Privacy Policy

Introduction

Luxfort Michal Mrotek, operating as ReadyToSay ("we", "us", or "our"), with registered address at ul. Malinowa 8a, Bydgoszcz, Poland, is the data controller responsible for your personal data. This Privacy Policy explains how we collect, use, store, and protect your information when you use the ReadyToSay mobile application, website (readytosay.app), and related services (collectively, the "Service"). We are committed to protecting your privacy in accordance with the General Data Protection Regulation (GDPR), the EU AI Act, the California Consumer Privacy Act as amended by the California Privacy Rights Act (CCPA/CPRA), and other applicable data protection laws.

Information We Collect

We collect the following categories of information to provide and improve our Service:

Account Information

Email address, display name, and profile picture when you register or sign in via social login (Google, Apple, or Facebook).

Conversation & Session Data

Your practice conversation messages, AI-generated responses, session feedback, scores, and conversation metadata (duration, scenario type, completion status).

Gamification & Progress Data

Achievement badges, experience points (XP), streaks, level progression, and practice session statistics.

Subscription & Payment Data

Subscription plan, billing cycle, and payment status. Payment card details are processed exclusively by Stripe and never stored on our servers.

Technical & Device Data

Device type, operating system, app version, browser type, IP address (truncated for analytics), crash reports, and performance metrics.

Analytics Data

Page views, feature usage, navigation patterns, and interaction events — collected via Mixpanel only with your consent.

We never collect health data, biometric data, precise GPS location, or government-issued identification numbers.

How We Use Your Information

We use your information for the following purposes:

• Providing the Service — facilitating AI-powered conversation practice, generating personalized feedback, and tracking your progress.
• Personalization — adapting conversation difficulty, suggesting scenarios, and customizing your learning path based on your practice history.
• AI Processing — sending your conversation messages to third-party AI providers (OpenAI, Google Gemini) to generate realistic conversation partner responses and coaching feedback.
• Analytics & Improvement — understanding how users interact with the Service to improve features, fix bugs, and develop new scenarios.
• Account Management — authenticating your identity, managing your subscription, and communicating about your account.
• Security & Fraud Prevention — detecting and preventing unauthorized access, abuse, and fraudulent activity.

Legal Basis for Processing (GDPR)

Under the General Data Protection Regulation, we process your personal data based on the following legal grounds:

Consent (Art. 6(1)(a))

For analytics tracking (Mixpanel), marketing communications, and optional data processing where we explicitly ask for your permission. You may withdraw consent at any time.

Contract Performance (Art. 6(1)(b))

Processing necessary to provide the Service you signed up for — including account creation, conversation practice, AI-generated feedback, and subscription management.

Legitimate Interest (Art. 6(1)(f))

For security monitoring, fraud prevention, service improvement, and aggregated analytics that do not override your fundamental rights.

Legal Obligation (Art. 6(1)(c))

Where we are required to retain certain data for tax, accounting, or regulatory compliance purposes.

AI Processing & Transparency

ReadyToSay uses artificial intelligence to power conversation practice. In compliance with the EU AI Act, we provide the following transparency information:

What Data Goes to AI

Your conversation messages within a practice session are sent to AI providers to generate realistic responses. We also send the scenario context and your selected difficulty level. We do not send your name, email, or other personal identifiers to AI providers.

AI Providers

We use OpenAI (GPT models) and Google (Gemini models) as our AI providers. These providers process data under Data Processing Agreements (DPAs) with us.

No AI Training on Your Data

Your conversation data is NOT used to train AI models. Both OpenAI and Google process our API requests under zero-data-retention agreements where technically available, meaning your data is not stored by them beyond the immediate API response.

AI Disclosure

All conversation partners in ReadyToSay are AI-generated. They are not real people. AI-generated feedback and coaching suggestions are for practice purposes only and do not constitute professional advice.

Right to Human Review

Under GDPR Article 22, you have the right not to be subject to decisions based solely on automated processing that significantly affect you. You may request human review of any AI-generated assessment by contacting us at privacy@readytosay.app.

Data Retention

We retain your data for the following periods:

• Conversation session data: 12 months from creation, then automatically anonymized and aggregated for service improvement.
• Account data: Retained while your account is active. After account deletion, we retain a minimal record for 30 days (grace period), then permanently delete.
• Analytics data: 13 months (Mixpanel default retention).
• Server logs: 90 days, then automatically purged.
• Consent records: 3 years, as required for GDPR compliance documentation.
• Payment records: As required by tax and accounting law (typically 5–7 years for transaction records).

You can request deletion of your data at any time. See the Account Deletion section below for details.

Your Rights

Depending on your location, you have the following rights regarding your personal data:

GDPR Rights (EU/EEA Residents)

• Right of access (Art. 15) — obtain a copy of your personal data.
• Right to rectification (Art. 16) — correct inaccurate or incomplete data.
• Right to erasure (Art. 17) — request deletion of your data ('right to be forgotten').
• Right to restriction (Art. 18) — limit how we process your data.
• Right to data portability (Art. 20) — receive your data in a structured, machine-readable format.
• Right to object (Art. 21) — object to processing based on legitimate interest.
• Right to withdraw consent — withdraw consent at any time without affecting prior processing.
• Right to human review (Art. 22) — request human review of automated decisions.
• Right to lodge a complaint with your local Data Protection Authority.

