Legal

Privacy Policy

Last updated: 2026-06-01 · C1 Practice (c1practice.englishclassesonline.co.uk), also marketed as "i-Speak English" · Adaptive Expert Interfaces SL · CIF B22959654

This Privacy Policy explains how Adaptive Expert Interfaces SL processes personal data in connection with the "C1 Practice" application (also marketed as "i-Speak English") at c1practice.englishclassesonline.co.uk (the "Service"). It is issued under and should be read together with our Terms of Service. It is intended to comply with Regulation (EU) 2016/679 ("GDPR") and Spanish Organic Law 3/2018 on Personal Data Protection and Digital Rights Guarantee (LOPDGDD).

1 Data controller

The data controller for the personal data described in this Policy is:

Adaptive Expert Interfaces SL ("we", "us")
Registered office: Plaza Poeta Alfonso Canales 4, Planta 1, Puerta B, 29001 Málaga, Spain
CIF: B22959654
Contact for privacy matters: support.englishclassesonline@aei.dev

We have not appointed a Data Protection Officer as we are not required to do so under Article 37 GDPR. The contact above acts as our point of contact for all data protection matters and may be used to exercise any of the rights described in Section 8.

2 Personal data we process

We process only the categories of data listed below. The Service is not directed at children under 16, and we do not knowingly collect data from them; if you believe a child has provided data to us, please contact us and we will delete it.

Category	Examples	Source
Account data	Name, email address, hashed password (or Google sign-in identifier), terms_agreed_at timestamp	Provided by you at sign-up
Onboarding data	Self-declared learning goals (e.g. target exam month, areas to focus on)	Provided by you in onboarding
Learning data	Exercise responses, scores, time spent, progress, settings, language and product preferences	Generated as you use the Service
Usage data	Anonymous first-party usage analytics written to our flow_events table (see Section 4). Each visit is buffered in your browser's memory and submitted once, when you leave, as a single record holding only: your browser family and operating system (coarse labels such as "Chrome" / "iOS"), the ordered sequence of in-app actions you took, each stamped with the time it occurred in whole seconds since the visit started (a session-relative offset, not a wall-clock time). These records contain no user ID, no session ID, no IP address and no precise timestamp. On signed-in visits they additionally carry a small set of coarse account flags (for example whether the account is a free/comp account or in a developer/test mode) so we can separate staff and test traffic from real usage; these flags are not identifiers.	Generated automatically as you use the Service
Technical data	IP address and request metadata used transiently to deliver the Service and protect against abuse; written to short-lived server logs	Collected automatically
Billing data	Order ID, subscription status, country, last 4 digits / brand of card, billing email. We do not receive your full card number.	Provided to and processed by the Merchant of Record; we receive a limited subset
Support data	Content of emails you send us	Provided by you

No third-party analytics. We do not use Google Analytics or any other third-party analytics, tag-management or advertising service. All usage analytics are first-party and stored in our own EU-hosted database (see Section 4).

No AI processing of your answers. Your exercise responses are not sent to any third-party AI or large-language-model provider. Scoring and feedback are produced by our own deterministic logic.

No special-category data. We do not ask for, and ask that you do not submit, data revealing racial or ethnic origin, political opinions, religion, health, sexual orientation, or other Article 9 GDPR special categories.

3 Purposes and legal bases

We process the data above for the following purposes, on the following legal bases under Article 6(1) GDPR:

(a) Providing the Service — creating and operating your account, presenting exercises tailored to your goals, recording your progress, and providing customer support. Legal basis: performance of the contract with you (Art. 6(1)(b)).

(b) Billing and fraud prevention — managing subscriptions, processing payments via our Merchant of Record, and detecting fraudulent or abusive use. Legal basis: performance of the contract (Art. 6(1)(b)) and our legitimate interest in protecting the Service (Art. 6(1)(f)).

(c) Legal and tax compliance — retaining invoices and related records to meet our Spanish accounting, tax and consumer-law obligations. Legal basis: legal obligation (Art. 6(1)(c)).

