Privacy Policy

1. Data Controller

Semeion Ltd is the Data Controller for all personal data collected through the App.

If third-party processors are used (e.g., cloud service providers, analytics tools), they will only process data under our written instructions and under legally binding agreements.

2. Age Requirements

Semeion is intended for users aged 13 or older. We do not knowingly collect personal data from children under 13. If you believe a child under 13 has used the App, please contact us immediately so we can delete the account and associated data.

3. Personal Data We Collect

We only collect personal data necessary for providing the App's functionality.

3.1 Account Information

• Email address
• Password hash (never stored in plain text)
• Basic device metadata required for secure login

3.2 Learning Activity Data

To deliver language-learning features, we store:

• Review history and study performance
• Flashcard usage and spaced-repetition metrics
• Content progress and categories learned

This data is not "sensitive data" within the meaning of privacy law and is required to provide core functionality.

3.3 Device and Technical Data

• IP address and connection metadata
• Device model identifiers and system logs necessary to maintain security, fraud prevention, error logging and service continuity

3.4 Purchases

If you make in-app purchases:

• Apple's App Store processes the financial transaction directly
• We only receive non-financial transaction identifiers required to validate a purchase
• We never receive or store payment card details

Financial data is controlled by Apple, not Semeion.

3.5 Push Notifications

We may send service notifications (e.g., reminders, account messages). Marketing push notifications require separate opt-in and may be turned off at any time.

4. No Third-Party Analytics

At present, Semeion does not use any third-party analytics or telemetry providers.

If we later introduce privacy-compliant analytics or diagnostics, we will:

• update this Privacy Policy
• request an independent consent
• allow settings-based opt-out where required

5. Purposes and Legal Bases for Processing

We process personal data under the following legal bases:

Contractual Necessity

To deliver the core App functionality:

• Account registration & authentication
• Learning progress storage
• Study session tracking
• Purchase validation

Without this data, Semeion cannot function.

Legitimate Interests

To maintain and secure the App:

• Fraud prevention
• Server diagnostics
• System integrity and abuse prevention
• Performance monitoring and error resolution

Where legitimate interest applies, it is balanced against user rights.

Consent

We will use consent as the legal basis for:

• Marketing push notifications
• Marketing communications
• Any optional analytics that may be added in future

Consent will always be freely given, unbundled, recorded, and withdrawable at any time without affecting core service use.

6. Data Storage Location

All personal data stored by Semeion is hosted using Supabase, a cloud database provider.

Our Supabase project is hosted in the United Kingdom (eu-west-2 region).

This means:

• user data remains within the UK jurisdiction
• no international transfers take place
• no Standard Contractual Clauses are required

If we later use a provider in a non-adequate jurisdiction, we will add legally required safeguards and update this Policy before processing begins.

7. Retention Policy

We retain personal data only as long as needed for:

• provision of the App
• compliance with legal obligations
• prevention of abuse or fraud

When an account is deleted:

• learning data and personal identifiers are erased from active systems
• backup retention may apply for up to 90 days, after which data is fully purged unless required for legal reasons

We do not retain unnecessary historical records beyond operational need.

8. Push Notifications & Marketing

Service Notifications

You may receive reminders relating to:

• study schedules
• spaced repetition queues
• account security or service changes

These notifications do not require consent.

Marketing Notifications

Marketing push notifications require separate opt-in.

All marketing consent is:

• optional
• revocable at any time from device settings or inside the App
• not tied to core service access

We do not send emails without consent.

9. Data Subject Rights

Under UK GDPR and EU GDPR, you have the following rights:

• Access: request a copy of your personal data
• Erasure ("Right to be Forgotten"): request deletion of your account and learning data
• Rectification: correct inaccuracies
• Objection or restriction: request processing limitation under certain circumstances
• Portability: receive your data in a machine-readable format upon request
• Withdraw Consent: applicable where processing is based on consent (e.g., marketing)

You may exercise rights by:

• using in-App account settings (where provided), or
• emailing admin@semeion.co.uk

We respond within 30 days unless legally permitted to extend response time. Identity verification may be required for security.

10. Security Measures

We use industry-standard technical and organisational security measures including:

• encrypted transport (TLS)
• password hashing
• least-privilege access controls
• secure cloud database infrastructure
• access logging and role-based data permissions
• physical and logical separation of environments
• monitoring for abuse patterns

No internet service can guarantee absolute security, but we continuously improve safeguards.

11. Data Breaches

In the event of a personal data breach that is likely to present a risk to individuals, we will:

1. assess and classify severity
2. notify the UK Information Commissioner's Office (ICO) within 72 hours where legally required
3. communicate with affected users when required by law

We maintain internal procedures for breach assessment, response and documentation.

12. Third-Party Processors

The following categories of third parties may process data under written instruction:

• cloud hosting providers (currently Supabase UK)
• payment intermediaries (Apple)
• service providers necessary for fraud prevention, customer support, or system administration (if used in future)

All processors are bound by confidentiality, security requirements and data protection agreements.

We do not sell personal data and we never permit third parties to use data for their own independent purposes.

13. International Use

Although Semeion is based in the UK, users worldwide may access the App.

Processing remains governed by:

• UK GDPR, and
• EU GDPR for EU-based users or where EU rules apply extra-territorially

Users outside the UK/EU are still protected with equivalent safeguards.

14. Changes to This Policy

We may update this Privacy Policy from time to time.

When material changes occur:

• we will update the "Last Updated" date
• we may request renewed consent if required by law
• the latest version will always be available via the in-App link and publicly accessible URL

Continued use of the App after changes constitutes acceptance of the updated Policy.