Privacy Policy

Last updated: 2026-05-09 | Version: 1.0

This Privacy Policy explains how Lexborn ("we", "us", "our") collects, uses, shares, and protects personal data when you use the Lexborn voice-AI language-learning service available at lexborn.app and its subdomains (the "Service"). It is written to satisfy the EU General Data Protection Regulation (Regulation (EU) 2016/679, "GDPR"), the United Kingdom GDPR, the Swiss Federal Act on Data Protection ("nFADP"), the California Consumer Privacy Act as amended by the CPRA ("CCPA/CPRA"), the Brazilian Lei Geral de Proteção de Dados ("LGPD"), the Canadian Personal Information Protection and Electronic Documents Act ("PIPEDA"), and the Australian Privacy Act 1988.

1. Who we are (Controller)

The data controller for the Service is Bapusaheb Patil, trading as Nuits, a Finnish toiminimi (sole-proprietorship) with business identifier Y-tunnus 3584845-8, established in Finland. Bapusaheb Patil is the founder and the sole responsible person for processing decisions.

Because the controller is established in the European Union, no Article 27 GDPR EU representative is required. Likewise, no UK Article 27 representative is required where Lexborn does not target the UK market within the meaning of Article 3(2) UK GDPR; UK residents may nonetheless contact us directly.

For all enquiries (data-protection, subject-rights, breach reports, and general support), contact hi@lexborn.app. A postal address is available on written request to the same address. The full legal-entity disclosure is at /imprint.

2. What data we collect

2.1 Account data

When you create an account we collect your email address, your chosen display name, a hashed password (handled and stored exclusively by our authentication provider Clerk; we never see plaintext passwords), your Clerk user ID, your authentication provider where you sign in via OAuth (e.g. Google, Apple), the timestamp of account creation and last sign-in, and the IP address and user-agent of the device that signed up (for fraud and abuse detection).

2.2 Voice and transcript data

When you speak to a Lexborn AI persona, your microphone audio is streamed to OpenAI's Realtime API for speech-to-text transcription and conversational response generation. Audio is not retained by Lexborn after the session ends unless you affirmatively opt in via Settings → Privacy → "Save my audio for review" (Article 9(2)(a) GDPR explicit consent — see §4 below). Transcripts of what you said and what the AI replied are stored to power the conversation, the post-session review, and the spaced-repetition flashcards. Transcripts may incidentally contain special-category data (e.g. health, religion, political opinions) if you choose to discuss those topics; we do not solicit such content.

2.3 Memory documents

After each session, the Service generates a short structured summary of what you practised, vocabulary you struggled with, recurring grammar errors, and topics you have discussed before. These "memory documents" are used to maintain conversational continuity between sessions and to personalise your AI partner. You can view, edit, and delete individual memory documents in Settings → Memory.

2.4 Flashcards and level data

The Service derives spaced-repetition flashcards from your transcripts (target-language phrase, your native-language gloss, audio re-render, scheduled review date) and maintains a CEFR-aligned proficiency profile (level A1–C2, sub-skill scores for listening, speaking, vocabulary, grammar). You can export or delete this data at any time.

2.5 Analytics and technical data

With your consent (see /cookies), we collect product-analytics events through PostHog hosted on its EU instance (eu.i.posthog.com). Events include page-views, button clicks, session-start and session-end, and feature-flag exposure. Without consent, no PostHog identifier is set. We additionally collect minimal technical-operational data necessary to run the Service: truncated IP addresses (last octet zeroed for IPv4; last 80 bits zeroed for IPv6), HTTP referrer, browser and OS family, and request timing. Crash reports and error stacks are collected by Sentry and scrubbed of obvious PII before storage.

2.6 Payment data

Payments are processed by Polar.sh, which acts as our Merchant of Record. Polar collects your billing name, billing address, country, the last four digits and brand of your card (or equivalent for other payment methods), the transaction amount, and tax-jurisdiction metadata. Lexborn never receives or stores full card numbers or CVV codes. Polar's privacy notice is available at https://polar.sh/privacy. We receive from Polar only the subscription status, plan, renewal date, customer ID, and invoice metadata necessary to provision your account and meet our Finnish bookkeeping obligations.

2.7 Consent records

We log your consent decisions (cookie preferences, audio-retention opt-in, marketing opt-in if any) together with a timestamp, the policy version in force at the time, the consent-banner version, and a hashed device identifier. These records exist to demonstrate compliance with Articles 5(2) and 7(1) GDPR and are stored in our Convex database under the consentLogs table.

