Privacy Policy

Last Updated: November 14, 2025

Effective Date: November 14, 2025

Chipmunk Studio (defined here as 'We', 'Us' or 'Our'), develops applications for mobile devices. The purpose of this privacy policy (defined here as 'Policy') is to provide you with information regarding the processing of personal data of the users that use our apps.

This policy applies to all apps developed and published by Chipmunk Studio.

We will comply with all relevant and applicable legislative requirements, and, in the event of any conflict, the legislative requirements will override the provisions of this Policy.

What This Policy Covers

This policy will let you know:

  • What information (often referred to as 'data') is collected from you by Us
  • How your information is used
  • With whom your information may be shared
  • How your data is stored and transferred
  • How you can access, update, or delete your information

Information We Collect

Depending on the specific app and features you use, the data We collect may include:

Account and Profile Information (Optional)

  • Email address (only if provided through sign-in services)
  • Display name or username
  • Authentication credentials
  • User preferences and settings
  • Profile information you choose to provide

User-Generated Content

  • Content you create, upload, or share within our apps
  • Text input, responses, and interactions during lessons
  • Audio recordings and text transcriptions from speech during lessons (Note: Audio is sent to Apple servers for speech recognition, then transcriptions are used in lessons. Apple does not store audio for service improvement.)
  • Lesson conversation data (your interactions with AI-powered learning features)
  • Custom lesson topics or preferences you create

Usage and Activity Data

  • Activity data related to app functionality (such as tasks completed, time spent, performance metrics)
  • Progress tracking (achievements, milestones, points, or other in-app progression systems)
  • App interactions (screens viewed, buttons tapped, features used)
  • Onboarding and tutorial completion data
  • Session frequency, duration, and usage patterns

Technical Information

  • Device type and operating system version
  • App version and configuration
  • User identifiers for your account (account-based identifiers – not advertising identifiers)

Subscription and Purchase Information (if applicable)

  • Purchase history and transaction details
  • Subscription status and type
  • In-app purchase records
  • Entitlements and expiration dates

Diagnostic Data

  • Crash reports and error logs
  • Performance metrics
  • Debugging information

We Do NOT Collect:

  • Advertising identifiers (Apple IDFA or Google AAID)
  • Precise GPS location data
  • Contacts, photos, or other device content
  • Browsing history outside our app
  • Data for cross-app or cross-website tracking purposes

How We Use the Information We Collect

When you install and use our applications, We can collect and process some of your data for different legitimate purposes. You will find below explanations regarding the reasons why We may collect data:

App Functionality

  • To provide and maintain our app services and features
  • To authenticate users and manage accounts
  • To track your progress and sync data across devices
  • To personalize content and features based on your preferences and usage
  • To provide AI-powered features and functionality (conversations, grammar checking, hints)
  • To enable speech recognition for lesson interactions
  • To process and manage subscriptions and in-app purchases
  • To provide customer support when requested

Analytics and Product Improvement

  • To understand how users interact with our apps
  • To identify and fix bugs, crashes, and technical issues
  • To analyze feature effectiveness and user engagement
  • To optimize app performance and user experience
  • To test and develop new features
  • To measure app outcomes and user completion rates

Communications

  • To send transactional notifications (account updates, receipts)
  • To respond to customer support requests
  • To notify you of important service changes

We Do NOT:

  • Use your data for targeted advertising
  • Track you across third-party apps or websites
  • Sell your personal information to third parties
  • Send unsolicited marketing emails

For all data processing activities that rely on users' consent, you can withdraw your consent at any time from the "settings" page in our various applications.

Third-Party Service Providers & Data Processing

We use third-party service providers to deliver app functionality. These providers process user data on our behalf under strict data processing agreements. Below is a complete list of services, what data they process, and how data is stored and transferred.

Cloud Infrastructure & Database Services

Google Cloud Platform / Firebase (Google LLC)

Services Used:

  • Firebase Authentication
  • Firebase Firestore Database
  • Firebase Cloud Storage
  • Firebase Cloud Functions
  • Firebase Analytics
  • Firebase App Check (security)

Purpose:

  • User authentication and account management
  • Data storage and synchronization across devices
  • Secure API key delivery via Cloud Functions
  • App performance monitoring and analytics
  • Security verification to prevent abuse

Data Shared:

  • User authentication credentials (email, authentication tokens)
  • Learning progress, streaks, XP, and achievements
  • User preferences and settings
  • Analytics events (screen views, feature usage, errors)
  • Profile information

Data Storage & Transfer:

  • Storage location: United States (Google Cloud servers)
  • Data transfer: HTTPS/TLS encrypted connections
  • Data at rest: Encrypted using Google Cloud encryption standards
  • Cross-border transfers: Standard Contractual Clauses (GDPR-compliant)

Privacy Policy: https://firebase.google.com/support/privacy

Apple iCloud / CloudKit (Apple Inc.)

