Privacy Policy
Version 0.2 · Last updated 12 June 2026 · Effective 12 June 2026
Privacy at a Glance
- We collect only the data needed to provide and improve your language learning experience.
- You control your data: access, update, export, or delete your account at any time.
- We never sell your personal data.
- Friend messages are encrypted at rest (AES-256-GCM).
- Payment details are never seen or stored by Cringe — all payments are processed by Apple, Google, or Stripe.
- Questions? Contact support@cringeapp.ai or our Data Protection Officer at dpo@cringeapp.ai.
1. Introduction
Cringe ("we," "our," "us") operates the Cringe language learning application (the "App"). This Privacy Policy explains what personal data we collect, why we collect it, how we use it, and your rights. By using the App, you agree to this policy. If you disagree, please do not use the App.
2. Data We Collect
2.1 Account & Profile Data
| Category | Examples | Purpose |
|---|---|---|
| Identity | Name, email, password (bcrypt-hashed) | Account creation, authentication, transactional email |
| Profile (optional) | Display name, pronouns, location, bio, profile/banner images, social links | Profile display, community features |
| Demographics (optional) | Age/birth date, timezone, education level, profession, interests, learning goals, learning style, motivation, daily study time | Lesson personalisation, scheduling, motivation modelling |
All profile and demographic fields are optional. You can edit or remove them in Settings at any time.
2.2 Learning & Progress Data
| Category | Purpose |
|---|---|
| Target/native language, CEFR level | Core lesson delivery |
| Completed lessons, accuracy, time per step, response timing | Progress tracking, spaced-repetition scheduling |
| Vocabulary & grammar review schedules | Adaptive review reminders |
| Topic mastery scores | Content recommendation |
| XP, streak, gems, lives, achievements | Gamification |
| Session patterns, preferred study times | Engagement-based recommendations |
2.3 Social & Communication Data
| Category | Purpose |
|---|---|
| Friend connections (mutual follows) | Friends list, leaderboards |
| Friend chat messages | Encrypted messaging (AES-256-GCM at rest) |
| AI tutor conversation history | Continuity between AI sessions |
| League tier, division, weekly rank | Leaderboards |
2.4 Device & Technical Data
| Category | Purpose |
|---|---|
| IP address (short-term) | Security, fraud prevention, rate limiting |
| Device identifier (IDFV via RevenueCat) | Subscription sync across devices |
| Push notification token | Lesson reminders |
| Session tokens (hashed) | Authentication |
2.5 Payment Data (Processed by Partners)
| Data | Held By | Purpose |
|---|---|---|
| Card / payment details | Apple / Google / Stripe | Payment processing |
| Subscription status, expiry, provider, subscription ID | Cringe (via RevenueCat webhooks) | Feature access, receipts, audit |
3. How We Use Your Data
| Purpose | Legal Basis (GDPR) |
|---|---|
| Provide the App (auth, lessons, progress, social, gamification) | Contract (Art. 6(1)(b)) |
| Personalise content, difficulty, pacing, recommendations | Legitimate interest (Art. 6(1)(f)) / Consent for optional demographics |
| Spaced-repetition scheduling | Contract / Legitimate interest |
| Transactional email (verification, receipts, password reset) | Contract |
| Security, fraud prevention, rate limiting | Legitimate interest |
| Legal compliance (tax, audit, law enforcement) | Legal obligation (Art. 6(1)(c)) |
We do not use your data for advertising, profiling for third-party marketing, or selling to data brokers.
4. Third-Party Processors
Each processor receives only the minimum data necessary:
| Processor | Category | Data Shared |
|---|---|---|
| RevenueCat | Subscription infrastructure | User ID, purchase events, device ID (IDFV) |
| Google Gemini | AI lesson generation | Pseudonymised learning context (level, topic, language) — no identifiers |
| Anthropic Claude | Fallback AI lesson generation | Pseudonymised learning context — no identifiers |
| Resend | Transactional email | Email address only |
| Neon (PostgreSQL) | Database hosting | All stored application data (processor only) |
| Vercel | Serverless hosting | Serverless function logs (no persistent personal data) |
| Google Analytics (optional) | Aggregated usage analytics | Pseudonymous event data — opt-out available |
We have Data Processing Agreements (DPAs) with each processor and rely on Standard Contractual Clauses for transfers outside the EEA/UK.
