Finnish It Mobile App Privacy Policy
Last Update: 11.08.2025
Introduction
Sopu Academy Oy (“we”, “us”, “our”) is committed to protecting your privacy in accordance with GDPR (EU) 2016/679 and applicable laws. This Privacy Policy describes what we collect, why we collect it, how we use and share it, and your rights.
1) Data Controller
Sopu Academy Oy
Business ID: 3238016-7
Address: Kalatorppa 1 E53, Finland
Email: info@sopuacademy.com
Phone: +358 41 757 8824
2) Legal Bases for Processing
Contract performance: Providing your account, core learning features (including speaking and writing evaluation), and purchases.
Legitimate interests: App security, fraud prevention, analytics for product improvement, and performance monitoring. We balance these interests against your rights.
Legal obligation: Tax/accounting and compliance.
Consent: Website cookies and any optional marketing communications.
3) Categories of Personal Data We Process
Identity and contact: Name, email; Firebase UID; social sign‑in basic profile (Google/Apple) if used.
Account and profile: Display name, avatar, preferred learning level and languages, onboarding completion. Stored in Firestore collections such as users and userprofiles.
Authentication data: Email/password (handled by Firebase Auth), token/credential metadata from Google/Apple to sign you in.
Purchase metadata: Subscription status and entitlement checks via RevenueCat/App Store/Google Play. We do not process card numbers.
Technical data: Device/OS, app version, platform; security signals via Firebase App Check.
Analytics data: Screen views and events via Firebase Analytics; may associate analytics with your Firebase user ID and user properties such as subscription-tier and locale.
Crash data: Crash/error reports, device model/OS, stack traces via Firebase Crashlytics.
Audio data (Speaking feature): Short audio recordings captured on your device and sent transiently to Google Vertex AI strictly for evaluation; not stored by us after processing.
Text content (AI features): Your prompts/text for translation and writing feedback sent to Google services to generate responses.
In‑app web content: If you open external content in a WebView, the external site’s own privacy policy applies.
4) How We Use Your Data
Create and authenticate your account; manage sessions.
Provide and personalize learning features across speaking, writing, reading, listening, conjugations, etc.
Manage subscriptions and entitlements with RevenueCat; verify purchases with Apple/Google.
Provide speaking evaluation and chat experiences using Vertex AI in the EU region; provide writing feedback and dictionary/translation using Google services.
Analyze usage and performance (Firebase Analytics) and improve reliability (Firebase Crashlytics).
Protect the service (Firebase App Check, fraud/abuse prevention).
Comply with legal obligations.
Marketing: We do not sell personal data. Promotional messages are sent only with your consent.
5) Data Sharing and Processors
We share data only as needed to operate the app, under appropriate contracts (e.g., DPAs/SCCs):
Google Firebase: Auth, Firestore (profiles), Analytics, Crashlytics, App Check, and Storage (provisioned; not used for your personal content at present).
Google Cloud Vertex AI (via firebaseai): Processes audio and text content for speaking/chat features.
Google Translate API (v2): Processes text you choose to translate.
RevenueCat: Subscription management and entitlement checks; linked to your user identifier.
Apple App Store and Google Play: Purchase processing and receipts.
Shorebird (code push): Delivers app updates; no user content is uploaded by us to Shorebird.
Other service providers (infrastructure, error logging): Only as necessary and under contract.
6) International Transfers
In‑app AI (speaking/chat) is configured for EU processing at europe-north1 for Vertex AI.
A scheduled backend function that generates daily news runs in us-central1 and uses Vertex AI there; it does not process your personal data.
Firebase Analytics and Crashlytics may process data outside the EU. Where transfers occur, we use appropriate safeguards (e.g., SCCs).
7) Retention
Account and profile: Kept while your account is active; deleted when the account is deleted, or otherwise within a reasonable period (up to 24 months) of inactivity.
Purchases/entitlements: Kept per store/RevenueCat records and legal requirements.
Analytics/Crash reports: Retained per Firebase service defaults/configuration.
Audio recordings (Speaking): Used transiently for evaluation and not stored by us after processing.
Logs from scheduled backend tasks do not contain your personal data.
8) Cookies and Tracking
Website: Functional/analytical cookies; manage preferences via the cookie banner.
Mobile app: No cookies. SDK analytics (Firebase Analytics) and error reporting (Crashlytics) are used. No advertising SDKs. IP addresses may be processed by processors at the network layer.
9) Your Rights (GDPR)
Access your data; rectification; erasure.
Restrict or object to processing (including analytics on legitimate interests).
Withdraw consent at any time (where processing is based on consent).
Data portability.
Lodge a complaint with the Finnish DPA (Tietosuojavaltuutetun toimisto).
To exercise rights: info@sopuacademy.com
10) Children
The service is not intended for children under 13. If you believe such data was provided, contact us for deletion.
11) Security
Encryption in transit (TLS).
Firebase App Check to reduce abuse.
Least‑privilege access controls and regular reviews.
Crash/error logs are limited to technical diagnostics.
12) How to Manage Your Choices
Account deletion: You can request deletion; we will remove your Firebase Auth account and associated Firestore profile and cease RevenueCat entitlement association.
Analytics: You may object to analytics based on legitimate interests. Contact us and we will take steps to stop associating analytics with your user ID and to minimize further collection.
Microphone permission: You can deny microphone access; speaking features will not function.
Marketing emails (if any): You can withdraw consent via unsubscribe or by contacting us.
13) What We Do Not Collect
Payment card numbers (handled by Apple/Google).
Precise location, contacts, photos, or health data.
Advertising identifiers for targeted advertising.
14) Updates
We may update this policy. Updates will be posted at the in‑app link and on our website.
Contact
Sopu Academy Oy
Email: info@sopuacademy.com
Phone: +358 41 757 8824