Services Used:

  • NSUbiquitousKeyValueStore (iCloud Key-Value Storage)
  • App Group container for widget data sharing

Purpose:

  • Cross-device progress synchronization for signed-in users
  • Widget data sharing (daily goals, streaks)

Data Shared:

  • Learning progress, streaks, XP (non-sensitive data only)
  • User preferences
  • Daily goal progress

Data Storage & Transfer:

  • Storage location: Varies by user's Apple ID region
  • Data transfer: Apple's encrypted sync protocol
  • Data at rest: Encrypted by Apple iCloud infrastructure
  • Note: Data is tied to user's iCloud account and controlled by Apple's privacy policies

Privacy Policy: https://www.apple.com/legal/privacy/

Speech Recognition Services

Apple Speech Recognition (Apple Inc.)

Services Used:

  • Apple Speech Recognition API (server-based)

Purpose:

  • Convert your speech to text during lessons for high-accuracy recognition

Data Shared:

  • Audio recordings of your speech during lessons
  • Target language for recognition

Data Storage & Transfer:

  • Storage location: Apple servers (location varies by your region)
  • Data transfer: Encrypted connections to Apple's servers
  • Data retention: Apple does not store audio recordings or transcriptions to improve their services
  • Privacy: Follows Apple's strict privacy commitments for Speech Recognition API

Privacy Policy: https://www.apple.com/legal/privacy/

Important Notes:

  • Audio is sent to Apple servers temporarily for speech-to-text conversion
  • Apple does not use your audio for advertising, profiling, or marketing
  • Text transcriptions are then sent to AI services (OpenAI/Azure) for lesson processing
  • You can use text input instead of speech if you prefer not to share audio

AI & Content Processing Services

IMPORTANT: When you use lesson features, your conversation data is sent to AI service providers for real-time processing.

OpenAI (OpenAI, L.L.C.)

Services Used:

  • ChatGPT API (GPT-4 family models)

Purpose:

  • AI-powered lesson conversations
  • Grammar checking and corrections
  • Hints and learning assistance
  • Custom lesson content generation

Data Shared:

  • Lesson conversations and user text responses
  • Speech transcriptions (text only, not audio recordings)
  • Grammar check requests
  • Hint requests
  • Custom lesson topics you create

Data Storage & Transfer:

  • Storage location: United States (OpenAI infrastructure)
  • Data transfer: HTTPS/TLS encrypted API calls
  • Data retention: OpenAI retains data for 30 days for abuse and misuse monitoring, then deletes it
  • Training: OpenAI does NOT use API data to train their models
  • Processing: Real-time processing; data is not permanently stored beyond the 30-day safety period

Privacy Policy: https://openai.com/policies/privacy-policy

Important Notes:

  • Only text transcripts are sent to OpenAI (audio is processed by Apple Speech Recognition)
  • Each lesson conversation is independent; OpenAI cannot link conversations across lessons

Azure OpenAI Service (Microsoft Corporation)

Services Used:

  • Azure-hosted OpenAI models (alternative AI provider)

Purpose:

  • Same as OpenAI above (AI conversations, grammar checking, hints)

Data Shared:

  • Same as OpenAI above

Data Storage & Transfer:

  • Storage location: Depends on Azure deployment region (typically US or EU regions)
  • Data transfer: HTTPS/TLS encrypted connections to Azure endpoints
  • Data retention: Microsoft does NOT store prompt/completion data beyond processing
  • Training: Azure OpenAI does NOT use customer data to train models
  • Processing: Real-time processing with immediate deletion after response generation

Privacy Policy: https://privacy.microsoft.com/en-us/privacystatement

Enterprise Privacy Commitments:

  • Azure OpenAI operates under Microsoft's enterprise privacy commitments
  • No data sharing with OpenAI (separate infrastructure)
  • Compliant with GDPR, CCPA, and enterprise data protection standards

Translation Services

DeepL SE

Services Used:

  • DeepL Translation API

Purpose:

  • Real-time text translation during lessons
  • Translate lesson content to user's preferred language

Data Shared:

