Privacy Policy
Last updated: February 15, 2026
Effective date: February 15, 2026
1. Introduction
This Privacy Policy explains how Tathros GmbH ("we," "us," "our," "Tathros") collects, uses, stores, shares, and protects your personal data when you use the Vokabulo mobile application ("App," "Service").
We are committed to protecting your privacy. We only process what is strictly required to operate the App. We do not sell your data. We do not serve advertisements.
This Privacy Policy applies to all users of the App worldwide and addresses the specific requirements of the following data protection laws:
- EU: General Data Protection Regulation (GDPR)
- Germany: TDDDG, BDSG
- Italy: Codice della Privacy (D.Lgs. 196/2003)
- France: Loi Informatique et Libertés, CNIL Recommendations
- Spain: LOPDGDD (Ley Orgánica 3/2018)
- Brazil: LGPD (Lei nº 13.709/2018)
- United Kingdom: UK GDPR, Data Protection Act 2018, PECR
- United States: CCPA/CPRA, state privacy laws, COPPA
Please read this Privacy Policy carefully. By using the App, you acknowledge that you have read and understood this policy.
2. Data Controller
The data controller responsible for your personal data is:
Tathros GmbH, Zum Quellenpark 38, 65812 Bad Soden am Taunus, Germany
Email: privacy@vokabulo.com, Website: www.vokabulo.com
Managing Director: Wolfgang Männel
Commercial Register: Königstein HRB 7391, VAT ID: DE264657778
Data Protection Officer: Wolfgang Männel
3. What Data We Collect
We collect and process the following categories of personal data:
3.1. Account Data (provided by you at registration)
| Data | Required / Optional | Purpose |
|---|---|---|
| Email address | Required | Account creation, authentication, communication |
| First name | Optional | Personalization, community display |
| Last name | Optional | Personalization |
| Username | Auto-generated (editable) | Community identity, leaderboard |
| Profile photo | Optional | Profile personalization |
| Sign-in method | Automatic | Authentication (Apple, Google, or email) |
3.2. Learning Data (generated through your use of the App)
| Data | Purpose |
|---|---|
| Vocabulary words, translations, and context sentences | Core service functionality |
| Language pairs and proficiency level | Personalization of learning experience |
| Tags and organizational data | Content organization |
| Quiz session data (mode, duration, cards shown, correct/incorrect counts) | Spaced Repetition System (SRS), progress tracking |
| Individual quiz answer events (per-word performance, time to answer) | SRS algorithm optimization |
| Study streak data (daily check-ins, streak count, pause status, milestones) | Streak and gamification features |
| Points and badges | Gamification features |
3.3. Community Data (generated when you use community features)
| Data | Purpose |
|---|---|
| Community Sets you create, follow, or contribute to | Community feature operation |
| Word suggestions submitted to sets | Collaborative content improvement |
| Content reports and flags | Safety and content moderation |
3.4. Technical Data (collected automatically)
| Data | Purpose |
|---|---|
| Device type and model | App compatibility and debugging |
| Operating system version | App compatibility |
| App version | Support and update management |
| Country/region (from device settings, not GPS) | Default language suggestions, regional content |
| Preferred device language | Interface localization |
3.5. Data Processed by Third-Party Services on Our Behalf
| Service | Data Processed | Purpose |
|---|---|---|
| Authentication Provider (currently Clerk) | Email, name, OAuth tokens, IP address (by Clerk), session tokens | User authentication and session management |
| Backend Infrastructure (currently Convex) | All app data listed above | Database storage, real-time sync, cloud backup |
| AI Language Model Providers (various, interchangeable) | Text prompts only (vocabulary terms, situation descriptions) — no personal identifiers | AI Translate Service, Moments vocabulary generation, content moderation |
| Text-to-Speech Provider (currently ElevenLabs) | Text to be spoken — no personal identifiers | Pronunciation audio generation |
| Subscription Management (currently RevenueCat) | Apple ID purchase tokens, subscription status, transaction receipts | Subscription and payment processing |
4. What We Do NOT Collect
We want to be explicit about what we do not collect:
- No advertising identifiers (IDFA/GAID)
- No precise location data (GPS, Wi-Fi triangulation, or Bluetooth beacons)
- No browsing history or activity outside the App
- No contacts, calendar, or photo library data
- No health or biometric data
- No financial or payment card information (all payments are processed by Apple)
- No advertising networks or ad SDKs
