Privacy Policy

Effective Date: May 26, 2025
Data Controller: Columbus Trading Co., Limited

This Privacy Policy is intended to clarify how we collect, store, use, and share (collectively referred to as "process") your personal data when you use the "SpeakEasy Application" (hereinafter collectively referred to as the "Service"; no web version is available), as well as to define your rights and how to exercise them.

This Policy is formulated based on Hong Kong (China)'s Personal Data (Privacy) Ordinance (PDPO) as the fundamental compliance framework, and is also adapted to the specific privacy laws and regulations of the region where you are located (see Chapter 9 "Region-Specific Provisions" for details). This Policy applies to you regardless of whether you interact with us by downloading/installing the Application, registering/logging in, using features (including AI interaction and flashcard-based vocabulary review), or making payment for subscriptions.

1. Scope of Services and Principles for Data Processing

Definition of Services

The Service includes AI language interaction, language learning assistance, flashcard-based vocabulary review (including progress tracking, mistake marking, and personalized review plan generation), as well as supporting account management and subscription payment functions (no customer service support function is provided).

Principles for Data Processing

  • Minimization: We only collect personal data that is necessary for providing the Service, with no excessive collection
  • Prohibition of Sensitive Data Processing: We do not collect or process "sensitive personal data" (including but not limited to financial account information, social security numbers, health data, biometric data, and information of minors under the age of 16). If you inadvertently provide such data, we will delete it immediately upon discovery (unless retention is required by laws and regulations)
  • Cross-Border Compliance: If your personal data needs to be transferred to Hong Kong (China) (where our database is located) or other regions, we will comply with the compliance mechanisms required by the laws and regulations of the region where you are located

2. Categories and Sources of Collected Personal Data

2.1 Categories of Collected Personal Data

Data Category: Collection Scenarios and Specific Content

Identity and Contact Data: The email address you provide when contacting us through the feedback channel (we do not collect your name, phone number, or other contact details)

Account Data:

  • Self-registration: Username, nickname, avatar, encrypted login password, and bound email address (phone numbers are not collected)
  • Third-party quick login (Google, Apple): User ID, avatar, and bound email address shared with our authorization (subject to the scope of third-party authorization; Facebook login is not supported)

Technical and Device Data:

  • Device information: Device model, manufacturer, operating system version, device identifiers (e.g., IDFA/GAID/IDFV)
  • Access information: IP address, time zone, access timestamp, and usage duration
  • Operation logs: Feature click paths, search keywords, error reports, and app crash records
  • Flashcard review-specific data: Review progress, marks for mastered/pending review words, mistake records, and flashcard interaction frequency

User-Generated Content: Text (AI conversation prompts) and audio (voice interaction records) uploaded/created by you in the Service (images and study notes are not collected)

Transaction Data: Order date, subscription type, payment amount, and billing ID for subscription purchases; payment instrument details (e.g., credit card numbers) are not collected and are processed by third-party payment processors

Marketing Identifier Data: We will only collect device advertising identifiers (IDFA/GAID) and Firebase Analytics identifiers if you explicitly consent through the "Privacy Settings Pop-up" when first using the Application. If you do not consent, basic features will not be affected. Such data is collected solely for personalized marketing and advertising performance statistics

2.2 Sources of Data

  • Provided by you: Including account registration, content upload, subscription payment, and consent via privacy settings
  • Automatically collected during service use: Including technical and device data, and operation logs
  • Shared by third parties with authorization: Including quick login platforms, app stores, and payment processors (limited to data necessary for providing the Service)

3. Purposes of Data Processing and Legal Bases

Purpose of Processing / Applicable Legal Bases

1. Providing basic services: Account management, AI interaction responses, flashcard review progress synchronization, and order fulfillment
   Applicable legal basis: Hong Kong (China) PDPO + Laws of your region: Fulfillment of service contract obligations

2. Ensuring service security: Preventing account theft, identifying malicious operations, fixing technical faults, and ensuring service continuity
   Applicable legal basis: Hong Kong (China) PDPO + Laws of your region: Legitimate interests of the data controller (without impairing your core rights)

3. Optimizing service experience: Adjusting personalized review plans and recommending suitable learning content based on flashcard review data
   Applicable legal basis: Hong Kong (China) PDPO + Laws of your region: Legitimate interests of the data controller

4. Compliance retention and auditing: Retaining order records and operation logs, and cooperating with regulatory inspections
   Applicable legal basis: Hong Kong (China) PDPO + Laws of your region: Fulfillment of legal obligations

