CringePrivacy Policy

Privacy Policy

Version 0.2 · Last updated 12 June 2026 · Effective 12 June 2026

Privacy at a Glance

  • We collect only the data needed to provide and improve your language learning experience.
  • You control your data: access, update, export, or delete your account at any time.
  • We never sell your personal data.
  • Friend messages are encrypted at rest (AES-256-GCM).
  • Payment details are never seen or stored by Cringe — all payments are processed by Apple, Google, or Stripe.
  • Questions? Contact support@cringeapp.ai or our Data Protection Officer at dpo@cringeapp.ai.

1. Introduction

Cringe ("we," "our," "us") operates the Cringe language learning application (the "App"). This Privacy Policy explains what personal data we collect, why we collect it, how we use it, and your rights. By using the App, you agree to this policy. If you disagree, please do not use the App.

2. Data We Collect

2.1 Account & Profile Data

CategoryExamplesPurpose
IdentityName, email, password (bcrypt-hashed)Account creation, authentication, transactional email
Profile (optional)Display name, pronouns, location, bio, profile/banner images, social linksProfile display, community features
Demographics (optional)Age/birth date, timezone, education level, profession, interests, learning goals, learning style, motivation, daily study timeLesson personalisation, scheduling, motivation modelling

All profile and demographic fields are optional. You can edit or remove them in Settings at any time.

2.2 Learning & Progress Data

CategoryPurpose
Target/native language, CEFR levelCore lesson delivery
Completed lessons, accuracy, time per step, response timingProgress tracking, spaced-repetition scheduling
Vocabulary & grammar review schedulesAdaptive review reminders
Topic mastery scoresContent recommendation
XP, streak, gems, lives, achievementsGamification
Session patterns, preferred study timesEngagement-based recommendations

2.3 Social & Communication Data

CategoryPurpose
Friend connections (mutual follows)Friends list, leaderboards
Friend chat messagesEncrypted messaging (AES-256-GCM at rest)
AI tutor conversation historyContinuity between AI sessions
League tier, division, weekly rankLeaderboards

2.4 Device & Technical Data

CategoryPurpose
IP address (short-term)Security, fraud prevention, rate limiting
Device identifier (IDFV via RevenueCat)Subscription sync across devices
Push notification tokenLesson reminders
Session tokens (hashed)Authentication

2.5 Payment Data (Processed by Partners)

DataHeld ByPurpose
Card / payment detailsApple / Google / StripePayment processing
Subscription status, expiry, provider, subscription IDCringe (via RevenueCat webhooks)Feature access, receipts, audit
We never receive or store full card numbers.

3. How We Use Your Data

PurposeLegal Basis (GDPR)
Provide the App (auth, lessons, progress, social, gamification)Contract (Art. 6(1)(b))
Personalise content, difficulty, pacing, recommendationsLegitimate interest (Art. 6(1)(f)) / Consent for optional demographics
Spaced-repetition schedulingContract / Legitimate interest
Transactional email (verification, receipts, password reset)Contract
Security, fraud prevention, rate limitingLegitimate interest
Legal compliance (tax, audit, law enforcement)Legal obligation (Art. 6(1)(c))

We do not use your data for advertising, profiling for third-party marketing, or selling to data brokers.

4. Third-Party Processors

Each processor receives only the minimum data necessary:

ProcessorCategoryData Shared
RevenueCatSubscription infrastructureUser ID, purchase events, device ID (IDFV)
Google GeminiAI lesson generationPseudonymised learning context (level, topic, language) — no identifiers
Anthropic ClaudeFallback AI lesson generationPseudonymised learning context — no identifiers
ResendTransactional emailEmail address only
Neon (PostgreSQL)Database hostingAll stored application data (processor only)
VercelServerless hostingServerless function logs (no persistent personal data)
Google Analytics (optional)Aggregated usage analyticsPseudonymous event data — opt-out available

We have Data Processing Agreements (DPAs) with each processor and rely on Standard Contractual Clauses for transfers outside the EEA/UK.

