This Privacy Policy describes how Black Sea Consulting Inc., a corporation incorporated under the laws of the Province of Ontario, Canada (“Black Sea Consulting,” “we,” “us,” or “our”), collects, uses, discloses, and otherwise processes personal information in connection with the Vulpi language-learning application, website at vulpi.app, and related services (collectively, the “Service”).
We are committed to protecting your privacy and handling your personal information in accordance with applicable privacy laws, including Canada's Personal Information Protection and Electronic Documents Act (“PIPEDA”) and Quebec's Act respecting the protection of personal information in the private sector(“Quebec Law 25”). If you are in the European Economic Area, United Kingdom, or California, additional rights are described in Section 9.
By accessing or using the Service, you acknowledge that you have read and understood this Privacy Policy.
1. Information We Collect
1.1 Information you provide directly
- Account information: when you create an account using email and password, we collect your email address and a hashed copy of your password (passwords are stored by our identity provider Clerk, Inc.; we do not have access to the plaintext).
- Google Sign-In information: when you sign in with Google, we receive from Google your name, email address, profile image URL, locale, and Google account identifier. You authorize Google to share that information with us. We do not receive your Google password.
- Onboarding answers: language you want to learn, motivations and reasons, current proficiency level, topics of interest, prior practice history, blockers, learner type, age range, daily time commitment, and similar inputs you provide during onboarding.
- User Content: voice recordings, written text, chat messages, exercise responses, pronunciation samples, and any other material you submit through the Service.
- Support communications: messages and information you send when you contact us, including your name, email address, and the content of your message.
1.2 Payment information
Payments are processed by Stripe, Inc. Stripe collects your full payment card or other payment instrument details directly from you. We do not collect or store full payment card numbers on our servers. We receive limited information from Stripe, including: cardholder name, the brand and last four digits of your card, billing postal / ZIP code, card expiration date, country of issue, subscription identifiers, invoice and charge records, refund records, and subscription status. Stripe's handling of your payment information is governed by Stripe's own privacy policy at https://stripe.com/privacy.
1.3 Information collected automatically
- Device and browser information: device model, operating system, browser type and version, screen size, language preference, time zone.
- Network information: IP address, approximate geographic location derived from IP address, network type, internet service provider.
- Usage data: pages visited, lessons completed, exercises attempted, scores, streaks, time spent, feature interactions, navigation paths, click events, error events, referrer URLs, timestamps.
- Cookies and similar technologies: see Section 6.
1.4 Information from third parties
We may receive information about you from third-party identity providers (such as Google) when you choose to authenticate through them, from our payment processor (Stripe) about transactions on your Account, and from analytics and fraud-prevention providers.
2. How We Use Your Information
We use personal information for the following purposes:
- Provide and operate the Service, including authenticating you, generating your personalized learning plan, delivering lessons, tracking progress, processing payments, providing customer support, and sending you transactional communications (such as trial-ending reminders, payment receipts, security alerts, and important account notices);
- Personalize and improve the Service, including analyzing usage patterns, A/B testing, debugging, improving lessons and content, and tuning recommendations to your level and goals;
- Train, evaluate, and improve our and our service providers' machine-learning and artificial-intelligence models (for example, to improve speech recognition, pronunciation feedback, or conversational responses), in anonymized or aggregated form where reasonably practicable;
- Send marketing and promotional communications about new features, content, or offers, where permitted by law and subject to your right to unsubscribe at any time;
- Detect, prevent, investigate, and address fraud, abuse, security incidents, and other harmful or illegal activity, and enforce our Terms of Service;
- Comply with legal obligations, respond to lawful requests from public authorities, exercise or defend legal claims, and protect our rights and the rights, safety, and property of others; and
- For other purposes for which we obtain your consent or that are otherwise permitted by law.
3. Legal Basis for Processing
Where required by applicable law (such as GDPR or Quebec Law 25), we rely on the following legal bases to process your personal information:
- Performance of a contract — to provide the Service you have requested, including processing your Subscription and billing;
- Legitimate interests — to operate, secure, and improve the Service, develop new features, prevent fraud, and conduct business analytics, where those interests are not overridden by your rights;
- Consent — for marketing communications, optional features, certain cookies and analytics, and other processing for which we ask for your express consent. You may withdraw consent at any time;
- Compliance with legal obligations — for tax, accounting, regulatory, and law-enforcement requirements.
4. How We Share Personal Information
We do not sell your personal information. We share personal information only as described below.
4.1 Service providers
We share personal information with third-party service providers that perform services on our behalf and are contractually obligated to protect it and use it only for the purposes we authorize. Our key service providers (sub-processors) include:
- Stripe, Inc. (United States) — payment processing, subscription billing, fraud prevention;
- Clerk, Inc. (United States) — authentication, identity and session management;
- Google LLC (United States) — Google Sign-In (OAuth);
- cloud hosting and infrastructure providers (including content delivery networks);
- email delivery, customer-support, error-monitoring, and analytics providers (which may include products such as PostHog or equivalent).
We may update our list of sub-processors from time to time. The current list reflects sub-processors used as of the “Last updated” date above.
4.2 Legal and safety
We may disclose personal information when we believe in good faith that disclosure is necessary to: (a) comply with applicable law, regulation, legal process, or governmental request; (b) enforce our Terms of Service, including investigation of potential violations; (c) detect, prevent, or address fraud, security, or technical issues; or (d) protect the rights, property, or safety of us, our users, or others.
4.3 Business transfers
If we are involved in a merger, acquisition, financing, reorganization, bankruptcy, or sale of all or a portion of our assets, your personal information may be transferred as part of that transaction. We will notify you (for example, by email or a notice on the Service) before your personal information becomes subject to a materially different privacy policy.
