Purpose and scope

This document pertains to https://leyaai.com/ (Leya AI) operated by Oxus.AI, UAB (referred to as "we," "us," or "Company"), with company registration number 305566813, and registered office at Tilžės g. 29-16, LT-78229, Šiauliai, Lithuania. Our primary objective is to safeguard and respect your privacy.

To fulfill this commitment, we outline in this privacy policy (referred to as the "Policy") the types of personal data we collect and the purposes for which we collect them. This applies when we provide you with our products and/or services (referred to as the "Services"), when you use our app or visit our website, or when you contact us in any other manner.

We assure you that all personal data collected by us are processed in compliance with the EU General Data Protection Regulation No. 2016/679 (referred to as the "GDPR"), the Law of the Republic of Lithuania on the Legal Protection of Personal Data, and other applicable legal regulations.

If you have any questions about this Policy or if you wish to make any requests regarding the processing of your personal data, please reach out to us at dpo@leyaai.com. 

Personal data sources
Personal data processed by the Company may come from the following sources:

• Directly from you. For example, to register for a visit, you provide your personal data on the website.
• Automatically generated. For example, you are browsing the Company's app, you are using the Company's app, which generates usage statistics data.
• From third parties. For example, we receive personal data from a third party which is related to you or is dealing with us, for example, business partners, subcontractors, service providers, merchants, etc.

You are responsible for ensuring that the personal data you provide is accurate, correct and complete. You must inform us immediately if there are any changes to the personal data you have provided. If you transmit data to us from third parties, you must inform them and make them aware of this Privacy Policy.

User account management

For the purpose of providing the language learning services and user account management, including creating and managing user accounts, facilitating user authentication, and enabling account recovery, we may process the following personal data of platform users: the name, surname, email address, username, user ID, encrypted password, profile picture (optional), and conversation script.

Legal basis: conclusion of the contract with a data subject under Article 6(1)(b) of GDPR.

Storage terms: user account data will be retained for as long as the user maintains an active account. If an account remains inactive for a period of 2 years, the data will be deleted or anonymized within a reasonable timeframe, unless otherwise required by law. The conversation data and related materials will be stored for a duration of one year from the date of the conversation.

Personalized learning experience

For the purpose of tracking language learning progress, providing personalized learning experiences and suggestions, and improving the app's content and features, we may process the following personal data of platform users: user preferences, language learning interests, study habits, and interaction history, lesson completion data, quiz and exercise results, and proficiency level data.

Legal basis: conclusion of the contract with a data subject under Article 6(1)(b) of GDPR.

Storage terms: user progress data will be retained for as long as the user maintains an active account. If an account remains inactive for a period of 2 years, the data will be deleted or anonymized within a reasonable timeframe, unless otherwise required by law.

Data recipients: learning progress data is also available to other users of the platform.

For detailed information on the rationale, implications, and foreseeable consequences of our profiling and automated decision-making processes, please refer to the "Profiling and Automated Decision-Making" section of this Policy.

Communication and support

For the purpose of  facilitating communication with users, responding to inquiries, providing customer support, and sending relevant notifications, we may process the following personal data of platform users: the name, email address, message content, and support ticket history.

Legal basis: the legitimate interest in ensuring effective communication and support under Article 6(1)(f) of the GDPR.

Storage terms: 120 days.

Performance analysis and Improvement

For the purpose of analyzing aggregated user data, identifying popular features, detecting usage patterns, and improving the app performance, content and features, we may process the following personal data of platform users: the age, sex, aggregated usage data (mouse events, keypresses), pages visited, interaction patterns, and device information (e.g., the IP address, browser type, resolution), geographic location (country only), and usage analytics.

Legal basis: the legitimate interest in enhancing the app functionality and user experience under Article 6(1)(f) of the GDPR.

Storage terms: aggregated performance data will be retained for up to 1 year.

Legal and security purposes

For the purpose of fulfilling legal obligations, enforcing terms of service, protecting against fraud, security threats, and unauthorized access, and complying with applicable laws and regulations, we may process relevant user data associated with legal and security incidents, such as IP addresses, access logs, and account activity records.

