
Privacy Policy

How Oholingo collects, uses, discloses, and protects personal information when you use our Norwegian language learning platform and related services.

Last updated 13 April 2026

On this page

  1. Introduction
  2. Definitions
  3. Data Controller Information
  4. What Information We Collect
  5. How We Collect Data
  6. Legal Bases for Processing (GDPR / UK GDPR)
  7. How We Use Your Information
  8. Cookies and Tracking Technologies
  9. Analytics, Advertising, and Marketing Tools
  10. Third-Party Service Providers
  11. International Data Transfers
  12. Data Retention Policy
  13. Security Measures
  14. Your Rights Under GDPR, UK GDPR, and the CCPA/CPRA
  15. Children’s Privacy and Age Restrictions
  16. Automated Decision-Making and Profiling
  17. Do Not Track Signals
  18. Marketing Communications and Opt-Out
  19. Community and Public Content Disclosure
  20. Account Deletion and Right to Erasure
  21. Data Breach Notification Procedures
  22. Regional Rights by Jurisdiction
  23. Changes to This Privacy Policy
  24. Contact Information

1. Introduction

Oholingo (“we,” “us,” or “our”) provides a web-first language learning experience available at oholingo.com (the “Platform”). We are committed to protecting your privacy and handling personal data in a transparent, secure, and lawful manner.

This Privacy Policy explains what information we collect, how we use it, the legal bases that apply where required (including the EU/EEA and UK), who we share it with, how long we keep it, and the rights and choices available to you. It applies to visitors, registered learners, subscribers, and anyone who otherwise interacts with our websites, applications, APIs, or related services that link to this policy.

By accessing or using the Platform, you acknowledge that you have read this Privacy Policy. Where local law requires separate consent (for example, for certain cookies or direct marketing), we will obtain it in the manner described below or in a separate notice. If you do not agree with this Privacy Policy, please discontinue use of the Platform.

This policy is designed to support GDPR (EU General Data Protection Regulation), the UK GDPR and Data Protection Act 2018, and common requirements under U.S. state privacy laws such as the California Consumer Privacy Act (CCPA) as amended by the California Privacy Rights Act (CPRA). It also highlights considerations for other regions. It does not create contractual rights on its own; your relationship with us is also governed by our Terms of Service and any order form or subscription agreement you accept.

2. Definitions

For consistency throughout this Privacy Policy, the following terms have the meanings below. Capitalized terms used in our Terms of Service may carry the same meaning here unless otherwise stated.

  • Account: A registered user profile that allows access to Platform features after authentication.
  • Controller: The entity that determines the purposes and means of processing personal data (see Section 3).
  • End User / Learner: A natural person who uses the Platform to learn languages or access content.
  • Personal data / Personal information: Information relating to an identified or identifiable individual. Under some U.S. state laws, certain categories are treated specially (for example, “Sensitive Personal Information”).
  • Processing: Any operation performed on personal data, including collection, storage, use, disclosure, alignment, restriction, erasure, or destruction.
  • Processor / Service provider: An entity that processes personal data on behalf of the Controller (or, under U.S. law, processes personal information on our behalf under a contract).
  • Usage data: Information collected automatically about how the Platform is accessed and used (for example, logs and analytics events).

3. Data Controller Information

Unless we tell you otherwise in a supplemental notice (for example, for a specific enterprise arrangement), the data controller responsible for personal data processed in connection with the Platform is:

  • Oholingo (operating the Oholingo service)
  • Contact (privacy): privacy@oholingo.com
  • General support: support@oholingo.com

If you are located in the EU/EEA or UK, you may also contact our Data Protection contact at privacy@oholingo.com. Depending on your jurisdiction, you may have the right to lodge a complaint with a supervisory authority; see Section 14 and Section 22.

Where we process personal data on behalf of an organization (for example, a school or employer) under a separate agreement, that organization may be the controller for certain data, and we act as a processor. In those cases, the organization’s instructions and privacy terms may apply to you.