- No cross-app or cross-site tracking
- No audio recordings (voice input is processed on-device via Apple's speech recognition and is not stored or transmitted by us)
5. How We Use Your Data
We use your personal data for the following purposes:
| Purpose | Data Used | Legal Basis (GDPR) |
|---|---|---|
| Providing the Service — account creation, vocabulary management, quiz sessions, study streaks, sync across devices | Account Data, Learning Data | Performance of contract (Art. 6(1)(b)) |
| Community Features — enabling you to create, share, follow, and contribute to Community Sets | Account Data, Community Data | Performance of contract (Art. 6(1)(b)) |
| AI-Powered Features — AI Translate Service and Moments vocabulary generation | Text prompts from Learning Data (no personal identifiers) | Performance of contract (Art. 6(1)(b)) |
| Content Moderation — automated review of user-generated content shared in Community Sets | Community Data | Legitimate interest (Art. 6(1)(f)) — maintaining a safe learning environment |
| Text-to-Speech — generating pronunciation audio | Vocabulary text (no personal identifiers) | Performance of contract (Art. 6(1)(b)) |
| Gamification — points, badges, and leaderboard | Learning Data, Account Data | Performance of contract (Art. 6(1)(b)) |
| Push Notifications — study reminders and community activity updates | Device token, notification preferences | Consent (Art. 6(1)(a)) |
| Leaderboard — displaying your ranking to other users | Username, points, streak data | Consent (Art. 6(1)(a)) — you can opt out at any time |
| App Stability and Security — ensuring the Service functions correctly | Technical Data | Legitimate interest (Art. 6(1)(f)) |
| Subscription Management — processing your subscription through Apple | Purchase tokens (processed by Apple and RevenueCat) | Performance of contract (Art. 6(1)(b)) |
We do not use your data for advertising, profiling for marketing purposes, or automated decision-making that produces legal effects concerning you.
6. Legal Bases for Processing
6.1. EU/EEA, UK, and Switzerland (GDPR / UK GDPR)
We process your data based on the following legal bases under Article 6 GDPR:
- Performance of contract (Art. 6(1)(b)): Processing necessary to provide the Service you signed up for, including account management, vocabulary storage, quiz functionality, sync, community features, AI-powered features, and subscription management.
- Consent (Art. 6(1)(a)): Processing for optional features that require your explicit opt-in, including push notifications, leaderboard participation, and voice input (microphone access). You may withdraw consent at any time (see Section 11).
- Legitimate interest (Art. 6(1)(f)): Processing necessary for our legitimate interests, including ensuring app stability and security, content moderation to maintain community safety, and fraud prevention. We have balanced these interests against your rights and freedoms and determined that processing is proportionate and does not override your interests.
6.2. Brazil (LGPD)
Under the LGPD, we process your data based on: consent (Art. 7(I)), performance of contract (Art. 7(V)), and legitimate interest (Art. 7(IX)), as described in Section 5 above.
6.3. United States
In the United States, we process your data as described in this Privacy Policy to provide the Service under our Terms and Conditions. For California residents, see Section 15.
7. Data Storage and Security
7.1. Where Your Data Is Stored
Your data is stored in the following locations:
| Storage Location | Data Stored | Purpose |
|---|---|---|
| On your device (SwiftData/local database) | Vocabulary, language pairs, quiz sessions, tags, offline queue | Local app functionality and offline access |
| On your device (UserDefaults) | App preferences, study settings, display options | User preferences |
| iCloud Keychain (Apple) | Authentication session tokens and user ID | Cross-device sign-in (iOS ↔ macOS) |
| Cloud backend (currently Convex, hosted on AWS) | All app data — account, vocabulary, quiz sessions, community sets, streaks, points | Real-time sync, backup, multi-device access |
| Authentication provider (currently Clerk) | Account credentials, session data | User authentication |
7.2. International Data Transfers
Your data may be transferred to and processed in the United States and other countries where our service providers maintain infrastructure. These countries may have data protection laws that differ from those in your jurisdiction.
For transfers from the EEA, we rely on:
- EU-U.S. Data Privacy Framework (Clerk is certified under the EU-U.S. DPF);
- Standard Contractual Clauses (SCCs) approved by the European Commission (Decision 2021/914);
- Adequacy decisions where available.
