Privacy Policy
Last updated: March 9, 2026 · Effective date: March 9, 2026 · Operated by MagicusPrime LDA
Independent Platform Notice
Prepilingo is an independent educational platform developed by MagicusPrime LDA. We are not affiliated with, endorsed by, sponsored by, or officially approved by ÖSD, ÖIF, Goethe-Institut, telc GmbH, TestDaF-Institut, BAMF, or any other official examination authority or government body. All exam names are referenced solely for descriptive and educational purposes.
This Privacy Policy explains what personal data Prepilingo collects, why we collect it, who we share it with, and what rights you have over it. We are committed to full transparency and compliance with the General Data Protection Regulation (GDPR), the EU Digital Services Act, and applicable Austrian and Portuguese data protection law.
By using Prepilingo, you agree to the practices described in this policy. If you do not agree, please discontinue use and contact us to delete your account.
1. Who We Are
Data Controller:
MagicusPrime LDA
Rua D. Manuel 115
4485-528 Mindelo, Porto, Portugal
NIF: 518 300 714
Email: help@prepilingo.com
For all privacy-related requests, contact us at help@prepilingo.com. We will respond within 30 days.
2. Data We Collect
We collect only the data necessary to provide and improve the Prepilingo service. The following table maps each data type to its source, purpose, and whether it is linked to your identity — matching our App Store and Google Play privacy declarations exactly.
| Data Type | What We Collect | Purpose | Linked to Identity |
|---|---|---|---|
| Name | Display name you provide on registration | App functionality — personalizing your profile and study dashboard | Yes |
| Email Address | Email address used to create your account | App functionality (authentication, account recovery, support) and sending you study tips and product updates with your consent | Yes |
| Audio Data | Voice recordings you submit for speaking exercises | App functionality — processed by AI to generate speaking feedback. See Section 5 for full audio data policy. | Yes |
| Device Identifier | Firebase installation ID, RevenueCat subscriber ID | Analytics — measuring app usage, unique user counts, and managing subscription state across reinstalls | Yes |
| Product Interaction | Screens visited, exercises started and completed, features tapped, study session events | Analytics — understanding feature usage; Product personalization — adapting your study path to your progress and weak areas | Yes |
| Other Usage Data | Session duration, study streaks, content preferences, CEFR level progress | Analytics — measuring app performance; Product personalization — generating adaptive recommendations | Yes |
| Crash Data | Stack traces, device state at time of crash, Firebase UID (if set) | App functionality — identifying and fixing technical issues | Yes |
| Diagnostic Data | App launch time, network latency, screen rendering performance | App functionality — monitoring and improving app stability and speed | No |
| Purchase History | Subscription plan, purchase date, transaction ID (via RevenueCat) | App functionality — validating and restoring subscription entitlements | Yes |
What we do not collect: We do not collect payment card numbers (handled entirely by Apple App Store or Google Play), biometric data, location data, contacts, photos, or browsing history.
3. Legal Basis for Processing (GDPR)
| Processing Activity | Legal Basis |
|---|---|
| Account creation and authentication | Performance of a contract (Art. 6(1)(b) GDPR) |
| Delivering exam preparation features | Performance of a contract (Art. 6(1)(b) GDPR) |
| AI feedback on writing and speaking exercises | Performance of a contract (Art. 6(1)(b) GDPR) |
| Subscription management and purchase validation | Performance of a contract (Art. 6(1)(b) GDPR) |
| Sending study tips and marketing emails | Consent (Art. 6(1)(a) GDPR) — you may unsubscribe at any time |
| Analytics and product improvement | Legitimate interests (Art. 6(1)(f) GDPR) — improving the service for all users |
| Crash reporting and diagnostics | Legitimate interests (Art. 6(1)(f) GDPR) — maintaining a stable, secure service |
| Compliance with legal and accounting obligations | Legal obligation (Art. 6(1)(c) GDPR) |
4. Third-Party Service Providers
We use the following third-party services to operate Prepilingo. Each acts as a data processor on our behalf under a data processing agreement. They are not permitted to use your data for their own advertising or commercial purposes beyond what is necessary to provide the service to us.
