Back to Home

Privacy Policy - WORDY

Appalex Limited

Effective Date: January 13, 2025

Data ProcessorsData CollectionYour RightsContact Us

Our Commitment to Privacy

WORDY is committed to protecting the privacy and security of our users' personal information. We strive to be transparent about our data practices and to provide you with control over your personal information.

This Privacy Policy explains how we collect, use, share, and protect your information when you use our language learning application. We comply with the General Data Protection Regulation (GDPR) for our European users and applicable US privacy laws for our American users.

1. Data Controller

Company Name: Appalex Limited
Address: 1012 Budapest, Logodi utca 48. A. lház. 1. em. 2. ajtó, Hungary
Company Registration: 01-09-433441
Tax Number: 32612600-2-41
Representative: Sándor B.
Email: info@appalex.hu
Phone: +36 702133578

Data Protection Officer:
Sándor B.
Email: info@appalex.hu
Phone: +36 702133578

2. Data Processors

We work with trusted third-party service providers who process data on our behalf:

IT Service Providers:

Processor Name and LocationPurpose
Supabase Inc.
970 Toa Payoh North #07-04, Singapore 318992		Backend services, database, authentication
Google LLC (DPF certified)
1600 Amphitheatre Parkway, Mountain View, CA 94043, USA		Firebase Analytics, Crashlytics, Cloud Messaging, Google Sign-In
Mixpanel Inc. (DPF certified)
One Front Street, Floor 28, San Francisco, CA 94111, USA		Product analytics and user behavior analysis
PostHog Inc. (DPF certified)
2261 Market Street #4008, San Francisco, CA 94114, USA		Product analytics and feature usage tracking
AppsFlyer Ltd. (DPF certified)
14 Maskit St., Herzliya 4673314, Israel		Mobile attribution and marketing analytics
RevenueCat Inc.
1032 E Brandon Blvd #3003, Brandon, FL 33511, USA		Subscription management and in-app purchases
Superwall Inc.
San Francisco, CA, USA		Paywall management and A/B testing
OneSignal Inc. (DPF certified)
201 S. B Street, Suite 200, San Mateo, CA 94401, USA		Push notifications
Shake Ltd.
Radnicka 47, 10000 Zagreb, Croatia		Bug reporting and feedback
Apple Inc.
One Apple Park Way, Cupertino, CA 95014, USA		Apple Sign-In, StoreKit, iCloud sync

Content Providers:

Provider Name and LocationPurpose
YouTube LLC (Google subsidiary, DPF certified)
901 Cherry Avenue, San Bruno, CA 94066, USA		Video playback
The Movie Database (TMDB)
USA		Movie and TV show metadata

3. Information We Collect

3.1. Account Information

Data collected:

  • Email address
  • Password (encrypted)
  • Full name (optional, from social login)
  • User ID (UUID)
  • Registration date

Purpose: Account creation, authentication, service access
Legal basis: Contract performance (GDPR Art. 6(1)(b))
Retention: Until account deletion

3.2. Language Learning Data

Data collected:

  • Languages you're learning
  • Language proficiency level
  • Saved words and phrases
  • Practice history
  • Lesson progress
  • Favorite movies/shows
  • Learning goals and preferences

Purpose: Personalized learning experience, progress tracking
Legal basis: Contract performance (GDPR Art. 6(1)(b))
Retention: Until account deletion

3.3. Usage Analytics

Data collected:

  • Screen views
  • Feature usage
  • In-app events
  • Session duration
  • App launches
  • Purchase events
  • Notification interactions

Purpose: Service improvement, user experience enhancement, troubleshooting
Legal basis: Legitimate interest (GDPR Art. 6(1)(f))
Retention: 2 years

3.4. Device and Technical Data

Data collected:

  • Device type and model
  • Operating system version
  • App version
  • Network status
  • Device identifier (IDFV)
  • IP address
  • Country (from locale)
  • Language settings

