Privacy Policy

Privacy Policy – Elira

Effective Date: [INSERT DATE] Last Updated: [INSERT DATE]

Elira ("we", "us", "our") is operated by Hüseyin Talha Kadat as a sole proprietorship registered in the Republic of Türkiye. This Privacy Policy explains how we collect, use, share, and protect your personal information when you use our mobile application and website (eliraapp.com).

By using Elira, you acknowledge that you have read and understood this Privacy Policy.

1. Overview

Elira is an AI-powered language learning application that provides vocabulary training, AI-generated learning content, spaced repetition flashcards, quizzes, and text-to-speech tools.

This Policy covers:

2. Information We Collect

2.1 Account Information

When you create an account, we collect:

  • Email address (required) – for authentication, password reset, and account-related communication
  • Username (required) – publicly visible identifier you choose
  • Password (stored as a salted hash; never in plain text)
  • Profile photo / avatar (optional) – either a preset avatar or an image you upload
  • Native language and study language preferences (required for personalization)

If you sign in with a social provider (Apple, Google, or Facebook), we also receive the email address, name, and profile picture URL associated with that provider account.

2.2 Learning Data

Generated as you use the app:

  • Vocabulary you add (words, meanings, language)
  • Sentences you write or save
  • Flashcard review history (correct/incorrect, timestamps)
  • Quiz results (matching, listening, context, spelling)
  • Streak and daily activity dates
  • Personal collections (folders) and bookmarks
  • Onboarding choices and preferences

2.3 Technical Data

  • Platform (iOS / Android / Web) – needed for push notifications and platform-specific behavior
  • Push notification token (Firebase Cloud Messaging) – used solely to deliver notifications to your device
  • IP address – temporarily processed in memory for spam and brute-force prevention; not persistently stored
  • Time zone – used to schedule notifications in your local time

We do not collect device model, IMEI, MAC address, advertising identifiers, or other persistent device identifiers. We do not use crash analytics or third-party error reporting SDKs.

2.4 Usage Data

  • Daily session duration – aggregated in seconds per day, used to display your activity statistics

We do not track which screens you visit, which buttons you tap, or your individual feature usage events.

2.5 Payment Information

When you subscribe to Elira Premium:

  • In-app purchases are processed by Apple App Store or Google Play. We receive only the subscription status and a transaction identifier; we never see your payment card details.
  • Web purchases are processed by Paddle (acting as the merchant of record). Paddle collects your billing information directly. We receive only your subscription status, plan, and email address from Paddle.

3. How We Use Your Data

We use your data to:

  • Provide and operate the Elira service (sync vocabulary, run quizzes, render flashcards)
  • Generate AI responses (translations, definitions, conjugations, stories, examples)
  • Send transactional emails (password reset, account notifications)
  • Send push notifications you have enabled (learning reminders, streak updates)
  • Manage subscriptions and process payments via Apple, Google, or Paddle
  • Detect and prevent abuse (rate-limiting, spam protection)
  • Comply with legal obligations
  • Improve service reliability (only via aggregated, non-identifiable data)

3.1 Legal Basis for Processing (GDPR)

Under the EU General Data Protection Regulation (GDPR), we process your data on the following legal bases:

Data categoryLegal basis
Account information, learning data, paymentsPerformance of a contract (Article 6(1)(b))
IP address for rate-limitingLegitimate interest in service security (Article 6(1)(f))
Push notification tokensYour consent (Article 6(1)(a)) — withdrawable in app settings
Compliance with tax / accounting lawsLegal obligation (Article 6(1)(c))

4. Third-Party Service Providers

We work with the following service providers ("data processors") who process your data on our behalf, under written agreements consistent with applicable data protection law:

