Privacy Policy

Last updated: November 1, 2025

This is the privacy policy for SayLocal Inc. ("we", "us"). It explains what we collect, what we do with it, and how to make us stop. Plain English, no lawyer fog.

1. What we collect

Account data. Your email address, the day you created an account, and whether you signed in via email magic-link, 6-digit code, or an OAuth provider (Apple, Google). We do not store passwords.

Trip profile. Destination, target language, dialect, dates, purpose, current level — whatever you tell us during onboarding so we can build your plan.

Practice data. Every roleplay turn (your message + the AI reply), every flashcard review, every comprehension answer, every voice transcript. We use this to compute your "Trained on You" model and to schedule reviews.

Audio clips. When you use voice features, we send your audio to OpenAI's Whisper for transcription. We do NOT store the raw audio after transcription — only the resulting text and a pronunciation score.

Usage events. Each AI call we make on your behalf logs token counts + estimated cost. This is what powers your budget meter on /account.

Payment data. Stripe handles all card data — we never see it. We do see your subscription status, plan price ID, billing cycle dates, and Stripe customer ID.

Operational telemetry. Request IDs, error stack traces (PII-scrubbed), IP-derived hashes (SHA-256, not raw IPs) in our audit log for forensic purposes.

2. What we don't do

• We don't sell your data. Not to data brokers, not to advertisers, not to anyone.
• We don't train third-party AI models on your private transcripts.
• We don't run ads inside the product.
• We don't read your roleplay conversations. The AI generates the reply; humans aren't in the loop.

3. Third-party subprocessors

We process your data through these services. Each has its own privacy policy:

• · Anthropic — AI roleplay + tutoring (Claude API)
• · OpenAI — voice transcription (Whisper) + text-to-speech
• · Stripe — payments + billing
• · Resend — transactional email (magic links, lifecycle)
• · Railway / Netlify — hosting
• · Sentry — error monitoring (PII-scrubbed payloads)

Anthropic + OpenAI commit (under their data-processing terms) to NOT train their models on API requests we send them. We treat your transcripts as confidential at the contract level.

4. Your rights

Whether or not you're in the EU, UK, or California, you have all of these:

• Access. Hit "Download a copy" on your /account page. You'll get a JSON dump of everything we have on you.
• Erasure. Hit "Delete account" on /account, type DELETE, and we cascade-delete every row. Stripe subscription is canceled. No retention beyond legally-required tax records (~7 years for invoices in some jurisdictions).
• Portability. The export above is machine-readable JSON.
• Correction. Email privacy@saylocal.app with what's wrong.
• Objection / restriction. Same email. We respond within 30 days as required by GDPR / CCPA.

5. Cookies

We use a minimal set of cookies + localStorage entries: your session token (so you stay signed in), a visitor ID (so A/B tests are sticky), and optionally a referral / affiliate code if you arrived via someone else's link. We do not use third-party tracking cookies. Analytics, if enabled, run via Plausible — privacy-preserving, no individual tracking, no cookies.

6. Children

SayLocal is not intended for users under 13. If you discover that a child under 13 has created an account, email privacy@saylocal.app and we'll delete it.

7. International transfers

Our servers are in the US (Railway). If you use the product from the EU or UK, your data is transferred there under the standard contractual clauses our subprocessors are bound by.

8. Breach notification

If a breach affects your personal data, we notify you within 72 hours of becoming aware, as required by GDPR Article 33.

9. Changes

We'll update this page when the practice changes. The "Last updated" timestamp at the top is the canonical change date. Material changes also go out via email.

10. Contact

Data Protection inquiries: privacy@saylocal.app
General support: hello@saylocal.app

EU users: under GDPR you have the right to lodge a complaint with your local supervisory authority.