For transfers from the UK, we rely on:
- UK International Data Transfer Agreements (IDTAs) or the UK Addendum to EU SCCs.
For transfers from Brazil, we rely on:
- Standard contractual clauses approved by the ANPD, or other appropriate safeguards under Article 33 of the LGPD.
7.3. Security Measures
We implement appropriate technical and organizational measures to protect your data, including:
- Encrypted data transmission (TLS/HTTPS) for all network communications;
- Encrypted local storage via Apple's data protection framework;
- Authentication tokens stored in iCloud Keychain with hardware-backed security;
- Backend infrastructure with SOC 2 Type II compliance (Convex);
- Role-based access controls for internal systems;
- Regular security reviews of third-party dependencies.
No system is 100% secure. While we strive to protect your data, we cannot guarantee absolute security.
8. Data Retention
| Data Category | Retention Period |
|---|---|
| Account Data | Retained while your account is active. Permanently deleted within 30 days of account deletion. |
| Learning Data | Retained while your account is active. Permanently deleted within 30 days of account deletion. |
| Community Data | Community Sets you created may persist after account deletion if other users have followed them (your personal attribution will be anonymized). |
| Technical Data | Retained for up to 90 days for debugging and stability purposes. |
| Authentication Data (at Clerk) | Deleted when your account is deleted, subject to Clerk's data retention policies. |
| Subscription Data (at RevenueCat/Apple) | Retained by Apple and RevenueCat as required by financial record-keeping laws. |
When you delete your account, we perform a soft deletion immediately and permanently purge all personal data within 30 days, unless longer retention is required by applicable law (e.g., tax or financial regulations).
9. Data Sharing and Disclosure
9.1. We Do NOT Sell Your Data
We do not sell, rent, or trade your personal data to any third party. This applies globally, including under the definitions of "sell" and "share" in the California Consumer Privacy Act (CCPA/CPRA).
9.2. Service Providers (Data Processors)
We share data with the following categories of service providers who process data on our behalf, under contractual obligations to protect your data:
| Provider Category | Purpose | Data Shared |
|---|---|---|
| Authentication provider | User sign-in and session management | Email, name, OAuth tokens |
| Cloud backend provider | Data storage and real-time sync | All app data |
| AI language model providers | Translation, context generation, content moderation | Text prompts only (no personal identifiers) |
| Text-to-speech provider | Pronunciation audio | Text only (no personal identifiers) |
| Subscription management provider | Payment processing | Apple purchase tokens, subscription status |
We may change service providers at any time. We will update this Privacy Policy to reflect material changes.
9.3. Other Users
When you use community features, the following data is visible to other users:
- Your username and profile photo (if set) — on Community Sets you create or contribute to;
- Your username, streak data, and points — on the leaderboard (if you have not opted out);
- Vocabulary content you share in Community Sets.
You can hide yourself from the leaderboard at any time in Settings > Privacy.
9.4. Legal Disclosure
We may disclose your data if required to do so by law, court order, or governmental authority, or if we believe in good faith that disclosure is necessary to: (a) comply with a legal obligation; (b) protect our rights or property; (c) prevent fraud or address security issues; or (d) protect the safety of our users or the public.
9.5. Business Transfers
In the event of a merger, acquisition, or sale of assets, your personal data may be transferred to the acquiring entity. We will notify you via email and/or prominent notice within the App of any change in ownership or use of your personal data and your choices regarding your data.
10. Cookies and Tracking Technologies
The App does not use cookies, web beacons, pixel tags, or similar browser-based tracking technologies.
The App stores data locally on your device using:
- SwiftData (Apple's local database framework) — for vocabulary, quiz sessions, and other app data;
- UserDefaults — for app preferences and settings;
- iCloud Keychain — for authentication tokens (cross-device sync).
These are standard, on-device storage mechanisms and do not constitute tracking technologies. They are strictly necessary for the operation of the Service.
Under § 25 TDDDG (Germany) and PECR (UK): The local storage described above falls within the exception for technologies that are strictly necessary to provide a service explicitly requested by the user. No consent is required for these mechanisms.
11. Your Data Protection Rights
You have the following rights regarding your personal data. The specific rights available to you depend on your location.
11.1. Rights Available to All Users
Regardless of your location, you can:
- Access your data: View your account information, vocabulary, and learning data within the App at any time.
- Correct your data: Edit your profile, vocabulary, and other content directly in the App.
