Privacy Policy.
Last updated: 8 July 2026
Privacy Policy
This Privacy Policy explains how Savantiva collects, uses, discloses, and otherwise processes personal data when you use our websites, applications, and related services (together, the "Services"), and describes the rights and choices available to you. Please read it carefully.
Capitalised terms not defined in this Policy have the meaning given to them in our Terms of Service.
1. Who We Are
Savantiva is an AI-powered language-learning platform. The controller responsible for your personal data is:
Savantiva [Yazılım Ltd. Şti.] [Registered address], [City], Republic of Türkiye [Trade Registry No.: ____]
For the purposes of this Policy, "Savantiva", "we", "us", and "our" refer to that entity, which determines the purposes and means of processing your personal data (a "data controller" under the EU and UK General Data Protection Regulation ("GDPR") and a veri sorumlusu under the Turkish Law No. 6698 on the Protection of Personal Data ("KVKK")).
For all privacy inquiries and requests, contact privacy@savantiva.com. Details of our representatives and supervisory authorities are set out in Sections 15 and 17.
"Personal data" means any information relating to an identified or identifiable individual. This Policy applies to individuals who use the Services or otherwise interact with us.
2. Personal Data We Collect
We collect personal data in the following ways.
2.1 Data you provide to us
- Account data — when you register, we collect your email address, a display name, and a username. Authentication (including login credentials) is handled by our identity provider; we do not store your password.
- Profile data — a profile photo and other profile details you choose to add, your native and target languages, your self-reported proficiency levels, and free-text fields such as your learning motivation.
- Inputs and Content — the messages, prompts, and other content you submit to the Services, including your dialogue with the AI ("Inputs"). Inputs generate responses and other output ("Outputs", and together with Inputs, "Content"). If you include personal data in your Inputs, we will process it as part of your Content.
- Communications — if you contact us for support or otherwise, we collect your contact details and the contents of your correspondence.
- Billing information — a limited set of transaction details, such as your subscription tier and status. Your payment-card and payment-instrument details are collected and processed directly by our payment providers (see Section 7) and are never transmitted to or stored on our servers.
2.2 Data we generate or infer about you
- Learning data — your vocabulary library, review and spaced-repetition scheduling data, progress metrics, error and correction records derived from your Inputs, and related learning statistics.
- Inferred information ("Memory") — to personalise the Service, we use automated processing to infer and retain certain durable information about you — such as your interests, goals, profession, or learning context — from the content of your interactions. You may also add such information yourself. You can review, correct, pin, or delete individual items at any time in your settings, and you can disable automated inference entirely, which stops further inference and deletes previously inferred items (items you added or pinned yourself are retained). We do not intentionally infer or store special categories of data (see Section 5), and we take steps to exclude such data from the Memory we generate. See Sections 6 and 11.
- Usage data — information about how you interact with the Services, such as features used, actions taken, and session metadata (timestamps and duration).
2.3 Data collected automatically
- Device and technical data — device type, operating system, and application version, and, on our websites and applications, similar technical information necessary to deliver and secure the Services.
- IP address — we process your IP address for security purposes, such as rate-limiting and abuse prevention, and retain it only as long as necessary for those purposes. We do not use it to profile you.
- Analytics and similar technologies — where you consent, we collect product-analytics and session-replay data as described in Section 12. This may include marketing-attribution parameters (such as campaign and click identifiers) present in the address you used to reach us.
- Push notification tokens — if you grant notification permission on a mobile device, we store a device token to deliver the notifications you have enabled.
2.4 Public and social information
Certain features are social. Your profile is private by default, and you control its visibility with a setting in Settings that makes your whole profile either private or public. On a private profile, other signed-in users who do not follow you see only an identity card — your display name, username, profile photo — together with your follower and following counts; anyone wishing to follow you must send a request that you approve or decline. On a public profile, your username, display name, profile photo, native language, and related profile information are visible and searchable, as are your followers and the accounts you follow, and others may follow you without approval. Where you have shared access — because your profile is public, or because you approved someone's follow request — that follower can see your individual aggregate learning statistics (such as words produced and mastered, and struggle-category counts) through the community "Following" view. The community-wide "Everyone" view is different: the insights shown there are drawn only from aggregated, de-identified data governed by a minimum-group-size (k-anonymity) threshold, so they do not identify you individually. Please consider this before including personal information in fields that others can see.