ProviderPurposeData shared
Firebase Authentication (Google LLC, USA)Social sign-in (Apple / Google / Facebook)Email, name, profile picture URL, provider info
Firebase Cloud Messaging (Google LLC, USA)Push notificationsDevice push token, notification content
Anthropic (Claude API) (Anthropic PBC, USA)AI: word forms, details, reviewWords and short context strings you submit
Google Gemini API (Google LLC, USA)AI: classification, detection, translation, story generationWords, sentences, and short context strings you submit
ElevenLabs (USA)High-quality text-to-speechText strings to be synthesized
Google Cloud Text-to-Speech (Google LLC, USA)Fallback text-to-speechText strings to be synthesized
Cloudflare R2 (Cloudflare Inc., USA)Storage of avatar images and audio cacheAvatar files, audio files
Resend (Resend Inc., USA)Transactional email deliveryEmail address, message content
RevenueCat (RevenueCat Inc., USA)Mobile subscription managementAnonymous user ID, subscription events
Paddle (Paddle.com Market Ltd., UK / USA)Web payment processingEmail address, billing information (collected by Paddle directly)
Apple App StoreiOS in-app purchasesAnonymized purchase token
Google PlayAndroid in-app purchasesAnonymized purchase token

Each provider is bound by their own terms and applicable data protection law. We do not sell or rent your personal information to any party.

5. AI Processing

When you use AI-powered features, the words and sentences you submit are sent to our AI providers (Anthropic and Google Gemini) only to generate the immediate response you requested. API submissions made by these providers are typically retained briefly (e.g., up to 30 days for abuse monitoring) and then deleted, in accordance with each provider's API terms.

We do not use your inputs to build user profiles or automated decision-making systems. We do not save your raw AI prompts on our servers beyond what is necessary to display the result back to you (e.g., a generated definition stored alongside the word in your account).

6. Data Retention

We retain your personal data only as long as necessary for the purposes described in this Policy:

DataRetention
Active account data (vocabulary, sentences, progress)While your account is active
Account after deletion (database)Removed immediately
Backups containing deleted dataUp to 30 days, then permanently overwritten
Server access logsUp to 30 days
Refresh tokens (mobile session)90 days, or until logout / password change
Anonymized aggregate statisticsMay be retained indefinitely
Transactional records (tax / accounting)As required by Turkish law (typically up to 10 years)

7. Account Deletion

You can delete your Elira account at any time:

  • In the app: Settings → Delete Account (requires typing your username to confirm)
  • By email: Send a deletion request to support@eliraapp.com from the email address registered with your account

When you delete your account:

  • Your username, email, password, vocabulary, sentences, quiz history, streak, preferences, and other learning data are deleted from our active database.
  • Push notification tokens linked to your account are removed.
  • Backups will continue to contain a copy of this data for up to 30 days, after which all copies are permanently deleted.
  • Anonymized aggregate statistics that cannot identify you may be retained.
  • Records required for legal/tax compliance may be retained as required by law.

8. Your Rights (GDPR & UK GDPR)

If you are located in the European Economic Area, the United Kingdom, or Türkiye (under KVKK – Personal Data Protection Law No. 6698), you have the following rights:

  • Right of access – Obtain a copy of your personal data
  • Right of rectification – Correct inaccurate data
  • Right to erasure ("right to be forgotten") – Delete your data
  • Right to restrict processing – Limit how we use your data
  • Right to data portability – Receive your data in a machine-readable format (JSON export available on request)
  • Right to object – Object to processing based on legitimate interest
  • Right to withdraw consent – Where processing is based on consent (e.g., notifications), you may withdraw it at any time
  • Right to lodge a complaint – File a complaint with your local supervisory authority:
    • Türkiye: Kişisel Verileri Koruma Kurumu (KVKK) – kvkk.gov.tr
    • EU: Your national data protection authority (list at edpb.europa.eu)
    • UK: Information Commissioner's Office (ICO) – ico.org.uk

To exercise any of these rights, contact us at support@eliraapp.com. We will respond within 30 days.

9. California Privacy Rights (CCPA & CPRA)

If you are a California resident, the California Consumer Privacy Act ("CCPA") as amended by the California Privacy Rights Act ("CPRA") gives you the following rights:

9.1 Right to Know

You may request information about the categories and specific pieces of personal information we have collected about you in the past 12 months, the sources, the purposes, and the parties with whom we share it.

