Privacy Policy

Introduction

Eevi B.V. (also "we," "our," or "us") is a private company with limited liability incorporated in the Netherlands, providing an AI-powered language learning service. This Privacy Policy explains what personal data we collect, why we collect it, how we use it, who we share it with, and the rights you have over it.

Data controller: Eevi B.V., KvK 42037120, VAT (BTW) NL869417149B01, postal address Postbus 15659, 1001 ND Amsterdam, the Netherlands. Contact: privacy@eevi.ai.

If you are located in the EU or EEA, the General Data Protection Regulation (GDPR) governs our handling of your data. If you are located in the United Kingdom, the UK GDPR applies and our lead supervisory authority for UK matters is the UK Information Commissioner's Office (ICO).

Information We Collect

Information you give us

Account information: your email address, name, and password (when you sign up directly) or the equivalent information shared by Google or Apple if you sign in with them.
Profile and preferences: the languages you want to learn, your interface language, learning goals, and optional details you choose to share.
Voice input: the audio of your voice when you practise speaking. The audio is sent in real time to our AI providers (OpenAI and Google) to produce the AI tutor's response. We do not save your audio. Once OpenAI or Google has produced the response, the audio is discarded. We save the written transcript so you can review what you said and we can show your progress. See "Voice Data and AI Conversations" below.
Payment information: processed directly by Stripe; we receive a subscription record and last-four card digits, never your full card number.
Support and communications: messages you send us by email or in the app.

Information collected automatically

Learning data: lessons completed, vocabulary practised, time spent, errors made, progress against your goals.
Conversation transcripts: text transcripts of voice lessons (what you said and what the AI responded), generated automatically by our AI providers and stored by us so we can show your progress and personalise future lessons.
Device and log data: device type, operating system, app version, IP address, access times, crash and error reports.
Product usage: which features you use, when, and for how long.

Lawful Basis for Processing (GDPR)

Under GDPR Article 6, we process your personal data on the following legal grounds:

Performance of a contract (Art. 6(1)(b)): to provide the service you signed up for. This covers account creation, running your voice lessons in real time through our AI providers (including sending your microphone audio to them for inference and receiving the AI tutor's response), generating and storing transcripts, tracking your progress, and processing your subscription.
Legitimate interest (Art. 6(1)(f)): for (a) keeping the service secure, detecting fraud, and preventing abuse; and (b) improving product quality through aggregated and anonymised analytics. We have weighed these interests against your rights and consider them proportionate. You can object to any of this processing at any time by contacting privacy@eevi.ai.
Consent (Art. 6(1)(a)): for processing that requires your active opt-in. This covers marketing emails and any optional analytics that go beyond what is strictly necessary. You can withdraw consent at any time from your privacy settings in the app.
Legal obligation (Art. 6(1)(c)): to keep billing records for the period required by Dutch tax and accounting law, and to respond to lawful requests from authorities.

How We Use Your Information

We use your information to:

Provide and operate the eevi service.
Run your voice lessons in real time through our AI providers (OpenAI and Google).
Generate and store text transcripts so you can review what you said and so we can show your progress.
Personalise lessons, vocabulary, and difficulty to your level.
Process payments and manage your subscription.
Send service messages (account, billing, important updates) and, if you opt in, product news and learning tips.
Respond to your questions and provide support.
Keep the service safe, detect and prevent abuse, and improve quality.
Comply with our legal obligations.

Voice Data and AI Conversations

Eevi works by letting you talk with an AI tutor. To make this possible, your microphone audio is streamed in real time to one of our AI providers, currently OpenAI (Realtime API) or Google (Gemini Live), which produces the AI tutor's spoken response and a written transcript of the exchange.

What we do

We send your audio to OpenAI and Google in real time to generate the AI tutor's response and a written transcript. Both providers are listed below as sub-processors with links to their own privacy policies. Under their API terms applicable to business customers, they do not use your audio to train their general-purpose models. OpenAI may temporarily retain content for up to 30 days for abuse-monitoring purposes only; Google's terms apply to the Gemini Live processing path.
We do not save your audio. Once OpenAI or Google has produced the AI tutor's response, the audio is discarded. eevi does not keep a copy of the audio in its own storage.
We store the written transcripts of your sessions, so you can review your conversations, see your progress, and get personalised lessons next time.
We tell you before your first voice lesson. The first time you start a voice lesson, we explain that your audio will be sent to OpenAI and Google in real time and that we do not save it. You confirm you understand by starting the lesson.
You can delete transcripts and your account. You can delete any session transcript from your privacy settings in the app. Deleting your account removes your transcripts and other data within 30 days.

You can use parts of eevi without voice features, but this limits the core experience.

Sensitive content in conversations

Anything you say to the AI tutor is processed by our AI providers and transcribed into text that we store. People learning a language often mention topics that are special-category data under GDPR Art. 9, such as health, religion, sexuality, political views, or ethnic origin. We do not analyse your transcripts for these attributes and we do not use them to profile you. We ask you not to share information of this kind unless you want it included in your stored transcript. You can delete any session transcript at any time from your privacy settings in the app. Staff access to transcripts is limited to narrow debugging on a need-to-know basis and is logged.