(d) Usage analytics and service improvement — understanding which features and screens are used, where users drop off in onboarding, and how the subscription funnel performs, so that we can debug and improve the Service. Our usage analytics (Section 4) are anonymous for every visitor, logged-in or not: each record carries no name, email, account identifier, session identifier, IP address or precise timestamp, and cannot be tied to you or linked across visits. It therefore falls outside the GDPR — no legal basis is required because no personal data is processed — and for the same reason it is collected from every visitor, whether or not signed in, with no per-account opt-out (there is nothing tied to an account to opt out of).

(e) Service-related communications — sending transactional emails (e.g. account confirmations, billing notices, security alerts, material changes to these terms). Legal basis: performance of the contract (Art. 6(1)(b)) and, where applicable, legal obligation (Art. 6(1)(c)).

4 Cookies, storage and first-party usage log

We do not show a cookie banner because the Service does not store information on your device for analytics purposes, and the strictly necessary storage we do use is exempt from consent under Article 22.2 of Spanish Law 34/2002 (LSSI-CE) and Article 5(3) of the ePrivacy Directive. Specifically, the only client-side storage we use is:

the Supabase authentication session token (an HTTP-only cookie plus a refresh token in localStorage) that keeps you signed in;
your language preference; and
product preferences such as vocabulary selection.

We do not set any analytics cookies, do not use _ga / _ga_* or any other third-party tracker, do not load gtag.js or any tag-management script, and do not use any persistent client-side identifier for analytics.

Instead, we maintain an anonymous first-party usage log in a Supabase table called flow_events, hosted in the European Union (Ireland). While you use the Service your actions are held only in your browser's memory; when you leave, the whole visit is submitted as a single record containing your browser family and operating system, the ordered list of actions below, each stamped with the time it occurred in whole seconds since the visit started (a session-relative offset, not a wall-clock time). The record has no user ID, no session ID, no IP address and no precise timestamp. On signed-in visits it additionally carries a small object of coarse account flags (such as whether the account is a free/comp account, in developer/test mode, or which subscription flow it uses) so that staff and test traffic can be filtered out of the statistics; these are coarse configuration flags, not identifiers, and most accounts share the same default values. The table is write-only from the client: Row-Level Security permits only INSERT operations and clients cannot read, update or delete any row.

The actions a visit can record:

page_view — on the initial route and every in-app navigation. Parameters: path, title, and query (the entry URL's query string, e.g. a utm campaign tag, when present).
landing_page_view — once per landing-page visit. Parameters: path, title, referrer (reduced to its origin), and query (the URL's query string, e.g. a utm campaign tag, when present).
section_view — when a landing-page section scrolls into view. Parameters: section, prev (previous section), prev_dwell_s (seconds the previous section was visible).
cta_click — when you click a landing-page action button. Parameters: location, action (so the same action is distinguished by where it sits).
onboarding_step_view — when each onboarding step renders. Parameter: step_name.
onboarding_step_completed — when you advance past a step. Parameters: step_name, plus goals_count on the goals step.
onboarding_completed — on final completion. Parameters: goals_count, has_exam_date (boolean).
warmup_finished — when the first practice round ends. Parameters: correct, total, accuracy_pct.
notes_opened / notes_closed — when you open or close the grammar/vocab notes panel. Parameter: kind (grammar / vocab).
button_click — when you click a button in the app. Parameters: label (the button's text or aria-label, capped), context (onboarding / subscription / app).
subscription_modal_opened / subscription_modal_closed — when the subscription window opens or closes. Parameter: variant (default / soft-wall).
soft_wall_shown — when the post-warm-up subscription prompt opens.
soft_wall_dismissed — when you close that prompt without subscribing.
series_finished — when you complete a round of exercises. Parameters: game, total, score.
series_abandoned — when you leave a game before finishing the round. Parameters: game, played (exercises attempted), failed (got wrong or revealed), time_s (seconds spent in the round).
page_left — a terminal marker when you leave (its ts is the length of the visit). Parameters: mid_exercise (whether a round was in progress), and on the landing page last_section / last_dwell_s.
subscribe_clicked — when you click Subscribe. Parameters: plan (monthly / yearly), source (soft-wall / default).

We never write to flow_events: your name, email address, exam date, free-text goal entries, the content of practice answers, or any payment information — nor any identifier that could tie a record to you.