4. What Information We Collect

We collect different types of information depending on how you use the Platform, your settings, and whether you purchase a subscription. We may combine data obtained from you with data obtained automatically or from third parties where permitted by law.

4.1 Personal Information

Information that identifies you or can reasonably be linked to you, such as your name, email address, and—if you choose to provide it—profile details like a display name, photo, language preferences, biography, or country of residence.

4.2 Account Data

Data associated with your credential and profile, including authentication identifiers (for example, email login or federated identity provider subject IDs), account creation timestamps, password reset tokens (handled securely), subscription status, billing identifiers, role(s), and administrative flags needed to operate your Account.

4.3 Usage Data

Data about how you interact with the Platform, such as pages or screens viewed, features used, taps/clicks, completion of lessons, quizzes, exercises, study sessions, search queries inside the product, time spent, referral sources, and crash or error diagnostics needed to maintain reliability.

4.4 Device and Technical Data

Device and connection information such as device type, operating system, browser type and version, approximate location derived from IP address (typically at city/region granularity), time zone, language settings, available fonts/plugins (where relevant), and network information used for security signals and abuse prevention.

4.5 Learning, Progress, and Gamification Data

Metrics associated with your learning activities, including course or pathway enrollments, lesson progress, completed modules, quiz scores, spaced repetition scheduling, XP, streaks, achievements, leaderboard or ranking placements, listening and speaking practice metadata (including recordings where you submit them), and other product analytics needed to personalize your study experience and operate gamification.

4.6 Communications Data

Content of communications you send to us (for example, support tickets, feedback forms, chat transcripts if enabled), email delivery and engagement metadata (opens and clicks where measured), and notification preferences for email or push messages.

4.7 Payment Data

When you subscribe or make a purchase, our payment processor(s) collect payment card details, billing address, and payment status. We typically receive limited payment information (such as subscription tier, transaction IDs, last four digits when displayed for verification, and invoice records) rather than full card numbers.

4.8 User Generated Content

Content you upload, record, or submit through the Platform, including profile information, text posts or comments in community features, uploaded files (including documents, audio, or video), and associated metadata (timestamps, tags, or moderation state).

5. How We Collect Data

We collect personal data from the following sources:

  • Directly from you: when you register, update your profile, complete lessons, participate in community features, contact support, subscribe, or otherwise submit information to us.
  • Automatically: through cookies, pixels, SDKs, local storage, and server logs when you use our websites, PWA, or APIs.
  • From third parties: such as authentication providers when you choose social login; payment processors; analytics or email delivery partners; and, where applicable, enterprise customers who invite you to the Platform.
  • From public sources: only where permitted by law and relevant to preventing fraud, ensuring platform integrity, or verifying professional references for certain enterprise or educator workflows (if offered).

6. Legal Bases for Processing (GDPR / UK GDPR)

Where GDPR or UK GDPR applies, we rely on one or more of the following legal bases:

  • Contract (Article 6(1)(b)): processing necessary to provide the Platform, create and administer your Account, process subscriptions you request, and deliver essential communications about the service.
  • Legitimate interests (Article 6(1)(f)): securing the Platform, preventing abuse, improving features and performance, analytics that are not invasive, product development, and internal reporting—balanced against your rights and freedoms. You may object to certain processing as described in Section 14.
  • Consent (Article 6(1)(a)): where required for non-essential cookies, certain marketing messages, optional personalization, or processing of special categories of data where applicable. You can withdraw consent at any time without affecting the lawfulness of processing before withdrawal.
  • Legal obligation (Article 6(1)(c)): where we must retain or disclose information to comply with law, including tax, accounting, or regulatory obligations.
  • Vital interests: rarely, to protect someone’s life or physical safety.

If we process special categories of personal data under GDPR (for example, certain biometric classifications where applicable), we will identify a lawful exemption or obtain explicit consent where required.

