This Privacy Policy explains what personal data Lexovo — operated by Digitly Media Kft, registered at 1131 Budapest, Béke utca 73. V/13., Hungary — collects, why we collect it, who we share it with, and the rights you have under the EU General Data Protection Regulation (GDPR).
1. Data controller
Digitly Media Kft is the data controller for personal data collected through lexovo.app. You can contact us at hello@lexovo.app on any privacy matter, including to exercise the rights described in section 8 below.
2. What we collect
We collect the following categories of personal data:
- Account data: email address, display name, password hash, preferred interface language, account type (individual or company).
- Learning data: CEFR level (self-reported or measured by placement test), lessons completed, XP, streaks, quiz answers, transcripts of AI roleplay scenarios, and related metadata such as time spent and timestamps.
- Billing data: subscription plan, status, renewal dates, redemption codes used. Card numbers are handled by Stripe Payments Europe Ltd. and never stored on our servers — we only receive a non-sensitive token plus the last four digits and brand of your card.
- Technical data: IP address, browser type, log timestamps, cookie identifiers used for authentication and (optionally, with your consent) analytics.
3. Why we use it
We process personal data for the following purposes:
- To deliver the service (Art. 6(1)(b) contract): authenticating you, serving lessons, generating AI roleplay responses, tracking your progress, processing payments.
- To comply with law (Art. 6(1)(c) legal obligation): issuing VAT-compliant invoices, retaining accounting records, responding to regulator requests.
- To improve the product (Art. 6(1)(f) legitimate interest): aggregate analytics on lesson completion, error rates, and feature usage. Where individual tracking is involved (e.g., session-level analytics), we ask for your consent.
- To communicate with you (contract + legitimate interest): transactional emails (password reset, subscription receipts, trial-end reminders). Marketing emails are sent only with your consent and can be unsubscribed at any time.
4. AI roleplay processing
When you use the AI roleplay feature, the conversation you produce (your messages plus generated assistant turns) is sent to OpenRouter (operated by OpenRouter Ltd.), which routes it to a large-language-model provider (currently Anthropic for both turn and evaluation models). OpenRouter and the underlying provider process your messages solely to generate a response and, per their contractual terms, do not train their general-purpose models on this data. We log token usage and cost server-side; we do not store data on third-party servers beyond what is required for that single API call.
5. Cookies
We use the following categories of cookies:
- Strictly necessary: authentication session cookies, CSRF tokens. These cannot be disabled.
- Analytics (optional): enabled only with your consent via the cookie banner. We use PostHog (operated by PostHog Inc.) to understand product usage. You can withdraw consent at any time from the privacy settings in your profile.
6. Who we share data with
We share the minimum necessary data with the following sub-processors, each bound by an EU-compliant data-processing agreement:
- Supabase (Singapore-based, EU regional hosting): database and authentication.
- Vercel (US-based, with EU edge): application hosting.
- Stripe Payments Europe Ltd. (Ireland): payment processing and Stripe Customer Portal.
- OpenRouter Ltd. + underlying LLM provider: AI roleplay and evaluation.
- Resend (US-based with EU region): transactional and (optionally) marketing email delivery.
- PostHog Inc. (EU-hosted): product analytics, consent-gated.
Where data leaves the European Economic Area, we rely on Standard Contractual Clauses or equivalent safeguards as required by GDPR Chapter V.
7. Retention
We retain personal data while your account is active and for as long as needed to comply with legal obligations (e.g., 8 years for accounting records in Hungary). When you delete your account, we delete or anonymise your learning data and account record within 30 days, except for records we must keep for legal compliance.
8. Your rights
Under GDPR you have the right to:
- access your personal data and receive a copy of it;
- have inaccurate data corrected;
- have your data deleted (subject to legal retention);
- restrict or object to certain processing, in particular to processing based on legitimate interest;
- receive your data in a portable format (CSV/JSON);
- withdraw consent at any time for consent-based processing;
- lodge a complaint with the Hungarian National Authority for Data Protection and Freedom of Information (NAIH), or with the supervisory authority in your country of residence.
To exercise these rights, email hello@lexovo.app. We respond within 30 days.
9. Security
We protect personal data with industry-standard measures including TLS encryption in transit, row-level security in the database, password hashing with bcrypt or argon2, and principle-of-least-privilege access for our team. No system is perfectly secure; in the unlikely event of a personal data breach affecting your rights and freedoms, we will notify you and the supervisory authority as required by GDPR Art. 33-34.
10. Changes
We may update this Privacy Policy from time to time. Material changes will be communicated by email or in-app notice. The effective date appears at the top of this page.
11. Contact
Privacy questions or rights requests: hello@lexovo.app. Postal address: Digitly Media Kft, 1131 Budapest, Béke utca 73. V/13., Hungary.