  • Text requiring translation (lesson content, user responses)

Data Storage & Transfer:

  • Storage location: European Union (Germany)
  • Data transfer: HTTPS/TLS encrypted API calls
  • Data retention: Processed in real-time; not permanently stored
  • GDPR compliance: Full GDPR compliance (EU-based company)

Privacy Policy: https://www.deepl.com/privacy

Privacy Benefits:

  • EU-based infrastructure minimizes international data transfers
  • Strong GDPR protections
  • No advertising or data resale

Text-to-Speech Services

Google Cloud Text-to-Speech (Google LLC)

Services Used:

  • Cloud Text-to-Speech API

Purpose:

  • Convert lesson text into spoken audio (the app reading to you)

Data Shared:

  • AI-generated lesson responses (created for your specific lesson session)

Data Storage & Transfer:

  • Storage location: United States (Google Cloud servers)
  • Data transfer: HTTPS/TLS encrypted
  • Data retention: Processed in real-time; text not permanently stored

Privacy Policy: https://cloud.google.com/text-to-speech/docs/data-usage

Subscription Management Services

RevenueCat (RevenueCat, Inc.)

Services Used:

  • Subscription and in-app purchase management
  • Purchase validation and receipt verification
  • Trial eligibility checking

Purpose:

  • Process and manage subscriptions
  • Validate purchases with Apple/Google
  • Track subscription status and entitlements
  • Manage trial eligibility

Data Shared:

  • User identifiers (anonymized user IDs)
  • Purchase transactions (product IDs, purchase dates)
  • Subscription status (active, expired, cancelled)
  • Transaction receipts (for validation)

Data Storage & Transfer:

  • Storage location: United States (RevenueCat infrastructure)
  • Data transfer: HTTPS/TLS encrypted API calls
  • Data retention: Subscription records retained as long as account is active; historical transaction data retained per financial regulations

Privacy Policy: https://www.revenuecat.com/privacy

Analytics Services

Firebase Analytics (Google LLC)

Services Used:

  • Firebase Analytics
  • Firebase Crashlytics (crash reporting)

Purpose:

  • App performance monitoring
  • Crash and error reporting
  • User behavior analytics (screen views, feature usage)
  • Conversion tracking (onboarding completion, subscriptions)

Data Shared:

  • Usage patterns (screens viewed, features used)
  • Device information (device type, OS version, app version)
  • App interactions (button taps, lesson completions)
  • Crash logs and error reports (anonymized)

Data Storage & Transfer:

  • Storage location: United States (Google Cloud servers)
  • Data transfer: HTTPS/TLS encrypted
  • Data retention: Aggregated data retained indefinitely; detailed event data retained for 14 months (Firebase default)
  • Note: Configured WITHOUT advertising identifier support (no IDFA/AAID tracking)

Privacy Policy: https://firebase.google.com/support/privacy

Mixpanel Analytics (Mixpanel Inc.)

Services Used:

  • Mixpanel Analytics (EU servers)

Purpose:

  • User behavior analysis and funnel tracking
  • Feature usage tracking
  • Cohort analysis and retention metrics
  • A/B testing and experimentation

Data Shared:

  • Usage patterns (lesson starts, completions, abandonments)
  • User properties (learning language, proficiency level, subscription status)
  • Event data (onboarding steps, subscription conversions, errors)
  • Session data (frequency, duration)

Data Storage & Transfer:

  • Storage location: European Union (api-eu.mixpanel.com)
  • Data transfer: HTTPS/TLS encrypted to EU servers
  • Data retention: Event data retained for 5 years; can be configured
  • Note: Configured WITHOUT advertising identifier support (no IDFA/AAID tracking)
  • Privacy benefit: EU data residency minimizes international transfers for European users

Privacy Policy: https://mixpanel.com/legal/privacy-policy

User Identification:

  • Anonymous by default for non-signed-in users
  • Identified by user ID for authenticated users (enables cross-device tracking)

How Data is Stored and Transferred

Data Storage Security

We implement multiple layers of security to protect your data:

Encryption in Transit

  • All data transmitted between your device and our servers uses HTTPS/TLS encryption
  • All communications with third-party services (OpenAI, DeepL, Google Cloud, etc.) are encrypted using industry-standard TLS 1.2 or higher protocols
  • Certificate pinning implemented for critical services

Encryption at Rest

  • User data stored in Firebase Firestore is encrypted using Google Cloud's default encryption
  • Sensitive credentials are stored using platform-secure storage mechanisms
  • iCloud sync data is encrypted by Apple's iCloud encryption