Legal basis: the legal basis for processing this personal data is compliance with legal obligations and our legitimate interest in ensuring the app and user security under Article 6(1)(f) of the GDPR.

Storage terms: data will be retained for as long as necessary to fulfill legal obligations or until it is no longer required for security purposes. 

Payment processing

For the purpose of processing payments and managing financial transactions, we may process the following personal data of platform users: the name, surname, payment account identifier (e.g. PayPal), payment information (e.g., credit card details, billing address) and transaction history.

Legal basis: the performance of a contract with the data subject (Article 6(1)(b) of the GDPR).

Storage terms: payment data will be retained for as long as necessary to process the payment and fulfill legal obligations.

Data recipients: Payment process providers (e.g., payment gateways, banks) will receive the necessary payment information to complete the transaction.

Feedback

For the purpose of managing user reviews and feedback, we may process the following personal data of platform users: the review content, username, and rating.

Legal basis: the legal basis for processing reviews is our legitimate interest in managing and improving our services (Article 6(1)(f) of the GDPR).

Storage terms: 1 year.

Cookies and similar technologies

This part of the Policy explains how we use cookies and similar tracking technologies on our language learning app and website.

What are cookies?

Cookies are small text files that are stored on your device (computer, smartphone, or tablet) when you visit a website or use an app. They are widely used to make websites and apps work more efficiently and provide a better user experience. Cookies can be session cookies (which are temporary and deleted when you close your browser) or persistent cookies (which remain on your device until they expire or are deleted).

How do we use cookies?

We use cookies and similar tracking technologies to enhance your experience on our language learning app and website and to collect information about how you use them. The cookies we use may be categorized as follows:

• Essential Cookies: These cookies are necessary for the functioning of our app and website and enable you to navigate and use their features. They are essential for providing the services you have requested.
• Analytical and Performance Cookies: These cookies collect information about how you use our app and website and help us improve their performance. They allow us to analyze user behavior, measure usage, and optimize functionality.
• Functionality Cookies: These cookies allow our app and website to remember choices you make (such as your language preference) and provide enhanced features to personalize your learning experience.
• Advertising and Targeting Cookies: We may partner with third-party advertising networks that use cookies and similar tracking technologies to deliver targeted advertisements to you on our website and other websites or apps based on your interests and browsing history.

The following table provides an overview of the specific cookies used on our app and website:

Cookie name

Purpose

Type

Duration

Collection Type

_ga_#

Used to distinguish individual users by means of designation of a randomly generated number as client identifier, which allows calculation of visits and sessions

http_cookie

1 year 1 month 4 days

Analytical and Performance Cookies

_ga

Records a particular ID used to come up with data about website usage by the user

http_cookie

1 year 1 month 4 days

Analytical and Performance Cookies

_fbp

Facebook tracking pixel used to identify visitors for personalized advertising.

http_cookie

2 months 29 days

Advertising and Targeting Cookies

sentryReplaySession

Sentry error collection used to report bugs and exceptions to the developers

html_session_storage

session

Essential Cookies

anonymous_user_id

An anonymous id of leyaai.com user used to provide quiz completion functionality

http_cookie

1 year 1 month 4 days

Essential Cookies

Your cookie choices

You can change your cookie settings at any time by clicking on the "Cookie settings" button on this page. You can later adjust your settings by ticking the existing boxes or unticking them by clicking on the "Accept checked" or "Accept all" button. You may need to refresh the page for your settings to take effect. You can also control the use of performance cookies, functional cookies, targeting cookies or advertising cookies by adjusting your browser settings.

However, please note that disabling cookies may impact the functionality and user experience of our app.

Data recipients

We may disclose your personal data to the following recipients:

• Public authorities and supervisory authorities: We may be required to disclose your personal data to public authorities or supervisory authorities if required by law or to comply with legal obligations.
• Attorneys, notaries, and auditors: In certain circumstances, we may disclose personal data to our attorneys, notaries, or auditors for legal or compliance purposes.
• Data processors. Please note that we do not store or retain your payment card details. The processing of your payment information is subject to the privacy policies and terms of use of the respective payment service providers.
• Payment service providers.

