Privacy Policy

1. Data Controller and Identification

For the purposes of Regulation (EU) 2016/679 (GDPR), the UK GDPR, the Spanish Organic Law 3/2018 on the Protection of Personal Data and the Guarantee of Digital Rights (LOPDGDD), and Law 34/2002 on Information Society Services and Electronic Commerce (LSSI-CE), the data controller is:

[Nombre legal completo del titular — pendiente], a sole-trader natural person established in Spain (hereinafter, the “Operator”, “we”, “us”, or “Talq AI”). Tax ID (NIF): [NIF — pendiente]. Address for service: [Domicilio postal para notificaciones — pendiente]. Contact: support@talqai.app. Website: https://talqai.app.

Because the Operator is established in the European Economic Area, no separate Article 27 GDPR representative is required for EEA users. Talq AI has not designated a Data Protection Officer because the legal thresholds in Article 37 GDPR are not met; however, all privacy matters are handled directly by the Operator at privacy@talqai.app.

2. Scope of this Policy

This Privacy Policy describes how we collect, use, disclose, and safeguard personal information when you interact with the Talq AI website at https://talqai.app (including the pre-launch waitlist), the Talq AI mobile application for iOS and Android (the “App”), and any related support, billing, communications, and back-end services (collectively, the “Service”).

Where a particular practice applies only to the website or only to the App, that scope is indicated in the relevant subsection. If you do not agree with this Policy, please do not use the Service.

3. Personal Data We Collect

4. How We Use Personal Data

• Operate, secure, maintain, and provide the Service, including authentication, real-time voice infrastructure, and personalized practice.
• Provide language-learning features: conversation generation, transcription, feedback, scenario planning, recommendations, and progress tracking.
• Manage subscriptions and entitlements, restore purchases, and respond to billing or refund inquiries.
• Send transactional communications (account verification, password reset, subscription receipts and renewal notices, support replies, security notices, and material policy changes).
• Send waitlist and product launch communications you have requested, with an unsubscribe option in every message.
• Measure reliability and improve the product through analytics, diagnostics, performance monitoring, and aggregate usage analysis.
• Detect, prevent, and respond to fraud, abuse, security incidents, and violations of our Terms of Service.
• Comply with applicable legal obligations, respond to lawful requests, and establish, exercise, or defend legal claims.

5. Automated Processing and Artificial Intelligence

The Service uses third-party large language models, speech-to-text systems, and text-to-speech systems to generate practice conversations, transcribe your speech, generate feedback, and synthesize spoken replies. These outputs are produced by automated systems and may be inaccurate, incomplete, biased, or contextually inappropriate.

In line with the EU Artificial Intelligence Act and Article 22 GDPR, we confirm that the Service does not use solely automated decision-making with legal or similarly significant effects on you. AI is used exclusively to deliver educational content; you retain full control over how you use the outputs. Where applicable, we mark AI-generated content as such.

Your conversation prompts and audio are sent to AI and speech providers strictly for the purpose of generating an immediate response. We do not authorize providers to use your inputs to train their public foundation models, and we contractually rely on each provider’s zero-retention or short-retention configuration where available. Provider terms may evolve; the current list of providers is in Section 7.

6. Legal Bases for Processing (EEA / UK)

• Performance of a contract (Article 6(1)(b) GDPR): to create your account, deliver the Service, and process subscriptions and support requests.
• Legitimate interests (Article 6(1)(f) GDPR): to keep the Service secure, prevent abuse, measure reliability, improve the product, and communicate operational changes. You may object at any time on grounds relating to your particular situation.
• Consent (Article 6(1)(a) GDPR): for optional marketing emails, beta-test invitations, non-essential analytics where required by local law, and any processing of special-category data you voluntarily submit. You may withdraw consent at any time without affecting the lawfulness of processing carried out before withdrawal.
• Compliance with legal obligations (Article 6(1)(c) GDPR): to comply with tax, accounting, consumer-protection, and other applicable Spanish and EU laws.
• Establishment, exercise, or defense of legal claims (Article 9(2)(f) GDPR), where applicable.

7. Service Providers and Recipients

We do not sell your personal data, and we do not “share” it for cross-context behavioral advertising as those terms are defined under California law. We disclose personal data only to the categories of recipients listed below, strictly to the extent necessary to deliver, secure, and support the Service:

• Supabase (database, authentication, storage) — processor.
• LiveKit (real-time voice infrastructure) — processor.
• Deepgram (speech-to-text) — processor.
• Inworld (text-to-speech) — processor.
• Groq, OpenRouter, and OpenAI (conversational and feedback large language models) — processors.
• RevenueCat (subscription management and entitlement reconciliation) — processor; the Apple App Store and Google Play act as independent controllers/sellers of record for payment and tax processing.
• PostHog (product analytics and event measurement) — processor.
• Sentry (crash reporting, diagnostics, performance monitoring) — processor.
• Resend and other transactional email providers — processors.
• Vercel (website hosting, build infrastructure, and aggregate website analytics) — processor.
• Professional advisors (legal, accounting, tax) and competent public authorities, where strictly necessary or legally required.
• A successor entity in the event of a merger, acquisition, or asset sale, subject to equivalent confidentiality and data-protection obligations.