5. Personalized marketing and advertising statistics: Sending tailored campaign information and compiling advertising performance statistics based on your explicit consent
   Applicable legal basis: Hong Kong (China) PDPO + Laws of your region: Your explicit consent (which may be withdrawn at any time)

4. Data Storage and Security Measures

4.1 Storage Period

  • Service-essential data (account information, flashcard review records, order data): Stored until the "purpose of the Service is achieved" (e.g., account cancellation, subscription expiration) or the retention period required by the laws of your region expires, after which it will be deleted immediately
  • Marketing identifier data: Retained for 7 working days after you withdraw your consent, or deleted immediately after the marketing purpose is achieved
  • Other consent-based data: Retained until the purpose of the consent is achieved, or deleted immediately after you withdraw your consent

4.2 Security Measures

Technical Protection:

  • Data encryption: Data transmission is encrypted using the SSL/TLS protocol, and data storage is encrypted using the AES-256 algorithm (including account passwords, flashcard review records, and marketing identifier data)
  • Access control: Firewalls and hierarchical account permission mechanisms are deployed; only authorized personnel can access sensitive data, and the scope of permissions is strictly aligned with job responsibilities
  • Security monitoring: Abnormal access behaviors (e.g., login from an unusual location, bulk queries) are monitored in real time; regular server penetration testing and vulnerability fixes are conducted
  • Backup mechanism: Data is backed up offline (stored in compliant Hong Kong (China) cloud nodes); backup data is encrypted to ensure recoverability in case of data loss

Administrative Control:

  • Personnel management: Employees with access to data sign confidentiality agreements and receive privacy compliance training at least twice a year; permissions are revoked immediately when employees resign or are transferred
  • Breach response: In the event of a data breach, we will notify you and the regulatory authorities through the feedback channel within the time limit required by the laws of your region (e.g., within 72 hours), and cooperate with investigations and provide remediation recommendations

5. Data Sharing and Cross-Border Transmission

5.1 Scope of Data Sharing (Limited to Necessary Scenarios)

Recipient of Sharing: Sharing Scenarios and Data Types

Third-Party Service Providers:

  • Cloud storage providers (Hong Kong nodes): Technical data and user-generated content (for service deployment)
  • Payment processors: Transaction data (for order fulfillment; no payment instrument details are shared)
  • Google Firebase: Anonymized device advertising identifiers (not linked to account information) are shared based on your consent, for marketing performance statistics
  • Technical support providers: Device data and operation logs (for fault repair; no core personal information is included)

Regulatory Authorities: When requested by the Office of the Privacy Commissioner for Personal Data of Hong Kong (China) or the regulatory authorities of your region in accordance with the law, necessary data will be shared to fulfill legal obligations

Third-Party Partners: Only "anonymized data" (e.g., flashcard review feature usage rate, learning preference statistics) is shared; such data cannot be linked to specific individuals and may be used for academic research or product optimization

5.2 Cross-Border Transmission Compliance Mechanisms

Transmission to Hong Kong (China) (database location):

  • Users in South Korea: Standard contractual clauses recognized by South Korea's Personal Information Protection Commission (PIPC) are adopted
  • Users in Turkey: Cross-border transmission clauses approved by Turkey's Data Protection Authority (KVKK Kurulu) are adopted
  • Users in other regions: "Standard contractual clauses" or "adequacy decisions" recognized by the laws of your region are adopted (a copy of the clauses can be requested through the feedback channel)

Transmission to third parties in other regions: Conducted only when necessary for the Service and in compliance with the above-mentioned mechanisms. We ensure that the recipient maintains an equivalent level of data protection (e.g., ISO 27001 certification) and sign a data protection agreement with the recipient.

6. Your Data Rights and How to Exercise Them

You may exercise the following rights through the "Feedback Channel" in Chapter 10. We will respond within the following time limits (extensions are allowed for complex cases, and the extended period will be notified to you):

  • Users in Hong Kong (China), Singapore, and Canada: Within 30 days
  • Users in Japan, Australia, and South Korea: Within 30 days (extendable to 60 days for complex cases)
  • Users in other regions: Within the time limit required by the local laws

Right Type: Content of the Right

Right to Know: Inquire whether your personal data is being processed, the purpose of processing, the source of data, the recipients of shared data, and details of cross-border transmission

Right to Rectification: Request correction of inaccurate or incomplete personal data (e.g., updating the email address bound to your account, correcting errors in flashcard review records)

Right to Erasure ("Right to be Forgotten"): Request deletion of your personal data after the purpose of the Service is achieved or you withdraw your consent (unless retention is required by laws and regulations)

Right to Restriction of Processing: Request suspension of the processing of your personal data if the accuracy of the data is in doubt or the processing is suspected of violating the law

