Privacy Policy

Effective Date: March 27, 2026

1. Data Controller

PolishReady ("we", "us", "our") is the data controller responsible for your personal data as described in this Privacy Policy. For questions regarding how your data is processed, contact us at support@polishready.pl.

2. Information We Collect

We collect the following categories of personal data:

  • Account Information: Email address, display name, and authentication data collected during registration through Supabase Auth, including data from third-party OAuth providers if used (e.g., Google).
  • Learning Data: Your selected Polish proficiency level, native language, learning progress, quiz and exercise scores, module completion records, and performance analytics.
  • User-Generated Content: Photographs of handwritten essays uploaded for AI grading, audio recordings of speaking practice sessions, and text responses submitted during exercises.
  • Payment Information: If you subscribe to a paid plan, Stripe processes your payment details directly. We receive and store only a limited subset of payment metadata (e.g., last four digits of your card, billing country, transaction identifiers, and subscription status). We never store full credit card numbers, CVVs, or complete banking details.
  • Technical Data: IP address, browser type and version, device type, operating system, referring URLs, pages visited within the Service, timestamps, and other diagnostic data collected automatically through server logs and hosting infrastructure.
  • Cookies: We use strictly necessary cookies for authentication and session management. See Section 8 for details.

3. Legal Basis for Processing (GDPR)

We process your personal data under the following legal bases as defined by the General Data Protection Regulation (EU) 2016/679:

  • Performance of Contract (Art. 6(1)(b)): Processing necessary to provide the Service you have registered for, including account management, content processing, AI feedback generation, and subscription management.
  • Legitimate Interests (Art. 6(1)(f)): Processing necessary for service improvement, security monitoring, fraud prevention, analytics, and enforcement of our Terms of Service, where our legitimate interests are not overridden by your fundamental rights and freedoms.
  • Consent (Art. 6(1)(a)): Where we rely on your consent (e.g., for optional communications), you may withdraw consent at any time without affecting the lawfulness of processing performed prior to withdrawal.
  • Legal Obligation (Art. 6(1)(c)): Processing necessary to comply with applicable legal obligations, including tax reporting, financial record-keeping, and responses to lawful government requests.

4. How We Use Your Information

We use your personal data for the following purposes:

  • Providing and operating the Service, including generating AI-powered feedback on writing and speaking exercises.
  • Personalizing your learning experience based on your proficiency level and native language.
  • Processing subscription payments and managing billing through Stripe.
  • Communicating with you regarding your account, service updates, and support requests.
  • Analyzing aggregated and anonymized usage patterns to improve the Service, fix bugs, and develop new features.
  • Detecting, preventing, and addressing fraud, abuse, security incidents, and technical issues.
  • Enforcing our Terms of Service and other applicable policies.
  • Complying with applicable legal obligations.

5. Data Sharing and Third Parties

We share personal data with the following categories of third-party service providers, strictly for the purposes described in this Privacy Policy:

  • Supabase (Supabase Inc.): Authentication, database hosting, and file storage. Your account data, learning records, and uploaded content are stored on Supabase-managed infrastructure.
  • Stripe (Stripe Payments Europe, Ltd.): Payment processing. Stripe receives your payment details directly during checkout. Stripe's processing of your data is governed by Stripe's own privacy policy and applicable data processing agreements.
  • Resend (Resend, Inc.): Transactional email delivery. Your email address is shared with Resend for the purpose of sending account-related communications such as email verification, password resets, and service notifications.
  • Google Cloud / Gemini (Google LLC): AI-powered grading and feedback. User-submitted content (essay images, audio recordings) is transmitted to Google's AI services for processing. Google's use of this data is governed by their data processing terms and the Google Cloud Terms of Service.
  • Vercel (Vercel Inc.): Application hosting and content delivery network services.

We do not sell, rent, lease, or trade your personal data to third parties for their marketing or advertising purposes.

We may disclose your personal data if required to do so by law, regulation, legal process, or enforceable governmental request, or when we believe in good faith that disclosure is necessary to protect our rights, property, or safety, or the rights, property, or safety of others, or to detect and prevent fraud or security incidents.

6. International Data Transfers

Your personal data may be transferred to and processed in countries outside the European Economic Area (EEA), including the United States, where our third-party service providers maintain infrastructure. When such transfers occur, we ensure that appropriate safeguards are in place in accordance with GDPR Chapter V requirements, including:

  • Standard Contractual Clauses (SCCs) approved by the European Commission.
  • Reliance on adequacy decisions issued by the European Commission.
  • Service provider certifications under recognized frameworks (e.g., the EU-U.S. Data Privacy Framework).

By using the Service, you acknowledge and consent to the transfer of your data to jurisdictions that may have data protection laws that differ from those in your country of residence.