5 Recipients and processors

We do not sell personal data. We share data only with the following recipients, each acting under a written data processing agreement where they act as our processor:

(a) Supabase (Supabase, Inc.) — backend hosting, authentication, database storage for account, onboarding, learning and usage data, including the flow_events table. Processed in the European Union (Ireland region). Acts as our processor.

(b) Merchant of Record — payment processing, invoicing and tax handling. Our Merchant of Record is Creem (operated by Armitage Labs OÜ, a company incorporated in Estonia), identified at checkout and on your purchase receipt. Creem acts as an independent controller for the billing data it collects directly from you at checkout; please see Creem's own privacy notice, linked from the checkout page. We act as controller of the subset of order data Creem shares back with us.

(c) Professional advisers and authorities — accountants, lawyers, tax authorities and courts where required by law or to defend our legal interests.

6 International transfers

Personal data we control (account, onboarding, learning and usage data) is stored with Supabase in the European Union (Ireland) and is not transferred outside the EEA by us. Billing data handled by our Merchant of Record may be transferred outside the EEA, including to the United States. For those transfers we rely on appropriate safeguards under Chapter V GDPR, in particular the European Commission's Standard Contractual Clauses (Decision 2021/914) and, where applicable, the EU–U.S. Data Privacy Framework. You may request a copy of the relevant safeguards by contacting us.

7 Retention

We retain personal data only as long as needed for the purposes for which it was collected:

Account, onboarding and learning data: for as long as your account is active, and for up to 12 months after deletion or prolonged inactivity, after which it is deleted or anonymised. Anonymised, aggregated learning statistics may be kept indefinitely.
Usage data (flow_events): these records are already anonymous when written. We keep them for up to 14 months to produce trend statistics, after which the underlying records are deleted; aggregate statistics derived from them may be kept indefinitely. This aligns with European data-protection guidance on audience-measurement retention.
Billing records and invoices: 6 years from issuance, to comply with Spanish commercial and tax law (notably Art. 30 Código de Comercio and the General Tax Law).
Support emails: up to 24 months after the matter is closed.
Server and security logs: typically up to 12 months.

8 Your rights

Under the GDPR you have the right to: (a) access your data; (b) rectify inaccurate data; (c) request erasure ("right to be forgotten"); (d) restrict processing; (e) object to processing based on our legitimate interests (Art. 21 GDPR); (f) data portability for data you provided to us and that we process by automated means on the basis of your consent or the contract; and (g) withdraw consent at any time, without affecting the lawfulness of processing before withdrawal.

Because our usage analytics are anonymous (Section 4), there is no personal data there to access, correct, erase or object to. To exercise any right over your other personal data, please email support.englishclassesonline@aei.dev from the address associated with your account, or delete your account in-product where available. We will respond within one month, extendable by two months for complex requests.

You also have the right to lodge a complaint with a supervisory authority, in particular the Spanish data protection authority, Agencia Española de Protección de Datos (AEPD), C/ Jorge Juan 6, 28001 Madrid, www.aepd.es, or the authority of your country of residence or place of the alleged infringement.

9 Security

We use technical and organisational measures appropriate to the risk, including encryption in transit (TLS), encryption at rest where supported by Supabase, hashed and salted passwords, Row-Level Security on the flow_events table (insert-only from clients; no client read, update or delete), access controls and logging. No internet-based service can guarantee absolute security; we ask that you use a strong, unique password and notify us promptly of any suspected compromise.

10 Automated decision-making

We do not carry out automated decision-making producing legal or similarly significant effects concerning you within the meaning of Article 22 GDPR.

11 Children

The Service is intended for users aged 16 or older (or the applicable age of digital consent in your country, if higher). We do not knowingly process personal data from children below that age. If you believe a child has provided us with personal data, please contact us at support.englishclassesonline@aei.dev and we will take steps to delete it.

12 Changes to this Policy

We may update this Policy from time to time. Where changes are material, we will notify you by email or in-app notice in advance of the effective date. The latest version is always available in the Service.

13 Contact

Adaptive Expert Interfaces SL — Plaza Poeta Alfonso Canales 4, Planta 1, Puerta B, 29001 Málaga, Spain — CIF B22959654 — support.englishclassesonline@aei.dev. For payment, refund and order matters, please also see our Merchant of Record's privacy notice, linked from your purchase receipt and from our checkout page.