π Last Updated: May 24, 2025
π Jurisdiction: European Union β GDPR Compliant
π Privacy at a Glance
What we collect: Account information, learning progress, payment data (via Stripe), usage data
Why we collect it: To provide the service, manage subscriptions, and improve your experience
Who we share it with: Only essential third-party services (Stripe, YouTube, hosting provider)
Marketing emails: We may send you promotional offers and discounts β you can unsubscribe anytime
Your rights: Access, correct, delete, or export your data at any time
1. Introduction
Welcome to English Play ("we," "our," "us"). We are committed to protecting your personal data and respecting your privacy. This Privacy Policy explains how we collect, use, and protect your information when you use our platform β including when you create an account, purchase a subscription, or use our learning tools.
This policy complies with the General Data Protection Regulation (GDPR) and other applicable data protection laws.
π Your Consent
By using English Play, you consent to this Privacy Policy. You may withdraw consent at any time by contacting us or deleting your account.
2. Information We Collect
π€ Account Data
- Email address β used to create and manage your account
- Password β stored in encrypted (hashed) form, never in plain text
- Account preferences β display settings, language preferences
Legal Basis: Contract β necessary to provide the service
π³ Payment Data (via Stripe)
We use Stripe to process all payments. We do not store your card details on our servers. Stripe handles all payment processing securely and is PCI-DSS certified.
- Subscription status β active, cancelled, or expired
- Billing history β payment dates and amounts
- Stripe customer ID β a reference token, not your card details
Legal Basis: Contract β necessary to process your subscription
Stripe Privacy Policy: stripe.com/privacy
π Learning Data
- Vocabulary progress β words learned, difficulty ratings, completion rates
- Grammar exercises β completed exercises, scores, areas of improvement
- Phrasal verb practice β training history, favourite exercises
- Movie lessons β viewed content, completion status
Legal Basis: Legitimate interest β providing and improving the educational service
π₯οΈ Technical Data
- Browser type and version, operating system
- Pages visited, time spent, interaction patterns
- IP address β used for security and geographic analytics at country/region level only
- Device screen resolution and performance data
Legal Basis: Legitimate interest β service security and improvement
πͺ Cookies and Similar Technologies
- Strictly Necessary: Authentication and session management
- Functional: Remember your preferences and progress
- Analytics: Understand how you use our site (with consent)
- Third-Party: YouTube embedded videos, Stripe payment widgets
More info: See our Cookie Policy
Information We Do NOT Collect
- β Government ID or identification documents
- β Card numbers, CVV, or banking credentials (handled entirely by Stripe)
- β Sensitive personal data (health information, political views, religion, etc.)
- β Biometric or genetic information
3. How We Use Your Information
| Purpose | Data Used | Legal Basis | Retention |
|---|---|---|---|
| Provide the Service | Account data, learning progress | Contract | Until account deletion |
| Process Payments | Stripe data, subscription status | Contract | 7 years (legal/tax requirement) |
| Send Promotional Emails | Email address | Legitimate Interest / Consent | Until unsubscribe |
| Improve the Service | Anonymised usage data | Legitimate Interest | 2 years |
| Security & Fraud Prevention | IP address, technical logs | Legitimate Interest | 1 year |
| Legal Compliance | As required by law | Legal Obligation | As required by law |
π§ Promotional Emails
By creating an account, you may receive occasional emails from us with promotional offers, discounts, or feature announcements. You can unsubscribe at any time by clicking "Unsubscribe" in any email, or by contacting us directly. We will never share your email address with third parties for their own marketing purposes.
4. Data Storage and Security
π Where Your Data is Stored
Your data may be processed by servers in the European Union or by our third-party providers who may operate in other regions (including North America, via Stripe and YouTube/Google). In all cases, appropriate safeguards are in place β see Section 6 on international transfers.
