Privacy Policy
Last updated: January 2025
1. Data Controller Information
EVOLAMA LIMITED (trading as My Vocabulary Space) is the data controller responsible for your personal data.
Company: EVOLAMA LIMITED
Trading as: My Vocabulary Space
CRO Number: 799903
Address: 4 The Maples, Forest Park, Portlaoise, Co. Laois, R32TD73, Ireland
Email: [email protected]
Subject template: "Privacy Inquiry - [Your Topic]"
2. Data We Collect
2.1 Data You Provide Directly
| Data Category | Specific Data | Purpose |
|---|---|---|
| Account Information | Email address, name, password (encrypted) | Account creation and authentication |
| Profile Information | Display name, language preferences, timezone | Personalizing your experience |
| Vocabulary Data | Words, translations, definitions, notes, example sentences, images, audio | Core service functionality |
| Learning Data | Practice history, game scores, progress statistics, mastery levels | Tracking your learning progress |
| Payment Information | Billing address, payment method details | Processing subscriptions (handled by Stripe) |
| Communications | Support requests, feedback, survey responses | Customer support and service improvement |
2.2 Data Collected Automatically
| Data Category | Specific Data | Purpose |
|---|---|---|
| Device Information | Browser type, operating system, device type | Optimizing our service for your device |
| Usage Data | Pages visited, features used, time spent | Improving our service |
| Log Data | IP address, access times, error logs | Security and troubleshooting |
2.3 Data from Third Parties
If you sign up using Google or Apple:
- Basic profile information (name, email) from your OAuth provider
- We do not access your contacts, calendars, or other personal data
3. Legal Basis for Processing
Under GDPR, we process your personal data based on the following legal grounds:
| Legal Basis | Processing Activities |
|---|---|
| Contract Performance (Article 6(1)(b)) | |
| Consent (Article 6(1)(a)) | |
| Legitimate Interests (Article 6(1)(f)) | |
| Legal Obligation (Article 6(1)(c)) | |
4. How We Use Your Data
- Service Delivery: Providing and maintaining your vocabulary learning service
- AI-Powered Features: Generating translations, definitions, pronunciation guides, and practice exercises using AI (OpenAI)
- Personalization: Customizing your learning experience based on your progress and preferences
- Communication: Sending account notifications, security alerts, and (with consent) promotional materials
- Analytics: Understanding how our service is used to make improvements
- Security: Protecting against fraud, abuse, and unauthorized access
- Legal Compliance: Meeting our legal and regulatory obligations
5. Data Sharing and Third Parties
We do not sell your personal data. We share data only with:
| Third Party | Purpose | Data Shared | Location |
|---|---|---|---|
| Stripe | Payment processing | Email, billing details, payment info | USA (EU SCCs) |
| OpenAI | AI-powered translations and content generation | Vocabulary words for processing (not stored) | USA (EU SCCs) |
| Contabo | Cloud hosting and storage | All service data | EU (Germany) |
| Cloudflare R2 | Media file storage (images, audio) | User-uploaded and generated media | EU |
| Google Analytics | Website analytics (with consent) | Anonymized usage data | USA (EU SCCs) |
| Google Tag Manager | Tag management (with consent) | Page views, events | USA (EU SCCs) |
| Google Ads | Advertising and conversion tracking (with consent) | Conversion events, anonymized user data | USA (EU SCCs) |
| Meta (Facebook/Instagram) | Advertising and conversion tracking (with consent) | Page views, conversion events | USA (EU SCCs) |
| TikTok | Advertising and conversion tracking (with consent) | Page views, conversion events | USA/Singapore (EU SCCs) |
All third-party processors are bound by data processing agreements and are GDPR compliant.
6. International Data Transfers
Some of our service providers are located outside the European Economic Area (EEA). When transferring data outside the EEA, we ensure appropriate safeguards are in place:
- EU-US Data Privacy Framework: For certified US companies
- Standard Contractual Clauses (SCCs): EU-approved contract terms
- Adequacy Decisions: For countries the EU has deemed to have adequate data protection
Our primary data storage is in the Contabo EU (Germany) region.
7. Data Retention
| Data Type | Retention Period | Reason |
|---|---|---|
| Account data | Duration of account + 30 days | Service provision and account recovery |
| Vocabulary and learning data | Duration of account + 30 days | Core service functionality |
| Payment records | 7 years after transaction | Irish tax law requirements |
| Server logs | 90 days | Security and troubleshooting |
| Support communications | 3 years after resolution | Quality assurance and legal protection |
| Marketing consent records | Duration of consent + 3 years | Demonstrating GDPR compliance |
8. Your Rights Under GDPR
As an EU/EEA resident, you have the following rights:
Right of Access
Request a copy of all personal data we hold about you.
Right to Rectification
Request correction of inaccurate or incomplete data.
Right to Erasure
Request deletion of your personal data ("right to be forgotten").
Right to Restriction
Request limitation of the processing of your data.
Right to Data Portability
Receive your data in a machine-readable format.
Right to Object
Object to processing based on legitimate interests.
Right to Withdraw Consent
Withdraw consent at any time where processing is based on consent.
Rights Related to Automated Decisions
Not be subject to decisions based solely on automated processing.
- Email: [email protected]
- Subject template: "GDPR Data Request - [Your Right] - [Account Email]"
- In-app: Account Settings > Privacy > Data Rights
- We will respond within 30 days (as required by GDPR)
10. Data Security
We implement appropriate technical and organizational measures to protect your data:
- Encryption: All data is encrypted in transit (TLS 1.3) and at rest (AES-256)
- Access Controls: Strict access controls and authentication requirements
- Infrastructure: Secure cloud hosting with regular security audits
- Password Security: Passwords are hashed using industry-standard algorithms (Argon2)
- Monitoring: Continuous security monitoring and logging
- Incident Response: Documented procedures for handling security incidents
11. Children's Privacy
Our service is not intended for children under 16 years of age. We do not knowingly collect personal data from children under 16. If you are a parent or guardian and believe your child has provided us with personal data, please contact us.
If we discover we have collected data from a child under 16 without parental consent, we will delete it immediately.
12. Changes to This Policy
We may update this Privacy Policy from time to time. We will notify you of significant changes by:
- Email notification to your registered email address
- Prominent notice on our website
- In-app notification
The "Last updated" date at the top of this policy indicates when it was last revised.
13. Contact Us
If you have questions about this Privacy Policy or our data practices:
14. Complaints
If you are not satisfied with how we handle your personal data, you have the right to lodge a complaint with a supervisory authority.
Irish Data Protection Commission
21 Fitzwilliam Square South, Dublin 2, D02 RD28, Ireland
Phone: +353 (0)1 765 0100 / 1800 437 737
Email: [email protected]
Website: www.dataprotection.ie
We encourage you to contact us first so we can try to resolve your concerns.