2.5 Data we do not collect
We do not collect voice recordings or other biometric data. Audio in the Services is machine-generated (text-to-speech) and is played to you; it is not recorded from you. We do not collect precise geolocation, and we do not use advertising identifiers or cross-site tracking.
3. How We Use Personal Data
We use personal data to:
- provide, maintain, personalise, and improve the Services, including generating AI responses, maintaining your learning progress, and tailoring content to your level;
- create and administer your account and authenticate you;
- process transactions and manage subscriptions;
- communicate with you, including sending transactional, security, and service messages and, where permitted, product updates;
- ensure the security, integrity, and reliability of the Services, and prevent, detect, and address fraud, abuse, and violations of our terms;
- develop new features and improve the Services;
- comply with our legal obligations and establish, exercise, or defend legal claims.
Transactional and security communications are part of the Services and cannot be disabled. You can manage non-essential communications in your settings.
4. Legal Bases for Processing
Where the GDPR or KVKK applies, we rely on the following legal bases. Where a listed basis is unavailable under the law that applies to you, we rely on another lawful basis, including your consent.
| Purpose | Legal Basis |
|---|---|
| Providing the Services (account, conversations, learning features) | Performance of a contract |
| Processing payments and managing subscriptions | Performance of a contract |
| Security, fraud prevention, and technical reliability | Legitimate interests; legal obligation |
| Personalising the Service, including vocabulary selection, difficulty adaptation, and inferred Memory | Legitimate interests |
| Server-side measurement of conversions and monitoring of errors and reliability | Legitimate interests |
| Product analytics and session replay on our websites and applications | Consent |
| Complying with legal obligations (e.g., accounting and tax) | Legal obligation |
Where we rely on legitimate interests, we have assessed that those interests are not overridden by your rights and freedoms. You may object to processing based on legitimate interests as described in Section 11.
5. AI Features
To provide the Services, your Inputs are processed by AI model providers that generate responses, corrections, and synthesised audio (see Section 7). These providers act on our behalf and are contractually restricted from using your Content to train their own models, except as necessary to provide the service to us.
We do not use your Content to train or develop our own AI models. This applies whether you use a free or paid plan. Your Content is processed only to deliver and support the Services themselves.
Because your Inputs are sent to these providers to generate responses, we recommend that you do not enter sensitive personal information — such as data revealing your health, religious or political beliefs, sexual orientation, or racial or ethnic origin — or other confidential information into your conversations. We do not intentionally infer or store such data (see Sections 2.2 and 11), and the Memory we generate is designed to exclude it, but the Services do not restrict what you choose to type.
6. Automated Processing and Personalisation
We use automated processing to deliver core features of the Services, including selecting vocabulary for review, adapting the complexity and topic of conversations to your proficiency, generating your learning statistics, and inferring the Memory described in Section 2.2. These activities constitute profiling under Article 4(4) GDPR but do not produce legal or similarly significant effects on you; they are routine to delivering a personalised learning experience, and our legal basis is legitimate interests.
We also run automated safety checks on conversation messages and AI replies, and may decline to answer or withdraw an individual message that violates our content guidelines. These checks run on our own infrastructure and affect only the individual message; our logs record the outcome of the check.
Where an automated process would produce a decision with a legal or similarly significant effect on you — for example, restricting or suspending your account for a suspected violation of our terms — you have the right to request human review before the decision becomes final by contacting privacy@savantiva.com.
We do not use your personal data for automated decisions relating to creditworthiness, employment, insurance, or any purpose unrelated to the Services.
7. Recipients and Disclosure of Personal Data
We disclose personal data only as described below, and only to recipients bound by appropriate confidentiality and data-protection obligations.
- Service providers and processors — we engage vendors to process personal data on our behalf and on our instructions, in the following categories: cloud hosting, storage, and infrastructure; AI model and text-to-speech providers; authentication and push-notification providers; and product-analytics and error-monitoring providers. A current list of our principal service providers is available on request.
