Privacy Policy
Last updated: March 6, 2026
1. Data Controller
The data controller for personal data processed through Savantiva is:
Savantiva OÜ, Republic of Estonia
For all privacy-related inquiries and data subject requests, contact us at privacy@savantiva.com.
2. What We Collect
Account data — your email address, display name, and profile photo when you register.
Conversation data — messages you exchange with the AI, your target and source languages, and session metadata (timestamps, duration).
Learning data — your vocabulary library, review history, progress metrics, and language statistics.
Payment data — your billing address and subscription status. Credit card and payment instrument details are handled exclusively by Stripe, Inc. and are never transmitted to or stored on our servers.
Usage data — device type, operating system, app version, and feature interactions.
Push notification tokens — if you grant notification permission on iOS or Android, we store a device token to deliver practice reminders and account notifications. You can withdraw permission at any time in your device's notification settings, which will prevent further notifications without affecting your ability to use the service.
Communications — if you contact us directly, we retain the content of that correspondence.
Notifications we send — we use your email address to send transactional messages (payment receipts, password resets, account security alerts), learning-related notifications (practice reminders, progress summaries), and occasional product announcements. You can manage non-essential notifications in your account settings. Transactional and security messages cannot be disabled.
3. Lawful Basis for Processing
We process your personal data on the following lawful bases under GDPR Article 6:
| Purpose | Legal Basis |
|---|---|
| Providing the service (account, conversations, learning features) | Contract performance |
| Processing payments and managing subscriptions | Contract performance |
| Security, fraud prevention, technical reliability | Legitimate interest |
| Automated personalization (vocabulary selection, difficulty adaptation, forgetting-curve logic) | Legitimate interest |
| Using free-tier conversation data to train AI models | Legitimate interest |
| Sending marketing and promotional communications | Consent |
| Complying with legal obligations (e.g., tax records) | Legal obligation |
When we rely on legitimate interest, we have determined that our interests are not overridden by your rights. You have the right to object to processing based on legitimate interest (see Section 7).
4. AI Training and Your Conversations
If you use the free tier, your conversation data may be used to train and improve Savantiva's AI models. The lawful basis is legitimate interest: we have a genuine interest in improving our AI to deliver a better language learning experience, and this processing is proportionate to that interest.
Paid subscribers: your conversation data is never used for AI training.
Your right to object: you have the right to object to this processing at any time. You may exercise this right by upgrading to a paid subscription or by contacting privacy@savantiva.com. We will honour your objection going forward — data already incorporated into a trained model cannot be retroactively extracted or reversed.
For clarity, regardless of tier, conversation data is always processed to deliver the service itself (generating AI responses, updating your vocabulary). This section concerns only secondary use for AI training purposes.
5. Third-Party Processors
We share your data only with processors necessary to operate the service. All processors are bound by data processing agreements and may only process data on our instructions.
| Processor | Purpose | Data Shared | Location |
|---|---|---|---|
| Google LLC | Authentication, file storage, AI inference, hosting | Account data, conversation data, learning data, usage data | USA / EU |
| Google LLC (Google Play Store) | In-app purchase processing (Android) | Billing address, subscription status (payment instrument handled directly by Google) | USA |
| Apple Inc. (App Store) | In-app purchase processing (iOS) | Billing address, subscription status (payment instrument handled directly by Apple) | USA |
| Stripe, Inc. | Payment processing (web) | Billing address, subscription status (payment instrument handled directly by Stripe) | USA |
| Lambda Labs, Inc. (Lambda.ai) | AI model inference | Conversation data (messages and context window only) | USA |
Legal disclosures: We may also share your data with law enforcement agencies, regulatory bodies, or public authorities when required by law, court order, or to protect the rights and safety of Savantiva, our users, or the public.
Aggregated data: We may generate anonymized or aggregate data derived from personal data and use it for any lawful business purpose. Such data cannot identify you individually and is not subject to this Policy.
6. Data Retention
| Category | Retention Period |
|---|---|
| Account and conversation data | 30 days after account deletion, then permanently deleted |
| Financial and transaction records | 7 years (Estonian and EU accounting regulations) |
| Communications (support, legal) | Duration of relationship + 3 years |
| AI training data (free tier) | Cannot be removed from models once incorporated |
We may retain data for longer periods where required by law, to resolve disputes, or to enforce our agreements.
7. Your Rights Under GDPR
If you are located in the European Union or European Economic Area, you have the following rights:
- Access — request a copy of the personal data we hold about you
- Rectification — request correction of inaccurate or incomplete data
- Erasure — request deletion of your personal data ("right to be forgotten")
- Portability — receive your data in a structured, machine-readable format
- Restriction — request that we limit processing of your data in certain circumstances
- Objection — object to processing based on legitimate interest
- Withdraw consent — withdraw consent at any time where processing is based on consent, without affecting the lawfulness of prior processing
To exercise any of these rights, contact privacy@savantiva.com. We will acknowledge your request within 72 hours and respond within 30 days. We may ask you to verify your identity before processing your request.