AI Disclosure

Your conversation partner in eevi is an AI, not a human. The AI is built on third-party large language models (currently OpenAI and Google), tuned by us for language learning. The AI can make mistakes, including in pronunciation and grammar, and should not be used as the sole authority for any language. This disclosure is provided in line with Article 50 of the EU AI Act.

Sub-processors

We rely on the following sub-processors to operate the service. Each is bound by a Data Processing Agreement and, where data leaves the EU/EEA, by either the EU-US Data Privacy Framework (DPF) certification or the European Commission's Standard Contractual Clauses (SCCs), or both.

Provider	Purpose	Data categories	Transfer basis
OpenAI	AI voice tutor (Realtime API) and text generation. Real-time transit only — eevi does not store audio.	Real-time audio (in transit), conversation text, account identifier.	SCCs (US).
Google (Gemini Live)	Alternative AI voice tutor used in some sessions. Real-time transit only — eevi does not store audio.	Real-time audio (in transit), conversation text.	DPF + SCCs (US/EU).
Google Cloud / Vertex AI	Backend hosting and AI orchestration (europe-west4).	Service logs, AI inference requests (no direct user identifiers).	EU region; DPF + SCCs.
Anthropic	Lesson and content generation (no live user data).	Content prompts only; no personal data sent.	SCCs (US).
Supabase	Database, authentication, and transcript storage.	Account, profile, progress, and transcript data.	EU region (Frankfurt); SCCs.
Stripe	Payment processing.	Billing data, last-four card digits, subscription state.	DPF + SCCs (US/EU).
Sentry	Crash and error reporting.	Stack traces, device info, scrubbed account identifier.	DPF + SCCs (US).
Loops	Lifecycle and marketing emails (only if you opt in).	Email, name, lifecycle events.	DPF + SCCs (US).
Vercel	Web hosting, performance and usage analytics.	Aggregated page views, performance metrics, IP (truncated).	DPF + SCCs (US/EU).
Google Tag Manager	Marketing-site analytics container (eevi.ai only).	Aggregated browsing data on the marketing site.	DPF + SCCs (US).

We may add or change sub-processors as the service evolves. When we add a new sub-processor that handles personal data, we update this list and the "Last updated" date at the top of this page. Significant additions will also be communicated by email or in-app notice.

International Data Transfers

Our core data is held in the EU (Supabase Frankfurt and Google Cloud europe-west4). Some of our sub-processors are based outside the EU/EEA, primarily in the United States. Where personal data is transferred outside the EU/EEA, we rely on one or both of the following legal mechanisms:

EU-US Data Privacy Framework (DPF): for sub-processors that are self-certified to the DPF and its UK and Swiss extensions.
Standard Contractual Clauses (SCCs): the 2021 EU Commission SCCs are included in our agreements with sub-processors, together with supplementary technical and organisational measures where appropriate.

You can ask us for a copy of the transfer mechanism applicable to a specific provider by writing to privacy@eevi.ai.

Data Storage and Security

We use appropriate technical and organisational measures to protect your data:

All data in transit is encrypted with TLS.
Data at rest is encrypted using industry-standard AES-256 by our infrastructure providers.
Access to personal data is restricted to a small number of authorised team members, audited, and granted on a need-to-know basis.
Production systems are separated from development; secrets are stored in managed secret stores.
We review our security posture regularly and respond to incidents within the 72-hour notification window required by GDPR Art. 33.

Data Retention

We keep your data only for as long as we need it. Specific retention periods:

Account, profile, progress, and vocabulary: for as long as your account is active. When you delete your account, this data is permanently deleted within 30 days.
Conversation transcripts: kept while your account is active. Transcripts older than 24 months that you have not opened or referenced are anonymised (account identifier removed) so they can no longer be linked to you, while we keep aggregate quality metrics. When you delete your account, all transcripts that are still linked to you are deleted within 30 days.
Voice audio in transit: streamed to OpenAI or Google during the session; not retained by eevi at all; not retained by the AI providers beyond their own short abuse-monitoring window (see "Voice Data and AI Conversations" above).
Billing and subscription records: retained for 7 years to comply with Dutch tax and accounting law (after that period, they are deleted or fully anonymised).
Server and application logs: up to 90 days.
Crash and error reports (Sentry): up to 90 days.
Support correspondence: up to 24 months after the last contact, unless retention is required to comply with legal obligations.
Marketing consent state: while you remain opted in; if you withdraw, we keep the proof of withdrawal for audit purposes.

After these periods, we either delete the data or anonymise it irreversibly so it can no longer be linked to you.

Backups

Our database provider keeps short-term encrypted backups of our database for disaster-recovery purposes. When you delete your data, the live records are removed immediately, but a copy may remain in backups until they rotate (typically within 28 days). We do not restore deleted personal data from backups except where required for legal or audit reasons.

