Privacy Policy (Lexicon)

Effective date: January 10, 2025

This Privacy Policy explains how Arqive Solutions ("we", "us", "our") processes personal data when you use Lexicon at https://uselexicon.app.

We are committed to complying with the General Data Protection Regulation (GDPR) and applicable Dutch and EU data protection laws.

1. Data Controller

Arqive Solutions is the Data Controller for processing related to Lexicon.

Contact:

  • Email: arqive.solutions.app@gmail.com
  • ("Privacy" in subject line recommended.)

2. Categories of Data We Collect

We may collect:

Account Data

  • Email address
  • Password hash / auth identifiers
  • Subscription status, plan type

Usage & Progress Data

  • Session history (logins, timestamps)
  • Practice history (exercises completed, streaks, scores, feedback)

Audio Data

  • Voice recordings captured via your device microphone for real-time or near real-time analysis.
  • Derived data: transcription, pronunciation scoring, fluency metrics, other features generated by AI.

Technical Data

  • IP address, browser type, device info, OS
  • Log files, performance data

Payment & Billing Data

  • Handled primarily by Polar.sh and/or other payment processors.
  • We receive limited data such as transaction IDs, subscription status, country, last 4 digits (if any), but not full card numbers.

Support & Communication

  • Emails, support requests, bug reports, feedback.

We do not intentionally collect:

  • Highly sensitive data (health, religion, etc.).
  • Please do not include such information in recordings or support requests.

3. Legal Bases for Processing (GDPR)

We process your data on the following legal bases:

Contract (Art. 6(1)(b))

  • To create and manage your account.
  • To provide core Lexicon features and support.

Legitimate Interests (Art. 6(1)(f))

  • To secure our Service.
  • To prevent abuse and fraud.
  • To analyze aggregated usage for product improvement (where this does not override your rights).

Consent (Art. 6(1)(a))

  • For certain cookies/analytics where required.
  • For optional use of your data (e.g., if you opt-in to allow voice data to be used for improving models).

Legal Obligation (Art. 6(1)(c))

  • For tax, accounting, and compliance requirements.

4. How We Use Your Data

We use your data to:

  • Authenticate you and manage your sessions.
  • Record and analyze your speech to deliver feedback and progress insights.
  • Maintain your progress history across sessions.
  • Operate subscriptions and payments.
  • Communicate important information (e.g., changes to terms, service updates).
  • Detect, prevent, and respond to security incidents or misuse.
  • Improve Lexicon's accuracy, UX, and reliability (using aggregated/anonymised data where possible).

Model Training / AI Improvement

  • By default, we do not use your identifiable voice recordings for model training without your explicit consent.
  • If you opt in, we may use selected recordings or derived metrics to improve our algorithms and models, potentially in collaboration with third-party AI providers, under appropriate safeguards.
  • You can withdraw consent at any time; this does not affect past processing already performed.

5. Minors & Child Privacy

  • The Service is not directed to children under 15.
  • Users aged 15–17 should only use Lexicon with parental or guardian consent where required by local law.
  • If we learn we have collected personal data from a child under 15 without proper consent, we will delete it.

6. Data Sharing & Processors

We may share data with trusted service providers acting as Data Processors or independent controllers:

Supabase

Authentication, database, storage.

Resend or similar

Transactional and notification emails.

AI Providers (e.g., Gemini / other LLMs)

Processing of audio or derived text for feedback generation.

Payment Processor (Polar.sh)

Billing and subscription handling.

Analytics (e.g., Google Analytics or privacy-friendly alternatives)

Aggregated usage statistics (with consent where required).

Security / Infrastructure

Hosting, logging, and monitoring providers.

We require processors to implement appropriate security measures and process personal data only under our instructions.

We may also disclose data:

  • Where required by law or competent authorities.
  • To protect our rights, users, or the public.
  • In connection with a merger, acquisition, or asset sale (with safeguards).

7. International Transfers

  • Your data may be processed in the EU/EEA and, where necessary, in countries outside the EEA.
  • Where transfers occur to countries without an adequacy decision, we rely on appropriate safeguards such as Standard Contractual Clauses (SCCs) or equivalent mechanisms.

8. Data Retention

We retain personal data as follows:

  • Account & profile data: for as long as your account is active.
  • Audio & progress data: for as long as needed to provide your features, or until you delete it or your account.
  • Analytics data: for a limited period, typically 24 months or as configured.
  • Legal/financial records: as required by law (e.g., 7 years for tax).

If your account remains inactive for more than 36 months, we may anonymise or delete your personal data in accordance with our data retention policies. Before taking action, we will notify you via email at least 30 days in advance. You may reactivate your account at any time before deletion. Legal and financial records may be retained longer as required by law.

9. Your Rights (GDPR & Similar Laws)

You may have the right to:

  • Access your personal data.
  • Rectify inaccurate or incomplete data.
  • Erase your data ("right to be forgotten") in certain cases.
  • Restrict processing in certain cases.
  • Object to processing based on legitimate interests or direct marketing.
  • Data portability.
  • Withdraw consent at any time (where processing is based on consent).
  • Lodge a complaint with your local supervisory authority. In the Netherlands: Autoriteit Persoonsgegevens.

To exercise your rights, contact: arqive.solutions.app@gmail.com

We may need to verify your identity before fulfilling your request.

10. Security

We implement technical and organizational measures to protect your data, including:

  • Encrypted connections (HTTPS).
  • Role-based access controls.
  • Secure storage via reputable providers (e.g., Supabase).
  • Limited access to production data.

However, no system is 100% secure; you use the Service at your own risk.

11. Cookies & Tracking

We use cookies and similar technologies for:

  • Essential functionality (login, sessions, security).
  • Preferences.
  • Analytics (with consent where required).

Details are set out in our Cookie Policy.

12. Changes to this Policy

We may update this Privacy Policy. When we make material changes, we will notify you (e.g., via email or in-app).