU and UK General Data Protection Regulation (GDPR) and other applicable privacy laws. You can reach us at any time at privacy@speaklegends.com (see Section 14).

We have written this policy in plain language because we want you to actually understand what happens to your data. We collect the minimum we need to give you an account and save your learning progress. We do not run advertising, we do not use third-party tracking or analytics SDKs, and we do not sell your personal information.

2. Information We Collect

We only collect data that is necessary to operate the Service. The categories below describe everything we collect and why.

2.1 Account information

  • Email address — used to identify your account, keep your progress tied to you, and contact you about your account or important Service notices. Your email may be a private relay address if you sign in with Apple (see Section 5).
  • Display name — the name shown in the app (for example, on your profile). You provide it during sign-up, or it is supplied by Apple or Google when you first sign in.

2.2 Authentication data

  • Access token (JWT) and refresh token — short-lived and long-lived credentials that keep you signed in securely without re-entering your password. The tokens are stored on your device in the iOS Keychain (Apple's encrypted credential store). On our side, we keep a corresponding server-side session record so we can validate, rotate, and revoke your session (for example, when you sign out or delete your account).
  • Sign-in provider identifier — the stable, opaque user identifier issued by Apple or Google that lets us recognize your account on each sign-in.

2.3 Learning data

  • Your experience points (XP), streaks, lesson and quiz progress, placement results, levels, and achievements. This is the data that powers the game: it lets you pick up where you left off, keeps your streak alive, and syncs your progress if you reinstall the app or sign in on another device.

2.4 Limited technical data

  • When your device communicates with our servers, our infrastructure provider (Cloudflare) processes connection metadata such as your IP address and request details for the brief time needed to deliver the response and to protect the Service against abuse, fraud, and attacks. We do not use this data to build advertising profiles.

2.5 What we do NOT collect

We do not collect your precise location, your contacts, your photos, your microphone audio off-device, or any advertising identifier. We do not use third-party advertising networks, third-party analytics SDKs, or cross-app tracking. We do not ask you to provide payment card details — any subscription is billed by Apple through your Apple ID, and Apple does not share your card details with us.

3. How We Use Your Information

We use the information described above only for these purposes:

  • Provide and maintain your account — create your account, recognize you when you return, and let you sign in across devices.
  • Save and sync your learning progress — store your XP, streaks, lessons, and achievements so your progress is never lost.
  • Keep you securely signed in — issue, validate, and rotate your access and refresh tokens.
  • Personalize your learning — adapt lesson difficulty and recommendations based on your in-app progress.
  • Provide support — respond to your questions and resolve account issues when you contact us.
  • Protect the Service — detect and prevent fraud, abuse, cheating, and security incidents.
  • Comply with the law — meet our legal obligations and respond to lawful requests.

We do not use your data for advertising, ad targeting, or profiling for marketing, and we do not sell it.

5. Sign in with Apple & Google

You sign in to SpeakLegends using Sign in with Apple or Google Sign-In. We do not operate a separate password database for these sign-ins.

5.1 Sign in with Apple

When you use Sign in with Apple, Apple shares a stable user identifier with us and, on your first sign-in only, your name and an email address. You may choose Apple's private email relay, in which case the address we receive looks like something@privaterelay.appleid.com and forwards to your real inbox without revealing it to us. We will ask for your consent before linking any directly identifying information you give us to your Apple sign-in identity, as required by Apple. Apple's handling of your data is governed by Apple's Sign in with Apple privacy notice.

5.2 Google Sign-In

When you use Google Sign-In, Google provides us with a user identifier and your basic profile information (such as your email and name) so we can create or recognize your account. Google may process information such as your IP address for its own security and fraud-prevention purposes. Google's handling of your data is governed by the Google Privacy Policy.

6. Service Providers & Sub-processors

We do not have our own data centers. We use a small number of carefully chosen service providers ("sub-processors") that process personal data on our behalf, only under our instructions, and only to deliver the Service. We require each of them to provide a level of data protection at least equivalent to the protections in this policy.

  • Cloudflare, Inc. — our backend runs on Cloudflare Workers, and your account and learning data are stored in a Cloudflare D1 database. Cloudflare also provides network security and content delivery. Cloudflare acts as our infrastructure processor. See the Cloudflare Privacy Policy.
  • Apple Inc. — provides Sign in with Apple and distributes the app through the App Store. See the Apple Privacy Policy.
  • Google LLC — provides Google Sign-In. See the Google Privacy Policy.

We may also disclose information if required by law, regulation, legal process, or enforceable governmental request, or where necessary to protect the rights, property, or safety of our users, the public, or SpeakLegends. We do not otherwise share your personal data with anyone.

7. We Do Not Sell or Share Your Data

We do not sell your personal information, and we do not "share" it for cross-context behavioral advertising as those terms are defined under the California Consumer Privacy Act (CCPA), as amended by the California Privacy Rights Act (CPRA), or any other applicable U.S. state privacy law. We have not sold or shared personal information in the preceding twelve months, and we have no plans to do so.