- Delete your account: Use Settings > User Account > Delete Account to permanently delete your account and all associated data.
- Export your data: Use the export feature in language pair settings to download your vocabulary data.
- Control notifications: Enable or disable push notifications in your device settings.
- Control leaderboard visibility: Toggle leaderboard participation in Settings > Privacy.
- Revoke permissions: Disable microphone and speech recognition access in your device settings.
11.2. Additional Rights Under EU/EEA Law (GDPR)
If you are in the EEA, you also have the right to:
- Restriction of processing (Art. 18) — request that we limit how we process your data;
- Data portability (Art. 20) — receive your data in a structured, commonly used, machine-readable format;
- Object to processing (Art. 21) — object to processing based on legitimate interests;
- Withdraw consent (Art. 7(3)) — withdraw consent for optional features at any time, without affecting the lawfulness of processing based on consent before withdrawal;
- Lodge a complaint with your local supervisory authority (see Section 14).
We will respond to GDPR rights requests within one month, extendable by two further months for complex requests.
11.3. Additional Rights Under German Law
- All rights under Section 11.2 apply.
- Under § 34 BDSG, you have the right to obtain information about data stored about you.
- Under § 35 BDSG, you have the right to correction, deletion, and restriction of processing.
11.4. Additional Rights Under Italian Law
- All rights under Section 11.2 apply.
- You may lodge a complaint with the Garante per la protezione dei dati personali (www.garanteprivacy.it).
- Under the Codice della Privacy (D.Lgs. 196/2003, as amended by D.Lgs. 101/2018), you may seek judicial remedy before the ordinary courts.
11.5. Additional Rights Under French Law
- All rights under Section 11.2 apply.
- You may lodge a complaint with the CNIL (www.cnil.fr).
- Under the Loi Informatique et Libertés (Loi n° 78-17), you have the right to define directives regarding the storage, deletion, and communication of your personal data after your death (Article 85).
11.6. Additional Rights Under Spanish Law
- All rights under Section 11.2 apply.
- You may lodge a complaint with the Agencia Española de Protección de Datos (AEPD) at www.aepd.es.
- Under Title X of the LOPDGDD, you benefit from digital rights including the right to digital security and the right to digital education.
11.7. Additional Rights Under Brazilian Law (LGPD)
If you are in Brazil, you have the following rights under Article 18 of the LGPD:
- Confirm the existence of data processing;
- Access your personal data;
- Correct incomplete, inaccurate, or outdated data;
- Anonymize, block, or delete unnecessary or excessive data;
- Data portability to another service provider;
- Delete personal data processed with your consent;
- Obtain information about third parties with whom data is shared;
- Obtain information about the possibility and consequences of denying consent;
- Withdraw consent at any time.
Data Protection Officer (Encarregado): Wolfgang Männel, see above
Response Time: We will respond within 15 days, extendable by an additional 15 days.
You may file complaints with the ANPD at www.gov.br/anpd.
11.8. Additional Rights Under UK Law
- You have the same rights as listed in Section 11.2, as adapted under the UK GDPR and Data Protection Act 2018 (as amended by the Data (Use and Access) Act 2025).
- You may lodge a complaint with the Information Commissioner's Office (ICO) at www.ico.org.uk.
- The age of digital consent in the UK is 13.
11.9. Additional Rights Under US Law
(a) California Residents (CCPA/CPRA)
If you are a California resident, you have the right to:
- Know what personal information is collected, used, and disclosed;
- Delete your personal information;
- Correct inaccurate personal information;
- Opt out of the sale or sharing of personal information;
- Limit the use of sensitive personal information;
- Non-discrimination for exercising your rights.
We do not sell or share your personal information as defined by the CCPA/CPRA. We do not use sensitive personal information for purposes other than providing the Service.
Categories of Personal Information Collected (preceding 12 months):
| CCPA Category | Examples from Vokabulo | Source | Business Purpose |
|---|---|---|---|
| A. Identifiers | Email, username, user ID | Directly from you | Account management |
| B. Personal information (Cal. Civ. Code § 1798.80(e)) | Name, email | Directly from you | Account management |
| D. Commercial information | Subscription status, purchase history | Apple / RevenueCat | Subscription management |
| F. Internet or network activity | App version, device type, OS version | Automatically collected | App compatibility, debugging |
| K. Inferences | Spaced repetition scheduling, vocabulary mastery levels | Generated from your use | Learning optimization |
Categories of Personal Information Sold or Shared: None. We have not sold or shared any personal information in the preceding 12 months.