5. Data Storage & Security
| Measure | Detail |
|---|---|
| Passwords | bcrypt (12 rounds), never plaintext |
| Session tokens | SHA-256 hashed at rest; access tokens 15 min, refresh tokens 90 days |
| Friend messages | AES-256-GCM encrypted at rest |
| Auth cookies | HttpOnly, Secure, SameSite=Strict |
| Rate limiting | 5 failed logins → 15 min lockout |
| Transport | TLS 1.2+ everywhere |
| Database | Neon (PostgreSQL) — encryption at rest, role-based access control |
| Input sanitisation | XSS prevention, prototype pollution protection |
6. Data Retention
| Category | Retention |
|---|---|
| Active account data | While account is active |
| Inactive accounts | Deleted 2 years after last activity |
| IP / rate-limit logs | Rolling 14-day window |
| Subscription event payloads | 7 years (tax/audit) |
| Deleted account data | Erased within 30 days of request |
| Backups | Retained per backup rotation (max 30 days post-deletion) |
7. International Transfers
Your data may be processed in the US (RevenueCat, Anthropic, Google, Vercel) and EU (Neon). We rely on Standard Contractual Clauses and each processor's certifications to ensure adequate protection.
8. Cookies & Local Storage
| Name / Tech | Type | Purpose | Duration |
|---|---|---|---|
| cringe_session | Strictly necessary | Short-lived access token | 15 min |
| cringe_refresh | Strictly necessary | Long-lived refresh token | 90 days |
| Google Analytics (optional) | Analytics | Aggregated usage stats | Per GA settings |
| LocalStorage / IndexedDB | Functionality | Offline PWA content, UI preferences | Until cleared |
| Service Workers | Functionality | Offline sync, push notifications | Until app uninstalled |
Disable strictly necessary cookies → you cannot log in. Opt out of Analytics in Settings or via the GA Opt-out Add-on.
9. Your Rights
9.1 Rights
| Right | How to Exercise |
|---|---|
| Access | Request a copy of your data |
| Portability | Export learning progress, vocab, grammar bank, progress charts |
| Correction | Edit profile in Settings; contact us for other data |
| Deletion | "Delete Account" in Settings or email us — erased within 30 days |
| Restrict / Object | Disable social features, analytics, or optional profiling in Settings |
| Withdraw consent | For optional demographics / analytics — anytime in Settings |
9.2 Region-Specific
- GDPR (UK/EEA) — lodge a complaint with the ICO (UK) or your local DPA.
- CCPA (California) — right to know, delete, opt-out of sale (we don't sell), non-discrimination.
- LGPD (Brazil) — confirmation, access, correction, anonymisation, portability, info on sharing.
Contact: support@cringeapp.ai (subject "PRIVACY REQUEST") or in-app Settings → Privacy.
10. Children's Privacy
Cringe is for users 13+. We do not knowingly collect data from children under 13. If discovered, we delete it immediately. Parents: contact support@cringeapp.ai.
11. Data Breach Notification
If a breach affects your personal data, we will:
- Notify you within 72 hours of discovery
- Report to the relevant supervisory authority
- Take immediate steps to contain and remediate
12. Changes to This Policy
We may update this policy. Material changes will be posted with a new version number and effective date, and we'll notify you in-app or by email. Continued use after the effective date constitutes acceptance.
13. Progressive Web App (PWA)
Installing Cringe as a PWA stores offline content and caches assets locally on your device. This data remains until you clear browser data or uninstall the PWA. No additional personal data is collected by the PWA mechanism itself.
14. Data Protection Officer
15. Contact Us
| Purpose | Contact |
|---|---|
| General support | support@cringeapp.ai |
| In-app feedback | feedback@cringeapp.ai |
| Privacy / DPO / GDPR / CCPA | dpo@cringeapp.ai |
| Urgent privacy matters | Subject line: URGENT – PRIVACY |
General enquiries: 48 hours. Formal rights requests: 30 days (or statutory deadline).
16. Consent
By using Cringe, you acknowledge this Privacy Policy (v0.2) and consent to the processing described. If you do not agree, please discontinue use.