SayLocal

Privacy Policy

Last updated: June 4, 2026

This is the privacy policy for SayLocal Inc. ("we", "us"). It explains what personal data we collect, what we do with it, who we share it with, and how to make us stop. Written in plain English; the legal precision is in the specifics below.

1. What we collect

Account data. Your email address, the date you created an account, and whether you signed in via email magic-link, six-digit code, a password, or an OAuth provider (Apple, Google). If you set a password, we store only a salted, hashed version — never the plaintext. For OAuth, we store the provider's subject ID and the email they release to us.

Trip profile. Destination, target language, dialect, dates, purpose, and current language level — whatever you tell us during onboarding so we can build your plan.

Practice data. Every roleplay turn (your message + the AI reply), every flashcard review with rating + duration, every comprehension answer, every voice transcript. We use this to personalize your practice and to schedule reviews with a spaced-repetition algorithm.

Audio clips. When you use voice features, your audio is sent to a third-party speech-to-text provider for transcription. We do not persist the raw audio after transcription — only the resulting text and a pronunciation score.

Usage events. Each AI call we make on your behalf logs token counts and estimated cost. This powers your budget meter on /account and our cost-cap enforcement.

Payment data. Stripe handles all card information — we never see it. We do store your Stripe customer ID, subscription status, plan price ID, billing cycle dates, and (in encrypted form) the email Stripe associates with your customer record.

Operational telemetry. Request IDs, HTTP method/path, response status, error stack traces (PII-scrubbed before they reach our error monitoring), and a hashed IP in audit logs for security forensics. We do not store raw IP addresses long-term.

Referral / affiliate code. If you arrive via someone else's link, we store the referrer's user ID or affiliate code to attribute rewards or revenue share. You can clear this from your account.

2. What we don't do

3. Legal bases for processing (EEA / UK)

4. Third-party subprocessors

We rely on a small set of vetted third-party providers to operate the Service. By category, these are:

Each subprocessor is bound by a Data Processing Agreement, and we review the list quarterly. For the current itemized list of named subprocessors with effective dates, email privacy@saylocal.app and we'll send it over.

5. Security practices

We implement defense in depth, including: encryption in transit and at rest, hardened httpOnly + Secure session cookies with signed session tokens, sanitation of user-supplied content before it reaches AI models, validation of AI outputs, per-user spend caps and rate limits, brute-force throttling on sign-in, verified payment webhooks, and scrubbing of sensitive fields from error reports.

No system is bulletproof. If we discover a breach affecting your personal data, we will notify you and the relevant supervisory authority within 72 hours of confirming the breach, per GDPR Article 33.

Report a vulnerability to security@saylocal.app. We respond within 48 hours and credit researchers in our changelog when requested.

6. Data retention

7. Your rights

Regardless of where you live, you have all of the rights below. Where local law (GDPR, UK GDPR, CCPA/CPRA, PIPEDA, LGPD, etc.) creates additional rights, they apply to you in full.

We don't charge fees for honoring these rights. We verify identity by sending a confirmation email to the address on file.

8. California residents (CCPA / CPRA)

Categories of personal information collected in the last 12 months (per CCPA § 1798.140):

Sources: directly from you (sign-up, practice), automatically generated when you use the Service (telemetry), or from Stripe (payment metadata).

Business purposes: running the Service, billing, abuse prevention, debugging, complying with law.

Sale / sharing for cross-context behavioral advertising: none. We do not sell personal information and we do not share it for cross-context behavioral advertising. You don't need to invoke a "Do Not Sell or Share" right because there's nothing to opt out of — but we honor the Global Privacy Control signal as a "do not sell or share" request anyway.

You have the right to access, delete, correct, and request portability of your personal information, and the right to non-discrimination for exercising those rights. Authorized agents may submit requests on your behalf with verifiable written authorization, sent to privacy@saylocal.app.

9. Cookies + local storage

We use a minimal set of first-party cookies + localStorage entries:

Analytics, if enabled, are cookieless with no individual tracking and IP anonymized at collection. No third-party tracking cookies are set by the Service.

10. Children

SayLocal is not directed at children under 13 (or 16 in the EEA/UK) and we don't knowingly collect their personal information. If you become aware that a child under 13 has created an account, please email privacy@saylocal.app and we'll delete the account and associated data promptly.

11. International transfers

Our primary servers are in the United States. If you use the Service from the EEA, UK, Switzerland, or another jurisdiction with cross-border transfer rules, your data is transferred under Standard Contractual Clauses (and the UK International Data Transfer Addendum or Swiss FDPIC equivalent where applicable), backed by our subprocessors' own SCCs.

12. Changes

We update this page when our practices change. The "Last updated" date at the top is the canonical change date. Material changes — adding a subprocessor with new data exposure, new categories of collection, reduced user rights — also go out via email at least 14 days before the change takes effect.

13. Contact

Data Protection: privacy@saylocal.app
Security: security@saylocal.app
General: hello@saylocal.app

EU/UK users: you have the right to lodge a complaint with your local supervisory authority (ICO in the UK, your data protection authority in each EEA member state).