Categories of Personal Information Disclosed for Business Purposes:
| Category | Recipients | Purpose |
|---|---|---|
| A. Identifiers | Authentication provider, backend provider | Service operation |
| B. Personal information | Authentication provider, backend provider | Service operation |
| D. Commercial information | Subscription management provider | Payment processing |
We do not knowingly collect personal information from consumers under 16.
(b) Other US State Privacy Laws
If you reside in Virginia, Colorado, Connecticut, Texas, or another state with a comprehensive privacy law, you may have rights including access, correction, deletion, data portability, and the right to opt out of targeted advertising, profiling, and the sale of personal data. We honor applicable rights. Contact us at privacy@vokabulo.com.
(c) COPPA
The App is not directed at children under 13 in the United States. We do not knowingly collect personal data from children under 13. If we learn we have collected such data, we will promptly delete it. If you believe a child under 13 has provided us with personal data, contact us at privacy@vokabulo.com.
12. Children's Privacy
12.1. The App is intended for users aged 16 and older. We do not knowingly collect personal data from children under 16 without parental consent.
12.2. EU/EEA: Under the GDPR, the age of digital consent varies by member state (generally 13-16). We apply a minimum age of 16.
12.3. Germany: Under § 20 TDDDG, additional safeguards apply to the processing of minors' data.
12.4. UK: Under the Data Protection Act 2018, the age of digital consent is 13.
12.5. Brazil: Under Article 14 LGPD, processing personal data of children under 12 requires specific and prominent consent from a parent or legal guardian. Users aged 12-18 are considered adolescents and their data must be processed in their best interest.
12.6. USA: Under COPPA, we do not knowingly collect personal data from children under 13.
12.7. If you believe that a minor has provided us with personal data without appropriate consent, please contact us at privacy@vokabulo.com and we will take steps to delete such data.
13. AI-Powered Features and Data Processing
13.1. The App uses third-party AI language models to power the AI Translate Service (automatic translation and context generation) and Moments (situation-based vocabulary generation). We also use AI for content moderation of Community Sets.
13.2. What we send to AI providers: Only the text content necessary to generate the requested output — e.g., a word to translate, a situation description, or community content to moderate. We do not send your name, email, user ID, or any other personal identifiers to AI providers.
13.3. Multiple providers: We use multiple AI providers and may change, add, or replace providers at any time. The choice of AI provider is an implementation detail that does not affect your privacy rights.
13.4. No training on your data: We do not permit AI providers to use your prompts or outputs to train their models. We use API-level access with data processing agreements that prohibit training use.
13.5. EU AI Act (Article 50): Content generated by AI is disclosed as AI-generated within the App interface. We comply with the transparency obligations of the EU AI Act regarding the labeling and marking of AI-generated content.
13.6. Automated Decision-Making (GDPR Art. 22): The App uses automated processing for spaced repetition scheduling (determining when to show a word for review) and AI-generated content suggestions. These automated processes do not produce legal effects or similarly significant effects on you. All AI-generated content is presented as suggestions that you review and choose to accept or discard.
14. Supervisory Authorities
If you believe we have violated your data protection rights, you have the right to lodge a complaint with the competent supervisory authority:
| Jurisdiction | Authority | Website |
|---|---|---|
| EU (general) | Your local Data Protection Authority | edpb.europa.eu/about-edpb/about-edpb/members_en |
| Germany | Bundesbeauftragter für den Datenschutz (BfDI) or your state-level DPA | bfdi.bund.de |
| Italy | Garante per la protezione dei dati personali | garanteprivacy.it |
| France | Commission Nationale de l'Informatique et des Libertés (CNIL) | cnil.fr |
| Spain | Agencia Española de Protección de Datos (AEPD) | aepd.es |
| Brazil | Autoridade Nacional de Proteção de Dados (ANPD) | gov.br/anpd |
| United Kingdom | Information Commissioner's Office (ICO) | ico.org.uk |
| United States (California) | California Privacy Protection Agency (CPPA) | cppa.ca.gov |
15. California-Specific Disclosures (CCPA/CPRA)
This section provides additional disclosures required under California law:
15.1. Right to Know: See Section 11.9(a) for categories of personal information collected.
15.2. Right to Delete: You may delete your account and personal data through Settings > User Account > Delete Account, or by emailing privacy@vokabulo.com.
