Privacy Policy

1. Introduction

This Privacy Policy explains how Gamilingo ("we," "us," or "our"), based in Slovakia, collects, uses, stores, and protects your personal data when you use Gamilingo (the "Service"). We are committed to protecting your privacy in compliance with the General Data Protection Regulation (EU) 2016/679 ("GDPR") and applicable Slovak data protection legislation.

Gamilingo is the data controller for the personal data processed through the Service.

2. Data We Collect

2.1 Data You Provide

• Account information: Your name and email address when you create an account.
• Payment information: Processed by our third-party payment processor (Payhip/Stripe). We do not store your credit card number, bank account details, or other financial information on our servers.
• Support communications: Any messages you send us via email or support channels.

2.2 Data Collected Automatically

• Usage data: Information about how you interact with the Service, such as which features you use, lesson packs accessed, and session duration.
• Device and browser data: Browser type, operating system, screen resolution, and language settings.
• IP address: Collected for security, fraud prevention, and approximate location (country level) for analytics.
• Cookies and similar technologies: We use essential cookies for authentication and session management, and may use analytics cookies to understand Service usage. See Section 7 for details.

2.3 Student Data

The Service allows teachers to create student profiles and track lesson progress. The following data may be stored within a teacher's account:

• Student first name or nickname (entered by the teacher — we recommend using first names or nicknames only).
• Student level (e.g., A1, A2, B1).
• Lesson history and scores (which lesson packs were completed, dates, star scores earned, and activities completed).
• Teacher notes about the student (free-text notes entered by the teacher).

For this data, the teacher acts as the data controller and we act as a data processor on the teacher's behalf. We process student data solely to provide the Service and do not use it for any other purpose. Student data is stored within the teacher's account and is not accessible to other users. Teachers can delete individual student profiles and all associated data at any time. Students do not create accounts and are not required to provide any personal data directly to us.

We do not knowingly collect personal data from children under 16. If you become aware that a child has provided us with personal data directly (not through a teacher's account), please contact us immediately.

3. How We Use Your Data

We process your personal data for the following purposes and on the following legal bases:

• To provide and maintain the Service — Legal basis: Performance of contract (Art. 6(1)(b) GDPR). We need your account data to deliver the service you subscribed to.
• To process payments and manage subscriptions — Legal basis: Performance of contract.
• To send service-related communications (e.g., subscription confirmations, lesson pack delivery, important updates) — Legal basis: Performance of contract and legitimate interest.
• To send marketing communications (e.g., newsletters, new feature announcements, promotional offers) — Legal basis: Consent (Art. 6(1)(a) GDPR). You can opt in during registration and unsubscribe at any time.
• To improve the Service — Legal basis: Legitimate interest (Art. 6(1)(f) GDPR). We analyse aggregated usage data to understand which features are most useful and where to improve.
• To ensure security and prevent fraud — Legal basis: Legitimate interest.
• To comply with legal obligations — Legal basis: Legal obligation (Art. 6(1)(c) GDPR).

4. Data Sharing

We do not sell your personal data. We share your data only with the following categories of recipients, and only to the extent necessary:

• Payment processor: Payhip/Stripe — to process your subscription payments. They act as independent data controllers for payment data.
• Email service provider: [MailerLite/Mailchimp] — to deliver lesson packs and service communications. They act as our data processor.
• Analytics provider: [e.g., Plausible Analytics] — to understand Service usage. If using Plausible, no cookies are used and no personal data is shared.
• Hosting provider: Hostinger — to host and serve the application.

All third-party processors are required to protect your data in accordance with GDPR. Where these processors are based outside the EU/EEA, we ensure appropriate safeguards are in place (e.g., Standard Contractual Clauses or EU-US Data Privacy Framework certification).

5. Data Retention

We retain your personal data only for as long as necessary to fulfil the purposes for which it was collected:

• Account data: Retained for the duration of your account. Deleted within 30 days of account deletion request.
• Payment records: Retained for up to 10 years as required by Slovak tax and accounting law.
• Usage data: Aggregated and anonymised after 24 months.
• Marketing consent records: Retained for as long as you remain subscribed to marketing communications, plus 3 years after withdrawal of consent (as evidence of consent).
• Student data: Retained for the duration of the teacher's account. Deleted when the teacher deletes a student profile or within 30 days of account termination.

6. Your Rights Under GDPR

As a data subject under GDPR, you have the following rights:

• Right of access (Art. 15): You can request a copy of the personal data we hold about you.
• Right to rectification (Art. 16): You can ask us to correct any inaccurate or incomplete data.
• Right to erasure (Art. 17): You can request deletion of your personal data, subject to legal retention obligations.
• Right to restriction (Art. 18): You can ask us to restrict processing of your data in certain circumstances.
• Right to data portability (Art. 20): You can request your data in a structured, commonly used, machine-readable format.
• Right to object (Art. 21): You can object to processing based on legitimate interest, including direct marketing.
• Right to withdraw consent (Art. 7(3)): Where processing is based on consent (e.g., marketing), you can withdraw consent at any time without affecting the lawfulness of prior processing.

To exercise any of these rights, contact us at hello@gamilingo.com. We will respond within 30 days. If you are unsatisfied with our response, you have the right to lodge a complaint with the Slovak supervisory authority (Úrad na ochranu osobných údajov Slovenskej republiky, https://dataprotection.gov.sk).

7. Cookies

7.1 Essential Cookies

We use essential cookies that are strictly necessary for the Service to function. These include session cookies for authentication and security. These cookies do not require consent as they are necessary for the service you have requested.

7.2 Analytics Cookies

With your consent, we may use analytics cookies to understand how the Service is used. You can manage your cookie preferences at any time through your browser settings. If we use a privacy-focused analytics tool like Plausible Analytics, no cookies are required for analytics.

7.3 No Advertising Cookies

We do not use advertising or tracking cookies. We do not allow third-party advertisers to place cookies through our Service.

8. International Data Transfers

Some of our third-party service providers may be based outside the EU/EEA. Where personal data is transferred outside the EU/EEA, we ensure appropriate safeguards are in place, including Standard Contractual Clauses (SCCs) approved by the European Commission, or the recipient's certification under the EU-US Data Privacy Framework.

9. Security

We implement appropriate technical and organisational measures to protect your personal data against unauthorised access, alteration, disclosure, or destruction. These measures include encryption of data in transit (HTTPS/TLS), secure password storage, access controls, and regular security reviews. However, no method of electronic transmission or storage is 100% secure, and we cannot guarantee absolute security.

10. Changes to This Policy

We may update this Privacy Policy from time to time. If we make material changes, we will notify you by email or through the Service at least 30 days before the changes take effect. The "Last updated" date at the top of this policy indicates when it was most recently revised.

11. Contact

If you have any questions about this Privacy Policy or wish to exercise your data protection rights, please contact:

[Your Name / Business Name]
Email: hello@gamilingo.com
Country: Slovakia

Supervisory authority: Úrad na ochranu osobných údajov Slovenskej republiky (Office for Personal Data Protection of the Slovak Republic), https://dataprotection.gov.sk