8. International Data Transfers

Some of the providers listed in Section 7 are established outside the European Economic Area, including in the United States. Where personal data is transferred outside the EEA or the UK, we rely on appropriate safeguards under Articles 44–49 GDPR, primarily the European Commission’s Standard Contractual Clauses (and the UK International Data Transfer Addendum where applicable), supplemented by technical and organizational measures such as encryption in transit and at rest and access controls.

For transfers to the United States, where a recipient is certified under the EU–US Data Privacy Framework (and the UK and Swiss extensions), we additionally rely on that adequacy mechanism.

You may request a copy of the relevant transfer safeguards by contacting us at the privacy contact below.

9. Data Retention

We keep personal data only for as long as necessary for the purposes described in this Policy and to comply with our legal obligations. Indicative retention periods:

• Waitlist data: until launch in your region plus six (6) months, or until you unsubscribe, whichever is earlier.
• Account, profile, and learning data: while your account is active and for up to thirty (30) days after deletion to allow recovery, plus a further period in encrypted backups before they are overwritten in the normal backup cycle (up to ninety (90) days).
• Conversation transcripts and feedback history: for the duration of your account and deleted on the same schedule as your account, unless retained in aggregated, de-identified form for product analytics.
• Audio streams: not retained after the session ends, except for transient real-time buffering by communications and AI providers as strictly necessary to deliver the response.
• Subscription and tax records: up to six (6) years where required by Spanish tax and accounting law (Ley General Tributaria, Código de Comercio).
• Security and access logs: typically 30 to 90 days for incident response and abuse prevention.
• Support correspondence: up to twenty-four (24) months from the last interaction, unless a longer period is required for legal-claim purposes.

10. Security

We apply technical and organizational measures appropriate to the risk, including TLS for data in transit, encryption at rest provided by our infrastructure providers, hardened authentication, role-based access controls, secret rotation, vulnerability monitoring, and the principle of least privilege. We periodically review provider security posture (SOC 2, ISO 27001, or equivalent attestations where available).

No system is perfectly secure. If we become aware of a personal-data breach that is likely to result in a risk to your rights and freedoms, we will notify the competent supervisory authority and, where required, affected users without undue delay, in accordance with Articles 33 and 34 GDPR.

11. Your Rights (EEA / UK / Spain)

Subject to applicable law, you have the right to:

• Access your personal data and obtain a copy of it.
• Have inaccurate or incomplete data rectified.
• Request erasure (right to be forgotten) where applicable.
• Restrict processing in certain circumstances.
• Object to processing based on legitimate interests, including profiling.
• Data portability for data you provided based on consent or contract.
• Withdraw consent at any time, without affecting the lawfulness of prior processing.
• Not be subject to a decision based solely on automated processing producing legal or similarly significant effects (we do not carry out such processing).
• Lodge a complaint with the Spanish Data Protection Agency (Agencia Española de Protección de Datos, AEPD, www.aepd.es) or your local supervisory authority.

12. Your Rights (United States)

13. Children’s Privacy

The Service is not directed to children under thirteen (13) years of age, and we do not knowingly collect personal data from children under 13. In the European Economic Area, the United Kingdom, and other jurisdictions where the digital age of consent is set higher, the minimum age is sixteen (16) unless the law of the user’s country provides for a lower age (Spain and several other EU Member States set 14 under their national law). Where a parent or legal guardian becomes aware that a child below the applicable digital age has provided personal data without lawful authorization, please contact us and we will delete the data without undue delay.

This Policy and the Service comply with the U.S. Children’s Online Privacy Protection Act (COPPA) by not knowingly directing the Service to or collecting from children under 13.

14. Cookies and Similar Technologies

The website uses strictly necessary cookies and local storage to operate, including for security and rate-limiting. Aggregate analytics are collected by Vercel Analytics on a privacy-preserving, cookie-less basis. We do not use advertising cookies.

The App uses local storage and SDK-level identifiers strictly to operate the Service, deliver crash diagnostics, manage notifications, and reconcile subscription state. The App does not use IDFA-based tracking and, where applicable, does not present an Apple App Tracking Transparency prompt because no cross-app or cross-website tracking is performed.

15. App Store and Google Play Disclosures

We align this Policy with the Apple App Privacy nutrition labels and the Google Play Data safety form. The data-type categories declared in those forms correspond to the data described in Section 3 above. If you spot a discrepancy between this Policy and the store disclosures, this Policy is the canonical and most up-to-date description, and we will reconcile the store form at the next App release.

Apple and Google process payments, taxes, and refunds as independent controllers and sellers of record. We receive only a transaction reference, the country/region of purchase, and the entitlement state.

16. Account Deletion

You may delete your account at any time from inside the App (Profile → Account Data → Delete Account) or by emailing privacy@talqai.app from the address associated with the account. Public, store-compliant instructions are available at https://talqai.app/account-deletion. Deletion is subject to limited retention as described in Section 9 and the cancellation of any active subscription through the relevant app store.

17. Changes to this Policy

We may update this Policy from time to time. The “Last updated” date at the top of the document reflects the latest revision. If changes are material, we will provide reasonable advance notice through the App, the website, or by email where appropriate. Continued use of the Service after the effective date of an update constitutes acceptance of the updated Policy.

18. Contact and Complaints

Privacy and data-protection matters: privacy@talqai.app.

General support: support@talqai.app.

Postal address: [Domicilio postal para notificaciones — pendiente].

You also have the right to lodge a complaint with the Agencia Española de Protección de Datos (www.aepd.es) or with the supervisory authority of your habitual residence, place of work, or place of the alleged infringement.