15.3. Right to Correct: You may correct your personal information through the App, or by emailing privacy@vokabulo.com.
15.4. Right to Opt Out of Sale/Sharing: We do not sell or share your personal information. No opt-out mechanism is required.
15.5. Sensitive Personal Information: We collect email addresses as account identifiers. We do not use sensitive personal information for purposes other than providing the Service.
15.6. Financial Incentives: We do not offer financial incentives related to the collection of personal information.
15.7. Shine the Light (Cal. Civ. Code § 1798.83): We do not share personal information with third parties for their direct marketing purposes.
15.8. Accessibility: This Privacy Policy is provided in a format accessible on mobile devices and is designed for readability.
15.9. How to Submit Requests: Email privacy@vokabulo.com or use the in-app account management features. We will verify your identity before fulfilling requests. We will respond within 45 days, extendable by an additional 45 days for complex requests.
15.10. Authorized Agents: You may designate an authorized agent to make requests on your behalf. Agents must provide a signed written authorization or power of attorney.
16. Germany-Specific Provisions
16.1. TDDDG Compliance (§§ 19-26)
The App constitutes a "digital service" under the TDDDG. We comply with the following:
- § 25 TDDDG: We do not store information on or access information from your device beyond what is strictly necessary for the provision of the Service. The local storage mechanisms described in Section 10 are exempt from the consent requirement as they are strictly necessary for providing the Service you explicitly requested.
- § 19 TDDDG: We implement appropriate technical and organizational measures to protect your personal data.
- § 20 TDDDG: We apply additional safeguards for the processing of minors' data.
16.2. BDSG Compliance
We comply with the Federal Data Protection Act (BDSG), including:
- § 26 BDSG: Employee data processing (applicable to our internal operations only);
- § 34 BDSG: Right to information;
- § 35 BDSG: Right to correction, deletion, and restriction;
- § 38 BDSG: Data Protection Officer requirement [state whether DPO is appointed].
17. France-Specific Provisions (CNIL Compliance)
In accordance with the CNIL's recommendations on mobile applications (April 2025):
17.1. Privacy by Design: Data protection has been integrated into the App from the earliest design stages. We minimize data collection to what is strictly necessary for each feature.
17.2. Data Processing Map: We maintain a comprehensive record of all processing activities, including identification of data types, purposes, legal bases, recipients, and retention periods, as set out in this Privacy Policy.
17.3. SDK Transparency: All third-party SDKs integrated into the App and their data processing activities are disclosed in Section 3.5 and Section 9.2. No SDK processes data for purposes that are not strictly necessary for the Service without your explicit consent.
17.4. Role Clarification: Tathros GmbH is the data controller for all personal data processing. Our service providers (Clerk, Convex, AI providers, ElevenLabs, RevenueCat) act as data processors under appropriate data processing agreements.
17.5. Post-Mortem Directives (Art. 85 Loi Informatique et Libertés): French users have the right to define directives regarding the storage, deletion, and communication of their personal data after death. You may submit such directives to privacy@vokabulo.com.
18. Italy-Specific Provisions
18.1. Processing of your personal data complies with the Codice della Privacy (D.Lgs. 196/2003, as amended by D.Lgs. 101/2018) and the GDPR.
18.2. In accordance with the Garante's guidelines on cookies and tracking tools (Provvedimento n. 229/2021), we confirm that the App does not use cookies or tracking technologies beyond the strictly necessary on-device storage described in Section 10.
18.3. You have the right to lodge a complaint with the Garante per la protezione dei dati personali and to seek judicial remedy before the ordinary courts.
19. Spain-Specific Provisions
19.1. Processing of your personal data complies with the LOPDGDD (Ley Orgánica 3/2018) and the GDPR.
19.2. In accordance with the LSSI-CE (Ley 34/2002), we do not send unsolicited commercial communications. Push notifications are sent only with your explicit consent and can be disabled at any time.
19.3. You benefit from digital rights under Title X of the LOPDGDD, including the right to digital security and the right to digital education.
19.4. You may file complaints with the AEPD at www.aepd.es.
20. Brazil-Specific Provisions (LGPD)
20.1. We process personal data in accordance with the LGPD (Lei nº 13.709/2018). All processing is based on the legal bases identified in Section 6.2.