7. How We Use Your Information

We use the information we collect to operate, secure, and improve the Platform, including to:

  • Provide authentication, sync your progress across devices, and deliver lessons and features you select.
  • Personalize learning paths, reminders, and recommendations consistent with your settings.
  • Run gamification (XP, streaks, achievements), leaderboards where offered, and community features.
  • Process payments, manage subscriptions, issue receipts/invoices, and detect fraudulent transactions.
  • Send transactional messages (security alerts, billing notices, essential product updates) and—where permitted—marketing communications you can opt out of (Section 18).
  • Maintain platform reliability, debug issues, monitor performance, and perform security monitoring.
  • Provide customer support, respond to inquiries, feedback, or legal requests, and—where applicable—operate educator or internal admin dashboards for course management and service operations.
  • Comply with law, enforce our Terms, investigate misuse, and protect rights, safety, and property of users and the public.
  • Conduct analytics in aggregate or de-identified form where feasible to understand product usage trends.

We do not sell your personal information in the conventional sense of exchanging data for money. Certain disclosures to analytics or advertising partners may qualify as “sharing” for cross-context behavioral advertising under some U.S. state laws; see Sections 9–11 for details and your choices.

8. Cookies and Tracking Technologies

We use cookies and similar technologies (such as local storage, session storage, pixels, and software development kits) to keep you signed in, remember preferences, measure performance, and—depending on your choices—support analytics and marketing.

  • Strictly necessary: required for core functionality and security (for example, session authentication tokens for Supabase-backed sessions).
  • Functional: remember settings such as language, theme, or accessibility preferences.
  • Analytics: help us understand aggregate usage patterns; may be implemented by first-party or third-party tools.
  • Marketing: used only where permitted to measure campaigns or personalize promotional content; controllable via consent/opt-out mechanisms.

You may control cookies through your browser settings, our cookie preference tool (where provided), and the opt-out mechanisms described in Sections 9, 17, and 18. Blocking strictly necessary cookies may impair sign-in or core features.

9. Analytics, Advertising, and Marketing Tools

We use analytics to understand engagement with lessons, features, and funnels, and to improve onboarding and retention. Depending on configuration, analytics may collect pseudonymous identifiers, event properties, and coarse device or network data.

If we run paid acquisition or retargeting, we may use conversion pixels or similar technologies to measure ad effectiveness. Where required, we obtain consent before loading non-essential marketing tags. You can opt out of certain interest-based advertising as described in Section 18 and through industry tools (for example, the Digital Advertising Alliance or European Interactive Digital Advertising Alliance, where available).

Push notifications operate through your device or browser permission model; you can withdraw permission at any time in system settings or in-product toggles where available.

10. Third-Party Service Providers

We use reputable subprocessors to host and deliver the Platform. They are permitted to process personal data only under our instructions and appropriate contractual protections. Representative categories include:

10.1 Supabase (Database, Auth, Storage, Edge Functions)

We may use Supabase for authentication, relational data storage, file storage for uploads, and related edge functions. Supabase processes data you provide or generate while using the Platform, including account records and user-generated content you store with us.

10.2 Vercel (Hosting and Edge Delivery)

Our web application may be deployed on Vercel, which processes HTTP requests, caches assets at the edge, and stores deployment-related metadata needed to operate the site.

10.3 Payment Processors

Payments may be processed by providers such as Stripe or similar payment gateways. These providers handle card data directly subject to PCI DSS requirements; we receive limited transaction metadata for reconciliation and customer support.

10.4 Analytics Providers

We may use first-party analytics (for example, Vercel Analytics or product instrumentation) and/or third-party analytics services. Configurations evolve; we aim to minimize personal data shared for analytics and to apply IP anonymization or aggregation where feasible.

10.5 Email and Messaging Providers

Transactional and marketing email may be delivered via providers (such as Resend, SendGrid, Postmark, or similar). These providers process recipient addresses, message content, and delivery telemetry.

A current list of major subprocessors may be provided upon request to privacy@oholingo.com and may be updated as our infrastructure evolves.

11. International Data Transfers

Oholingo is operated with modern cloud infrastructure that may process and store information in the European Economic Area, the United Kingdom, the United States, and other countries where our service providers maintain facilities. Whenever personal data originating from the EU/EEA, UK, or Switzerland is transferred to countries not subject to an adequacy decision, we implement appropriate safeguards such as the EU Commission’s Standard Contractual Clauses (SCCs) and the UK Addendum (where applicable), supplemented by technical and organizational measures and transfer impact assessments when required.

