PRIVACY POLICY

The data controller responsible for your personal data is Repsy, with its operating address at Valencia, Spain. You can contact us at any time at support@repsy.academy in relation to this Policy or your personal data.

We collect the following categories of personal data when you use the Service:

• Account data. Email address, hashed password, display name, profile preferences, and the CEFR level and learning goals you provide during onboarding.
• Learning data. Lessons completed, decks reviewed, drill attempts, mock exam results, streak counts, and timestamps associated with your activity.
• Payment data. If you purchase a paid subscription, our payment processor collects billing details directly. We receive a transaction reference, the subscription tier, and renewal status, but never your full card number or banking credentials.
• Communications. Messages you send to our support channels, feedback you submit through the product, and content you post in community surfaces.
• Device and usage data. IP address, device type, operating system, browser type, language preference, referrer, pages viewed, and interactions with the Service.
• Cookies and similar technologies. See Section 7 for details.

We use personal data for the following purposes:

• To provide, operate, and maintain the Service.
• To personalise your learning experience, including selecting lessons and drills appropriate to your level.
• To process payments, manage subscriptions, and prevent fraud.
• To communicate with you about your account, updates to the Service, and product announcements you have consented to receive.
• To monitor and improve the Service through aggregated analytics and error reporting.
• To comply with applicable laws, enforce our Terms of Service, and protect the rights, property, and safety of Repsy, our users, and others.

Where the General Data Protection Regulation (Regulation (EU) 2016/679, the “GDPR”) applies, we rely on the following legal bases:

• Performance of a contract (Article 6(1)(b)) to provide the Service you have requested.
• Legitimate interests (Article 6(1)(f)) to operate, secure, and improve the Service, and to communicate with you, where those interests are not overridden by your rights.
• Consent (Article 6(1)(a)) for optional analytics cookies and direct marketing communications, which you may withdraw at any time.
• Legal obligation (Article 6(1)(c)) where we are required by applicable law to process or retain data.

We do not sell personal data. We share personal data only as described below:

• Service providers. We engage third-party processors who act on our instructions and under written data processing agreements, including providers of authentication, database hosting, payments, customer support, email delivery, analytics, error monitoring, and log storage.
• Legal and safety. We may disclose data if required by law, regulation, legal process, or governmental request, or where necessary to protect the rights, property, or safety of Repsy, our users, or the public.
• Business transfers. If Repsy is involved in a merger, acquisition, financing, or sale of assets, personal data may be transferred as part of that transaction. We will notify you of any such change in control.

Some of our processors are located outside the European Economic Area (the “EEA”). Where personal data is transferred to a country that has not received an adequacy decision from the European Commission, we rely on appropriate safeguards such as the European Commission’s Standard Contractual Clauses, together with supplementary measures where required.

We use strictly necessary cookies to keep you signed in and to secure the Service. With your consent, we also use analytics cookies to understand how the Service is used and to detect performance issues. You can manage your preferences through your browser settings or through the cookie controls provided in the Service.

We retain personal data for as long as your account is active and for a reasonable period afterwards to comply with legal obligations, resolve disputes, and enforce our agreements. When you delete your account, we delete or anonymise personal data within thirty (30) days, except where retention is required by law (for example, tax and accounting records). Backups are overwritten on their normal rotation cycle.

We implement technical and organisational measures designed to protect personal data, including encryption in transit, access controls, and routine security review. No method of transmission or storage is completely secure; we cannot guarantee absolute security.

Subject to applicable law, you have the right to access, rectify, erase, restrict the processing of, and port your personal data, and to object to processing carried out on the basis of our legitimate interests. Where processing is based on consent, you have the right to withdraw that consent at any time without affecting the lawfulness of processing prior to withdrawal.

To exercise these rights, contact us at support@repsy.academy. You also have the right to lodge a complaint with a supervisory authority; in Spain, the competent authority is the Agencia Española de Protección de Datos (AEPD).

The Service is not directed to children under the age of thirteen (13), or under the age of digital consent in your jurisdiction where higher. We do not knowingly collect personal data from children. If you believe a child has provided us with personal data, please contact us so we can delete it.

We may update this Policy from time to time. If we make material changes, we will notify you by email or through a notice within the Service before the changes take effect. The “Effective” date at the top of this Policy indicates when it was last revised.

For questions about this Policy or our privacy practices, contact us at support@repsy.academy.