Privacy Policy

1. Data we collect

We collect the minimum data necessary for the Service to function:

• Identification: name, phone number, email, date of birth (optional), profile photo.
• Account credentials: username, password hash, session and authentication tokens.
• Learning data: enrolled courses, lesson progress, quiz and homework results, loyalty points, leaderboard rank.
• Payment data: purchase history, subscription status, transaction ID. We do NOT collect or store card details — payments are processed by Apple App Store, Google Play, or third-party payment providers.
• Technical data: IP address, device type, device ID, OS, app version, locale, time zone, push token.
• Behavioral data: login time, opened screens, button clicks, session duration, lesson completions (used for anonymized analytics).
• Crash data: automatically collected error reports (error type, OS version, device model, stack trace).
• User content: photos and files uploaded as homework submissions or quiz answers.

2. Purposes of processing

• Registration and authentication.
• Providing access to courses, lessons, quizzes, homework, and other educational content.
• Payment and subscription processing.
• Notifications (push, email, SMS, WhatsApp) about learning status, new lessons, deadlines, bonuses, birthday rewards.
• Customer support.
• Anonymized analytics for product improvement.
• Compliance with applicable laws.

3. Sharing data with third parties

We do not sell your personal data. We share data with the following processors acting on our behalf under data-protection agreements:

• Supabase Inc. (account storage, user content, primary database).
• Google LLC / Firebase (Cloud Messaging, Crashlytics, Google Sign-In).
• Apple Inc. (APNs push, App Store payments).
• Google Play / Google Payments (Play Store payments).
• RevenueCat Inc. (subscription and in-app purchase tracking).
• Cloudflare Inc. (CDN, R2 media storage, DDoS protection).
• Sentry / Vercel Inc. (error reporting, web hosting).
• SMS/WhatsApp delivery providers (Twilio, our own baileys-based WhatsApp service).
• Government authorities — only when legally required (court orders, prosecutorial requests).

4. Data retention

Account credentials and learning history are retained while the user account is active. After account deletion we erase personal data within 30 days, except for data we are legally required to retain longer (e.g. payment accounting records — 5 years).

Logs and technical reports are anonymized or deleted within 90 days.

5. Your rights

You have the right to:

• Access your personal data (Profile section in the app).
• Correct inaccurate data (same section).
• Delete your account and all associated data — "Delete account" button in the app, or by request via email/WhatsApp listed in the Contacts section.
• Request a machine-readable export of your data.
• Withdraw consent for data processing (results in account closure).
• Opt out of marketing messages (app settings or unsubscribe link in email).
• Lodge a complaint with the data-protection authority of the Republic of Kazakhstan.

6. Children

The Service is intended for users 13 years and older. We do not knowingly collect data from children under 13 without parental consent. If you believe we have received such data, contact us — we will delete it.

7. Security

Data transmission is encrypted using TLS 1.2+. Passwords are stored as cryptographic hashes. Mobile authentication tokens are protected via Keychain (iOS) and EncryptedSharedPreferences (Android). Database access is limited to a minimal set of personnel under NDA.

8. International transfers

Some data may be processed on servers outside Kazakhstan (USA, Europe), where Supabase, Firebase, Cloudflare and other processors host their data centers. We use providers offering data-protection levels equivalent to RK law and GDPR.

9. Changes to this Policy

We may update this Policy. We will notify users of material changes in the app or by email at least 14 days before they take effect. The last-updated date is shown at the top.