Privacy Policy

Last Updated: April 22, 2026

This Privacy Policy explains how Collapsing Wave ("we", "us", or "our") collects, uses, stores, and protects your personal data when you use the Collapsing Wave mobile application and related services (the "Service"). This policy is provided in accordance with the General Data Protection Regulation (GDPR) and other applicable data protection laws.

1. Data Controller

Collapsing Wave is the data controller responsible for your personal data. For questions regarding data protection, please contact us through the feedback feature within the Service.

2. Data We Collect

2.1 Data You Provide

• Account information: email address and password (stored in hashed form)
• Language preferences: your native language selection
• Feedback: any messages you submit through the Service's feedback feature

2.2 Data Generated Through Use

• Learning progress: chapters viewed, completed, and downloaded; publication subscriptions
• Subscription status: your current licence tier (Basic or Premium)
• Content interactions: votes and opinions on publications and chapters
• Quiz results: answers and scores from language quizzes

2.3 Automatically Collected Data

• Crash reports: application crash data collected through Firebase Crashlytics, including device type, operating system version, and app state at the time of the crash
• Usage analytics (with consent): anonymous usage data collected through Firebase Analytics, including screens visited, features used, and general interaction patterns. This data is collected only with your explicit consent and does not include personally identifiable information.
• Advertising data: for Basic (free) tier users, Google AdMob collects device advertising identifiers, ad interaction data (impressions, clicks), and general device information to serve and measure advertisements. AdMob may use this data for personalised or non-personalised advertising depending on your consent preferences. Premium users are not shown advertisements.
• Device language: used to provide content in your preferred language

2.4 Data Stored On-Device Only

• Biometric authentication: if you enable biometric login (fingerprint or face recognition), your credentials are stored in your device's secure keystore. Biometric data never leaves your device and is not transmitted to our servers.
• Text-to-speech: the Service uses your device's built-in text-to-speech engine for word pronunciation. No audio data is sent to our servers for this feature.

3. How We Use Your Data

We use your personal data for the following purposes:

• Account management: to create and manage your account, authenticate your identity, and communicate with you (e.g. email verification, password reset)
• Service delivery: to provide language learning content, track your learning progress, and manage your subscriptions
• Payment processing: to manage your subscription status through in-app purchase platforms
• Advertising: to display advertisements to Basic tier users through Google AdMob
• Security: to protect against unauthorised access, fraud, and abuse (e.g. reCAPTCHA verification)
• Improvement: to identify and fix technical issues through crash reporting and, with your consent, to understand how users interact with the Service through anonymous usage analytics
• Communication: to send you service-related emails (account verification, password reset)

4. Legal Basis for Processing (GDPR)

We process your personal data on the following legal bases:

• Contract performance (Article 6(1)(b) GDPR): processing necessary to provide the Service you have requested, including account management, content delivery, and subscription management
• Consent (Article 6(1)(a) GDPR): where you have given explicit consent, such as agreeing to these terms during registration, consenting to usage analytics, or consenting to personalised advertising
• Legitimate interests (Article 6(1)(f) GDPR): for security measures, fraud prevention, and service improvement through crash analytics, where these interests are not overridden by your rights

5. Data Sharing and Third Parties

We share your data with the following categories of third-party service providers, who process data on our behalf:

• Microsoft Azure: cloud hosting, data storage, email delivery, and speech services. Data shared: account data, content, email address.
• Google Firebase (Crashlytics): crash reporting. Data shared: crash logs, device information.
• Google Firebase (Analytics): anonymous usage analytics (only when you have given consent). Data shared: screen views, feature usage, device type.
• Google AdMob: advertising for Basic tier users. Data shared: device advertising identifier, ad interaction data, general device information. AdMob's use of data is governed by Google's privacy policy.
• Google reCAPTCHA: bot protection during registration and login. Data shared: browser/device interaction data.
• RevenueCat: subscription management. Data shared: user ID, subscription status.
• Apple App Store / Google Play Store: payment processing. Payments are handled entirely by the respective store.

We do not sell your personal data to third parties.

6. International Data Transfers

Your data may be processed in countries outside your country of residence, including within the European Economic Area (EEA) and the United States. Where data is transferred outside the EEA, we ensure appropriate safeguards are in place, such as Standard Contractual Clauses (SCCs) approved by the European Commission, or adequacy decisions.

7. Data Retention

• Account data: retained for as long as your account is active. Upon account deletion, your personal data is deleted within 30 days.
• Crash reports: retained for up to 90 days for diagnostic purposes.
• Payment records: subscription status records are retained as required by applicable law.

8. Your Rights

Under the GDPR, you have the following rights regarding your personal data:

• Right of access: request a copy of the personal data we hold about you
• Right to rectification: request correction of inaccurate or incomplete data
• Right to erasure ("right to be forgotten"): request deletion of your personal data. You can delete your account at any time through the Service.
• Right to restriction: request that we limit the processing of your data
• Right to data portability: request your data in a structured, commonly used, machine-readable format
• Right to object: object to processing based on legitimate interests
• Right to withdraw consent: withdraw your consent at any time, without affecting the lawfulness of processing based on consent before its withdrawal

To exercise any of these rights, contact us through the feedback feature within the Service. We will respond to your request within 30 days.

You also have the right to lodge a complaint with your local data protection supervisory authority if you believe your data protection rights have been violated.

9. Children's Privacy

The Service is not intended for children under 16 years of age. We do not knowingly collect personal data from children under 16. If we become aware that we have collected data from a child under 16 without parental consent, we will take steps to delete that data.

10. Cookies and Similar Technologies

The Service uses HTTP-only cookies for authentication purposes (session management). These are strictly necessary cookies required for the Service to function and do not require separate consent. We do not use advertising or tracking cookies directly. However, Google AdMob may use advertising identifiers and similar technologies on the device to serve and measure ads for Basic tier users, subject to your consent preferences.

11. Data Security

We implement appropriate technical and organisational measures to protect your personal data, including:

• Password hashing
• Encrypted data transmission (HTTPS/TLS)
• HTTP-only authentication cookies
• Access controls and authentication
• Secure on-device credential storage for biometric login
• Regular security reviews

While we take reasonable precautions, no method of transmission over the internet or electronic storage is completely secure.

12. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of material changes through the Service or via email. The "Last Updated" date at the top indicates when this policy was last revised.

13. Contact

For questions about this Privacy Policy or to exercise your data protection rights, please contact us through the feedback feature within the Service.