5. Data Storage & Security

MeasureDetail
Passwordsbcrypt (12 rounds), never plaintext
Session tokensSHA-256 hashed at rest; access tokens 15 min, refresh tokens 90 days
Friend messagesAES-256-GCM encrypted at rest
Auth cookiesHttpOnly, Secure, SameSite=Strict
Rate limiting5 failed logins → 15 min lockout
TransportTLS 1.2+ everywhere
DatabaseNeon (PostgreSQL) — encryption at rest, role-based access control
Input sanitisationXSS prevention, prototype pollution protection

6. Data Retention

CategoryRetention
Active account dataWhile account is active
Inactive accountsDeleted 2 years after last activity
IP / rate-limit logsRolling 14-day window
Subscription event payloads7 years (tax/audit)
Deleted account dataErased within 30 days of request
BackupsRetained per backup rotation (max 30 days post-deletion)

7. International Transfers

Your data may be processed in the US (RevenueCat, Anthropic, Google, Vercel) and EU (Neon). We rely on Standard Contractual Clauses and each processor's certifications to ensure adequate protection.

8. Cookies & Local Storage

Name / TechTypePurposeDuration
cringe_sessionStrictly necessaryShort-lived access token15 min
cringe_refreshStrictly necessaryLong-lived refresh token90 days
Google Analytics (optional)AnalyticsAggregated usage statsPer GA settings
LocalStorage / IndexedDBFunctionalityOffline PWA content, UI preferencesUntil cleared
Service WorkersFunctionalityOffline sync, push notificationsUntil app uninstalled

Disable strictly necessary cookies → you cannot log in. Opt out of Analytics in Settings or via the GA Opt-out Add-on.

9. Your Rights

9.1 Rights

RightHow to Exercise
AccessRequest a copy of your data
PortabilityExport learning progress, vocab, grammar bank, progress charts
CorrectionEdit profile in Settings; contact us for other data
Deletion"Delete Account" in Settings or email us — erased within 30 days
Restrict / ObjectDisable social features, analytics, or optional profiling in Settings
Withdraw consentFor optional demographics / analytics — anytime in Settings

9.2 Region-Specific

  • GDPR (UK/EEA) — lodge a complaint with the ICO (UK) or your local DPA.
  • CCPA (California) — right to know, delete, opt-out of sale (we don't sell), non-discrimination.
  • LGPD (Brazil) — confirmation, access, correction, anonymisation, portability, info on sharing.

Contact: support@cringeapp.ai (subject "PRIVACY REQUEST") or in-app Settings → Privacy.

10. Children's Privacy

Cringe is for users 13+. We do not knowingly collect data from children under 13. If discovered, we delete it immediately. Parents: contact support@cringeapp.ai.

11. Data Breach Notification

If a breach affects your personal data, we will:

  1. Notify you within 72 hours of discovery
  2. Report to the relevant supervisory authority
  3. Take immediate steps to contain and remediate

12. Changes to This Policy

We may update this policy. Material changes will be posted with a new version number and effective date, and we'll notify you in-app or by email. Continued use after the effective date constitutes acceptance.

13. Progressive Web App (PWA)

Installing Cringe as a PWA stores offline content and caches assets locally on your device. This data remains until you clear browser data or uninstall the PWA. No additional personal data is collected by the PWA mechanism itself.

14. Data Protection Officer

Data Protection Officer, Cringe

📧 dpo@cringeapp.ai

Response within 30 days (or as required by law).

15. Contact Us

PurposeContact
General supportsupport@cringeapp.ai
In-app feedbackfeedback@cringeapp.ai
Privacy / DPO / GDPR / CCPAdpo@cringeapp.ai
Urgent privacy mattersSubject line: URGENT – PRIVACY

General enquiries: 48 hours. Formal rights requests: 30 days (or statutory deadline).

16. Consent

By using Cringe, you acknowledge this Privacy Policy (v0.2) and consent to the processing described. If you do not agree, please discontinue use.