π How We Protect Your Data
- HTTPS encryption for all data in transit
- Password hashing β passwords are never stored in plain text
- Payment security β card data handled exclusively by Stripe (PCI-DSS certified)
- Minimal collection β we only collect what is necessary
- Access controls β limited internal access to user data
β οΈ Security Notice: No internet transmission is 100% secure. We implement strong safeguards and will notify you promptly in the event of a data breach affecting your information.
5. Data Sharing and Third Parties
We do not sell, rent, or trade your personal data. We share data only with the following service providers who are essential to operating the platform:
π³ Stripe
Purpose: Payment processing and subscription management
Data Shared: Email address, subscription details, payment events
Privacy Policy: stripe.com/privacy
π₯ YouTube (Google)
Purpose: Embedded educational videos
Data Shared: Video viewing behaviour, device information
Privacy Policy: Google Privacy Policy
π Hosting Provider
Purpose: Website and application hosting
Data Shared: Basic server logs (IP addresses, access times)
βοΈ Legal Requirements
We may disclose your information if required by a valid legal process, court order, or applicable law.
6. International Data Transfers
Some of our service providers operate outside the European Economic Area (EEA). When data is transferred internationally, we ensure adequate protection through:
- Standard Contractual Clauses (SCCs) approved by the European Commission
- Adequacy decisions for countries with equivalent data protection standards
- Certification frameworks applicable to our third-party providers (e.g., Stripe)
7. Your GDPR Rights
π‘οΈ Your Data Protection Rights
1. π Right of Access
Request a copy of the personal data we hold about you.
2. βοΈ Right to Rectification
Request correction of inaccurate or incomplete data.
3. ποΈ Right to Erasure ("Right to be Forgotten")
Request deletion of your account and data. Note: payment records may be retained for up to 7 years to comply with legal and tax obligations.
4. π¦ Right to Data Portability
Receive your data in a structured, machine-readable format.
5. βΈοΈ Right to Restrict Processing
Request that we limit how we process your data in certain circumstances.
6. π« Right to Object
Object to processing based on legitimate interests β including the right to opt out of promotional emails at any time.
7. π Right to Withdraw Consent
Withdraw consent at any time where processing is consent-based.
8. ποΈ Right to Lodge a Complaint
File a complaint with your local data protection authority. Find your national authority at: European Data Protection Board
How to Exercise Your Rights
- Email us at legal@englishplay.app with "GDPR Request" in the subject line
- Describe your request clearly (access, deletion, correction, etc.)
- We may ask for identity verification to protect your account
- We will respond within 30 days
8. Data Retention
| Data Type | Retention Period | Reason |
|---|---|---|
| Account & Learning Data | Until account deletion | Ongoing service |
| Payment Records | 7 years | Legal / tax obligation |
| Usage Analytics | 2 years (anonymised) | Service improvement |
| Technical Logs | 1 year | Security and troubleshooting |
| Email Marketing Records | Until unsubscribe + 1 year | Proof of consent |
9. Children's Privacy
π¨βπ©βπ§βπ¦ Users Under 16
English Play is intended for users aged 13 and older. We do not knowingly collect data from children under 13. For users aged 13β16 in the EU, parental or guardian consent may be required under GDPR. If you believe a child has created an account without appropriate consent, please contact us and we will promptly remove the account and associated data.
10. Automated Decision-Making
English Play uses limited automated systems to personalise your learning experience β such as recommending exercises based on your progress and adjusting difficulty levels. These processes do not produce legal or similarly significant effects on you. You may contact us if you wish to request human review.
11. Updates to This Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, new features, or legal requirements. When we do, we will update the "Last Updated" date and notify registered users by email for significant changes. Your continued use of the service constitutes acceptance of the updated policy.
12. Contact Information
π§ Data Protection Contact
Service: English Play
Email:EnglishPlay.org@proton.me
Subject Line for GDPR Requests: "GDPR Request - English Play"
π Response Times
- General Inquiries: 48β72 hours
- GDPR Requests: Within 30 days
- Urgent Privacy Concerns: Within 24 hours
Privacy Policy β English Play
Version: 2.0 | Last Updated: May 24, 2025
Jurisdiction: European Union (GDPR Compliant)