How2Spanish Privacy Policy
Last Updated: August 2, 2025
Brief Information
- Data Controller: Artem Garnyshev, NIF: Z1094454G, Address: Av. de l'Orxata, 20, 46120 Alboraia, Valencia, Email: legal@how2espanol.com.
- Purposes of Processing: To provide you with personalized language learning services, manage your account, process payments, analyze and improve our Service, and send communications (with your consent).
- Legal Basis: Performance of a contract, your consent, and our legitimate interest in improving the product.
- Recipients of Data: We only transfer data to necessary service providers: payment systems (Stripe, PayPal), cloud hosting (AWS), analytics and error tracking services (Google Analytics, Sentry). We do not transfer your personal data and the content of your requests to our artificial intelligence provider (LLM).
- Your Rights: You have the right to access, rectify, erase, data portability, restrict processing, and object to it.
- Additional Information: For more detailed information, please read the full version of our Privacy Policy below.
Full Information
1. Data Controller
The Data Controller for your personal data is Artem Garnyshev, registered at Av. de l'Orxata, 20, 46120 Alboraia, Valencia, with tax identification number (NIF) Z1094454G. You can contact us regarding data protection matters by email: legal@how2espanol.com.
2. Our Commitment to Your Privacy: The RAG Architecture
We understand the importance of privacy in the age of artificial intelligence. Our platform uses advanced AI technologies to create unique exercises, but our architecture is designed with your right to privacy as the highest priority.
When you interact with our AI, your personal data and the content of your requests are never sent to external AI providers, such as OpenAI (ChatGPT). Instead, our system uses a secure internal process known as Retrieval-Augmented Generation (RAG). This process accesses our own expert-vetted knowledge base to generate learning materials. This ensures that your data always remains under our control, on our secure servers located within the European Union.
3. What Personal Data We Collect and for What Purposes
We adhere to the principle of data minimization and only collect the information necessary for the functioning and improvement of our Service. The table below provides a detailed description of our data processing activities.
Table 2: Register of Processing Activities
| Purpose of Processing | Categories of Data Collected | Legal Basis (Art. 6 GDPR) | Retention Period |
|---|---|---|---|
| Account management and authentication | Name, email address, password (encrypted). | Performance of a contract. | For the entire duration of the account and a subsequent period established by law for fulfilling legal obligations. |
| Providing personalized learning | Data on learning progress (words learned, exercise answers, mistakes made, chosen learning goals). | Performance of a contract. | For the entire duration of the account. |
| Processing payments and managing purchases | Transaction data (amount, date, credit package purchased). Payment details (e.g., card data) are processed directly by our payment partners (Stripe/PayPal) and are not stored by us. | Performance of a contract. | For the period established by tax and accounting legislation (usually 6 years). |
| Analytics and Service improvement | Anonymized usage data (interface interaction, sections visited), technical data (browser type, OS), error reports. | Legitimate interest (improving the quality and stability of our product). | Data is stored in an aggregated and anonymized form and is not deleted as it is not personal data. |
| Marketing communications | Email address. | Consent. | Until you withdraw your consent. |
| Technical support | Name, email address, content of your request. | Performance of a contract. | For the time necessary to resolve your issue. |
4. Who We Transfer Your Data To (Third Parties and Processors)
We do not sell your personal data. We only transfer it to trusted service providers (processors) who help us provide the Service and act on our behalf:
- Cloud Hosting: Our servers and databases are hosted on Amazon Web Services (AWS) in their data center within the EU (Spain).
- Payment Systems: We use Stripe and PayPal to process your purchases. They receive the transaction information necessary to complete the payment.
- Analytics and Error Tracking: We use Google Analytics to analyze user behavior and Sentry for automatic error tracking in the code. These services process anonymized or pseudonymized data.
- AI Providers: As stated in Section 2, we do not transfer your personal data to external LLM providers.
5. International Data Transfer
All your data is stored and processed on servers within the European Union. If we are required to use the services of providers located outside the European Economic Area (e.g., in the USA), we will ensure that such transfers are conducted in strict compliance with the GDPR, using approved legal mechanisms such as Standard Contractual Clauses or the EU-U.S. Data Privacy Framework.
6. Your Data Protection Rights
You have the following rights regarding your personal data:
- Right to Access: To request a copy of the data we hold about you.
- Right to Rectification: To demand the correction of inaccurate or incomplete data.
- Right to Erasure ("Right to be Forgotten"): To request the deletion of your data from our systems. You can do this directly through your account settings.
- Right to Data Portability: To receive your data in a machine-readable format.
- Right to Object: To object to the processing of your data based on our legitimate interest.
- Right to Restrict Processing: To request the temporary cessation of processing your data.
- Right to Withdraw Consent: If processing is based on your consent (e.g., for marketing), you can withdraw it at any time.
To exercise these rights, please contact us at legal@how2espanol.com or use the relevant functions in your account settings.
You also have the right to lodge a complaint with a supervisory authority, specifically the Spanish Data Protection Agency (AEPD), if you believe your rights have been violated. The AEPD website is: www.aepd.es.
7. Data Security
We take serious technical and organizational measures to protect your data from unauthorized access, alteration, disclosure, or destruction. These measures include encrypting data in transit (SSL/TLS) and at rest (AES-256), strict access control to databases, and regular training for our employees.
8. Cookies and Similar Technologies
Our website uses cookies to ensure its functionality, analyze traffic, and personalize content. For detailed information on the types of cookies we use and how you can manage them, please see our separate Cookie Policy.
9. Changes to this Policy
We may update this Privacy Policy from time to time. In the event of material changes, we will notify you by email or through a notice in the Service.