We may engage third-party data processors who process personal data on our behalf. These data processors act as our service providers and are authorized to process personal data only as instructed by us. We have entered into data processing agreements with these processors to ensure the appropriate handling and protection of your personal data. These data processors are required to implement appropriate technical and organizational measures to safeguard the confidentiality and security of your data.

International data transfers 

If your personal data is transferred outside the European Economic Area (EEA), we will take the necessary steps to ensure that your data is treated securely and in accordance with this Policy and we will ensure that it is protected and transferred in a manner consistent with the legal requirements applicable to the personal data. This can be done in several different ways, for example:

• the third country to which we send the personal data, a territory or one or more specified sectors within that third country, or the international organization is approved by the European Commission as having an adequate level of protection;
• the recipient has signed or contains in its terms of service (service agreement) the standard contractual clauses (SCC) adopted by the European Commission (for more information please see here: https://ec.europa.eu/info/law/law-topic/data-protection/international-dimension-data-protection/standard-contractual-clauses-scc_en); 
• special permission has been obtained from a supervisory authority. 

We may transfer personal data to a third country by taking other measures if it ensures appropriate safeguards as indicated in the GDPR or on the basis of derogations.

Profiling and automated decision making

We may engage in profiling and automated decision-making processes to provide you with a personalized learning experience on our language learning platform. These processes involve the analysis of your personal data, such as your language learning preferences, progress, and usage patterns, to tailor the content, recommendations, and learning materials to your specific needs.

The purpose of profiling and automated decision making is to enhance your learning experience, improve the performance of our platform, and provide you with relevant and personalized recommendations. This allows us to optimize the content and features of the platform to better help you achieve your individual language learning goals.

Please not that these processes take place based on the performance of the contract between you and us.

It's important to clarify that the profiling and automated decision making we employ do not create legal consequences or significantly impact your rights and freedoms. They are designed to improve your learning experience and provide personalized recommendations, but they do not result in decisions that have substantial legal or similar effects on you.

It's vital to state that due to the necessary nature of profiling for the conclusion or performance of the contract, you do not have the right to object to such processing. Profiling is an integral part of our service and is essential for us to deliver the personalized learning experience and tailored recommendations that you expect.

While profiling and automated decision making are necessary for the performance of the contract between you and us, we take appropriate measures to ensure the accuracy, fairness, and transparency of these processes. They are subject to regular review to assess their impact on your rights and freedoms.

Data subject rights (for EU / EEA citizens and residents)

If you are a resident or citizen of the European Union (EU), you have these rights regarding your personal data under the General Data Protection Regulation (GDPR):

• The right to be informed. You have the right to be provided with clear, transparent and easily understandable information about how we process your personal data. 
• The right to access. You have the right to request from us a copy of your personal data. Where your requests are excessive, in particular if they are repetitive, we may refuse to act on the request, or charge a reasonable fee taking into account the administrative costs for providing the information.
• The right to rectification. You have the right to request us to correct or update your personal data at any time, in particular if your personal data is incomplete or incorrect.
• The right to data portability. When a legal basis for data processing is consent or contract, you have the right to request that we transfer your data that we have collected to another organization, or directly to you, under certain conditions.
• The right to be forgotten. When there is no good reason for us to process your personal data any more, you can ask us to delete your data. We will take reasonable steps to respond to your request. 
• The right to restrict processing. You have the right to restrict the processing of your personal data in certain situations (e.g., when you want us to investigate whether that data is accurate; we no longer need your personal data, but you want us to continue holding it for you in connection with a legal claim).
• The right to object to processing. Under certain circumstances you have the right to object to certain types of processing (e.g., to receive our marketing communications). 
• The right to lodge a complaint with a supervisory authority. You have the right to lodge a complaint with a competent supervisory authority, if you believe that your personal data is processed in a way that violates your rights and legitimate interests stipulated by applicable legislation. Our data processing is supervised by the State Data Protection Inspectorate of the Republic of Lithuania (address: L. Sapiegos g. 17, LT-10312 Vilnius, phone +370 5 271 2804 / 279 1445, e-mail address: ada@ada.lt, for more information, visit https://vdai.lrv.lt/en/).
• Right to withdraw your consent. If personal data is processed on the basis of your consent, you can withdraw it at any time. Withdrawal will not affect the lawfulness of processing of your data before the withdrawal.

Your request will be granted or refused (by specifying the reasons for such refusal) within 30 (thirty) calendar days from the date of submission of the request that complies with our internal rules and the GDPR. The afore-mentioned term may be extended by 60 (sixty) calendar days taking into account the complexity and number of the requests. The Company will inform you of any such extension within 30 (thirty) calendar days of receipt of the request, together with the reasons for the delay.

We may refuse to grant your request if the exceptions and/or limitations to exercising of data subjects' rights set out in the GDPR apply, and/or if your request is found to be manifestly unfounded or disproportionate. If we refuse to grant your request, we will give you our reasons for such refusal in writing.

What are your privacy rights (California residents)?

All terms used in this section pertaining to the privacy rights of California residents have the definitions given to them in the California Consumer Privacy Act of 2018 ("CCPA"), unless otherwise clearly indicated.

The Company's status under the CCPA is normally that of a "service provider." Accordingly, the Company confirms that it currently complies and will continue to comply with applicable provisions of the statute with respect to its function as a service provider. Specifically, the Company confirms that when it receives personal information from its merchant customers or authorized distributors, it processes that information only for authorized business purposes in accordance with the contracts it has with those businesses. The Company does not sell or otherwise use the personal information so received for any purpose other than providing the services to its customers or distributors pursuant to the contracts it has with those businesses. The Company will take such actions and provide information as its customers and distributors may reasonably request to assist those businesses in complying with their relevant obligations under the statute.

To the extent that the Company otherwise receives personal information directly from a consumer, the Company states that:

• The Company has and will maintain reasonable administrative, technical, and physical safeguards to ensure the data's confidentiality, integrity, and availability, that are designed in accordance with applicable industry standards to prevent unauthorized or inappropriate access or use by, or disclosure to, third parties.
• The Company has and will maintain security measures appropriate to (i) protect data against accidental or unlawful destruction or loss, unauthorized alteration, unauthorized disclosure or access, in particular where the handling of or access to data involves the transmission of data over a network, and against all other unlawful forms of processing, and (ii) ensure a level of security appropriate to the risks presented by the services and the nature of the data to be protected having regard to the state of the art and the cost of implementation.
• The Company has processes to receive and timely respond to Consumer requests to access, correct, modify, delete, or opt out of the sale of their personal information, and will comply with its statutory obligations with respect thereto.

The Company will not sell or otherwise disclose or use personal information received from a consumer other than as necessary to fulfill the specific purposes for which it was supplied to the Company.

To request access, correction, modification, deletion, or opt-out, you can use the phone, email, or physical address indicated below in this Policy for privacy questions. Under the CCPA, the Company may deny a request (but comply to the greatest extent that it can) if the consumer is unable or unwilling to verify his/her identity in conjunction with making such a request.

The Company honors "do not track" signals and does not track, use cookies, or use advertising when a "do not track" mechanism is in place.

The Company does not authorize the collection of personally identifiable information from our users for third-party use through advertising technologies.

Data Protection Officer (DPO)

We have appointed a Data Protection Officer (DPO) to oversee our data protection practices and ensure compliance with applicable data protection laws and regulations. The DPO serves as a point of contact for you regarding any matters related to the processing of your personal data and the exercise of your data subject rights.

You can contact our Data Protection Officer using the following contact details:

Email: dpo@leyaai.com 

Final provisions

Our website may contain links to other websites which are not operated by the Company. When you decide to click on these links and be led to such websites, we recommend familiarizing yourself with their privacy policies or notices, cookie policies and/or other documents. The Company assumes no responsibility for the content, policies or practices of such third-party websites or services.

We regularly review this Policy and reserve the right to modify it at any time in accordance with applicable laws and regulations. Any changes will take effect immediately upon their publication on our website. Please review this Policy from time to time to stay updated regarding any changes.

Last updated: 2023-06-05