Purpose: Compatibility, troubleshooting, security
Legal basis: Legitimate interest (GDPR Art. 6(1)(f))
Retention: 1 year

3.5. Purchase and Subscription Data

Data collected:

  • Purchase ID
  • Subscription type
  • Subscription status
  • Purchase date
  • Renewal date

Purpose: Subscription management, billing, customer support
Legal basis: Contract performance (GDPR Art. 6(1)(b))
Retention: As required by tax law (typically 7-10 years)

3.6. Communication Data and Email Notifications

Data collected:

  • Email address
  • Push notification preferences
  • Email notification preferences
  • Marketing communication consent
  • Support correspondence
  • OneSignal user ID

Purpose: Push and email notifications, customer support, important service communications

Types of Email Notifications:

  • Transactional emails: Registration confirmation, password reset, subscription status changes, invoices
  • Service notifications: Maintenance notices, security alerts, terms of service updates, important app updates
  • Learning reminders: Daily learning goals, streak reminders, new content availability

Legal basis:

  • Transactional and service emails: Contract performance (GDPR Art. 6(1)(b))
  • Learning reminders: Legitimate interest (GDPR Art. 6(1)(f))

Opt-in and Opt-out Process:

  • Automatic enrollment: Upon registration, you are automatically enrolled in essential service communications (transactional and service emails) and learning reminders
  • Opt-out options:
    • You can unsubscribe from learning reminders using the "Unsubscribe" link at the bottom of these emails
    • Email preferences can be managed by contacting support at info@appalex.hu
    • Unsubscribe requests are processed within 48 hours
    • You cannot unsubscribe from transactional and service emails while your account is active as they are essential for service operation
  • Note: In-app email preference management is currently under development and will be available in a future update

OneSignal Data Processing:

  • We use OneSignal Inc. for sending email notifications
  • OneSignal only processes data necessary for email delivery (email address, user ID)
  • OneSignal is DPF certified for EU-US data transfers
  • OneSignal Privacy Policy: https://onesignal.com/privacy_policy

Retention: Until opt-out or account deletion

3.7. AI and Machine Learning

Data collected:

  • Learning patterns and response times
  • Error and correction analysis
  • Content preferences
  • Practice statistics

Purpose: Personalized learning algorithms, content recommendations, learning efficiency
Legal basis: Legitimate interest (GDPR Art. 6(1)(f))
Retention: Until account deletion

4. Cookies and Tracking Technologies

We use various tracking technologies to improve user experience and develop our service:

  • Firebase Analytics: App usage analysis
  • Mixpanel: Detailed user behavior tracking
  • PostHog: Feature usage and A/B testing
  • AppsFlyer: Marketing campaign effectiveness
  • Device identifiers: IDFV (Identifier for Vendor) - non-unique, app-specific identifier

4.1. Opt-out Options:

  • Disable analytics in app settings
  • iOS: Settings > Privacy & Security > Tracking > disable "Allow Apps to Request to Track"
  • Disabling tracking does not affect app functionality

4.2. Advertising Data

WORDY does not sell your personal data to third parties for marketing purposes. Data collected by analytics providers is used solely for service improvement, not for targeted advertising. WORDY is committed to providing an ad-free language learning experience.

5. Data Security

We implement appropriate technical and organizational measures to protect your personal data:

  • Encryption: All data is encrypted in transit (HTTPS/TLS)
  • Access control: Only authorized personnel have access to personal data
  • Regular security reviews
  • Data leak prevention
  • Automated security backups

6. Your Rights

Under data protection laws, you have the following rights:

6.1. Right to Access

You can request information about what personal data we process about you.

6.2. Right to Rectification

You can request correction of inaccurate personal data.

6.3. Right to Erasure ("Right to be Forgotten")

You can request deletion of your personal data when:

  • The data is no longer needed
  • You withdraw consent
  • You object to processing
  • The data was unlawfully processed

6.4. Right to Restriction

You can request restriction of processing in certain circumstances.