- Payment providers — for purchases made through our website, Paddle — the Paddle entity applicable to your location under Paddle's Buyer Terms — acts as the merchant of record and reseller and processes your payment. For purchases made through mobile app stores, Apple Inc. and Google LLC process your payment under their own terms. These providers handle your payment-instrument details directly.
- Other users — the public and social information described in Section 2.4 is disclosed to other users through the ordinary operation of the Services.
- Legal, safety, and compliance — we may disclose personal data to law-enforcement agencies, regulators, courts, or other authorities where we believe in good faith it is necessary to comply with applicable law or legal process, enforce our terms, prevent fraud or harm, or protect the rights, property, or safety of Savantiva, our users, or others.
- Business transfers — if we are involved in a merger, acquisition, financing, reorganisation, or sale of assets, personal data may be disclosed or transferred as part of that transaction, subject to this Policy.
- Aggregated or de-identified data — we may create and use aggregated or de-identified data, which does not identify you and is not subject to this Policy, for any lawful business purpose.
We do not sell your personal data, and we do not share it for cross-context behavioural advertising.
8. International Data Transfers
Savantiva is established in the Republic of Türkiye. Türkiye is located outside the European Economic Area ("EEA") and is not, at the date of this Policy, the subject of a European Commission adequacy decision. Our service providers may also process personal data in the United States and other countries.
Where we transfer the personal data of users in the EEA, the United Kingdom, or Switzerland to Savantiva in Türkiye, or to service providers in a country that does not benefit from an adequacy decision, we implement appropriate safeguards, including the Standard Contractual Clauses approved by the European Commission (and, for UK data, the UK International Data Transfer Addendum), together with supplementary measures where required. Onward transfers made under Turkish law rely on the transfer mechanisms provided by Article 9 of the KVKK, including the KVKK standard contract or other appropriate safeguards.
You may request a copy of the relevant safeguards by contacting privacy@savantiva.com.
9. Data Retention
We retain personal data for as long as is necessary to fulfil the purposes described in this Policy, and thereafter for the period required to comply with our legal obligations, resolve disputes, and enforce our agreements. When personal data is no longer required, we delete or de-identify it.
| Category | Retention |
|---|---|
| Account, profile, learning, and conversation data | For the duration of your account; after you delete it, deleted or de-identified within 90 days, except records we must retain (see below) |
| Inferred information (Memory) | Until you delete it or disable automated inference; AI-inferred items are also refreshed periodically |
| Financial and transaction records | For the periods required by Turkish law — up to 10 years for commercial records (Turkish Commercial Code No. 6102) and 5 years for tax records (Tax Procedure Law No. 213) |
| Communications | Duration of our relationship plus a reasonable period thereafter |
A short grace period may precede erasure. Where we are required or permitted to retain specific records — for example, financial and transaction records (for the periods in the table above), or data needed for security, dispute resolution, or legal compliance — we retain only those records, and for no longer than necessary.
10. Security
We implement appropriate technical and organisational measures designed to protect personal data against unauthorised access, disclosure, alteration, or destruction, including encryption of data in transit and at rest, access controls, and regular security reviews. No method of transmission or storage is completely secure, and we cannot guarantee absolute security. If you believe your account has been compromised, contact us immediately at privacy@savantiva.com.
Where required, we will notify the competent supervisory authority of a personal data breach without undue delay and, where the breach is likely to result in a high risk to your rights and freedoms, we will notify you, unless an applicable exemption applies.
11. Your Rights and Choices
Subject to the law that applies to you, you may have the following rights in relation to your personal data:
- Access — obtain confirmation of whether we process your personal data and a copy of it;
- Rectification — request correction of inaccurate or incomplete data;
- Erasure — request deletion of your personal data;
- Portability — receive certain data in a structured, machine-readable format;
- Restriction — request that we restrict processing in certain circumstances;
- Objection — object to processing based on legitimate interests, including profiling;
- Withdraw consent — withdraw consent at any time where processing is based on consent, without affecting the lawfulness of prior processing.
