Privacy Policy

Last updated: February 19, 2026

1. Introduction

SubLearn ("we", "us", or "our") is committed to protecting your privacy. This Privacy Policy explains how we collect, use, store, and protect your personal data when you use SubLearn (the "Service").

SubLearn is the data controller responsible for your personal data. Our servers are hosted by Hetzner Online GmbH in Germany, within the European Union, and we process all data in compliance with the General Data Protection Regulation (GDPR) and applicable EU data protection laws.

2. Information We Collect

Account Information

  • Name, email address, and profile picture (if provided)
  • Authentication credentials or OAuth tokens (Google, GitHub, Discord, Facebook)
  • Language preferences and learning goals

Learning Data

  • Vocabulary lists, progress scores, and exercise results
  • Videos watched, time spent, and interaction patterns
  • Streaks, XP points, achievements, and leaderboard rankings
  • Custom notes and study materials you create

Technical Data

  • IP address, browser type, operating system, and device information
  • Pages visited, referral URLs, and session duration
  • Cookies and similar tracking technologies (see Section 12)

Billing Data

  • Subscription plan and payment history (processed by Lemon Squeezy; we do not store credit card numbers)

3. How We Collect Information

  • Directly from you: When you create an account, update your profile, or contact support.
  • Through OAuth providers: When you sign in via Google, GitHub, Discord, or Facebook, we receive your basic profile information (name, email, avatar) as authorized by you.
  • Automatically: Through cookies, server logs, and similar technologies when you use the Service.
  • From third parties: Payment status from Lemon Squeezy and usage data from integrated services.

4. Legal Basis for Processing (GDPR)

We process your personal data under the following legal bases:

  • Contract performance: Processing necessary to provide the Service you signed up for (account management, learning features, subscriptions).
  • Legitimate interest: Improving the Service, preventing fraud, ensuring security, and sending service-related communications.
  • Consent: Where you have given explicit consent, such as for push notifications or optional marketing communications. You may withdraw consent at any time.
  • Legal obligation: Where we need to process data to comply with applicable laws.

5. How We Use Your Information

  • Provide, maintain, and improve the Service
  • Track your learning progress, vocabulary, and achievements
  • Personalize content recommendations and adaptive learning paths
  • Generate AI-powered exercises, explanations, and translations
  • Process subscription payments and manage billing
  • Send service-related notifications (account, security, feature updates)
  • Respond to support requests and communicate with you
  • Analyze usage patterns to improve features and fix issues
  • Prevent fraud, abuse, and unauthorized access

6. AI Data Processing

SubLearn uses AI services (including Google Gemini and OpenAI) to generate learning content such as exercises, grammar explanations, and vocabulary enrichment. When generating AI content:

  • We may send anonymized or contextual learning data (such as target language and difficulty level) to AI providers
  • We do not send your personal information (name, email, or account details) to AI providers
  • AI-generated content is cached on our servers to minimize external data transfers
  • AI providers may retain data according to their own privacy policies

We do not use your personal data for automated decision-making that produces legal effects or similarly significant effects on you.

7. Data Sharing

We do not sell your personal data. We share data only in the following circumstances:

  • Service providers: Hetzner (hosting), Lemon Squeezy (payments), and AI providers (content generation) — only as necessary to operate the Service.
  • OAuth providers: Google, GitHub, Discord, and Facebook receive authentication requests when you use social login.
  • Legal requirements: When required by law, court order, or governmental request.
  • Business transfers: In the event of a merger, acquisition, or sale of assets, your data may be transferred as part of that transaction.
  • With your consent: When you explicitly authorize us to share data with a third party.

8. International Data Transfers

Your data is primarily stored and processed on servers located in Germany (EU). However, some third-party services we use (such as AI providers and payment processors) may process data outside the European Economic Area (EEA).

When data is transferred outside the EEA, we ensure appropriate safeguards are in place, including EU Standard Contractual Clauses (SCCs) or adequacy decisions by the European Commission.

9. Data Retention

  • Account data: Retained for as long as your account is active. Deleted within 30 days of account deletion.
  • Learning data: Retained for as long as your account is active. You may export or delete it at any time.
  • Technical logs: Server and access logs are retained for up to 90 days for security and debugging purposes.
  • Billing records: Retained for up to 7 years as required by tax and accounting regulations.

10. Data Security

We implement industry-standard security measures to protect your data, including:

  • Encryption in transit (TLS/HTTPS) and at rest
  • Secure authentication with bcrypt password hashing
  • Regular security updates and vulnerability monitoring
  • Access controls limiting employee access to personal data
  • Regular backups with encrypted storage

No method of electronic transmission or storage is 100% secure. While we strive to protect your data, we cannot guarantee absolute security.

11. Your Rights

Under the GDPR and applicable data protection laws, you have the following rights:

  • Right of access: Request a copy of the personal data we hold about you.
  • Right to rectification: Request correction of inaccurate or incomplete data.
  • Right to erasure: Request deletion of your personal data ("right to be forgotten").
  • Right to data portability: Request your data in a structured, machine-readable format.
  • Right to restrict processing: Request that we limit how we use your data.
  • Right to object: Object to processing based on legitimate interest or for direct marketing.
  • Right to withdraw consent: Withdraw consent at any time where processing is based on consent.

To exercise any of these rights, contact us at [email protected]. We will respond within 30 days. You also have the right to lodge a complaint with your local data protection authority.

12. Cookies

We use cookies and similar technologies to operate the Service. Our cookies include:

  • Essential cookies: Required for authentication, session management, and security. These cannot be disabled.
  • Preference cookies: Remember your language, theme (dark/light mode), and display settings.
  • Session cookies: Maintain your login state and support CSRF protection. These expire when you close your browser.

We do not use third-party advertising or tracking cookies. For more details, see our Cookie Policy.

13. Push Notifications

With your explicit consent, we may send web push notifications for learning reminders, streak alerts, and feature updates. You can enable or disable push notifications at any time through your browser settings or your SubLearn account preferences.

Push notification tokens are stored on our servers and deleted when you disable notifications or delete your account.

14. Children's Privacy

SubLearn is not directed at children under 16 years of age. We do not knowingly collect personal data from children under 16. If you are a parent or guardian and believe your child has provided us with personal data, please contact us at [email protected] and we will take steps to delete such information.

15. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of material changes by posting the updated policy on the Service and updating the "Last updated" date. For significant changes, we may also notify you via email.

We encourage you to review this policy periodically. Your continued use of the Service after changes constitutes acceptance of the updated policy.

16. Contact

If you have questions about this Privacy Policy or wish to exercise your data protection rights, please contact us: