Privacy Policy

We are committed to protecting your privacy and handling personal information in a transparent and responsible manner. This Privacy Policy explains how we collect, use, disclose, and protect personal information when you access or use Yapr's mobile applications, websites, and related services (collectively, the "Service").

By accessing or using the Service, you acknowledge that you have read and understood this Privacy Policy and agree to the collection, use, and disclosure of your information as described below.

GDPR Notice for EU/EEA Residents

If you are located in the European Union or European Economic Area, the following additional provisions apply under Regulation (EU) 2016/679 ("GDPR").

Data Controller

Thea Soft Inc. is the data controller for personal data collected through the Service — not our AI or infrastructure providers. We have Data Processing Agreements (DPAs) in place with our key processors, including Anthropic PBC, Google LLC, Cloudflare, Inc., and Supabase, Inc.

Data protection enquiries: support@yapr.ca

Data Protection Contact

Thea Soft Inc. does not currently meet the threshold requiring a formal Data Protection Officer under GDPR Article 37. Data protection enquiries are handled by our founding team. You may contact us at support@yapr.ca.

EU Representative

Thea Soft Inc. is a small early-stage company that does not actively target EU/EEA residents and processes EU personal data only on an occasional and limited basis. We have determined that the appointment of an EU representative under Article 27 GDPR is not currently required pursuant to the exception in Article 27(2)(a). We will revisit this assessment as our user base grows. EU/EEA residents may contact us directly at support@yapr.ca.

Supervisory Authority

EU/EEA residents have the right to lodge a complaint with their local data protection supervisory authority. A list of EU supervisory authorities is available at: https://edpb.europa.eu/about-edpb/about-edpb/members_en

1. Information We Collect

1.1 Account Registration Information

When you create an account, we may collect:

• Email address
• Age or age range (to determine eligibility and comply with applicable laws)

You may also register or sign in using third-party authentication providers such as Google or Apple. In such cases, we receive limited information (such as your email address), subject to your privacy settings with those providers.

Consent records: When you provide consent to our Terms of Service, Privacy Policy, or AI features, we record the timestamp of consent, the version of the document presented, and your user identifier. This record is retained for the duration of your account and for a period thereafter as required for legal compliance, dispute resolution, and regulatory purposes.

Legal basis (GDPR): Contract performance (Art. 6(1)(b)); Legal obligations (Art. 6(1)(c)); Legitimate interests in maintaining consent records (Art. 6(1)(f)).

1.2 Account and Usage Information

We collect information related to your use of the Service, including:

• Languages you are learning
• Lesson progress, learning statistics, and achievements
• Custom lesson content and preferences
• Feature usage and interaction data

Legal basis (GDPR): Contract performance (Art. 6(1)(b)); Legitimate interests in improving the Service (Art. 6(1)(f)).

1.3 Audio-Based Functionality (Core Feature)

Yapr is a fully voice-based language learning application. Audio input is required to use the Service. When you use Yapr:

• You are required to provide voice input through your device microphone
• Audio recordings are collected and processed to deliver core functionality, including conversation practice, speech recognition, pronunciation feedback, and AI-powered interactions
• The Service cannot function without audio input
• Audio data is transmitted to third-party service providers solely to enable these features

Legal basis (GDPR): Explicit consent (Art. 6(1)(a) and Art. 9(2)(a)). Audio data may constitute special category data in certain contexts. We obtain your explicit consent at onboarding and prior to audio processing. Consent may be withdrawn at any time (see Section 9).

1.4 Artificial Intelligence Features

Yapr uses AI to power conversational and instructional features. Our current AI providers are:

• Anthropic PBC ("Claude") — used for AI conversation and language instruction
• Google LLC ("Gemini") — used for AI conversation and language instruction

Either or both providers may be active at any given time depending on the feature and session. Both providers are contractually bound by Data Processing Agreements and GDPR-compliant safeguards. When you interact with AI features, your voice input and transcribed text may be transmitted to these providers solely to provide AI functionality. Audio data transmitted to AI providers may be retained and processed after a session to generate personalised learning feedback, pronunciation analysis, and performance summaries delivered to you. Such feedback is AI-generated and may be inaccurate or incomplete.

We do not use your audio recordings or transcripts to train AI models. Our third-party AI providers (Anthropic PBC and Google LLC) process your data solely to deliver the Service under Data Processing Agreements that restrict use to service delivery purposes.

Automated decision-making (Art. 22): AI-generated responses are automated outputs used to deliver language instruction and conversation feedback. They do not produce legal or similarly significant effects on users. If this changes, we will update this Policy and provide an opt-out mechanism.

Legal basis (GDPR): Explicit consent (Art. 6(1)(a)); Contract performance (Art. 6(1)(b)).

1.5 Audio Processing and Third-Party Providers

To provide speech recognition, audio analysis, and AI functionality, your audio recordings may be processed by the following third-party providers:

• Apple Inc. — device-level speech recognition and processing
• Google LLC — speech recognition and AI (Gemini)
• Cloudflare, Inc. — cloud infrastructure and audio storage (R2)
• Anthropic PBC — AI conversation features (Claude)
• Supabase, Inc. — database and backend infrastructure

Audio is processed for the purpose of delivering the Service. Data shared with third-party providers is governed by contractual safeguards, including DPAs where required by applicable law.

1.6 Referral and Creator Program Data

We may operate a referral program and engage content creators or affiliates to promote the Service. Participants are subject to separate written agreements and are independent contractors with no access to user personal data. Referral conversion data (link identifiers and conversion events) is processed to administer the program and handled in aggregate and anonymized form where possible. Fraudulent referral activity will result in forfeiture of accrued benefits and may result in account termination.

Legal basis (GDPR): Legitimate interests (Art. 6(1)(f)); Contract performance with creators/affiliates (Art. 6(1)(b)).

1.7 Push Notifications

With your permission, we may send push notifications to your device to deliver reminders, learning streak updates, and service-related communications. You may withdraw consent and disable push notifications at any time through your device settings (Settings › Notifications › Yapr).

Legal basis (GDPR): Consent (Art. 6(1)(a)).

1.8 Device, Log, and Activity Data

We automatically collect certain technical and usage information, including:

• Device type, operating system, and app version
• Log data, timestamps, and feature interactions
• IP address (used to infer general location only, not precise location)

Legal basis (GDPR): Legitimate interests in maintaining security and improving the Service (Art. 6(1)(f)).

1.9 Cookies

We use only essential cookies necessary to operate the Service website. We do not use tracking, advertising, or analytics cookies.

1.10 Payments and Subscriptions

If you purchase a subscription or paid feature, payments are processed by:

• Apple Inc. — via the App Store (iOS)
• Google LLC — via Google Play (Android)

We do not collect, store, or have access to your payment card details. Payment data is handled solely in accordance with the applicable provider's privacy policies and terms of service.

Legal basis (GDPR): Contract performance (Art. 6(1)(b)).

2. How We Use Information

We use personal information to:

• Provide, operate, and maintain the Service
• Deliver voice-based learning and AI-driven features
• Personalize learning content and user experience
• Improve accuracy, performance, and reliability of the Service and AI features
• Send push notifications and service communications (with consent)
• Detect, prevent, and address fraud, abuse, or security issues
• Maintain records of consent for legal and compliance purposes
• Administer referral and creator programs
• Comply with legal obligations

Purpose Limitation (GDPR Art. 5(1)(b)): We process personal data only for the purposes described in this Policy. Call transcripts are used solely to deliver learning feedback and allow users to review their sessions — not for marketing, profiling, or any unrelated purpose.

Data Minimisation (GDPR Art. 5(1)(c)): We collect only the personal data necessary for the purposes described in this Policy.

We may aggregate or anonymize information for analytics, research, and lawful business purposes. Aggregated or anonymized data is not considered personal data and is not subject to this Policy.

3. Legal Bases for Processing

Canadian Law (PIPEDA)

We process personal information in accordance with the Personal Information Protection and Electronic Documents Act (PIPEDA) based on your consent, the necessity of processing to provide the Service, our legitimate business interests, and compliance with legal obligations.

EU/EEA (GDPR)

For users in the EU/EEA, our legal bases are mapped per data type in Section 1. In summary:

• Art. 6(1)(a) — Consent: audio processing, AI features, push notifications
• Art. 6(1)(b) — Contract performance: account registration, payments, core Service delivery
• Art. 6(1)(c) — Legal obligation: age verification, regulatory compliance
• Art. 6(1)(f) — Legitimate interests: security, service improvement, consent recordkeeping, referral program administration
• Art. 9(2)(a) — Explicit consent: audio data where it may constitute special category data

4. Disclosure of Information

We may disclose personal information to:

• AI and speech recognition providers: Anthropic PBC (Claude), Google LLC (Gemini), Apple Inc.
• Cloud infrastructure: Cloudflare, Inc. (R2), Supabase
• Payment processors: Apple Inc. (App Store), Google LLC (Google Play)
• Legal or governmental authorities where required by law or to protect rights, safety, or property

All third parties are required to protect personal information in accordance with applicable laws and contractual safeguards, including DPAs where required under GDPR.

Internal Access: Access to personal data within Thea Soft Inc. is strictly limited by purpose. Analytics are accessed only in anonymised or aggregated form. Support access to account information is restricted to support and compliance purposes and is not used for general analytics or product development. Call transcripts may be accessed for support, compliance, safety, or product quality purposes, and are not used for marketing, advertising profiling, or any purpose unrelated to the direct delivery of the Service.

We do not sell personal data to third parties. We do not use personal data for advertising or marketing profiling.

5. International Data Transfers

Your information may be processed or stored outside your country of residence, including in the United States and other jurisdictions with different data protection standards.