You also have the right to lodge a complaint with the Estonian Data Protection Inspectorate (Andmekaitse Inspektsioon): www.aki.ee, or with the supervisory authority in your country of residence.
8. Automated Decision-Making
Service delivery profiling. We use automated processing to deliver core features of the service, including selecting vocabulary for spaced-repetition review, adapting conversation complexity and topic to your proficiency level, and generating your learning statistics. These processes constitute profiling under GDPR Article 4(4) but do not produce decisions with legal or similarly significant effects on you — they are routine to delivering a personalised learning experience. The lawful basis is legitimate interest (see Section 3).
Automated decisions with significant effects. Where automated processing produces a decision that significantly affects you — such as restricting or suspending your account for a potential Acceptable Use violation — you have the right under GDPR Article 22 to request human review of that decision before it becomes permanent. To exercise this right, contact privacy@savantiva.com. We will review the decision and respond within 14 days.
We do not use your personal data for automated decisions relating to creditworthiness, employment, insurance, or any purpose unrelated to the language learning service.
9. Rights for California Residents (CCPA/CPRA)
If you are a California resident, you have the following additional rights:
- Right to know — request disclosure of the categories and specific pieces of personal information we collect, use, and share
- Right to delete — request deletion of your personal information, subject to certain exceptions
- Right to correct — request correction of inaccurate personal information
- Right to opt out of sale or sharing — we do not sell your personal information to third parties, and we do not share it for cross-context behavioral advertising
- Right to limit use of sensitive personal information — we do not use sensitive personal information beyond what is necessary to provide the service
- Right to non-discrimination — we will not discriminate against you for exercising your CCPA rights
To exercise these rights, contact privacy@savantiva.com. We will respond within 45 days.
10. Minors
Savantiva is not intended for use by children under 13. We do not knowingly collect personal data from children under 13. If we discover that a user is under 13, we will promptly delete their account and associated data.
If you are located in the EU/EEA and are between 13 and 15 years old, we require verifiable parental or guardian consent before you may use the service. If you believe a minor is using Savantiva without appropriate consent, please contact privacy@savantiva.com.
11. Cookies
We use session cookies strictly to maintain your authenticated session. We do not use cookies for advertising, cross-site tracking, or profiling. No third-party advertising or marketing trackers are present on our platform.
Do Not Track: The service does not respond to browser "Do Not Track" signals. However, because we do not engage in cross-site behavioral tracking for advertising purposes, the practical effect is equivalent — your activity on Savantiva is not tracked across other websites.
12. Security
We implement appropriate technical and organizational security measures to protect your personal data against unauthorized access, disclosure, alteration, or destruction. These include encryption of data in transit and at rest, access controls, and regular security reviews.
No method of electronic transmission or storage is completely secure. While we work to protect your data, we cannot guarantee absolute security. If you believe your account has been compromised, contact us immediately at privacy@savantiva.com.
Data breach notification: In the event of a personal data breach, we will notify the Estonian Data Protection Inspectorate within 72 hours of becoming aware of it, as required by GDPR Article 33. Where a breach is likely to result in a high risk to your rights and freedoms, we will also notify you directly without undue delay, as required by GDPR Article 34, unless an exemption applies (for example, because the affected data was encrypted).
13. International Data Transfers
Where possible, we process your data within the EU/EEA. Transfers to processors located outside the EU/EEA — including Google LLC, Stripe, Inc., and Lambda Labs, Inc. (all USA-based) — are governed by Standard Contractual Clauses (SCCs) approved by the European Commission, which provide an adequate level of protection for your data under GDPR Article 46.
14. Business Transfers
If Savantiva OÜ is involved in a merger, acquisition, or sale of assets, your personal data may be transferred to the acquiring entity as part of that transaction. We will notify you by email before your data becomes subject to a materially different privacy policy, and where required, seek fresh consent.
15. Changes to This Policy
We may update this Privacy Policy from time to time. For material changes, we will notify you by email. Where a change affects processing based on consent, we will seek fresh consent before the new processing begins. The "Last updated" date at the top of this page reflects the most recent revision.
16. Contact and Complaints
Privacy inquiries and data subject requests: privacy@savantiva.com
We aim to respond to all requests within 30 days. We encourage you to contact us first with any concerns so we can address them directly.
Estonian Data Protection Inspectorate (Andmekaitse Inspektsioon): www.aki.ee
You have the right to lodge a complaint with any EU supervisory authority, including the authority in your country of residence.