7. Data Retention

We retain your personal data only for as long as necessary to fulfill the purposes described in this policy or as required by law. Specific retention periods:

  • Account data: Retained for the duration of your active account. Upon receiving an account deletion request, we will delete or irreversibly anonymize your personal data within 30 days, except where retention is required by law.
  • Learning data and user-generated content: Retained for the duration of your active account. Anonymized and aggregated data derived from your content may be retained indefinitely for service improvement and AI model training purposes.
  • Payment and financial records: Retained for up to 7 years after the transaction date, as required by applicable tax and financial regulations.
  • Technical and server logs: Retained for up to 90 days for security monitoring, debugging, and incident response purposes.

After the applicable retention period, personal data is securely deleted or irreversibly anonymized.

8. Cookies and Tracking Technologies

We use the following categories of cookies:

  • Strictly Necessary Cookies: Required for user authentication, session management, and core Service functionality. These cookies cannot be disabled without breaking the Service.

We do not currently use advertising cookies, social media tracking cookies, or third-party analytics cookies.

You may manage cookie preferences through your browser settings. However, disabling strictly necessary cookies will prevent you from logging in and using the Service. By continuing to use the Service, you consent to the use of strictly necessary cookies as described above.

9. Your Rights Under GDPR

If you are located in the European Economic Area (EEA), you have the following rights under the General Data Protection Regulation:

  • Right of Access (Art. 15): Request a copy of the personal data we hold about you.
  • Right to Rectification (Art. 16): Request correction of inaccurate or incomplete personal data.
  • Right to Erasure (Art. 17): Request deletion of your personal data, subject to applicable legal retention requirements and legitimate grounds for continued processing.
  • Right to Restriction of Processing (Art. 18): Request that we limit how we process your data under certain circumstances.
  • Right to Data Portability (Art. 20): Request a copy of your data in a structured, commonly used, machine-readable format.
  • Right to Object (Art. 21): Object to processing of your data based on legitimate interests or for direct marketing purposes.
  • Right to Withdraw Consent: Where processing is based on consent, you may withdraw your consent at any time without affecting the lawfulness of processing carried out prior to withdrawal.

To exercise any of these rights, contact us at support@polishready.pl. We will respond to your request within 30 days. We may request verification of your identity before processing your request.

If you believe that your data protection rights have been violated, you have the right to lodge a complaint with a supervisory authority, in particular in the EU member state of your habitual residence, place of work, or place of the alleged infringement.

10. Your Rights Under CCPA

If you are a California resident, you may have additional rights under the California Consumer Privacy Act (CCPA) and the California Privacy Rights Act (CPRA):

  • Right to Know: Request disclosure of the categories and specific pieces of personal information we have collected, the sources of collection, the business purposes for collection, and the categories of third parties with whom we share data.
  • Right to Delete: Request deletion of your personal information, subject to legally recognized exceptions.
  • Right to Non-Discrimination: We will not discriminate against you for exercising any of your CCPA rights.

We do not "sell" or "share" personal information as those terms are defined under the CCPA/CPRA.

11. Children's Privacy

The Service is not directed to children under the age of 16, and we do not knowingly collect personal data from children under 16. If we become aware that we have inadvertently collected personal data from a child under 16 without appropriate parental consent, we will take steps to delete such data as promptly as possible. If you believe that a child under 16 has provided us with personal data, please contact us immediately at support@polishready.pl.

12. Security Measures

We implement appropriate technical and organizational security measures to protect your personal data against unauthorized access, alteration, disclosure, or destruction. These measures include, but are not limited to, encryption of data in transit (TLS/SSL), encrypted database connections, access controls and authentication mechanisms, regular security reviews, and infrastructure monitoring.

However, no method of transmission over the internet or method of electronic storage is completely secure. While we strive to use commercially reasonable means to protect your personal data, we cannot guarantee its absolute security and shall not be liable for any breach of security that occurs despite our implementation of reasonable security measures, except to the extent required by applicable law.

13. Automated Decision-Making

The Service uses automated processing, including artificial intelligence models provided by third parties, to generate feedback on your language exercises (writing and speaking). This automated processing is a core part of the Service and is performed under the legal basis of contract performance.

This automated processing does not produce legal effects concerning you or similarly significantly affect you. AI-generated feedback is advisory in nature and intended solely for educational practice purposes. You are not subject to decisions based solely on automated processing that produce legal or similarly significant effects as contemplated by GDPR Article 22.

14. Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technologies, legal requirements, or other factors. We will indicate material changes by updating the "Effective Date" at the top of this policy. It is your responsibility to review this policy periodically. Your continued use of the Service after any modifications are posted constitutes your acceptance of the updated policy. If changes materially affect how we process your existing personal data, we will make reasonable efforts to notify you (e.g., via email or in-app notification) prior to the changes taking effect.

15. Contact and Data Protection

For questions, concerns, or requests regarding your personal data or this Privacy Policy, contact us at:

support@polishready.pl

For GDPR-related inquiries or complaints, you also have the right to contact the relevant data protection supervisory authority in your jurisdiction.