20.2. Data Protection Officer (Encarregado): Wolfgang Männel, see above. The Encarregado can be contacted for any questions regarding the processing of your personal data.
20.3. International Transfer: Your data is transferred to the United States for processing. We rely on standard contractual clauses and other appropriate safeguards under Article 33 LGPD.
20.4. Data Breach Notification: In the event of a security incident that may create risk or relevant damage to data subjects, we will notify the ANPD and affected individuals within a reasonable timeframe, as required by Article 48 LGPD.
20.5. Consumer Protection: This Privacy Policy complies with the transparency requirements of the Código de Defesa do Consumidor (Lei nº 8.078/1990).
21. United Kingdom-Specific Provisions
21.1. Your data is processed in accordance with the UK GDPR and the Data Protection Act 2018, as amended by the Data (Use and Access) Act 2025.
21.2. PECR Compliance: In accordance with the Privacy and Electronic Communications Regulations 2003, we confirm:
- The App does not use cookies or equivalent tracking technologies beyond strictly necessary on-device storage;
- Push notifications are sent only with your explicit consent;
- We do not send direct marketing communications without consent.
21.3. International Transfers: Where your data is transferred outside the UK, we rely on UK adequacy regulations or UK International Data Transfer Agreements (IDTAs).
21.4. You may lodge a complaint with the ICO at www.ico.org.uk.
22. Apple App Store and Privacy Labels
22.1. In accordance with Apple's App Privacy requirements, we provide accurate privacy nutrition labels for the App on the App Store. These labels disclose the types of data linked to your identity and the purposes for which data is used.
22.2. Apple processes certain data in connection with App Store transactions, including your Apple ID, purchase history, and device information. Apple's data practices are governed by Apple's Privacy Policy at www.apple.com/legal/privacy.
22.3. All payments for subscriptions are processed by Apple. We do not receive or store your payment card details.
23. Changes to This Privacy Policy
23.1. We may update this Privacy Policy from time to time. Material changes will be communicated through the App and/or by email at least 30 days before they take effect.
23.2. The "Last updated" date at the top of this policy indicates when it was most recently revised.
23.3. Your continued use of the App after changes take effect constitutes your acceptance of the updated Privacy Policy. Where applicable law requires explicit consent for material changes, we will obtain such consent.
23.4. We encourage you to review this Privacy Policy periodically.
24. Contact Us
If you have questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us:
Tathros GmbH, Zum Quellenpark 38, 65812 Bad Soden am Taunus, Germany
Email: privacy@vokabulo.com, Website: www.vokabulo.com
For data protection inquiries specifically: Wolfgang Männel, see above.
For Brazilian users (Encarregado): Wolfgang Männel, see above.
Appendix: Summary Table of Data Processing Activities
| Processing Activity | Data Categories | Legal Basis (GDPR) | Recipients | Retention |
|---|---|---|---|---|
| Account creation & auth | Email, name, sign-in method | Contract | Auth provider, backend | Until account deletion + 30 days |
| Vocabulary management | Words, translations, context, tags | Contract | Backend, AI providers (text only) | Until account deletion + 30 days |
| Quiz & spaced repetition | Quiz sessions, answer events, mastery levels | Contract | Backend | Until account deletion + 30 days |
| Study streaks | Daily check-ins, streak count, milestones | Contract | Backend | Until account deletion + 30 days |
| Community Sets | Shared vocabulary, suggestions, follows | Contract | Backend, other users | Until account deletion (or anonymized if followed) |
| AI Translate Service | Text prompts | Contract | AI providers | Not retained by us; subject to AI providers' policies |
| Moments | Situation descriptions, generated vocabulary | Contract | AI providers | Not retained by us; subject to AI providers' policies |
| Text-to-speech | Vocabulary text | Contract | TTS provider | Not retained by us |
| Content moderation | Community content text | Legitimate interest | AI providers | Not retained by us |
| Push notifications | Device token, preferences | Consent | Apple Push Notification Service | Until permission revoked |
| Leaderboard | Username, points, streak | Consent | Backend, other users | Until opted out or account deleted |
| Subscription | Purchase tokens, status | Contract | Apple, subscription provider | Per Apple/financial regulations |
| App stability | Device type, OS, app version | Legitimate interest | Backend | 90 days |