Privacy Policy

This policy explains how Genielingua collects and uses your personal data, and your rights under UK data protection law (the UK GDPR and the Data Protection Act 2018).

Who we are

Genielingua is an online Spanish course operated by Patricia Martinez Garcia, a sole trader trading as “Genielingua” (“we”, “us”, “our”). We are the data controller for the personal data described in this policy.

If you need to contact us about privacy or to exercise your rights, please use our contact form. Our postal contact address is: Suite 70128, Unit F, Winston Business Park, Churchill Way, Sheffield, South Yorkshire S35 2PS.

The personal data we collect

• Account data — your name and email address, and a password (stored only in encrypted/hashed form; we never see it).
• Learning data — your progress through the course (which lessons you've completed).
• Payment data — handled entirely by our payment provider, Stripe. We do not see or store your card details; we only receive confirmation of your subscription status.
• Enquiries & messages — anything you send us through our forms (school enquiries, the contact form), including your name and email.
• School & pupil data — where a school subscribes, we hold the teacher's account and each pupil's login and progress, on behalf of and at the instruction of the school (see “Schools and children” below).
• Technical data — basic information your browser sends (such as IP address) and minimal server logs, used to keep the service secure and working.

How we use it, and our lawful basis

• To provide your account and the course, and to process payments — performance of a contract.
• To send you essential service messages (e.g. confirmations, password resets) — performance of a contract.
• To respond to enquiries, and to send a single reminder if you started a sign-up or enquiry but didn't finish — our legitimate interests in helping you and running our business. You can opt out of these at any time.
• To keep the service secure and meet legal obligations — legitimate interests and legal obligation.

Who we share it with

We don't sell your data. We use a small number of trusted service providers who process data on our behalf (our “processors”), under contracts that require them to protect it:

• Stripe — payment processing.
• Supabase — secure database and account/authentication storage.
• Vercel — website hosting.
• Resend — sending our emails.
• OpenAI — powers the “Ask Genie” assistant and generates the audio narration. Questions you type into Ask Genie are processed to produce a reply.

International transfers

Some of these providers process data outside the UK (for example in the EU or the United States). Where they do, we rely on appropriate safeguards recognised under UK data protection law (such as the UK International Data Transfer Agreement / Addendum, or an adequacy decision) so your data remains protected.

Schools and children

Our schools product creates an individual login for each pupil. When a school subscribes, the school is responsible for deciding to use Genielingua with its pupils and for any permissions or notices required (for example informing parents). We act on the school's instructions for that pupil data.

We take children's privacy seriously and design with the principles of the ICO's Children's Code in mind: we collect only the minimum data needed (a name and progress), we don't use pupil data for marketing, we don't track location, and we don't use techniques designed to encourage children to share more data. Schools and parents can ask us to access, correct or delete a pupil's data via our contact form.

How long we keep it

We keep your account and learning data for as long as your account is active, and for a reasonable period afterwards, then delete or anonymise it. Enquiry messages are kept only as long as needed to deal with them. Where a school ends its subscription, pupil accounts are deactivated and removed within a reasonable period.

Your rights

Under UK data protection law you have the right to access your data, to have it corrected or deleted, to restrict or object to certain processing, and to data portability. To exercise any of these, use our contact form and we'll respond within the legal time limit (normally one month).

If you're unhappy with how we've handled your data, you can complain to the UK regulator, the Information Commissioner's Office (ICO), at ico.org.uk. We are registered with the ICO under registration number 00014454493.

Cookies and similar technologies

We keep this simple: we use only strictly necessary browser storage to keep you signed in while you use the course. We do not use advertising or analytics cookies, and we don't track you across other websites. Because of this, we don't show a cookie consent banner — none is required for storage that is essential to a service you've asked for. You can clear this storage at any time in your browser settings, though you'll then need to sign in again.

Changes to this policy

We may update this policy from time to time. The “last updated” date at the top shows when it last changed.

This policy is provided in good faith. If anything here is unclear, please get in touch via our contact form.