Privacy Policy

Last updated: 4 May 2025

Rumbo Learning Ltd ("we", "us", "our") operates the Rumbo Spanish learning application. This policy explains what personal data we collect, why we collect it, how long we keep it, and what rights you have under UK GDPR and the Data Protection Act 2018.

We are the data controller for personal data processed through Rumbo. Our contact address is hello@rumbospanish.app.

1. Data we collect

We collect the following categories of personal data:

  • Account data — your email address and the password you choose (stored as a secure hash; we never see it in plain text).
  • Profile data — display name, Spanish dialect preference, CEFR level, learning goal, daily practice target, and reason for learning. You provide this during onboarding and can update it at any time.
  • Usage data — lessons completed, flashcard reviews, quiz scores, streak activity, and session timestamps. This is how we personalise your plan and track your progress.
  • Payment data — if you subscribe to Rumbo Core, payments are processed by Stripe. We receive a subscription status and billing reference from Stripe. We do not store, see, or have access to your card number, expiry date, or CVV.
  • Communications — if you contact us by email, we keep a record of that correspondence.

We do not collect sensitive personal data (such as health data, ethnicity, or political opinions), and we do not knowingly collect data from children under 13 without parental consent.

2. How we use your data

We use your personal data only for the following purposes:

  • Providing and personalising the Rumbo learning experience — generating your lesson plan, tracking progress, and adapting content to your level and goal.
  • Managing your account and subscription, including processing payments through Stripe and sending transactional emails (account confirmation, password reset, subscription receipts).
  • Improving Rumbo — aggregated, anonymised usage patterns help us understand which features are working and which need improvement. We do not profile individual users for this purpose.
  • Responding to support requests and feedback you send us.
  • Meeting our legal obligations, including tax records and fraud prevention.

3. Legal basis for processing

Under UK GDPR, we rely on the following lawful bases:

  • Contract — processing your account data and usage data is necessary to deliver the service you signed up for.
  • Legitimate interests — improving the product and detecting abuse, where these interests are not overridden by your rights.
  • Legal obligation — retaining financial records as required by HMRC and applicable law.
  • Consent — where we send optional communications (such as the newsletter), we will ask for your explicit consent and you may withdraw it at any time.

4. Data sharing

We do not sell, rent, or trade your personal data. We share it only with the third parties necessary to run the service:

  • Supabase — our database and authentication provider, storing your account and learning data. Servers are located in the EU.
  • Stripe — payment processing. Stripe is PCI-DSS compliant and handles all card data directly. Their privacy policy is available at stripe.com/gb/privacy.
  • Anthropic — the AI that powers lesson generation and conversation practice. Lesson prompts include your CEFR level and learning goal but not your name or email. Anthropic does not use API inputs to train their models.
  • Resend — transactional email delivery (account confirmation, password reset). They receive your email address only for the purpose of delivering those emails.
  • Vercel — hosting and infrastructure for the web application.

We may disclose your data if required by law, court order, or to protect the safety of our users or the public.

5. Data retention

We keep your personal data for as long as your account is active. If you delete your account, we will delete your profile data and learning history within 30 days, except where we are required to keep records for legal purposes (for example, financial records which must be kept for 7 years under UK law).

Anonymised, aggregated data (e.g. "X% of A1 learners complete this topic") may be retained indefinitely as it cannot identify you.

6. Your rights

Under UK GDPR you have the following rights. You can exercise any of them by emailing us at hello@rumbospanish.app.

Access

Request a copy of the personal data we hold about you.

Rectification

Ask us to correct inaccurate or incomplete data. Most profile data can be updated directly from your account settings.

Erasure

Ask us to delete your personal data ('right to be forgotten'). We will action this within 30 days, subject to any legal retention obligations.

Portability

Receive your data in a structured, machine-readable format (JSON) so you can transfer it elsewhere.

Restriction

Ask us to pause processing your data while a complaint is being resolved.

Objection

Object to processing based on legitimate interests. We will stop unless we can demonstrate compelling grounds.

Withdraw consent

Where processing is based on consent (e.g. newsletter), withdraw it at any time without affecting the lawfulness of prior processing.

You also have the right to lodge a complaint with the UK Information Commissioner's Office (ICO) at ico.org.uk if you believe we have not handled your data correctly. We would appreciate the opportunity to address your concerns first.

7. Cookies and local storage

Rumbo uses browser cookies strictly to maintain your login session (set by Supabase Auth). We do not use advertising, analytics, or tracking cookies. We use sessionStorage to temporarily hold your onboarding answers during sign-up; this data is cleared once your account is created.

8. International transfers

Some of our third-party providers operate infrastructure outside the UK. Where data is transferred to countries without an adequacy decision, we ensure appropriate safeguards are in place — typically Standard Contractual Clauses approved by the UK ICO or the EU Commission.

9. Security

We use industry-standard measures to protect your data: encrypted connections (HTTPS), password hashing (via Supabase Auth), and access controls limiting who can see production data. No system is 100% secure — if you believe your account has been compromised, contact us immediately at hello@rumbospanish.app.

10. Changes to this policy

We may update this policy from time to time. We will notify you of material changes by email or in-app notice at least 14 days before they take effect. The "Last updated" date at the top of this page always reflects the current version. Continued use of Rumbo after changes take effect constitutes acceptance of the updated policy.

Questions about your data?

To exercise your rights, request a copy of your data, or ask us to delete your account, email us and we'll respond within 30 days (and usually much sooner).

For complaints, you may also contact the UK ICO.

hello@rumbospanish.app