Privacy Policy

Last updated: April 24, 2026

1. Introduction

LearnThai ("we", "our", or "us") operates the LearnThai mobile application and web application (collectively, the "Service"). This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our Service.

2. Data We Collect

We collect the following types of data:

  • Account Information: Email address, display name, profile picture (if provided via OAuth)
  • Learning Progress: Lesson completions, exercise results, vocabulary mastery, XP, streaks, and study time
  • Subscription Data: Premium status, subscription plan, and expiration date (if applicable)
  • Authentication Tokens: OAuth tokens from Google, Facebook, or Apple (used solely for authentication)
  • Technical Data: Device type, browser type, IP address, and usage analytics (anonymized where possible)

3. How We Use Your Data

We use your data to:

  • Provide and maintain the Service (authentication, progress tracking, content delivery)
  • Sync your learning progress across devices (mobile and web)
  • Deliver premium features to subscribers
  • Improve and optimize the Service through analytics
  • Send important notifications (e.g., streak reminders, if enabled)
  • Comply with legal obligations

4. Third-Party Authentication

We use OAuth 2.0 authentication with Google, Facebook, and Apple. When you sign in with these providers, we receive only the information you authorize (typically email, name, and profile picture). We do not store your passwords. Your use of these providers is subject to their respective privacy policies.

5. Data Sharing and Disclosure

We do not sell, rent, or trade your personal data. We may share your data only in the following cases:

  • Service Providers: We use PocketBase (self-hosted) for backend services and DigitalOcean for hosting. These providers have access to data only to perform tasks on our behalf.
  • Legal Requirements: We may disclose data if required by law or in response to valid legal requests.
  • Business Transfers: In the event of a merger, acquisition, or sale of assets, user data may be transferred (you will be notified).

6. Your Rights (GDPR Compliance)

If you are in the European Economic Area (EEA), you have the following rights:

  • Right to Access: Request a copy of your personal data
  • Right to Rectification: Request correction of inaccurate data
  • Right to Erasure: Request deletion of your data (see Section 7)
  • Right to Restriction: Request limitation of data processing
  • Right to Data Portability: Receive your data in a structured, machine-readable format
  • Right to Object: Object to certain data processing activities
  • Right to Withdraw Consent: Withdraw consent at any time (without affecting prior processing)

To exercise these rights, contact us at [email protected].

7. Data Deletion

You can request deletion of your account and all associated data at any time. To do so:

We will process your request within 30 days. Note that some data may be retained for legal or security purposes (e.g., transaction records for accounting).

8. Data Security

We implement industry-standard security measures to protect your data, including:

  • Encrypted data transmission (HTTPS/TLS)
  • Secure authentication (OAuth 2.0, bcrypt password hashing)
  • Regular security audits of our backend infrastructure

However, no method of transmission or storage is 100% secure. We cannot guarantee absolute security.

9. Data Retention

We retain your data for as long as your account is active or as needed to provide the Service. After account deletion, we will delete or anonymize your data within 90 days, except where retention is required by law (e.g., tax records, fraud prevention).

10. Children's Privacy

Our Service is not directed to children under 13 (or 16 in the EEA). We do not knowingly collect data from children. If you believe we have inadvertently collected such data, contact us immediately.

11. International Data Transfers

Your data is stored on servers located in the European Union (DigitalOcean Frankfurt region). If data is transferred outside the EEA, we ensure adequate safeguards (e.g., Standard Contractual Clauses).

12. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of material changes by posting the new policy on this page and updating the "Last updated" date. Continued use of the Service after changes constitutes acceptance of the updated policy.

13. Contact Us

If you have questions or concerns about this Privacy Policy, contact us at:

Email: [email protected]