Privacy Policy
Last updated July 8, 2026
This Privacy Policy explains how Hablalo (“the Service”, hablalo.io) handles your personal data. We care about privacy and collect only what we need to run the Service well.
1. Who is responsible (Controller)
The data controller is Wiktor Piotr Pawlikowski, a self-employed individual (autónomo) based in Spain — Calle Martínez Maldonado 11, 3A, 29007 Málaga, Spain. For any privacy question or to exercise your rights, contact us at hello@hablalo.io.
2. What data we process
- Account data — your email address, a hashed password (we never store it in the clear), and basic profile and learning preferences (such as your target language and level).
- Learning activity — your progress, reviews, word lists, streak, and similar data that make the Service work for you.
- AI interaction content — the text you submit to AI features (for example, writing you ask us to review or messages in a practice conversation) and the responses generated for you.
- Payment data — your subscription is handled by Polar as merchant of record. Polar processes your payment details; we never see or store your card data. We receive limited information such as your subscription status, plan, and the country/currency Polar reports for tax purposes.
- Diagnostics & device data — to keep the Service stable, we collect technical and error information, including a randomly generated device identifier, browser/OS type, language, time zone, approximate session activity (a periodic “still here” heartbeat), and error reports. Error monitoring is also performed via Sentry.
3. Why we process it, and our legal bases
- To provide the Service — create and manage your account, deliver learning features, process the text you submit to AI features, and handle your subscription. Legal basis: performance of our contract with you (GDPR Art. 6(1)(b)).
- To keep the Service secure and reliable — diagnostics, error monitoring, abuse and fraud prevention, and enforcing usage allowances. Legal basis: our legitimate interests in a secure, working Service (GDPR Art. 6(1)(f)).
- To comply with the law — for example, keeping records needed for tax and accounting (largely handled by Polar as merchant of record). Legal basis: compliance with a legal obligation (GDPR Art. 6(1)(c)).
- With your consent — where we ask for it (for example, optional emails). You can withdraw consent at any time. Legal basis: consent (GDPR Art. 6(1)(a)).
4. AI processing
To provide AI-assisted features, the text you submit is sent to our AI providers — currently Google (Gemini) and DeepSeek — which process it to generate the feature you asked for (for example, a correction, explanation, or story). We do not use your content to train our own models. We select providers that operate on a service basis rather than using customer content to train their foundation models for this use; their own terms also govern that processing. Please avoid submitting sensitive personal data you would not want processed this way.
5. Who we share data with (Processors)
We do not sell your personal data. We share it only with service providers who process it on our behalf to run the Service, under appropriate data-processing terms:
- Polar — payment processing and billing, as merchant of record (also an independent controller for the payment relationship and tax compliance).
- Google (Gemini) and DeepSeek — AI processing of submitted text to provide features.
- Sentry — error monitoring and crash reporting.
- Hetzner — hosting and infrastructure (servers located in Germany / the EU).
We may also disclose data where required by law, to protect our rights or users’ safety, or in connection with a business transfer (in which case we will tell you).
6. International transfers
Our hosting is in the EU (Germany). Some processors — in particular AI providers and Polar — may process data outside the European Economic Area. Where that happens, we rely on appropriate safeguards under the GDPR, such as the European Commission’s Standard Contractual Clauses or an adequacy decision, so your data stays protected. You can ask us for more detail.
7. How long we keep it
We keep your account data for as long as your account exists. You can delete your account at any time from Settings, which removes your personal data from the Service, subject to limited retention where the law requires it (for example, billing records kept for tax purposes, largely by Polar) or where we need it briefly to resolve disputes or enforce our terms. Diagnostic and error data are kept only as long as needed for security and reliability and are then deleted or aggregated.
8. Your rights
Under the GDPR you have the right to:
- access the personal data we hold about you;
- have inaccurate data corrected;
- have your data erased (you can delete your account in Settings);
- receive your data in a portable format and ask us to transfer it where technically feasible;
- object to, or ask us to restrict, processing based on legitimate interests; and
- withdraw any consent you have given, at any time.
To exercise these rights, email hello@hablalo.io. You also have the right to lodge a complaint with a supervisory authority — in Spain, the Spanish Data Protection Agency (Agencia Española de Protección de Datos, AEPD) — or with the authority in your country of residence.
9. Cookies & similar technologies
We use only what the Service needs to function. Specifically:
- Essential session cookies — used to keep you signed in and to maintain your session. The Service does not work without these, so they do not require consent.
- First-party diagnostics — we store a randomly generated device identifier in your browser’s local storage and use it for first-party reliability telemetry (error reporting and a session heartbeat), as described above. This is not shared with advertisers and is not used to track you across other websites.
- No third-party advertising or analytics trackers — we do not use Google Analytics, advertising pixels, or cross-site tracking cookies. Error monitoring is provided by Sentry strictly to detect and fix problems, not to profile you.
10. Children
The Service is not intended for children under 16. We do not knowingly collect personal data from anyone under 16. If you believe a child has provided us data, contact us and we will delete it.
11. Changes to this Policy
We may update this Policy from time to time. We will update the “last updated” date above and, for material changes, take reasonable steps to let you know.
12. Contact
For any privacy question, write to hello@hablalo.io. The controller is Wiktor Piotr Pawlikowski, Calle Martínez Maldonado 11, 3A, 29007 Málaga, Spain.