4.4 With your consent
We may share personal information for any other purpose disclosed to you and with your consent.
5. International Transfers
We are based in Canada, but some of our service providers (such as Stripe, Clerk, and Google) operate from or store data in the United States and other jurisdictions outside Canada and your country of residence. As a result, your personal information may be transferred to, stored in, and processed in countries whose data-protection laws may differ from those in your home jurisdiction.
Where required, we put in place appropriate safeguards (such as standard contractual clauses and data-processing agreements) to ensure that personal information receives an adequate level of protection. By using the Service, you acknowledge that your information may be transferred outside your country of residence, including to the United States, and you consent to such transfers where consent is required.
6. Cookies and Similar Technologies
We and our service providers use cookies, local storage, and similar technologies to operate the Service, remember your preferences, understand usage, and improve performance. We categorize them as follows:
- Strictly necessary — required for the Service to function (for example, to authenticate you, maintain your session, and remember your onboarding progress). These cannot be disabled without breaking the Service.
- Functional — remember preferences and provide enhanced features.
- Analytics — help us understand how the Service is used so we can improve it.
You can disable cookies through your browser settings; however, parts of the Service may not function correctly without them.
7. Data Retention
We retain personal information for as long as is reasonably necessary to fulfil the purposes set out in this Privacy Policy, to provide the Service, to comply with our legal, accounting, tax, and reporting obligations, and to resolve disputes and enforce our agreements.
- Account data — retained while your account is active. If you close your account, we delete or anonymize it within a reasonable period (typically within 90 days), subject to legal retention requirements.
- Billing and transaction records — retained for as long as required by applicable tax, accounting, and financial laws (typically 6 to 7 years in Canada).
- Voice recordings and learning content — retained to provide the Service, deliver feedback, and improve our models. You may request deletion as described in Section 9.
- Backups — copies of information may persist in encrypted backups for a limited period after deletion, after which they are overwritten.
8. Data Security
We use commercially reasonable administrative, technical, and physical safeguards to protect personal information against unauthorized access, use, disclosure, alteration, and destruction. These include encryption in transit (TLS), encryption at rest where appropriate, access controls, secrets management, and regular review of our security practices.
Despite these measures, no method of transmission over the internet or method of electronic storage is 100% secure. We cannot guarantee absolute security. In the event of a security incident affecting your personal information, we will notify you and applicable regulators as required by law.
9. Your Privacy Rights
9.1 All users — PIPEDA (Canada)
Under PIPEDA, you have the right to:
- access personal information we hold about you;
- request correction of personal information that is inaccurate or incomplete;
- withdraw consent to our processing of your personal information (subject to legal or contractual restrictions; withdrawing consent may mean we can no longer provide the Service);
- file a complaint with the Office of the Privacy Commissioner of Canada at https://www.priv.gc.ca/.
9.2 Quebec residents — Law 25
If you reside in Quebec, you have additional rights under Quebec Law 25, including the right to: be informed of automated decision-making that has a significant effect on you; request portability of your personal information; and request that we cease disseminating your personal information or de-index links to it where the dissemination contravenes the law or a court order.
You may also file a complaint with the Commission d'accès à l'information du Québec at https://www.cai.gouv.qc.ca/.
9.3 EEA / UK residents — GDPR
If you are in the European Economic Area or United Kingdom, you have the right to: access your personal data; request rectification, erasure, or restriction of processing; object to processing; request data portability; and withdraw consent at any time (without affecting the lawfulness of processing before withdrawal). You also have the right to lodge a complaint with a supervisory authority in your country of residence.
9.4 California residents — CCPA / CPRA
If you are a California resident, you have the right to: know what personal information we have collected, used, disclosed, and sold or shared about you; request deletion of personal information we have collected from you; correct inaccurate personal information; limit the use and disclosure of sensitive personal information; opt out of the “sale” or “sharing” of personal information (we do not sell personal information); and not be subject to discrimination for exercising your rights.
9.5 How to exercise your rights
To exercise any of these rights, please contact us at info@blackseaconsulting.ca with a description of your request. We may require additional information to verify your identity before responding. We will respond within the timeframes required by applicable law (typically within 30 days). There is no fee for most requests, but we may charge a reasonable fee or refuse a request that is manifestly unfounded, excessive, or repetitive, as permitted by law.
10. Children's Privacy
The Service is intended for users who are at least 18 years of age, or the age of majority in their jurisdiction (whichever is greater). We do not knowingly collect personal information from children below that age. If we become aware that we have collected personal information from a child below the applicable age without verified consent of a parent or legal guardian, we will take steps to delete that information. If you believe we may have collected personal information from such a child, please contact us at info@blackseaconsulting.ca.
11. Third-Party Links and Services
The Service may contain links to or integrations with third-party websites, applications, or services that we do not own or control. This Privacy Policy does not apply to those third parties. We encourage you to read their privacy policies before providing them with personal information.
12. Changes to this Privacy Policy
We may update this Privacy Policy from time to time. The “Last updated” date at the top reflects the most recent revision. If we make material changes, we will notify you by email or through the Service before the changes take effect. Your continued use of the Service after the effective date constitutes your acknowledgement of the revised Privacy Policy.
13. Contact Us / Privacy Officer
If you have questions, concerns, requests, or complaints regarding this Privacy Policy or our handling of your personal information, please contact our Privacy Officer:
Privacy Officer
Black Sea Consulting Inc.
Province of Ontario, Canada
Email: info@blackseaconsulting.ca
We will respond to inquiries within a reasonable time and, where required, within the timeframes prescribed by applicable law.