You may request further information about safeguards by contacting privacy@oholingo.com.

12. Data Retention Policy

We retain personal data only as long as necessary for the purposes described in this policy, unless a longer retention period is required or permitted by law. Criteria include the duration of your Account, ongoing contractual relationships, legal obligations (for example, accounting/tax), dispute resolution, and the feasibility of anonymization or aggregation.

  • Account and profile data: retained while your Account is open and for a reasonable wind-down period thereafter (for example, recovery, disputes, or fraud prevention), unless earlier deletion is requested and no conflicting obligation exists.
  • Learning and progress data: retained to provide continuity and product functionality; upon Account deletion, we delete or irreversibly anonymize such data except where a narrow retention is justified (for example, aggregated metrics).
  • Security and audit logs: retained for limited periods consistent with security monitoring and incident response, often in rolling windows.
  • Marketing records: retained until you opt out (and briefly thereafter to ensure the opt-out is honored and synchronized across systems).

Exact retention windows can vary by subsystem; you may request details relevant to your data by contacting us.

13. Security Measures

We implement administrative, technical, and organizational measures appropriate to the risk, including encryption in transit (TLS), access controls and least-privilege policies for staff and systems, secure software development practices, dependency monitoring, logging and alerting, backups, and vendor assessments for subprocessors. Authentication secrets and payment data are handled by specialized providers under industry standards.

No method of transmission over the Internet or electronic storage is completely secure. While we strive to protect personal data, we cannot guarantee absolute security. Please use a strong, unique password and enable available multi-factor authentication if offered.

14. Your Rights Under GDPR, UK GDPR, and the CCPA/CPRA

Depending on your location, you may have rights regarding your personal data. These rights may be limited by law (for example, where responding would expose another person’s data or undermine security).

14.1 EU/EEA and UK (GDPR / UK GDPR)

  • Access, rectification, erasure, and restriction of processing
  • Data portability for data you provided where processing is automated and based on contract or consent
  • Object to processing based on legitimate interests (including profiling in certain contexts)
  • Withdraw consent where processing is consent-based
  • Lodge a complaint with a supervisory authority in your country/region

14.2 California (CCPA/CPRA)

If you are a California resident, you may have the rights to know/access, delete, correct, and obtain a copy of personal information; to opt out of “sale” or “sharing” of personal information for cross-context behavioral advertising (where applicable); to limit use of sensitive personal information in certain cases; and not to receive discriminatory treatment for exercising rights. To exercise rights, see Section 24.

14.3 Other U.S. States

Residents of other U.S. states with comprehensive privacy laws may have similar rights; we will honor applicable requests consistent with law.

15. Children’s Privacy and Age Restrictions

The Platform is not directed to children below the age at which parental consent is required for online services in their jurisdiction, unless verifiable parental permission has been given. We do not knowingly collect personal information from children in violation of applicable law. If you believe a child has provided us personal information, please contact privacy@oholingo.com and we will take appropriate steps to investigate and remediate.

Schools and educators who use Oholingo in classroom contexts are responsible for obtaining any necessary consents and for compliance with local education privacy laws (such as FERPA where applicable) to the extent relevant to their arrangement with us.

16. Automated Decision-Making and Profiling

We may use automated processing to personalize your learning experience (for example, difficulty adaptation, lesson recommendations, reminders, or streak calculations) based on your progress and usage patterns. These activities typically do not produce legal or similarly significant effects solely by automated means.

If we introduce functionality that could significantly affect you based solely on automated processing, we will provide information about the logic involved and your rights, as required by applicable law.

17. Do Not Track Signals

There is no uniform industry standard for how browsers communicate “Do Not Track” (DNT) signals. Unless required by applicable law, we do not currently respond to DNT signals. You may control cookies and certain analytics and marketing trackers through our cookie settings (where available), product controls, and browser settings as described in Sections 8–9.

