Privacy Policy
Last updated: 01 July 2026 · Effective date: 01 July 2026
1. Data Controller
Speassy is operated by an individual based in Poland who acts as the Data Controller within the meaning of GDPR Article 4(7).
Contact: privacy@speassy.com
Website: https://speassy.com
Full controller details including legal name, registered address, and company registration numbers will be published upon incorporation of a Polish legal entity. To exercise your rights under GDPR or contact the Data Controller directly, email privacy@speassy.com.
2. What Speassy Currently Offers
In its current version, Speassy provides two features: live audio rooms for group speaking practice, and 1-on-1 text messaging for language exchange. The Platform is entirely free. There are no teacher listings, no paid lessons, no marketplace, and no subscription plans. This Privacy Policy reflects exactly what the Platform currently does.
3. Personal Data We Collect and Why
The table below lists every category of personal data Speassy collects, the legal basis for processing, and how long we retain it.
| Data Category | Examples | Legal Basis | Retention |
|---|---|---|---|
| Account data | Name, email, password hash, date of birth | Contract performance (Art. 6(1)(b)), Legal obligation for age verification (Art. 6(1)(c)) | Account lifetime + 30 days |
| Messages | Content of 1-on-1 text messages | Contract performance (Art. 6(1)(b)) | Account lifetime, or until deleted by user |
| Usage analytics | Page views, feature usage (via GA4, Mixpanel) | Consent (Art. 6(1)(a)) | 2 years |
| Error monitoring data | Crash logs, error traces (via Sentry) | Legitimate interest (Art. 6(1)(f)) | 90 days |
| Server logs | IP address, access logs | Legitimate interest (Art. 6(1)(f)) | 90 days |
| Room reports | Report reason, room ID, reporter user ID | Legal obligation (Art. 6(1)(c), DSA Art. 13) | 3 years |
| Consent records | Cookie consent, marketing opt-in timestamps | Legal obligation (Art. 6(1)(c)) | Minimum 3 years |
Passwords are stored using a strong one-way hashing algorithm. We never store or transmit plaintext passwords. Your date of birth is used exclusively for age verification and is never sent to Mixpanel, Google Analytics, or any other third-party service.
4. Age Verification
Speassy is restricted to users aged 16 and over under GDPR Article 8 and Polish law. We collect your full date of birth (day, month, year) at registration to enforce this.
- If the date of birth you enter indicates you are under 16, registration is blocked immediately and no account or data record is created.
- If you are 16 or older, your date of birth, the timestamp of verification, and your calculated age at registration are stored as compliance evidence.
- Your date of birth is never transmitted to any analytics provider or used for any purpose other than age verification.
- If we become aware that a user registered by providing a false date of birth and is under 16, we will delete their account and all associated data without delay.
The legal responsibility for providing an accurate date of birth lies with the user. Speassy fulfils its obligation under GDPR Art. 8 by collecting full date of birth, calculating age server-side, and blocking under-16 registrations.
5. How We Collect Your Data
- Directly from you: when you register (name, email, date of birth, password), update your profile, send messages, or contact support.
- Automatically: IP address, device type, browser, and usage patterns collected via server logs, Google Analytics (GA4), and Mixpanel — only after age is verified and cookie consent is given.
- Error monitoring: Sentry captures technical error data automatically when the app encounters a bug, under legitimate interest. No cookie consent is required for Sentry’s core error monitoring.
- Room reports: when you submit a report from an audio room, we collect the report reason, room identifier, and your user identifier. We do not store audio.
6. How We Use Your Data
- To provide the Platform: account data and messages are processed under contract performance (Art. 6(1)(b)).
- To verify age: your date of birth is processed under legal obligation (Art. 6(1)(c)) to comply with GDPR Art. 8.
- To maintain security: error and log data are processed under legitimate interest (Art. 6(1)(f)).
- To understand Platform usage: Mixpanel and GA4 analytics, processed only with your consent (Art. 6(1)(a)) and only after age is verified.
- To send marketing communications: email newsletters and push notifications only if you have explicitly opted in (Art. 6(1)(a)). You can withdraw at any time.
- To process room reports: report data is processed under legal obligation (Art. 6(1)(c)) to comply with DSA Article 13.
7. Analytics Blocked Until Age and Consent Are Confirmed
Mixpanel and Google Analytics (GA4) are not initialised until both of the following are true:
- Your date of birth has confirmed you are 16 or older at registration, and
- You have accepted analytics cookies via our cookie consent banner.
If your registration is blocked because you are under 16, no analytics data is collected about that session. Sentry error monitoring may run before consent under legitimate interest — it tracks technical errors only, not user behaviour.
