Privacy Policy

ChirPolly – AI-Powered Language Learning

Last Updated: April 28, 2026
Effective Date: April 28, 2026

This Privacy Policy explains how ChirPolly ("Company," "we," "us," or "our") collects, uses, stores, and protects your personal data when you use ChirPolly ("Service"). This policy is designed to comply with the General Data Protection Regulation (GDPR), the Digital Personal Data Protection Act, 2023 (DPDP Act), and other applicable data protection laws.

By using the Service, you consent to the practices described in this Policy.

1. Data Controller / Fiduciary Information

Role	Details
Controller / Data Fiduciary	ChirPolly
Registered Address	No 32, 5th Main, Jayamahal, Bengaluru 560046
Grievance / Data Protection Officer	info@chirpolly.com
General Support	info@chirpolly.com

For DPDP Act purposes, ChirPolly is the Data Fiduciary responsible for your personal data.

2. Data We Collect

We collect only data that is necessary to provide and improve the Service.

2.1 Data You Provide Directly

Account Information: Name, email address, and password (stored as a hashed credential via Firebase Authentication).
Profile Data: Chosen learning language(s), proficiency level, and learning goals.
Payment Information: Billing name and email (collected by Paddle; see Section 6). We do not store your card number, bank account, or other sensitive payment details on our servers.
Support Communications: Any information you share when contacting our support team.

2.2 Data Collected Automatically

Usage Data: Pages visited, features used, session duration, and interactions with the AI Tutor (anonymised and aggregated).
Device & Technical Data: Browser type, operating system, IP address, and device identifiers.
Performance Data: Crash reports and app performance metrics collected via Firebase Analytics and Firebase Crashlytics.

2.3 Data We Do NOT Collect

We do not collect biometric data, precise geolocation, or sensitive personal categories as defined under GDPR Article 9 / DPDP Act.
We do not knowingly collect personal data from children under 13 years of age. If you believe we have inadvertently collected such data, contact us immediately at info@chirpolly.com.

3. Firebase – Authentication & Analytics

ChirPolly uses Firebase, a platform provided by Google LLC, for core infrastructure:

3.1 Firebase Authentication

Firebase Authentication manages your login credentials. When you sign in (via email/password or Google Sign-In), Firebase securely stores your authentication tokens and user ID. Firebase's handling of this data is governed by the Google Privacy Policy.

We use Firebase Authentication solely for:

Verifying your identity on login.
Associating your progress and subscription status with your account.
Securing access to paid features.

3.2 Firebase Analytics

Firebase Analytics collects anonymised and aggregated usage statistics to help us understand how users interact with the Service. This includes:

Screen views and feature usage patterns.
Session length and frequency.
General geographic region (country-level only).

Firebase Analytics data is pseudonymised and does not directly identify you. You can opt out of Analytics data collection through your device settings.

3.3 Firebase Crashlytics

Crash logs are collected to identify and fix technical issues. These reports may include device type, OS version, and app state at the time of a crash, but are not linked to your name or email address.

4. AI Data Usage

4.1 How We Use AI Session Data

Interaction data from the AI Tutor (e.g., the types of exercises completed, response patterns, and error rates) is collected in anonymised and aggregated form and may be used to:

Monitor AI Tutor performance and accuracy.
Improve the quality of AI-generated responses.
Train and refine our language models over time.

We do not use your personal conversations or personal identifiers to train AI models. All data used for model improvement is stripped of personally identifiable information before processing.

4.2 No Sale of Personal Data

We do not sell, rent, lease, or otherwise trade your personal data to any third party for commercial purposes — ever.

We may share anonymised, aggregated, non-personal statistical data with research partners or in published reports, but this data cannot be used to identify you.

5. Legal Basis for Processing (GDPR)

For users in the European Economic Area (EEA) and United Kingdom, we rely on the following legal bases:

Processing Activity	Legal Basis
Account creation and authentication	Performance of a contract (Art. 6(1)(b))
Delivering the Service and curriculum	Performance of a contract (Art. 6(1)(b))
Analytics and service improvement	Legitimate interests (Art. 6(1)(f))
Marketing communications	Consent (Art. 6(1)(a))
Legal compliance	Legal obligation (Art. 6(1)(c))

For users in India, processing is based on consent as provided under the DPDP Act, 2023, except where processing is necessary for the performance of a contract or a legal obligation.