18. Marketing Communications and Opt-Out

We may send marketing communications if permitted by law and your preferences. You can opt out of promotional emails by using the unsubscribe link in those emails or by updating your notification settings in your Account. Transactional and essential service messages (security, receipts, critical product notices) may continue even if you opt out of marketing.

Where SMS or push notifications are used for promotions, you may opt out through device settings or in-product toggles. If we engage in “sharing” for cross-context behavioral advertising under U.S. state law, you may submit an opt-out of sale/sharing request as described under Section 14 and Section 24.

19. Community and Public Content Disclosure

If you participate in community features (for example, discussion threads, study groups, public profiles, or leaderboards), certain information may be visible to other users based on your settings. Content you post in public areas may be indexed or copied by others outside our control.

Leaderboards may display display names, avatars, and performance metrics you have agreed to share. You can review visibility controls where offered, but please assume public posts may persist in caches or third-party archives even after deletion from the Platform.

20. Account Deletion and Right to Erasure

You may request deletion of your Account via in-product settings where available, or by emailing privacy@oholingo.com. Upon verification, we will delete or anonymize personal data associated with your Account, except where retention is necessary for legal compliance, dispute resolution, security, or legitimate interests (for example, limited audit logs).

Some community content may be retained in de-identified or aggregated form. Backups may persist for a limited period before automatic overwrite cycles complete deletion.

21. Data Breach Notification Procedures

We maintain incident response procedures designed to detect, contain, and remediate unauthorized access to personal data. Where required by applicable law, we will notify regulators and affected individuals of a personal data breach without undue delay, including information about likely consequences and measures taken or proposed.

Not all incidents result in a “breach” of personal data; some may affect availability without confidentiality loss. We document incidents and outcomes for accountability and continuous improvement.

22. Regional Rights by Jurisdiction

Privacy laws evolve. The following highlights are non-exhaustive summaries and are not legal advice. Where provisions conflict, the more protective or region-specific rule may apply as required by law.

EU/EEA

GDPR provides the rights summarized in Section 14. You may contact your local supervisory authority; references to the European Data Protection Board and national authorities can be found on official EU resources.

United Kingdom

UK GDPR and the Data Protection Act 2018 apply; complaints may be filed with the ICO (Information Commissioner’s Office).

Switzerland

The Federal Act on Data Protection (FADP) may apply; cross-border transfers use appropriate safeguards.

Canada

Depending on province, PIPEDA or provincial laws (for example, Quebec Law 25) may provide rights to access, rectify, and withdraw consent where processing is consent-based.

Australia

The Privacy Act 1988 (Cth) and Australian Privacy Principles may grant access and correction rights; cross-border disclosures are subject to accountability measures we maintain with subprocessors.

Brazil (LGPD)

You may have rights to confirmation, access, correction, anonymization, portability, and deletion, among others.

United States

State laws (California, Virginia, Colorado, Connecticut, Utah, and others) may grant additional rights for residents, including appeal processes if we deny a request. See Section 14 and Section 24 for how to exercise rights.

23. Changes to This Privacy Policy

We may update this Privacy Policy periodically to reflect changes in our practices, technologies, legal requirements, or product features. We will post the revised version on this page and update the “Last updated” date. For material changes, we will provide an additional notice where appropriate (for example, email to your registered address or an in-product notice).

Continued use of the Platform after the effective date of updates constitutes your acceptance of the revised policy, except where your explicit consent is required and obtained separately.

24. Contact Information

If you have questions about this Privacy Policy, wish to exercise your privacy rights, or need supplemental information about subprocessors and safeguards, contact us at:

  • Privacy: privacy@oholingo.com
  • Support: support@oholingo.com
  • Data protection contact (EU/UK): privacy@oholingo.com

We may need to verify your identity before fulfilling certain requests (for example, access or deletion) and may ask for additional information reasonably necessary to process your request securely.

If you are an authorized agent submitting a request under U.S. state law, we may require proof of your authority and may need to contact the consumer directly to verify the request.
