Falandia

Privacy Policy

Effective date / Last updated: 27 June 2026

1. Who we are

Falandia ("Falandia", "we", "us", "our") is a daily language-learning service operated by Falandia, based in Portugal. Falandia is the data controller for the personal data described in this policy.

Contact for privacy matters: hello@falandia.com.

This policy explains what personal data we collect, why, how we use and protect it, and the rights you have. It applies to the Falandia website and app at falandia.com.

2. The data we collect

We aim to collect as little as possible. We collect:

  • Account data — your email address, and (if you sign in with Google) the basic profile information Google shares (name, email). If you sign up with email/password, we store a securely hashed password (handled by our authentication provider; we never see your plain password).
  • Profile & preferences — an optional display name, your timezone, your chosen daily-reminder time, and your difficulty preference.
  • Learning activity — which sentences you've been served and viewed, your streak, and similar progress data, so we can serve you the next sentence and show your history.
  • Consent records — a record of the consents you give (terms/privacy acceptance and any marketing-email opt-in), with timestamps, as required by law.
  • Communications & demand signals — if you ask to be notified about a not-yet-available language pair, the language pair requested and (if you provide it) your email; and your subscription status for our daily email.
  • First-party usage analytics — privacy-preserving events about how the app is used (e.g. a lesson opened, a section expanded), stored on our own systems. We do not use third-party advertising or tracking SDKs.
  • Payment data (future) — if and when we offer paid plans, payments will be handled by a third-party Merchant of Record (Paddle); they process your payment details, and we receive only limited information (e.g. your plan/entitlement status). We do not store full card details.
  • Technical data — limited information such as IP address (used transiently for security/rate-limiting) and basic device/browser information needed to deliver and secure the service.

We do not knowingly collect special-category (sensitive) personal data.

3. How we use your data, and our legal bases (GDPR)

PurposeLegal basis
Create and run your account; serve your daily lessons; keep your streak/historyPerformance of a contract with you
Send transactional emails (verify your email, password reset, account notices)Performance of a contract
Send the daily learning email and launch notificationsYour consent (separate opt-in; withdrawable any time)
Keep the service secure, prevent abuse, rate-limit, debugOur legitimate interests in a safe, working service
Understand and improve the product via first-party analyticsOur legitimate interests (we keep this data minimal and non-intrusive)
Keep records of consent, handle tax/payments, respond to legal requestsLegal obligation

We do not sell your personal data, and we do not use it for third-party advertising.

4. Email & marketing

  • Transactional emails (verification, password reset, important account or service notices) are part of providing the service and are sent on the basis of our contract with you.
  • The daily learning email and launch notifications are sent only if you opt in (a separate, optional checkbox at sign-up, or by joining a waitlist). You can withdraw consent at any time via your settings or the unsubscribe link in any such email — without affecting your account.

Our daily/marketing email is delivered through Beehiiv (see subprocessors below).

5. Cookies & similar technologies

We use only essential cookies/local storage needed to sign you in, keep your session, and remember basic preferences. We do not use third-party advertising or cross-site tracking cookies, which is why you won't see a tracking-consent banner. (Legal review: confirm whether a short cookie/ePrivacy notice is still required under Portuguese law even for essential-only cookies.)

6. Who we share data with (processors / subprocessors)

We share data only with service providers who process it on our behalf under appropriate agreements, including:

  • Lovable Cloud / Supabase — database, authentication, and file storage (hosts your account and app data).
  • Beehiiv — delivery of the daily/marketing email (processes your email and name if you opt in).
  • Google — if you choose Google sign-in (authentication).
  • ElevenLabs — text-to-speech generation of lesson audio (processes lesson content, not your personal data).
  • Lovable AI — generation of lesson content (processes lesson content, not your personal data).
  • Cloudflare — domain, DNS, and edge security.
  • Paddle (future, if/when paid plans launch) — Merchant of Record for payments.
  • Resend (if/when added) — transactional email delivery.

(Legal review: confirm this subprocessor list, the agreements in place, and keep it current.)

We may also disclose data if required by law, to protect our rights or users' safety, or in connection with a business transfer (e.g. merger or acquisition), in which case we'll notify you.

7. International data transfers

Some of our providers are located outside Portugal / the EEA (for example, in the United States). Where personal data is transferred internationally, we rely on appropriate safeguards such as the EU Standard Contractual Clauses, the EU–US Data Privacy Framework, or an adequacy decision. (Legal review: confirm the transfer mechanism for each provider.)

8. How long we keep your data

We keep your personal data for as long as your account is active. If you delete your account, we delete your personal data and associated learning data, except where we must retain limited records to meet legal obligations (e.g. tax/payment records) or to resolve disputes. Some anonymised/aggregated data may be retained as it no longer identifies you.

9. Your rights

Under the GDPR you have the right to access, rectify, erase, restrict or object to processing, data portability, to withdraw consent at any time (e.g. for the daily email), and to complain to a supervisory authority — in Portugal, the CNPD (Comissão Nacional de Proteção de Dados, www.cnpd.pt).

How to exercise them: Most are available directly in the app —

  • Access / portability: Settings → Download my data gives you a JSON export of your data.
  • Erasure: Settings → Delete my account permanently deletes your account and data.
  • Rectification: edit your profile in Settings.
  • Withdraw marketing consent: the reminder/marketing toggle in Settings or any email's unsubscribe link.

For anything else, contact hello@falandia.com and we'll respond within the timeframe required by law (generally one month).

10. Security

We protect your data with measures including encryption in transit, row-level access controls so users can only access their own data, restricted server-side access to sensitive operations, and rate-limiting against abuse. No system is perfectly secure, but we take reasonable steps to protect your information.

11. Children

Falandia is not directed at children under 16, and we do not knowingly collect their data. If you believe a child has provided us data, contact us and we'll delete it.

12. A note on AI-generated learning content

Lesson sentences, translations, grammar notes and audio are AI-assisted and human-reviewed. They may occasionally contain errors and are provided for learning, not as professional translation or certified instruction. This note is about the content itself; it doesn't change how we handle your personal data.

13. Changes to this policy

We may update this policy from time to time. We'll post the new version here with an updated date and, for material changes, notify you (e.g. by email or in-app).

14. Contact

Questions or requests: hello@falandia.com