6. Payment Data – Processed by Paddle

All financial transactions are handled by Paddle.com Market Limited, our authorised Merchant of Record. Paddle processes:

Credit/debit card details.
Bank transfer information.
Billing address and tax information.

ChirPolly does not receive, store, or have access to your full payment credentials. We receive only a confirmation of payment status and a transaction reference ID from Paddle.

For full details on how Paddle handles your financial data, please refer to the Paddle Privacy Policy.

7. Data Sharing & Disclosure

We share your data only in the following limited circumstances:

Recipient	Purpose	Safeguard
Firebase (Google LLC)	Auth, analytics, crash reporting	Google Data Processing Agreement
Paddle	Payment processing	Paddle DPA; PCI-DSS compliant
Legal authorities	When required by law or court order	Minimum necessary data only

We do not share your personal data with advertisers, data brokers, or unaffiliated third parties for marketing purposes.

8. Data Retention

We retain your personal data for as long as your account is active, or as necessary to provide the Service and comply with our legal obligations.

Data Type	Retention Period
Account & profile data	Until account deletion + 30 days
AI session logs (anonymised)	Up to 24 months
Payment records (transaction reference)	7 years (statutory requirement)
Support communications	3 years
Analytics data	14 months (Firebase default)

When data is no longer required, it is securely deleted or irreversibly anonymised.

9. Your Rights

Depending on your jurisdiction, you have the following rights regarding your personal data:

9.1 Right to Access

You may request a copy of the personal data we hold about you.

9.2 Right to Correction

You may request that we correct inaccurate or incomplete personal data. Profile information can be updated directly in your Account Settings.

9.3 Right to Erasure ("Right to be Forgotten")

You may request that we delete your personal data. We will honour such requests unless retention is required by law (e.g., financial records). Account deletion can be initiated from Account Settings or by emailing info@chirpolly.com.

9.4 Right to Restrict Processing

You may request that we limit the processing of your data in certain circumstances (e.g., while a dispute is being resolved).

9.5 Right to Data Portability

You may request your personal data in a structured, machine-readable format.

9.6 Right to Object

You may object to processing based on legitimate interests, including direct marketing.

9.7 Right to Withdraw Consent

Where processing is based on consent, you may withdraw it at any time without affecting the lawfulness of prior processing.

9.8 How to Exercise Your Rights

Submit a request to: info@chirpolly.com

We will respond within:

30 days for GDPR requests.
30 days for DPDP Act requests (extendable by a further 15 days in complex cases).

We will not charge a fee for reasonable requests. We may require identity verification before processing your request.

10. Data Security

We implement appropriate technical and organisational measures to protect your personal data against unauthorised access, loss, or destruction, including:

Encryption in transit (TLS/HTTPS for all data transfers).
Encryption at rest for sensitive stored data.
Role-based access controls to limit internal data access.
Regular security assessments and dependency updates.

However, no method of transmission over the internet is 100% secure. While we strive to protect your data, we cannot guarantee absolute security.

11. International Data Transfers

Your data may be processed and stored in servers outside your home country (including in the United States, where Google/Firebase infrastructure operates). When transferring data from the EEA, we rely on:

Standard Contractual Clauses (SCCs) approved by the European Commission.
Google's Data Processing Agreement for Firebase services.

12. Cookies & Tracking

ChirPolly uses:

Strictly Necessary Cookies: Required for authentication and session management.
Analytics Cookies: Firebase Analytics (anonymised). You can disable these via your browser or device settings.

We do not use third-party advertising or tracking cookies.

13. Changes to This Policy

We may update this Privacy Policy periodically. We will notify you of material changes via email or in-app notification at least 14 days before the change takes effect. The "Last Updated" date at the top of this page will always reflect the most recent revision.

14. Grievance / Data Protection Officer Contact

For any privacy-related queries, complaints, or to exercise your data rights, please contact:

Grievance & Data Protection Officer
ChirPolly
Email: info@chirpolly.com

If you are located in the EEA and believe we have not adequately addressed your complaint, you have the right to lodge a complaint with your local Data Protection Authority (DPA).

For users in India, complaints may also be filed with the Data Protection Board of India once operational under the DPDP Act, 2023.