Google Firebase
Authentication · Database · Storage · Analytics · Crash ReportingProvides user authentication (Firebase Auth), data storage (Firestore), file storage (Firebase Storage), app usage analytics (Firebase Analytics), and crash reporting (Firebase Crashlytics). All data is stored on Google Cloud Platform servers.
Data processed: Name, email address, audio files (temporarily), device identifiers, usage events, crash reports, performance metrics.
Google Privacy Policy →Google Gemini API
AI Writing & Speaking FeedbackProcesses user-submitted text (essays, written exercises) and audio recordings (speaking exercises) to generate AI-powered feedback. Data is transmitted securely and processed on Google's servers solely to return feedback to the user.
Data processed: Written exercise content, audio recordings submitted for speaking feedback.
Retention: Google Gemini API does not retain submitted data for model training by default under our API usage agreement. Data is processed transiently and not stored beyond the request lifecycle.
Google Privacy Policy →OpenRouter
AI Model RoutingRoutes AI inference requests to third-party large language model providers (which may include models from Mistral AI, Meta, Anthropic, and others) for generating exam preparation feedback. User-submitted content may be processed by OpenRouter's upstream model providers.
Data processed: Text content submitted for AI feedback. Audio data is not routed through OpenRouter.
Note: OpenRouter's upstream providers may vary. We select providers that do not use submitted data for model training under their API terms.
OpenRouter Privacy Policy →RevenueCat
Subscription Management · In-App PurchasesManages in-app purchase validation, subscription entitlements, and purchase restoration across devices. RevenueCat receives the minimum data necessary to validate subscription status.
Data processed: Device identifier, app user ID (Firebase UID), purchase history, subscription status. RevenueCat does not receive your name or email address directly from us.
RevenueCat Privacy Policy →Apple App Store & Google Play
App Distribution · Payment ProcessingIn-app purchases are processed entirely by Apple and Google through their respective payment systems. We do not receive or store your payment card details. Transaction confirmations are passed to RevenueCat for entitlement validation only.
We do not sell your personal data to any third party. We do not share your data with advertising networks, data brokers, or any entity that would use it for cross-app or cross-site tracking.
5. Audio Data — Dedicated Policy
Because audio recordings are a sensitive data type, we are providing a dedicated explanation of how they are handled.
What is recorded
When you complete a speaking exercise in Prepilingo, you voluntarily initiate a voice recording within the app. No audio is recorded passively or in the background. The microphone is only accessed when you actively tap the record button.
How it is processed
- Your recording is uploaded securely to Firebase Storage over an encrypted TLS connection, stored temporarily under your authenticated user account.
- The audio file is transmitted to Google Gemini API for speech analysis. Gemini returns a feedback response covering pronunciation, fluency, vocabulary, and CEFR alignment.
- The AI feedback is saved to your account in Firestore so you can review it.
- The original audio file in Firebase Storage is deleted within 24 hours of processing. It is not retained for quality review, model training, or any other purpose.
What it is not used for
- Audio is never used for advertising or user profiling
- Audio is never shared with third parties beyond Google Gemini for the sole purpose of generating your feedback
- Audio is never used to train AI models (covered under our API usage agreement with Google)
- Audio is never retained after the 24-hour processing window
6. Data Storage and Security
All user data is stored on Google Cloud Platform (Firebase) servers. Primary data residency is in the European Union where Firebase regional configuration allows. Some data may be processed in the United States where Google operates global infrastructure.