CCPA/CPRA Rights (California Residents)

• Right to know what personal information is collected, used, and shared.
• Right to delete your personal information.
• Right to opt-out of the sale of personal information. Note: We do NOT sell your personal information.
• Right to non-discrimination for exercising your privacy rights.

To exercise any of these rights, contact us at privacy@readytosay.app. We will respond within 30 days.

Sub-processors & Third-Party Services

We share your data with the following sub-processors, each operating under a Data Processing Agreement (DPA):

We regularly review our sub-processors and their data protection practices. This list is current as of the last updated date above.

International Data Transfers

Some of our sub-processors are located outside the European Economic Area (EEA). When we transfer personal data outside the EEA, we ensure appropriate safeguards are in place: Standard Contractual Clauses (SCCs) approved by the European Commission, or the EU-US Data Privacy Framework (DPF) for certified US companies. Our primary database (Neon) and backup storage (Backblaze B2) are hosted in the EU. Analytics data (Mixpanel) is processed through the Mixpanel EU endpoint. We strive to minimize data transfers outside the EU wherever technically feasible.

Cookies and Tracking

We use cookies and similar technologies on our website:

Essential Cookies

Required for basic website functionality, including consent preferences and session management. These cannot be disabled.

Analytics Cookies

Used only with your explicit consent to understand website usage via Mixpanel. You can opt out at any time.

You can manage your cookie preferences at any time using the Cookie Settings .

The ReadyToSay mobile app does not use browser cookies. Analytics in the app are handled through the Mixpanel SDK, which is only activated after you provide consent via the in-app consent screen, in accordance with ePrivacy Directive requirements.

Payments & Subscriptions

Payment processing for ReadyToSay is handled by Stripe, a PCI DSS Level 1 certified payment processor.

• We never store, process, or have access to your full credit card number, CVV, or bank account details.
• Stripe collects and processes payment information directly. We only receive a tokenized reference, payment status, and billing metadata (plan type, amount, currency).
• For in-app purchases on iOS or Android, payments are processed by Apple or Google respectively, under their own privacy policies.
• Subscription management and receipt validation may be processed through RevenueCat under their Data Processing Agreement.

Stripe Privacy Policy →

Social Login

ReadyToSay offers sign-in via Google, Apple, and Facebook. When you use social login:

• We receive only your email address, display name, and profile picture from the social login provider.
• We do not access your contacts, posts, messages, or any other data from your social media accounts.
• You can revoke ReadyToSay's access at any time through your Google, Apple, or Facebook account settings.
• Apple's "Hide My Email" feature is fully supported — you can sign in without sharing your real email address.

Children's Privacy

ReadyToSay is intended for users aged 16 and older. We do not knowingly collect personal information from individuals under 16 years of age. If we learn that we have collected personal data from a person under 16, we will take steps to delete such information promptly. If you believe a child under 16 has provided us with personal data, please contact us at privacy@readytosay.app.

Account Deletion

You can request deletion of your account and associated data at any time:

• In the ReadyToSay app: Go to Settings → Account → Delete Account.
• Via our website: Visit readytosay.app/delete-account and follow the instructions.
• By email: Send a request to privacy@readytosay.app with the subject "Account Deletion Request".

What Gets Deleted

Your profile information, conversation history, practice session data, progress and achievements, and subscription data (billing records retained as required by law).

After you request deletion, your account enters a 30-day grace period during which you can reactivate it. After 30 days, all data is permanently and irreversibly deleted.

Some anonymized, aggregated data (e.g., total session counts, average scores) may be retained for service improvement purposes, but this data cannot be linked back to you.

Data Security

We implement industry-standard security measures to protect your data:

• All data in transit is encrypted using TLS 1.2+ (HTTPS).
• Passwords are hashed using Argon2id with per-user salts.
• Database connections are encrypted and access is restricted by IP allowlists.
• API endpoints are protected with rate limiting, CORS policies, and security headers (CSP, HSTS, X-Frame-Options).
• We conduct regular security reviews and dependency vulnerability scanning.
• Access to production systems is limited to authorized personnel with multi-factor authentication.

In the event of a data breach that poses a risk to your rights, we will notify affected users and the relevant Data Protection Authority within 72 hours, as required by GDPR Article 33.

Changes to This Policy

We may update this Privacy Policy from time to time. For significant changes, we will notify you via in-app notification and/or email at least 30 days before the changes take effect. The "Last Updated" date at the top of this page indicates the most recent revision. We encourage you to review this policy periodically. Continued use of the Service after changes take effect constitutes acceptance of the updated policy.

Contact Us

For privacy-related questions, data subject requests, or to exercise your rights, contact us:

We respond to all requests within 30 days. For GDPR requests, we may extend this period by up to 60 additional days for complex requests, in which case we will inform you of the extension and the reasons within the initial 30-day period.

If you are not satisfied with our response, you have the right to lodge a complaint with your local Data Protection Authority. For Polish residents, this is the President of the Personal Data Protection Office (UODO).