3. Why we use your data (purposes)

We process personal data only for the following purposes:

  • Run conversations. Stream your audio to OpenAI, return the AI persona's reply, render captions and translations, and present the post-session review.
  • Generate flashcards and proficiency estimates. Parse transcripts into spaced-repetition cards and update your CEFR level profile.
  • Authenticate you. Sign-in, sign-out, multi-factor authentication, session management, and account-recovery flows via Clerk.
  • Charge you and remit tax. Provision paid plans, process renewals, issue invoices, handle refunds, and meet our Finnish VAT and bookkeeping obligations through Polar.sh.
  • Detect abuse, errors, and outages. Rate-limit obviously automated traffic, investigate incidents, debug crashes, and keep the Service running.
  • Comply with law. Retain tax and accounting records under Finnish bookkeeping law, respond to lawful requests from competent authorities, and enforce our Terms.
  • Send transactional email. Sign-up confirmations, password resets, billing receipts, renewal reminders (including the California ARL pre-renewal reminder), session summaries you opted in to, and policy-change notices.

We do not use your conversations to train any third-party AI model. Our agreement with OpenAI is on the API terms, which prohibit OpenAI from training its models on data submitted through the API.

4. Legal bases (GDPR / UK GDPR / nFADP)

We rely on the following legal bases under Article 6 (and, where relevant, Article 9) GDPR:

  • Article 6(1)(b) — Performance of a contract. All processing strictly necessary to deliver the Service you have signed up for: account creation, authentication, running conversations, generating flashcards, billing, and providing customer support.
  • Article 6(1)(b) read together with Article 9(2)(a) — Contract plus explicit consent. Real-time transcription of your voice. We treat voice recordings as ordinary personal data, not as biometric data within the meaning of Article 9(1), because we do not process voice for the purpose of uniquely identifying a natural person. We do not run speaker-identification, voiceprint-matching, or emotion-recognition on your audio.
  • Article 9(2)(a) — Explicit consent. Optional retention of your audio recordings beyond the session, where you opt in via Settings → Privacy. You can withdraw at any time, in which case existing audio is deleted within seven days.
  • Article 6(1)(a) — Consent. Product analytics via PostHog and any non-essential cookies.
  • Article 6(1)(f) — Legitimate interests. Security monitoring, abuse and fraud detection, error monitoring (Sentry), and aggregated service-improvement analysis where consent is not the appropriate basis. Our legitimate-interest balancing assessment is available on request to hi@lexborn.app.
  • Article 6(1)(c) — Legal obligation. Retention of accounting and tax records under the Finnish Bookkeeping Act (Kirjanpitolaki 1336/1997), VAT recordkeeping, and statutory consumer-rights records.

For Swiss residents the equivalent bases under nFADP Articles 30–31 apply; for UK residents, the parallel Article 6 / Schedule 1 of the UK GDPR / Data Protection Act 2018.

5. Sub-processors and recipients

We share data with the vendors listed at /legal/subprocessors. The current list includes Clerk (authentication), Convex (database and serverless functions), OpenAI (real-time speech and language model inference), Polar.sh (payments and tax), PostHog (product analytics on its EU instance), Sentry (error monitoring), Resend (transactional email), and Vercel (hosting and edge network). Each sub-processor is bound by a written data-processing agreement under Article 28 GDPR.

For transfers of personal data outside the EEA, the United Kingdom, or Switzerland to countries without an adequacy decision, we rely on the European Commission's Standard Contractual Clauses Module 2 (controller-to-processor) as adopted by Implementing Decision (EU) 2021/914, supplemented where appropriate by Module 3 (processor-to-processor). Where a sub-processor is certified under the EU–U.S. Data Privacy Framework ("DPF") and its UK and Swiss extensions (e.g. OpenAI, where applicable), we additionally rely on the DPF as a separate transfer mechanism. We carry out transfer-impact assessments for each non-adequate destination and apply technical supplementary measures (encryption in transit and at rest, pseudonymisation where feasible) consistent with the EDPB Recommendations 01/2020.

6. Retention

We keep personal data only as long as we need it for the purpose for which it was collected, plus the periods imposed by law:

  • Audio recordings: not retained after the session by default. Where you have opted in to retention, audio is kept for the period you select (7 / 30 / 90 days) and then deleted automatically.
  • Transcripts: 2 years from the last session in which they were used, then deleted unless required to comply with a legal obligation or to defend a legal claim.
  • Memory documents, flashcards, level profile: retained until you delete your account.
  • Account data: retained until you delete your account. A 30-day cooling-off period then follows, during which a "soft-deleted" account can be restored on request; after that period the account record is hard-deleted within a further 30 days.
  • Consent records: 6 years after your last activity, in line with Articles 5(2) and 7(1) GDPR (accountability) and the Finnish general civil-claims limitation period.
  • Polar.sh billing and invoice records: at least 6 years from the end of the financial year, as required by the Finnish Bookkeeping Act (Kirjanpitolaki 2:10).
  • Sentry error data: 90 days, then automatic deletion.
  • PostHog analytics events: 7 years from event date (PostHog default), unless you withdraw consent or delete your account, in which case associated identifiers are deleted within 30 days.