- All data in transit is encrypted using TLS 1.2 or higher
- All data at rest is encrypted using AES-256
- Firebase Security Rules restrict database access to authenticated users accessing only their own data
- Firebase Storage rules restrict file access to the authenticated user who uploaded the file
- We conduct regular reviews of access controls and third-party SDK permissions
7. Data Retention
| Data Type | Retention Period |
|---|---|
| Account data (name, email) | Until you delete your account, then within 30 days |
| Learning progress and exercise history | Until you delete your account, then within 30 days |
| Audio recordings | Deleted within 24 hours of AI processing |
| AI feedback results | Stored in your account until deletion |
| Purchase and transaction records | 7 years (legal and accounting obligation under Portuguese and EU law) |
| Firebase Analytics data | Aggregated and anonymized after 14 months (Firebase default) |
| Crash reports (Crashlytics) | 90 days (Firebase Crashlytics default) |
8. International Data Transfers
MagicusPrime LDA is based in Portugal (EU). Some of our third-party processors operate infrastructure in the United States, including Google (Firebase, Gemini), OpenRouter, and RevenueCat.
Transfers to the United States are covered by:
- Google's participation in the EU–U.S. Data Privacy Framework
- Standard Contractual Clauses (SCCs) approved by the European Commission, where applicable
- RevenueCat's Data Processing Agreement
- OpenRouter's data processing terms
9. Your Rights Under GDPR
If you are in the EU or EEA, you have the following rights. To exercise any of them, email help@prepilingo.com. We will respond within 30 days.
| Right | What It Means |
|---|---|
| Access | Request a copy of all personal data we hold about you |
| Rectification | Correct inaccurate or incomplete information |
| Erasure | Request deletion of your personal data. You can also delete your account directly at prepilingo.com/delete-account |
| Data Portability | Receive your learning data in a structured, machine-readable format |
| Restrict Processing | Ask us to pause processing of your data in certain circumstances |
| Object | Object to processing based on legitimate interests, including direct marketing |
| Withdraw Consent | Withdraw marketing consent at any time by unsubscribing from emails or contacting us |
| Lodge a Complaint | File a complaint with your national Data Protection Authority. In Portugal: CNPD (cnpd.pt). In Austria: DSB (dsb.gv.at) |
10. Marketing Communications
If you have subscribed to our newsletter or opted in during registration, we will send you study tips, exam preparation guides, and product updates by email. This is first-party marketing — we do not share your email with advertising networks for retargeting.
You can unsubscribe at any time by:
- Clicking the unsubscribe link in any marketing email
- Emailing help@prepilingo.com with the subject "Unsubscribe"
Unsubscribing from marketing emails does not affect transactional emails such as account confirmations or subscription receipts.
11. Cookies and Tracking (Website Only)
The Prepilingo mobile app does not use browser cookies. Our website (prepilingo.com) uses the following:
- Essential cookies: Required for the website to function (session management, security)
- Analytics cookies: Firebase Analytics / Google Analytics to understand how visitors use the site. These are anonymized and do not identify individual users.
We do not use advertising cookies or third-party retargeting cookies on our website. You can manage cookie preferences through our cookie consent banner.
12. Children's Privacy
Prepilingo is intended for users aged 16 and older. We do not knowingly collect personal data from children under 16. If you believe we have inadvertently collected data from a child under 16, please contact us immediately at help@prepilingo.com and we will delete it promptly.
13. Account Deletion and Data Removal
You can delete your Prepilingo account and all associated personal data at any time by visiting:
Upon deletion:
- Your account, profile, learning progress, and exercise history are deleted within 30 days
- Audio recordings are deleted within 24 hours of processing (independently of account deletion)
- Transaction records are retained for 7 years for legal and accounting obligations, in anonymized form where possible
- Anonymized analytics data that cannot be re-linked to you may be retained
14. Changes to This Policy
We will update this Privacy Policy when our data practices change or when required by law. When we make material changes, we will:
- Update the "Last updated" date at the top of this page
- Send an email notification to registered users
- Display an in-app notification for significant changes
We encourage you to review this policy periodically.
15. Contact Us
MagicusPrime LDA (Prepilingo)
Rua D. Manuel 115
4485-528 Mindelo, Porto, Portugal
General support: help@prepilingo.com
Privacy requests: help@prepilingo.com
Website: prepilingo.com
Account deletion: prepilingo.com/delete-account