6.5. Right to Data Portability

You have the right to receive your personal data in a structured, machine-readable format. Upon request, we provide your data within 30 days in JSON or CSV format, including:

  • Profile data
  • Learning history
  • Saved words and progress
  • Practice statistics

6.6. Right to Object

You can object to processing based on legitimate interests.

6.7. Right to Withdraw Consent

You can withdraw previously given consent at any time.

7. International Data Transfers

Some of our processors are located outside the European Economic Area. We ensure appropriate safeguards:

7.1. EU-US Data Privacy Framework (DPF) Certified Partners:

  • Google LLC - Firebase services
  • Mixpanel Inc. - Analytics
  • PostHog Inc. - Product analytics
  • AppsFlyer Ltd. - Marketing analytics (Israel, with adequacy decision)
  • OneSignal Inc. - Push notifications

7.2. Standard Contractual Clauses (SCC) Protected Partners:

  • Apple Inc. - Authentication and app services
  • Supabase Inc. - Backend services (Singapore)
  • RevenueCat Inc. - Subscription management
  • Shake Ltd. - Bug reporting (Croatia, EU member)

7.3. Safeguards:

  • All transfers include appropriate protection levels
  • DPF certifications are regularly verified
  • SCCs are based on EU Commission Decision 2021/914
  • Details available upon request

8. Children's Privacy

WORDY is available for users aged 12 and above. We do not knowingly collect personal data from children under 12. If we become aware that we have collected data from a child under 12, we will promptly delete it.

For users under 14, parents/guardians can:

  • Access the child's learning data
  • Restrict certain content
  • Request account deletion
  • Monitor community feature usage

9. Data Retention

  • Account data: Until account deletion
  • Usage analytics: 2 years
  • Technical logs: 1 year
  • Purchase data: As required by law (7-10 years)
  • Marketing data: Until consent withdrawal

10. Automated Decision-Making

WORDY provides personalized language learning recommendations based on your learning history and preferences. This does not constitute automated decision-making under GDPR as it does not produce legal effects or similarly significant impacts.

11. Data Breach Management

In case of a data breach:

  • We notify the supervisory authority within 72 hours
  • We notify affected users in case of high risk
  • We document the incident and measures taken

We are committed to transparency. In case of a significant data breach, we will publish a public notice on our website in addition to regulatory notifications.

12. Your California Privacy Rights

If you are a California resident, you have additional rights under the California Consumer Privacy Act (CCPA):

  • Right to know what personal information we collect, use, and share
  • Right to delete personal information
  • Right to opt-out of the sale of personal information (we do not sell personal information)
  • Right to non-discrimination for exercising privacy rights

13. Contact Us

For privacy-related questions or to exercise your rights, contact us:

Appalex Limited
Email: info@appalex.hu
Phone: +36 702133578
Address: 1012 Budapest, Logodi utca 48. A. lház. 1. em. 2. ajtó, Hungary

Data Protection Officer:
Sándor B.
Email: info@appalex.hu
Phone: +36 702133578

14. Supervisory Authority

EU users can file complaints with their local data protection authority. Our lead supervisory authority is:

Hungarian National Authority for Data Protection and Freedom of Information (NAIH)
Address: 1055 Budapest, Falk Miksa utca 9-11., Hungary
Email: ugyfelszolgalat@naih.hu
Phone: +36 (1) 391-1400

15. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of changes via the app and email. Changes become effective 30 days after posting.

16. Governing Law

This Privacy Policy is governed by the laws of Hungary. However, this does not affect your rights under applicable data protection laws in your country of residence, including GDPR for EU residents and state privacy laws for US residents.

Last Updated: January 13, 2025
Version: 1.0

Approved by: Sándor B.
Document ID: WORDY-PRIVACY-EN-2025-01