For transfers of personal data from the EU/EEA to third countries, we require our third-party processors to maintain appropriate safeguards. Where we transfer data to processors in the United States (including Anthropic PBC, Google LLC, Supabase Inc., and Cloudflare, Inc.), we ensure appropriate transfer mechanisms are in place, which may include Standard Contractual Clauses (SCCs) as approved by the European Commission.

Canada is recognized by the European Commission as providing an adequate level of data protection for commercial organizations subject to PIPEDA. Transfers from the EEA to Thea Soft Inc. in Canada are covered by this adequacy decision.

You may request information about the safeguards in place for international transfers by contacting us at support@yapr.ca.

6. Data Retention

We retain personal information for as long as necessary to fulfill the purposes for which it was collected, to provide the Service, and to comply with legal obligations or legitimate business interests.

Standard retention practices:

Audio retention carve-out: We may retain audio beyond 7 days solely where: (a) we have a reasonable good-faith belief the data is relevant to suspected abuse, harassment, or a Terms violation; (b) an active safety investigation requires the data; (c) a legal hold, regulatory inquiry, or litigation requires preservation; or (d) retention is necessary to protect safety from imminent harm. Audio retained under this carve-out will be held only for the minimum period necessary and deleted as soon as the relevant purpose is fulfilled.

You may request deletion of your account and associated personal information by contacting support@yapr.ca or through the account deletion flow in the app. Deletion periods stated above apply to live systems. Personal data contained in encrypted system backups may persist for up to 90 days as part of routine backup rotation. Such data will not be accessed or processed during this period and will be permanently overwritten in the ordinary course of backup rotation.

7. Data Security

We use commercially reasonable administrative, technical, and organizational safeguards to protect personal information against unauthorized access, disclosure, alteration, or destruction. These measures include encryption in transit, access controls, and contractual security obligations with our service providers.

No system can be guaranteed to be completely secure. In the event of a personal data breach likely to result in a risk to your rights and freedoms, we will notify affected users and applicable supervisory authorities within 72 hours of becoming aware of the breach, as required under GDPR Article 33.

Responsible Disclosure: If you discover a potential security vulnerability in the Service, please report it to us at support@yapr.ca before any public disclosure. We will acknowledge your report within 5 business days and work to address valid vulnerabilities in a timely manner.

8. Children's Privacy

The Service is not intended for children under the age of 13 (or the minimum age required by applicable law in your jurisdiction).

For users in the EU/EEA: In accordance with GDPR Article 8, where we rely on consent as the legal basis for processing, we do not knowingly collect personal data from children under the age of 16 without verifiable parental or guardian consent. If your country has set a lower age of digital consent (minimum 13 under GDPR), that lower age applies.

If you believe a child has provided personal information to us without appropriate consent, please contact us at support@yapr.ca so we can take appropriate action, including deletion of that data.

9. Your Rights and Choices

Depending on your jurisdiction, you may have the following rights with respect to your personal information:

• Right of access — Request a copy of the personal data we hold about you
• Right to rectification — Request correction of inaccurate or incomplete information
• Right to erasure ("right to be forgotten") — Request deletion of your personal data, subject to legal retention obligations
• Right to restriction — Request that we limit processing of your data in certain circumstances
• Right to data portability (GDPR Art. 20) — Receive your personal data in a structured, machine-readable format where technically feasible
• Right to object (GDPR Art. 21) — Object to processing based on legitimate interests
• Right to withdraw consent — Withdraw consent at any time without affecting the lawfulness of prior processing
• Right to lodge a complaint — With your local data protection supervisory authority (GDPR Art. 13(2)(d))

How to Exercise Your Rights

To exercise any of the above rights, contact us at support@yapr.ca with the subject line "Data Privacy Request". We will respond within 30 days (or within 1 month as required under GDPR). We may request verification of your identity before processing your request.

How to Withdraw Consent

You may withdraw consent for audio processing and AI features at any time by navigating to: More › Settings › Privacy & Safety within the Yapr app. Withdrawing consent will disable voice-based features and may result in loss of access to core Service functionality, as audio input is required for operation.

You may also withdraw consent for push notifications through your device settings: Settings › Notifications › Yapr.

Withdrawal of consent does not affect the lawfulness of any processing carried out prior to withdrawal.

10. Third-Party Links

The Service may include links to third-party websites or services not operated by us. We are not responsible for their content or privacy practices and encourage you to review their policies independently.

11. Changes to This Privacy Policy

We may update this Privacy Policy from time to time at our sole discretion. The "Last Updated" date at the top of this document will reflect any revisions. Material changes will be communicated through the Service or by email to your registered address prior to taking effect, except where we are legally required to make changes with immediate effect.

Where required by applicable law (including GDPR), we will seek renewed consent before processing your data under materially changed terms. If you do not agree with a material change, you may delete your account before the change takes effect.