Right to Data Portability: Request us to export your personal data in a "structured, machine-readable" format (e.g., CSV/JSON), or transmit it to another service provider designated by you if technically feasible

Right to Object: Object to the processing of your personal data based on "legitimate interests" (e.g., unauthorized marketing promotions); we will immediately cease the relevant processing upon receipt of your objection

Right to Withdraw Consent: Withdraw your consent to the "collection and use of marketing identifier data" at any time; we will cease the relevant data processing and delete the corresponding data within 7 working days (unless retention is required by laws and regulations)

Requirements for Exercising Rights: You need to provide clear identity verification information (e.g., username, bound email address); if you authorize an agent to exercise your rights, the agent must provide a written authorization certificate (which can be submitted via the feedback channel as a scanned copy).

7. Special Groups and Push Notifications

Age Restrictions

Global General Rule: Minors under the age of 16 are prohibited from using the Service; minors aged 16-18 may use the Service only with the consent of their legal guardians, who shall assist in managing their personal data (e.g., exercising data rights).

Regional Adaptations:

  • Users in Japan (per APPI requirements): Minors under the age of 16 require explicit consent from their legal guardians
  • Users in South Korea (per PIPA requirements): Minors under the age of 16 require explicit consent from their legal guardians

Push Notifications

We may send service notifications (e.g., reminders for flashcard review plans). You may disable such notifications through "device system settings" or "in-app notification settings"; once disabled, you will no longer receive relevant information.

8. Updates to the Policy and Notification

  • Reasons for Updates: Changes in laws and regulations (e.g., amendments to Hong Kong's PDPO), adjustments to service features, and optimization of data processing practices
  • Publicity of Updates: The updated Policy will be posted on the "Settings - Privacy Policy" page of the Application, with the "Effective Date" clearly marked
  • Notification of Material Changes: If an update involves "expanding the scope of data collection, changing cross-border transmission mechanisms, or restricting user rights", we will notify you through appropriate channels
  • Acceptance of Updates: Your continued use of the Service after the effective date of the updated Policy shall be deemed your acceptance of the updated Policy; if you do not accept the updated Policy, you must immediately cease using the Service and cancel your account

9. Region-Specific Provisions

This Chapter applies only to users in the corresponding regions. In case of any conflict between this Chapter and other provisions of the Policy, this Chapter shall prevail.

9.1 Asia Region

9.1.1 Users in Japan (Applicable to the Act on the Protection of Personal Information (APPI))

  • Personal Information Consultation: Contact us through the feedback channel; we will respond within 15 days
  • Cross-Border Transmission: Your personal data will be transmitted to Hong Kong (China) only after obtaining your consent
  • Breach Notification: In the event of a data breach, we will notify you within 72 hours and report to Japan's Personal Information Protection Commission (PIPC)

9.1.2 Users in South Korea (Applicable to the Personal Information Protection Act (PIPA))

  • Cross-Border Transmission: Standard contractual clauses recognized by South Korea's Personal Information Protection Commission (PIPC) are adopted
  • Exercise of Rights: We will respond within 15 days of receiving your request
  • Purpose Change: If the purpose of processing changes, we will send a separate email notification and obtain written consent

9.1.3 Users in Singapore (Applicable to the Personal Data Protection Act (PDPA))

  • Data Retention: Flashcard review records will be deleted immediately after account cancellation
  • Withdrawal of Consent: We will cease processing and delete data within 7 working days
  • Complaint Channel: You may file a complaint with Singapore's Personal Data Protection Commission (PDPC)

9.1.4 Users in Malaysia (Applicable to the Personal Data Protection Act 2010 (PDPA 2010))

  • Implementation of the Seven Principles: We have established systems to ensure compliance with the seven data protection principles under PDPA 2010
  • Cross-Border Transmission: We confirm that Hong Kong (China) meets the "adequate protection" standard

9.2 Oceania Region

9.2.1 Users in Australia (Applicable to the Privacy Act 1988)

  • Breach Notification: In the event of a "serious data breach", we will notify you within 72 hours and inform the Office of the Australian Information Commissioner (OAIC)
  • Small Business Exemption: If our annual turnover does not exceed AUD 3 million, simplified requirements apply to certain provisions

10. Feedback Channel

If you have questions about this Policy, need to exercise your data rights (e.g., withdrawing consent for marketing), report data security issues, or request a copy of the cross-border transmission clauses, you may contact us through the following exclusive channel:

General Feedback Email: ligaili1217@163.com

We will respond within the time limit specified in Chapter 6 and support multilingual inquiries (you may send feedback in any language, and we will assign staff with corresponding language proficiency to handle your inquiry).