7. Your rights

If you are in the EEA, the United Kingdom, or Switzerland you have the right to:

  • request access to your personal data and a copy of it (Article 15 GDPR);
  • request rectification of inaccurate or incomplete data (Article 16);
  • request erasure ("right to be forgotten", Article 17);
  • request restriction of processing (Article 18);
  • receive your data in a structured, machine-readable format and port it to another controller (Article 20);
  • object to processing based on legitimate interests (Article 21);
  • withdraw consent at any time, without affecting the lawfulness of processing carried out before withdrawal (Article 7(3)).

You can exercise these rights from Settings → Privacy in the app or by emailing hi@lexborn.app. We respond within 30 days. Where requests are complex or numerous, we may extend the period by a further two months under Article 12(3) GDPR and will tell you why within the first 30 days.

If you believe we have infringed your data-protection rights you may lodge a complaint with the Finnish Data Protection Ombudsman (Tietosuojavaltuutetun toimisto, https://tietosuoja.fi). UK residents may complain to the Information Commissioner's Office (https://ico.org.uk). Swiss residents may complain to the Federal Data Protection and Information Commissioner (https://www.edoeb.admin.ch).

8. Automated decision-making

We do not make any decisions producing legal or similarly significant effects about you that are based solely on automated processing within the meaning of Article 22 GDPR. The CEFR level estimate, the flashcard scheduler, and the content-safety filter are decision-support systems whose outputs you can see, override, or ignore.

9. Security

We protect personal data with measures appropriate to the risk, including:

  • Transport encryption. All connections to lexborn.app use HTTPS/TLS 1.2+. WebSocket and WebRTC streams to OpenAI are encrypted in transit.
  • Encryption at rest. Convex, Polar.sh, and our other sub-processors encrypt data at rest using AES-256 or equivalent.
  • Authentication and access. User authentication is handled by Clerk and supports multi-factor authentication. Administrative access to our infrastructure is restricted to the founder and protected by hardware-backed MFA.
  • Least-privilege architecture. Convex functions are scoped per-user; cross-tenant access is impossible at the query layer.
  • Audit logging. Access to administrative tooling is logged.
  • Vulnerability management. Dependency upgrades are automated; we monitor security advisories continuously.

In the event of a personal-data breach likely to result in a risk to your rights and freedoms, we will notify the Finnish Data Protection Ombudsman within 72 hours of becoming aware of it (Article 33 GDPR) and notify affected users without undue delay where the risk is high (Article 34).

10. Children

The Service is not directed at children. You must be at least 16 years old if you reside in the European Economic Area (Article 8(1) GDPR — Finland has not lowered the age of consent for information-society services), and at least 13 years old elsewhere. We ask for date-of-birth confirmation at sign-up; if we learn we have collected personal data from a person below the applicable age, we will delete it without undue delay. Parents and guardians may request deletion at hi@lexborn.app.

11. CCPA / CPRA disclosure (California residents)

In the past 12 months we have collected the categories of personal information described in §2 above (identifiers, commercial information limited to subscription metadata, internet or other electronic-network activity, audio information when retained, and inferences derived from your usage to estimate proficiency). We collect these categories from you directly, from your device, and from our sub-processors as listed at /legal/subprocessors. We use them for the purposes described in §3.

We do not "sell" personal information and we do not "share" it for cross-context behavioural advertising as those terms are defined in the CCPA/CPRA. We honour the Global Privacy Control (GPC) signal as a valid opt-out request. We do not knowingly sell or share the personal information of consumers under 16. The "Do Not Sell or Share My Personal Information" disclosure is available at /cookies#do-not-sell.

California residents have the right to know, to delete, to correct, to limit use of sensitive personal information, to opt out of sale/sharing, and to non-discrimination. To exercise these rights, email hi@lexborn.app or use Settings → Privacy. We will verify your identity through the email address on file before responding.

12. Other jurisdictions

  • United Kingdom (UK GDPR / DPA 2018): treated as substantively equivalent to the EU GDPR. Complaints to the Information Commissioner's Office at https://ico.org.uk.
  • Switzerland (nFADP): treated as substantively equivalent. Complaints to https://www.edoeb.admin.ch.
  • Brazil (LGPD): rights of confirmation, access, correction, anonymisation, portability, deletion, and information about sharing under Article 18 LGPD are honoured equivalently to GDPR rights.
  • Canada (PIPEDA): access and correction rights honoured; complaints to the Office of the Privacy Commissioner of Canada.
  • Australia (Privacy Act 1988): Australian Privacy Principles 1, 6, 11, 12, and 13 honoured.

In every case, contact hi@lexborn.app and we will route your request to the equivalent process.

13. Changes to this policy

When we change this Privacy Policy in a way that materially affects you, we will bump the version number, update the "Last updated" date, display an in-app banner for at least 30 days, and email all account holders. The full revision history is tracked in our public git repository so you can compare versions byte-for-byte.

14. Contact

  • All enquiries (data-subject rights, privacy, general support): hi@lexborn.app
  • Legal-entity details: /imprint