Under the KVKK (Article 11), residents of Türkiye additionally have the right to learn whether their data is processed, request information about the processing, learn its purpose and whether it is used accordingly, know the third parties to whom data is transferred, request correction or deletion and notification of such action to third parties, object to results arising exclusively from automated analysis, and claim compensation for damage arising from unlawful processing.
To exercise your rights, contact privacy@savantiva.com. We will respond within the period required by applicable law. We may need to verify your identity before acting on your request, and certain rights are subject to legal exceptions and limitations. You may also lodge a complaint with your competent supervisory authority (see Section 17).
12. Cookies and Analytics
Essential storage. We use strictly necessary cookies and device storage to authenticate you and maintain your session, and to record your analytics choice. These are necessary for the Services to function and are not subject to consent.
Product analytics and session replay. On our websites and applications, we use an EU-hosted product-analytics provider to understand how the Services are used, including, where enabled, session replays in which all on-screen text and inputs — including payment and credential fields — are masked and never captured. Analytics is off until you consent (a banner on the web, a setting in our applications), you may withdraw consent at any time, and declining does not reduce functionality.
Error monitoring and server-side measurement. Separately, under our legitimate interests, we monitor errors and stability (on the web, via an EU-hosted error-monitoring provider that scrubs identifying fields such as email, IP address, and username; on Android, via a crash-reporting provider keyed to your account identifier that collects device, operating-system, and diagnostic data such as stack traces), and we measure conversions on our servers. These events are pseudonymous — keyed to an internal account identifier, with no payment details or message content — and do not rely on advertising cookies. You may object by contacting privacy@savantiva.com.
We do not use cookies or similar technologies for advertising or cross-site behavioural tracking, and no advertising or marketing trackers are present in the Services. Because we do not track your activity across other websites, the Services do not respond to browser "Do Not Track" signals.
13. Children
The Services are intended solely for adults and are not directed to children. You must be at least 18 years old to use the Services, and we do not knowingly collect personal data from anyone under 18. If we become aware that we have collected personal data from a person under 18, we will take steps to delete it and close the account. If you believe someone under 18 has provided us with personal data, contact privacy@savantiva.com.
14. Regional Disclosures
14.1 European Economic Area, United Kingdom, and Switzerland
Sections 4, 8, 11, and 17 describe the legal bases, transfer safeguards, rights, and complaint mechanisms that apply to you, including your right to withdraw consent at any time.
14.2 Türkiye (KVKK)
We process personal data in accordance with the KVKK. Your rights under Article 11 of the KVKK are described in Section 11, and cross-border transfers are addressed in Section 8. You may lodge a complaint with the Personal Data Protection Authority (Kişisel Verileri Koruma Kurumu), kvkk.gov.tr.
14.3 California
If you are a California resident, you have the right to know the categories and specific pieces of personal information we collect, use, and disclose; the right to request deletion and correction of your personal information; and the right not to be discriminated against for exercising your rights. We do not "sell" or "share" your personal information for cross-context behavioural advertising, as those terms are defined under California law, and we do not use sensitive personal information beyond what is necessary to provide the Services. To exercise your rights, contact privacy@savantiva.com. We will respond as required by applicable law and may verify your identity before responding.
15. Our Representatives
Where and to the extent we are required to appoint a representative under Article 27 of the GDPR or Article 27 of the UK GDPR, we will do so and will publish that representative's name and contact details in this Section. Until then, you may direct any matter relating to the processing of your personal data to privacy@savantiva.com.
16. Changes to This Policy
We may update this Privacy Policy from time to time. For material changes, we will provide notice as required by applicable law, and where a change affects processing based on consent, we will seek fresh consent before the new processing begins. The "Last updated" date at the top of this page reflects the most recent revision.
17. Contact and Complaints
Privacy inquiries and data-subject requests: privacy@savantiva.com
We encourage you to contact us first so that we can address your concerns directly. You also have the right to lodge a complaint with a supervisory authority:
- In Türkiye, the Personal Data Protection Authority (Kişisel Verileri Koruma Kurumu): kvkk.gov.tr
- In the EEA, your local data protection authority
- In the United Kingdom, the Information Commissioner's Office (ICO): ico.org.uk