Because we do not sell or share personal information and do not use it for targeted advertising, there is nothing to opt out of. Even so, we honor browser-based Global Privacy Control (GPC) signals as a valid opt-out request where applicable law requires it. We also do not use your personal information to infer characteristics about you for advertising, and we do not discriminate against you for exercising any privacy right.

8. Data Retention & Account Deletion

We keep your account information and learning data for as long as your account is active so that your progress is preserved. We keep data only as long as necessary for the purposes described in this policy or as required by law.

8.1 How to delete your account and data

You can permanently delete your account and associated personal data at any time, directly inside the app:

  1. Open SpeakLegends and go to Settings.
  2. Tap Account, then Delete Account.
  3. Confirm the deletion when prompted.

You can also request deletion by emailing privacy@speaklegends.com from the email address associated with your account.

8.2 What happens when you delete

When you delete your account, we revoke your active access and refresh tokens, delete your server-side session record, and erase your account information and learning data (email, display name, XP, streaks, lesson progress, and achievements) from our Cloudflare D1 database. Deletion is completed within 30 days of a verified request. Residual copies in routine, secured backups are overwritten on our standard backup rotation cycle, after which they are no longer recoverable. We may retain a minimal record of the deletion request itself where necessary to demonstrate compliance, and any limited information we are required to keep by law.

9. How We Protect Your Data

We take the security of your data seriously and apply appropriate technical and organizational measures, including:

  • Encryption in transit — all traffic between the app and our servers is protected with TLS (HTTPS).
  • Credential protection — your sign-in tokens are stored on-device in the iOS Keychain; server-side sessions are rotated and can be revoked.
  • Encryption at rest — account and learning data is stored in Cloudflare D1 on Cloudflare's secured infrastructure.
  • Least-privilege access — access to systems and data is restricted to what is necessary to operate the Service.

No method of transmission or storage is 100% secure. If we ever become aware of a personal-data breach that affects you, we will notify you and the relevant supervisory authority as required by applicable law (including the GDPR's 72-hour notification requirement, where applicable).

10. International Data Transfers

Cloudflare operates a global network, and the app is distributed worldwide. Your information may therefore be processed in countries other than the one in which you live, including the United States, which may have different data-protection laws than your country. Where we transfer personal data out of the European Economic Area or the United Kingdom, we rely on appropriate safeguards, such as the European Commission's Standard Contractual Clauses (and the UK International Data Transfer Addendum) or an adequacy decision, to ensure your data remains protected.

11. Children & Age Requirement

SpeakLegends is not directed to children under 13 (or under the minimum age of digital consent in your country, which may be up to 16 in parts of the European Economic Area). You must meet this minimum age to create an account and use the Service.

We do not knowingly collect personal information from children below the applicable age, consistent with the U.S. Children's Online Privacy Protection Act (COPPA) and similar laws. If we learn that we have collected personal information from a child below the applicable age without the required consent, we will delete that information and the associated account promptly. If you are a parent or guardian and believe your child has provided us with personal information, please contact us at privacy@speaklegends.com.

12. Your Privacy Rights

Depending on where you live, you have rights over your personal data. We honor these rights regardless of where you are located.

12.1 If you are in the EEA or the UK (GDPR)

  • Access — get a copy of the personal data we hold about you.
  • Rectification — correct inaccurate or incomplete data.
  • Erasure — have your data deleted ("right to be forgotten").
  • Portability — receive your data in a portable format.
  • Restriction & objection — limit or object to certain processing.
  • Withdraw consent — where processing is based on consent.
  • Complain — lodge a complaint with your local data protection supervisory authority.

12.2 If you are in California or another U.S. state

  • Know / access — what personal information we collect and how we use it.
  • Delete — request deletion of your personal information.
  • Correct — request correction of inaccurate personal information.
  • Opt out of sale/share — note that we do not sell or share personal information, so this does not apply, but the right is disclosed for transparency, and we honor Global Privacy Control signals.
  • Non-discrimination — we will not treat you differently for exercising any right.

12.3 How to exercise your rights

You can exercise many rights directly in the app (for example, edit your profile, or delete your account and data via Settings → Account → Delete Account; see Section 8). For any privacy request, email us at privacy@speaklegends.com. We will verify your request using the email address associated with your account and respond within the timeframe required by applicable law. Exercising your rights is free, and you may use an authorized agent where the law allows.

13. Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices or for legal reasons. When we do, we will revise the "Last updated" date at the top of this page, and for material changes we will provide a more prominent notice in the app or on the website. We review this policy at least once every twelve months. Your continued use of the Service after an update means you accept the revised policy.

14. How to Contact Us

If you have any questions, concerns, or requests about this Privacy Policy or your personal data, please contact the data controller:

We will respond to every legitimate request as promptly as we can and within the period required by applicable law.