Privacy Policy

1. Who we are

Lalo ("we", "our", "us") is operated by [Company name — TBD], registered at [Registered address — TBD, EU (Estonia or Austria)]. You can reach our data protection contact at privacy@lalolearning.com.

2. Guest-first by default

Lalo works without an account. When you use Lalo as a guest, all of your learning data — progress, settings, FSRS cards, session history — is stored locally in your browser (IndexedDB) and never leaves your device. We do not see it.

3. What we collect if you sign in

If you create an account (email/password or Google SSO via Supabase), we store:

• Your email address and authentication metadata.
• Your learning profile: display name, avatar, XP, level, streak, badges, username.
• Your learning progress: FSRS card states, session history, daily stats — synced from your device so you can use Lalo on multiple devices.
• Social graph, if you use it: friends, friend requests, referral code.

4. Legal basis (GDPR Art. 6)

• Contract (Art. 6(1)(b)) — to provide the Lalo service to account holders.
• Legitimate interest (Art. 6(1)(f)) — to keep Lalo secure, measure aggregate usage, and improve the product.
• Consent (Art. 6(1)(a)) — for anything requiring explicit opt-in (e.g. optional email reminders).

5. Third-party processors & sub-processors

We use a small set of vetted processors. Each is bound by GDPR- compliant terms (DPA + Standard Contractual Clauses where applicable):

• Supabase (EU region) — authentication, Postgres database, file storage. Your account data lives here.
• Vercel (US, GDPR-compliant) — web hosting and request logs.
• Stripe (US, GDPR-compliant) — payment processing. Only invoked if you purchase Lifetime or a pack. Stripe handles card data directly; we never see it.
• Google AdSense (US) — only loaded for free-tier users who have given advertising consent. Lifetime users never load AdSense.
• Resend (US, GDPR-compliant) — email delivery, only for authenticated users with email preferences enabled.

6. Cookies & similar technologies

Lalo groups cookies and local-storage entries into three categories. You manage them via the cookie banner on first visit and any time afterwards in Settings → Cookie preferences.

• Necessary — auth session (Supabase), language preference, settings storage, cookie-consent record. Always active. Cannot be disabled because the app cannot function without them.
• Analytics (opt-in) — help us understand how Lalo is used in aggregate. Off by default. You can opt in via the cookie banner or Settings → Cookie preferences.
• Advertising (opt-in) — used by Google AdSense to serve personalized ads on the free tier. Off by default. If you have Lifetime, no ads are ever shown and these cookies never fire — regardless of consent state.

Lalo respects the browser Do Not Track (DNT)signal and the Global Privacy Control (GPC)header: when either is set, analytics and advertising consent default to off.

You can change consent at any time. Consent is re-asked every 180 days. We do not sell your data.

7. Email communications & tracking

Lalo only sends emails to authenticated users. Guests receive zero emails. Email types include:

• Onboarding (first few days after sign-up)
• Weekly recap (Sundays at 6 pm local time)
• Streak reminders
• Re-engagement emails when you've been away
• Lifetime offer (one-off)

Tracking. To measure whether our emails are actually useful (and to stop sending them when they are not), we log:

• Opens — via a 1×1 tracking pixel embedded in each email.
• Clicks — links in our emails are wrapped so we can record which were clicked.

Protections built in:

• Auto-suppression — 3 consecutive unopened emails triggers a 14-day pause, so we stop bothering you if you are not reading them.
• Hard cap — never more than 3 emails per user in any rolling 7-day window.
• Per-type unsubscribe — every email contains a one-click unsubscribe link for that specific type, plus a global preferences link.

Email logs (sent / opened / clicked timestamps) are stored in ouremail_logtable. You can request your own log via API or manage everything in Settings → Email preferences.

8. Data retention

• Guest data — lives on your device until you clear your browser storage. We never see it.
• Account data — kept while your account is active; deleted within 30 days of an account-deletion request, except where we are legally required to retain it longer.
• Email logs — 12 months from the send date, then deleted.
• Feedback reports — kept indefinitely for product improvement; anonymized after account deletion.
• Cookie consent — stored in your browser localStorage for 180 days, then re-asked.

9. Your rights (GDPR)

Under the GDPR you have the right to:

• Access — request a copy of the personal data we hold about you.
• Rectification — ask us to correct inaccurate data.
• Erasure — ask us to delete your account and associated data.
• Portability — export your data in a portable format (the app includes a CSV / Anki export).
• Object — object to processing based on legitimate interest.
• Withdraw consent — at any time, for any optional processing (cookies, emails, etc.).

To exercise any of these rights, email privacy@lalolearning.com. You also have the right to lodge a complaint with your national data protection authority.

10. Children

Lalo is not directed at children under 13 (or 16 in some EU jurisdictions). We do not knowingly collect data from children.

11. Changes to this policy

We will post any changes here and update the "Last updated" date. Material changes will be communicated in-app where possible.