Access Controls

  • Secure credential management with verification mechanisms
  • Limited employee access to production data (need-to-know basis)
  • Multi-factor authentication required for administrative access

Secure Storage Methods

  • On-device: Platform-secure storage for credentials, local database for caching
  • Cloud: Firebase Firestore (encrypted at rest and in transit)
  • Sync: iCloud Key-Value Storage (encrypted by Apple)

International Data Transfers

We use service providers that operate globally. Your information may be transferred to and processed in countries other than your own, including:

  • United States: Firebase, OpenAI, Azure OpenAI, Google Text-to-Speech, RevenueCat, Firebase Analytics
  • European Union: Mixpanel (EU servers), DeepL (Germany)
  • Varies by region: Apple Speech Recognition, Apple iCloud (based on your Apple ID country)

These countries may have different data protection laws. We ensure appropriate safeguards are in place:

GDPR Compliance (for EU/EEA users):

  • Standard Contractual Clauses (SCCs) with US-based providers
  • Adequacy decisions where applicable (e.g., EU-US Data Privacy Framework participants)
  • Data Processing Agreements (DPAs) with all service providers

CCPA Compliance (for California residents):

  • Service providers act as "service providers" under CCPA (not "third parties")
  • Contractual restrictions prevent sale or independent use of data

By using our app, you consent to the transfer and processing of your information internationally as described in this policy.

Data Processing Agreements

All third-party service providers are contractually obligated to:

  • Process data only for the purposes we authorize
  • Implement appropriate security measures (encryption, access controls)
  • Not use data for their own independent purposes (except as disclosed in their privacy policies)
  • Comply with applicable data protection laws (GDPR, CCPA, etc.)
  • Delete or return data upon termination of services (except as required by law)
  • Notify us of data breaches affecting user data

Important Notes on AI Data Processing

What Happens to Your Lesson Data

When you use AI-powered lesson features, here's exactly what happens to your data:

1. Conversations are processed in real-time

  • Text is sent to AI providers (OpenAI or Azure OpenAI) for immediate responses
  • Responses are generated and sent back to your device
  • No permanent storage on AI provider servers (beyond 30-day safety monitoring for OpenAI)

2. Audio is sent to Apple for speech recognition

  • Speech recognition is performed by Apple's servers for high accuracy
  • Apple does not store audio or use it for service improvement
  • Only text transcripts are sent to AI services (OpenAI/Azure)
  • You can use text input instead if you prefer not to share audio

3. Data is not used for training

  • OpenAI and Azure OpenAI do NOT use API customer data to train their models
  • Your conversations remain private and are not used to improve AI models

4. Temporary retention for safety

  • OpenAI retains data for 30 days for abuse and misuse monitoring (content policy violations)
  • After 30 days, data is automatically deleted
  • Azure OpenAI does not store data beyond processing time

5. Context isolation

  • Each lesson conversation is independent
  • AI providers cannot link conversations across different lessons or users
  • No persistent user profile is built by AI providers

You Control What's Shared

  • Conversations only occur during active lessons
  • You choose whether to use speech or text input
  • Custom lesson topics you create are sent to generate personalized content
  • You can delete your account at any time to stop all data processing

Your Rights Regarding the Protection of Your Personal Data

As per relevant legislation, you have the right to (so long as certain conditions are met):

General Rights (All Users)

  • Request access to your personal data
  • Request correction of your personal data (also available in app Settings)
  • Request deletion of your personal data (available through Settings → Account → Delete Account)
  • Object to any inappropriate processing of your personal data
  • Request restriction on processing of your personal data
  • Request portability of your personal data
  • Withdraw consent for us to process your personal data (e.g., by revoking device permissions or deleting your account)

Additional Rights Based On Location

California Residents (CCPA):

  • Right to know what personal information is collected
  • Right to delete personal information
  • Right to opt-out of sale of personal information (Note: We do not sell personal information)
  • Right to non-discrimination for exercising privacy rights

EU/EEA Residents (GDPR):

  • All rights listed above
  • Right to lodge a complaint with your local supervisory authority
  • Right to object to processing based on legitimate interests
  • Right to data portability in machine-readable format

How to Exercise Your Rights

If you wish to exercise any of the above rights, please contact us at info@chipmunkstudio.com.

  • Include "Privacy Request" in the subject line
  • Specify which right(s) you wish to exercise
  • Provide enough information to identify your account (e.g., email address, user ID)

Your requests will be answered as soon as possible and within thirty (30) days at the latest.

