
Privacy Policy
Last updated: June 4, 2026
This is the privacy policy for SayLocal Inc. ("we", "us"). It explains what personal data we collect, what we do with it, who we share it with, and how to make us stop. Written in plain English; the legal precision is in the specifics below.
1. What we collect
Account data. Your email address, the date you created an account, and whether you signed in via email magic-link, six-digit code, a password, or an OAuth provider (Apple, Google). If you set a password, we store only a salted, hashed version — never the plaintext. For OAuth, we store the provider's subject ID and the email they release to us.
Trip profile. Destination, target language, dialect, dates, purpose, and current language level — whatever you tell us during onboarding so we can build your plan.
Practice data. Every roleplay turn (your message + the AI reply), every flashcard review with rating + duration, every comprehension answer, every voice transcript. We use this to personalize your practice and to schedule reviews with a spaced-repetition algorithm.
Audio clips. When you use voice features, your audio is sent to a third-party speech-to-text provider for transcription. We do not persist the raw audio after transcription — only the resulting text and a pronunciation score.
Usage events. Each AI call we make on your behalf logs token counts and estimated cost. This powers your budget meter on /account and our cost-cap enforcement.
Payment data. Stripe handles all card information — we never see it. We do store your Stripe customer ID, subscription status, plan price ID, billing cycle dates, and (in encrypted form) the email Stripe associates with your customer record.
Operational telemetry. Request IDs, HTTP method/path, response status, error stack traces (PII-scrubbed before they reach our error monitoring), and a hashed IP in audit logs for security forensics. We do not store raw IP addresses long-term.
Referral / affiliate code. If you arrive via someone else's link, we store the referrer's user ID or affiliate code to attribute rewards or revenue share. You can clear this from your account.
2. What we don't do
- We don't sell or share your personal information for cross-context behavioral advertising (as those terms are defined under CCPA / CPRA). This has never happened and it isn't on our roadmap.
- We don't train third-party AI models on your private transcripts. Our AI subprocessors commit to the same under their API terms.
- We don't run ads inside the product.
- We don't read your roleplay conversations. The AI generates the reply; humans aren't in the loop except when you explicitly contact support and share the conversation.
- We don't use third-party tracking cookies. No Meta pixel, no GA, no Hotjar, no Intercom.
3. Legal bases for processing (EEA / UK)
- Contract — running the Service you signed up for (account, practice, billing).
- Legitimate interests — security telemetry, abuse prevention, product analytics in aggregate form.
- Consent — optional marketing emails; you can withdraw anytime via the unsubscribe link.
- Legal obligation — tax records (~7 years for invoices in some jurisdictions) and lawful requests we are required to honor.
4. Third-party subprocessors
We rely on a small set of vetted third-party providers to operate the Service. By category, these are:
- · AI model providers — power roleplay and tutoring. Bound by their commercial terms; they do not train their models on our API inputs.
- · Speech-processing provider — voice transcription and text-to-speech. Bound by a data-processing addendum; no training on inputs.
- · Payments processor — card payments and billing.
- · Transactional email provider — sign-in links, lifecycle, and receipts.
- · Cloud hosting + database infrastructure — runs the app and stores your data.
- · Error monitoring — receives crash reports with personal data scrubbed.
- · Privacy-preserving analytics — aggregate, cookieless, no personal data.
Each subprocessor is bound by a Data Processing Agreement, and we review the list quarterly. For the current itemized list of named subprocessors with effective dates, email privacy@saylocal.app and we'll send it over.
5. Security practices
We implement defense in depth, including: encryption in transit and at rest, hardened httpOnly + Secure session cookies with signed session tokens, sanitation of user-supplied content before it reaches AI models, validation of AI outputs, per-user spend caps and rate limits, brute-force throttling on sign-in, verified payment webhooks, and scrubbing of sensitive fields from error reports.
No system is bulletproof. If we discover a breach affecting your personal data, we will notify you and the relevant supervisory authority within 72 hours of confirming the breach, per GDPR Article 33.
Report a vulnerability to security@saylocal.app. We respond within 48 hours and credit researchers in our changelog when requested.
6. Data retention
- Account + profile — kept while your account is active; deleted within 30 days of account deletion request, except where retention is legally required.