Account deletion cascade

When you delete your account, we propagate the deletion across our sub-processors. Practical timing: transcripts and other account data in our storage are removed within 30 days; Stripe retains billing records for the period required by Dutch tax law; OpenAI may keep audio that passed through their abuse-monitoring window for up to 30 days from when it was processed; Sentry purges associated diagnostic data within its retention window; Loops removes you from marketing lists. We do not restore any of this from backups.

How to Delete Your Account or Export Your Data

You can delete your eevi account at any time:

In the app: open your account settings and choose to delete your account.
By email: write to privacy@eevi.ai.

You can also request a copy of your personal data in a portable format (JSON) by writing to the same address. We respond within 30 days.

What happens when you delete your account:

Your personal information is permanently deleted within 30 days.
Your learning progress, transcripts, and vocabulary are removed.
Billing and subscription records are retained only as required for tax, accounting, fraud-prevention, and dispute purposes.
Account deletion is separate from subscription cancellation. If you bought a subscription through Apple's App Store, cancel it through your Apple ID or App Store Subscriptions. If you bought through Google Play, cancel it through Google Play subscriptions. If you bought on the web through Stripe, manage it through your eevi subscription settings or the Stripe-backed customer portal.
You are signed out of all devices.
This action cannot be undone.

Your Rights

If GDPR applies to you, you have the following rights over your personal data:

Access (Art. 15): ask us what data we hold about you and receive a copy.
Rectification (Art. 16): ask us to correct inaccurate or incomplete data.
Erasure (Art. 17): ask us to delete your data, also known as the right to be forgotten.
Restriction (Art. 18): ask us to limit how we process your data while a question is being resolved.
Portability (Art. 20): receive your data in a structured, machine-readable format and ask us to transmit it to another controller where technically feasible.
Objection (Art. 21): object to processing based on legitimate interest, including marketing or profiling.
Withdraw consent (Art. 7): where we rely on your consent, withdraw it at any time. Withdrawing consent does not affect the lawfulness of processing before the withdrawal.
Lodge a complaint (Art. 77): file a complaint with a supervisory authority. Our lead authority is the Dutch Data Protection Authority (Autoriteit Persoonsgegevens, autoriteitpersoonsgegevens.nl). You can also complain to the supervisory authority in your country of residence.

To exercise any of these rights, write to privacy@eevi.ai. We respond within 30 days and will not charge you for the first request in a 12-month period.

Children's Privacy

Eevi is not intended for children under 16. We do not knowingly collect personal information from children under 16. If you are a parent or guardian and believe your child has provided us with personal information, please contact us at privacy@eevi.ai and we will delete the information.

Government and Lawful Access Requests

Some of our sub-processors are based in the United States and may be subject to legal-access requests by US authorities (including under FISA Section 702 and the CLOUD Act). We do not voluntarily disclose personal data to any government and we will challenge overbroad or unlawful requests where possible. If we are required to disclose your data, we will notify you unless the law forbids us. We aim to publish a transparency report once our scale and request volume make one meaningful.

Change of Control

If Eevi B.V. is acquired by, merged with, or transfers substantially all of its assets to another entity, or if Eevi B.V. is wound up, your personal data may be transferred to the successor entity. Any successor will be bound by terms no less protective than this Privacy Policy with respect to your personal data. We will notify you in advance of any such transfer where required by law, so that you can delete your account before the transfer if you wish.

Third Parties Mentioned in Your Lessons

Please do not include personal information about other people (such as full names, addresses, or contact details) in your voice lessons. If you do, you are the controller of that information; eevi processes it on your instructions only and you remain responsible for the lawfulness of including it. If a third party asks us to remove their personal data from a transcript, please contact privacy@eevi.ai and we will act on the request.

Eevi is not designed for use by or with children. Please do not invite children into your voice lessons. If a child's words end up in a transcript, please delete the transcript immediately from your privacy settings in the app and contact us to confirm.

Automated Decision-Making

We use automated systems to personalise your lessons (which words and topics to show you next), and to generate AI tutor responses. These decisions do not have legal or similarly significant effects on you within the meaning of GDPR Art. 22, but if you have questions about how a decision was made, you can write to us at privacy@eevi.ai and we will explain.

Changes to This Privacy Policy

We may update this Privacy Policy as the service evolves or the law changes. When we do, we update the "Last updated" date at the top of this page. For significant changes (such as adding a new category of processing or a new sub-processor handling personal data), we will also notify you by email or in-app.

Your continued use of the service after a change means you accept the updated Privacy Policy. If you do not accept it, you can delete your account.

Contact Us

For privacy questions, requests, or complaints:

Privacy inquiries: privacy@eevi.ai
General support: info@eevi.ai
Postal address: Eevi B.V., Postbus 15659, 1001 ND Amsterdam, the Netherlands.
KvK: 42037120

This Privacy Policy is effective as of May 21, 2026 and remains in effect until updated.