Privacy Policy

Last updated: July 2025

1. Who We Are (Data Controller)

Worzup is an AI-powered language learning service. The controller is established in the European Union.

2. What Data We Collect and Why

Data	Purpose	Legal Basis (GDPR Art. 6)
Email address	Account creation, verification, login, password reset, critical service communications	(b) Contract performance
Username & password hash	Authentication	(b) Contract performance
Display name	In-app personalization (optional field)	(b) Contract performance
Country	Regional defaults and localization (optional field)	(f) Legitimate interest
Birth year	Age eligibility verification (minimum age 16)	(c) Legal obligation (GDPR Art. 8)
Learning data (lookups, SRS scores, quiz results, readup content)	Core service functionality — delivering personalized language learning	(b) Contract performance
Activity logs	Progress tracking, usage statistics shown to the user	(b) Contract performance
Google OAuth identity	Authentication via Google Sign-In (email and name only)	(b) Contract performance
IP address (transient)	Security, rate limiting. Not stored long-term.	(f) Legitimate interest
Web push subscription	Optional push notifications (user-enabled, revocable)	(a) Consent
Anonymous page-view analytics	Understanding how visitors use the site (self-hosted Umami — no cookies, no personal data)	(f) Legitimate interest
Signup attribution (UTM parameters)	Understanding which campaigns bring new users	(f) Legitimate interest

Data we do NOT collect

• We do not automatically import your Google profile picture. You may choose to link it in settings.
• We do not use analytics cookies or third-party tracking services. Our analytics tool (Umami) is self-hosted on our own server, collects no personal data, and uses no cookies.
• We do not sell or share your data with third parties for advertising purposes.

3. How We Use Google Sign-In

When you sign in with Google, we receive your email address, name, and a unique identifier from Google. We use this only for authentication and account creation. We do not access your Google contacts, calendar, or any other Google services.

4. Data Processors

We use the following third-party services to operate Worzup:

Processor	Purpose	Data Location
Microsoft Azure	Server hosting	West Europe (Netherlands)
OpenAI	AI-powered language content generation	USA (OpenAI DPA in place)
Zoho	Transactional email delivery	EU data center
Google	OAuth authentication	Global (Google DPA)

All processors are bound by Data Processing Agreements (Art. 28 GDPR). For transfers outside the EU/EEA (e.g., OpenAI), we rely on Standard Contractual Clauses (SCCs) or equivalent safeguards.

5. Data Retention

• Account data — retained as long as your account is active.
• Learning data — retained as long as your account is active.
• Email verification tokens — expire after 24 hours.
• Deleted accounts — all user data is permanently deleted within 30 days of a deletion request.

6. Your Rights

Under the GDPR, you have the following rights regarding your personal data:

• Access (Art. 15) — request a copy of your personal data.
• Rectification (Art. 16) — correct inaccurate or incomplete data.
• Erasure (Art. 17) — request deletion of your account and all associated data.
• Restriction (Art. 18) — request restricted processing of your data.
• Data Portability (Art. 20) — receive your data in a machine-readable format.
• Objection (Art. 21) — object to processing based on legitimate interest.
• Withdraw Consent (Art. 7(3)) — for processing based on consent (e.g., push notifications), you can withdraw at any time.

To exercise any of these rights, contact us at privacy@worzup.com. We will respond within 30 days.

7. Account Deletion

To request deletion of your account and all associated data, email privacy@worzup.com. Deletion covers all personal data including:

• Account profile (username, email, display name, country)
• All learning data (lookups, SRS data, quiz scores, activity logs)
• Readup content and bundles
• Push notification subscriptions
• Google OAuth identity links

Deletion is permanent and irreversible. We will process requests within 30 days.

8. Security

We implement appropriate technical and organizational measures to protect your data (Art. 32 GDPR), including:

• Password hashing using industry-standard algorithms
• HTTPS encryption for all data in transit
• Secure, time-limited email verification tokens
• Secure authentication with encrypted cookies
• Regular backups

9. Children's Privacy

Worzup is not intended for users under 16 years of age. We do not knowingly collect personal data from anyone under 16. If we discover that we have collected data from a user under 16, we will promptly delete the data and terminate the account.

10. Supervisory Authority

If you believe we have not handled your data appropriately, you have the right to lodge a complaint with your local data protection supervisory authority.

11. Changes to This Policy

We may update this Privacy Policy from time to time. Material changes will be communicated via email or an in-app notice. The "Last updated" date above will be revised accordingly.