- Roleplay turns + practice data — kept while your account is active. Deleted on request or on account closure.
- Voice audio — not stored at all. Transcripts retained as practice data above.
- Usage events (cost meter) — kept for 13 months for billing, forecasting, and abuse-pattern review, then aggregated.
- Audit logs — kept for 12 months for security forensics, then deleted.
- Stripe records + invoices — kept for up to 7 years as required by tax law.
- Email logs (delivery metadata) — kept for 90 days for deliverability troubleshooting.
7. Your rights
Regardless of where you live, you have all of the rights below. Where local law (GDPR, UK GDPR, CCPA/CPRA, PIPEDA, LGPD, etc.) creates additional rights, they apply to you in full.
- Access. "Download a copy" on /account returns a JSON dump of every row we hold about you.
- Erasure. "Delete account" on /account, type DELETE, and we cascade-delete every row tied to your user ID. Stripe subscription is canceled. Retention beyond deletion is limited to the periods in Section 6.
- Portability. The export above is machine-readable JSON.
- Correction. Email privacy@saylocal.app with the field to update.
- Objection / restriction. Same email. We respond within 30 days as required by GDPR Article 12.
- Withdrawal of consent. For anything we rely on consent for (marketing email), you can withdraw at any time.
- Right not to be subject to automated decision-making. We don't make legal or significant decisions about you using only automated processing. AI is used to generate practice content, not to deny service.
We don't charge fees for honoring these rights. We verify identity by sending a confirmation email to the address on file.
8. California residents (CCPA / CPRA)
Categories of personal information collected in the last 12 months (per CCPA § 1798.140):
- Identifiers — email, user ID, hashed IP.
- Customer records — Stripe customer ID, subscription status.
- Commercial information — purchases + refunds.
- Internet activity — pages visited (aggregate, cookieless), error reports.
- Audio / electronic information — voice clips (transient, not retained) and roleplay transcripts.
- Inferences — your personal lexicon model + readiness scores derived from your practice.
Sources: directly from you (sign-up, practice), automatically generated when you use the Service (telemetry), or from Stripe (payment metadata).
Business purposes: running the Service, billing, abuse prevention, debugging, complying with law.
Sale / sharing for cross-context behavioral advertising: none. We do not sell personal information and we do not share it for cross-context behavioral advertising. You don't need to invoke a "Do Not Sell or Share" right because there's nothing to opt out of — but we honor the Global Privacy Control signal as a "do not sell or share" request anyway.
You have the right to access, delete, correct, and request portability of your personal information, and the right to non-discrimination for exercising those rights. Authorized agents may submit requests on your behalf with verifiable written authorization, sent to privacy@saylocal.app.
9. Cookies + local storage
We use a minimal set of first-party cookies + localStorage entries:
- A single session cookie — httpOnly, Secure, SameSite, signed, with a 30-day lifetime, never readable by JavaScript.
- A non-secret presence flag in localStorage so the client can render the right navigation without a round-trip.
- Referral / affiliate codes in localStorage if you arrived via someone's link — used once at signup and ignorable thereafter.
Analytics, if enabled, are cookieless with no individual tracking and IP anonymized at collection. No third-party tracking cookies are set by the Service.
10. Children
SayLocal is not directed at children under 13 (or 16 in the EEA/UK) and we don't knowingly collect their personal information. If you become aware that a child under 13 has created an account, please email privacy@saylocal.app and we'll delete the account and associated data promptly.
11. International transfers
Our primary servers are in the United States. If you use the Service from the EEA, UK, Switzerland, or another jurisdiction with cross-border transfer rules, your data is transferred under Standard Contractual Clauses (and the UK International Data Transfer Addendum or Swiss FDPIC equivalent where applicable), backed by our subprocessors' own SCCs.
12. Changes
We update this page when our practices change. The "Last updated" date at the top is the canonical change date. Material changes — adding a subprocessor with new data exposure, new categories of collection, reduced user rights — also go out via email at least 14 days before the change takes effect.
13. Contact
Data Protection: privacy@saylocal.app
Security: security@saylocal.app
General: hello@saylocal.app
EU/UK users: you have the right to lodge a complaint with your local supervisory authority (ICO in the UK, your data protection authority in each EEA member state).