Data Retention

We retain your information for as long as necessary to provide our services and fulfill the purposes outlined in this policy:

Data Type Retention Period
Account data Retained until you delete your account
Progress data Retained until account deletion
Usage analytics (detailed) 12-26 months (Firebase: 14 months; Mixpanel: configurable)
Usage analytics (aggregated) May be retained indefinitely in anonymized form
Subscription records 7 years (as required by tax and accounting regulations)
Crash logs and diagnostics 30-90 days
AI conversation data (OpenAI) 30 days (for abuse monitoring), then deleted
AI conversation data (Azure) Deleted immediately after processing
Translation data (DeepL) Deleted immediately after processing
Text-to-speech data Deleted immediately after audio synthesis

Account Deletion

When you delete your account (Settings → Account → Delete Account):

  1. We will delete or anonymize your personal data within 30 days
  2. Some data may be retained longer if required by law (e.g., financial records for tax compliance)
  3. Aggregated, anonymized analytics data may be retained indefinitely (this data cannot identify you)
  4. Backup copies stored by our cloud providers (Firebase, etc.) will be automatically deleted according to their backup retention schedules (typically within 90 days)

Data Security

We implement reasonable security measures to protect your information from unauthorized access, alteration, disclosure, or destruction:

Technical Security Measures

  • Encryption of data in transit (HTTPS/TLS) and at rest
  • Secure authentication systems (Firebase Authentication with MFA support)
  • Access controls and limited employee access
  • Secure credential storage using industry-standard practices
  • Regular security reviews and testing
  • Security verification to prevent abuse and unauthorized API access
  • Content filtering to prevent harmful AI-generated content

Limitations

However, no method of transmission over the internet or electronic storage is completely secure. While we strive to protect your personal information, we cannot guarantee absolute security.

You acknowledge and accept the inherent security risks of internet transmission.

Children's Privacy

We do not collect children's data specifically; however, children may use our app. Our collection of personal data is limited to the internal operations of the app, and always in accordance with the terms of this privacy policy.

COPPA Compliance (Children under 13)

We do not knowingly collect personal information from children under 13 years old. If we discover that we have collected data from a child under 13, we will delete it immediately.

Parents or guardians who believe we have collected information from a child under 13 should contact us at info@chipmunkstudio.com.

Additional Protections for All Users (Including Children)

  • No behavioral advertising or third-party ad tracking
  • No advertising identifiers (IDFA/AAID)
  • No data selling to third parties
  • Server-based speech recognition via Apple (audio not stored, not used for ads)
  • Anonymous sign-in option (where supported)

Policy Updates

This Policy may change from time to time. The most current version of our Policy can be found at: https://chipmunkstudio.com/privacy-policy

We will always keep this up to date so that you know what information we will collect from you, how we may use it, and when we may disclose it.

Notification of Material Changes

For material changes to this policy, we will notify you through:

  • In-app notification
  • Email (if you have provided one)
  • Prominent notice in the app

Your continued use of the app after changes are posted constitutes acceptance of the updated policy.

Summary of Our Privacy Practices

We Prioritize Your Privacy

  • No advertising tracking (no IDFA/AAID collection)
  • No third-party advertising networks
  • No selling of user data
  • Anonymous sign-in option available (where applicable)
  • Apple Speech Recognition for high-accuracy transcription (audio not stored or used for ads)
  • EU servers for Mixpanel (data residency for European users)
  • DeepL for translation (EU-based, GDPR-compliant)

We Collect Only What's Necessary

  • Email only if you choose to provide it
  • Activity data to track your progress and personalize your experience
  • Usage analytics to improve our apps (anonymized where possible)
  • Transaction data to manage purchases (where applicable)

You Have Control

  • Delete your account anytime through app Settings
  • Use apps anonymously without email (where supported)
  • Control device permissions (microphone, notifications, camera, etc.)
  • Request your data or deletion at any time

Contact

If you have any questions about our Policy, please contact us at:

Email: info@chipmunkstudio.com
Subject line (for privacy inquiries): "Privacy Request"

For specific requests:

  • Data access requests: "Privacy Request - Data Access"
  • Data deletion requests: "Privacy Request - Delete My Data"
  • General privacy questions: "Privacy Request - Question"

This Privacy Policy is effective as of November 14, 2025 and was last updated on November 14, 2025.

If you have any questions about this Privacy Policy, please contact us at:

info@chipmunkstudio.com