9.2 Right to Delete

You may request deletion of personal information we have collected from you, subject to legal exceptions.

9.3 Right to Correct

You may request correction of inaccurate personal information we maintain about you.

9.4 Right to Opt-Out of Sale or Sharing of Personal Information

We do not sell or share your personal information for monetary or other valuable consideration. We do not engage in "cross-context behavioral advertising."

9.5 Right to Limit Use of Sensitive Personal Information

We do not collect or use "sensitive personal information" as defined by CPRA.

9.6 Right to Non-Discrimination

We will not discriminate against you for exercising any of your CCPA/CPRA rights.

9.7 Authorized Agent

You may designate an authorized agent to make a request on your behalf. We may require verification.

To exercise any of these rights, contact support@eliraapp.com with the subject line "California Privacy Request." We will respond within 45 days.

10. Children's Privacy

Elira is not intended for users under 13 years of age.

  • We do not knowingly collect personal information from children under 13.
  • During registration, users must confirm they are at least 13 years old.
  • If we learn that we have collected personal information from a child under 13, we will delete that information as soon as possible.
  • If you are a parent or guardian and believe a child has provided us with personal information, please contact support@eliraapp.com and we will promptly delete the data and the associated account.

11. International Data Transfers

Because most of our service providers are based in the United States or other countries outside the EEA, your personal data may be transferred to, stored, and processed in countries that do not provide the same level of data protection as your home country.

These providers may rely on mechanisms such as Standard Contractual Clauses (SCCs) or other lawful transfer mechanisms (including adequacy decisions of the European Commission, where applicable) to safeguard international data transfers.

12. Notifications

We may send you push notifications, including:

  • Spaced-repetition learning reminders
  • Streak status updates
  • Daily activity summaries

You can disable notifications at any time:

  • Globally: Through your device's system settings
  • Per-category: Through Elira's in-app notification settings

13. Marketing Communications

We currently send only transactional emails (password reset, account notifications, support replies, important service updates). We do not send marketing or promotional emails without your explicit prior consent.

If we introduce marketing communications in the future, you will be asked to opt in, and you will be able to unsubscribe at any time.

14. No Tracking, Analytics, or Advertising

We currently do not use analytics or advertising tracking tools. Elira does not display advertisements within the app, and we do not share your data with advertising networks.

If we introduce any such tools in the future, we will update this Policy and, where required, request your consent.

15. Cookies and Web Storage (eliraapp.com)

The Elira website uses minimal storage:

  • Essential storage (localStorage/cookies) – Used to keep you signed in. Required for core website functionality.
  • Paddle checkout – When you proceed to payment, Paddle may use its own cookies as required for the transaction.

We do not use:

  • Tracking or analytics cookies
  • Advertising or remarketing cookies
  • Third-party social media trackers

As we do not use non-essential cookies, a consent banner is not currently required.

16. Security

We apply reasonable administrative, technical, and physical safeguards to protect your data, including:

  • Encrypted transport (HTTPS/TLS) for all client-server communication
  • Passwords stored using bcrypt salted hashing
  • Short-lived JWT access tokens (15 minutes) with rotating refresh tokens (90 days)
  • Token invalidation on password change
  • Database access restricted to authorized administrators
  • Regular software and dependency updates

No system can guarantee 100% security. If we discover a breach affecting your personal data, we will notify you and the relevant supervisory authority as required by law.

17. Changes to This Policy

We may update this Privacy Policy from time to time. The "Last Updated" date at the top reflects the most recent revision.

For material changes (e.g., new categories of data collected, new third-party recipients, changes to your rights), we will notify you via in-app notification and/or email at least 30 days before the changes take effect.

Your continued use of Elira after a change indicates your acceptance of the updated Policy.

18. Contact

If you have any questions about this Privacy Policy or our data practices, please contact:

Data Controller: Hüseyin Talha Kadat (sole proprietorship, Türkiye) Email: support@eliraapp.com Website: https://eliraapp.com