8. Third-Party Data Processors
We share data with the following processors acting on our instructions. All have been assessed for GDPR compliance. There are currently no payment processors as Speassy is entirely free.
| Processor | Purpose | Data Shared | Location |
|---|---|---|---|
| home.pl S.A. | VPS hosting | All primary data | Frankfurt, Germany (EEA) |
| Google Analytics (GA4) | Usage analytics | Anonymised usage data | US (SCCs) |
| Mixpanel | Product analytics | Anonymised usage data | US (SCCs) |
| Sentry | Error monitoring | Error logs, browser info | US (SCCs) |
Mixpanel and Sentry are US-based. Transfers are covered by Standard Contractual Clauses (SCCs) under GDPR Art. 46(2)(c). Your primary data — account details, messages, and date of birth — is stored exclusively on our home.pl VPS in Frankfurt, Germany, within the EEA.
9. Marketing Communications
9.1 Email Newsletters
We send email newsletters only to users who have explicitly opted in via a separate unchecked checkbox at or after registration. Every email contains a one-click unsubscribe link. You can also withdraw consent at any time in account settings.
9.2 Push Notifications
We request push notification permission only after you have completed onboarding. You can disable push notifications at any time in your device settings or in the Speassy app under Settings > Notifications.
10. Audio Rooms and the Report Mechanism
Live audio room sessions are transmitted in real time. Speassy does not record or store any audio content. All registered users aged 16 and over have full access to audio rooms.
Every audio room contains a visible report button. When you submit a report, we collect the report reason, the room identifier, and your user identifier. No audio is stored. Report data is retained for 3 years under our DSA Article 13 legal obligation and reviewed by Speassy.
11. Your Rights Under GDPR / RODO
All requests are free of charge and will be responded to within 30 days (extendable to 90 days for complex requests with prior notice):
| Right | What It Means |
|---|---|
| Access (Art. 15) | Get a copy of all personal data we hold about you. |
| Rectification (Art. 16) | Correct inaccurate data. |
| Erasure (Art. 17) | Request deletion of your data (“right to be forgotten”). |
| Restriction (Art. 18) | Limit how we process your data. |
| Data portability (Art. 20) | Receive your data in a machine-readable format. |
| Objection (Art. 21) | Object to processing based on legitimate interest. |
| Withdraw consent (Art. 7) | Withdraw consent at any time where processing is based on consent. |
| Lodge complaint (Art. 77) | Complain to a supervisory authority (UODO). |
12. Data Security
- Passwords: hashed using a strong one-way algorithm — never stored or transmitted in plaintext.
- Date of birth: stored securely and excluded from all analytics payloads and third-party transmissions.
- Transport encryption: all data in transit encrypted using TLS 1.2 or higher (HTTPS enforced).
- Server security: home.pl VPS in Frankfurt secured with firewall rules, regular patching, and restricted access.
- Error monitoring: Sentry enables rapid detection of and response to security incidents.
In the event of a personal data breach likely to result in risk to your rights, we will notify UODO within 72 hours (GDPR Art. 33) and notify affected users directly where high risk is likely (GDPR Art. 34).
13. International Data Transfers
Your core data (account details, messages, date of birth) is stored on our VPS server in Frankfurt, Germany — within the EEA. No international transfer occurs for primary data storage.
Google Analytics, Mixpanel, and Sentry are US-based and receive certain data. All transfers are covered by Standard Contractual Clauses (SCCs) under GDPR Art. 46(2)(c).
14. Data Retention
- Account data (name, email, password hash): duration of account + 30 days after deletion.
- Date of birth and age verification record: duration of account + 3 years after deletion.
- Messages: duration of account, or until deleted by the user.
- Usage analytics (Mixpanel, GA4): 2 years.
- Error data (Sentry): 90 days.
- Server logs (IP address, access logs): 90 days.
- Consent records (cookie and marketing): minimum 3 years.
- Room reports: 3 years.
When you delete your account, all personal data is deleted or irreversibly anonymised within 30 days, except where legal obligations require retention (age verification record, consent records, room reports).
15. Automated Decision-Making
Speassy does not use automated decision-making or profiling that produces legal or similarly significant effects (GDPR Art. 22). Age blocking at registration is an automated compliance check required by law — users are free to return when they reach the minimum age of 16.
16. Changes to This Policy
We will update this Privacy Policy when new features are introduced, when a company is incorporated, or when legal requirements change. Registered users will be notified by email at least 14 days before material changes take effect.
17. Contact and Supervisory Authority
17.1 Contact
Contact: privacy@speassy.com
Website: https://speassy.com
17.2 Supervisory Authority — UODO
If you believe we have not handled your personal data lawfully, you may lodge a complaint with:
Urząd Ochrony Danych Osobowych (UODO)
Address: ul. Stawki 2, 00-193 Warsaw, Poland
Website: https://uodo.gov.pl
Email: kancelaria@uodo.gov.pl
Phone: +48 22 531 03 00