← Back to home

Privacy Policy

Last updated: May 3, 2026

This policy explains what personal data Phraze collects, why, and what rights you have over it. It covers both the marketing site you are reading now and the Phraze mobile app (currently in development).

1. Controller

The data controller is:
[FULL NAME]
[STREET]
[POSTAL_CITY]
[COUNTRY]
Email: hallo@phraze.app

No Data Protection Officer is required at this time. You can reach us for all privacy matters at the email address above.

2. Marketing Site — Waitlist

When you submit your email address to join the waitlist, we collect:

  • Email address — to notify you when Phraze launches and, where you consent, to send updates about the product.
  • Browser locale — to understand which language markets are most interested (e.g. "de" or "en").
  • User agent string — device and browser type, for aggregate analytics (no individual profiling).
  • Daily-rotating IP hash — a one-way SHA-256 hash of your IP address salted with the current date. This is not reversible and cannot identify you. We use it to detect duplicate or abusive submissions.
  • Signup source — which section of the page you used (e.g. hero, pricing). For internal funnel analysis only.

Legal basis: Art. 6(1)(b) GDPR (processing necessary to take steps at your request prior to entering a contract) for the waitlist entry itself; Art. 6(1)(f) GDPR (legitimate interest in preventing fraud and abuse) for the IP hash and user agent.

Retention: Waitlist data is kept until Phraze launches and for up to 12 months thereafter, or until you ask us to delete it.

Storage: Stored in NeonDB, hosted on AWS in the EU (eu-central-1, Frankfurt). NeonDB Inc. acts as a data processor under a Data Processing Agreement.

3. Mobile App (when it launches)

The following describes processing that will take place once the Phraze app is live. We will update this policy before launch if anything changes.

3.1 Account Data

Authentication is handled by Clerk, Inc. (US). When you sign in with Apple or Google, Clerk receives your Apple ID or Google account identifier and, where available, your name and email address. Phraze receives a user identifier, email address, and OAuth provider token from Clerk. We store your user ID, email, preferred language, app locale, and tutor personality preference.

Legal basis: Art. 6(1)(b) GDPR (performance of the service contract).

3.2 Learning Activity

We store which phrases you have collected, your pronunciation scores per phrase, your learning streak, and quiz results. This data powers the core features of the app and is linked to your account.

Legal basis: Art. 6(1)(b) GDPR.

3.3 Audio Recordings

When you use the pronunciation practice feature, your voice recording is transmitted to Microsoft Azure Cognitive Services (pronunciation assessment) for scoring. The audio is processed in transit and is not stored by Phraze beyond the duration of the scoring round-trip. Azure returns a structured score result; the raw audio is discarded. We do not use your recordings to train AI models.

Legal basis: Art. 6(1)(b) GDPR (delivering the pronunciation feedback you requested).

3.4 AI Tutor Interactions

Tutor reactions (short 1–2 sentence responses to your pronunciation attempt) are generated by Anthropic's Claude API using your score data and the phrase you practiced. Multi-turn AI chat sessions use Anthropic Claude as well. The content of these interactions is not stored by Phraze beyond your active session unless you are in a chat session where conversation history is required for coherence. Anthropic acts as a data processor under a Data Processing Agreement and standard contractual clauses (SCCs).

AI transparency:Tutor feedback and chat responses are generated by an AI system, not a human. The app makes this clear in the interface. Phraze's AI tutor is a limited-risk AI system as defined under the EU AI Act. You are not required to use the AI features; they can be avoided by not triggering pronunciation practice or AI chat.

Legal basis: Art. 6(1)(b) GDPR.

3.5 Subscriptions

Subscription billing is handled by RevenueCat, Inc. (US) via Apple App Store or Google Play billing. Phraze receives only your subscription status and tier from RevenueCat — we never see or store payment card details. RevenueCat acts as a data processor under a Data Processing Agreement.

Legal basis: Art. 6(1)(b) GDPR.

3.6 Product Analytics

We use Bananalytics, a self-hosted analytics tool operated by us, to understand how the app is used — for example, which screens are visited and which features are engaged. No data is sent to a third party. Analytics events do not include raw recordings, payment details, or message content. Analytics are based on pseudonymous identifiers.

Legal basis: Art. 6(1)(f) GDPR (legitimate interest in improving the product).

4. Third-Party Processors

We share data with the following processors only to the extent necessary to provide the service:

  • NeonDB, Inc. — database hosting (EU, Frankfurt). All waitlist and app data at rest.
  • Clerk, Inc. (US) — authentication. Receives Apple/Google identity tokens and provides user management. Transfer basis: SCCs.
  • Anthropic, PBC (US) — AI language model API. Receives phrase text, score data, and chat messages. Transfer basis: SCCs.
  • Microsoft Azure Cognitive Services — pronunciation assessment. Audio processed in transit only; EU region used where available. Transfer basis: SCCs / EU adequacy mechanisms.
  • ElevenLabs, Inc. — text-to-speech for pre-generated phrase audio. Phrase text is sent to generate audio files; no user personal data is involved.
  • RevenueCat, Inc. (US) — subscription management. Receives device identifiers and subscription state. Transfer basis: SCCs.
  • Bananalytics — self-hosted by the operator. No data leaves our infrastructure for this service.

5. International Transfers

Several processors are based in the United States. We transfer data to these processors on the basis of Standard Contractual Clauses (SCCs) approved by the European Commission under Art. 46(2)(c) GDPR, or other applicable transfer mechanisms. You can request a copy of the relevant SCCs by emailing hallo@phraze.app.

6. Local Storage (Marketing Site)

The marketing site stores your theme preference and detected locale in browser localStorage. This is strictly necessary for the site to function as you expect across page loads and does not require a cookie consent banner under the ePrivacy Directive. No tracking or advertising data is stored in local storage.

7. Your Rights

Under GDPR you have the right to:

  • Access (Art. 15) — request a copy of the data we hold about you.
  • Rectification (Art. 16) — correct inaccurate data.
  • Erasure (Art. 17) — ask us to delete your data. In the app, you can also delete your account directly from the profile screen, which triggers immediate deletion of all associated data.
  • Restriction (Art. 18) — ask us to restrict processing in certain circumstances.
  • Portability (Art. 20) — receive your data in a structured, machine-readable format where technically feasible.
  • Objection (Art. 21) — object to processing based on legitimate interest at any time.

To exercise any of these rights, email hallo@phraze.app. We will respond within one month.

8. Right to Lodge a Complaint

You have the right to lodge a complaint with a data protection supervisory authority. The competent authority is the [STATE_DPA — insert the supervisory authority for your federal state, e.g. Berliner Beauftragte für Datenschutz und Informationsfreiheit if domiciled in Berlin]. You can also contact the federal authority: Der Bundesbeauftragte für den Datenschutz und die Informationsfreiheit (BfDI), Graurheindorfer Str. 153, 53117 Bonn, www.bfdi.bund.de.

9. Automated Decision-Making

We do not use automated decision-making or profiling that produces legal or similarly significant effects on you (Art. 22 GDPR).

10. Changes to This Policy

We may update this policy when we launch the mobile app or when our processing changes. Material changes will be communicated via email to waitlist subscribers and, once the app is live, via an in-app notice. The "last updated" date at the top of this page reflects the most recent revision.