Contents
- 1. Introduction
- 2. Data Controller
- 3. Information We Collect
- 4. How We Use Your Information
- 5. Legal Basis (GDPR)
- 6. Data Storage
- 7. Third-Party Services
- 8. End-to-End Encryption
- 9. Push Notifications
- 10. Billing & Subscriptions
- 11. Data Security
- 12. Data Retention
- 13. Account & Data Deletion
- 14. Your Privacy Rights
- 15. App Permissions
- 16. Children's Privacy
- 17. International Transfers
- 18. Changes to This Policy
- 19. Contact
1 Introduction
Prasad Mahankal ("I", "me", or "the developer") operates the mobile application Ortio, available on Android (Google Play Store) (the "Service").
Ortio is a multilingual language learning app that helps users practice and prepare for official language certifications including Goethe-Institut (German), DELF/DALF (French), DELE (Spanish), HSK (Chinese), JLPT (Japanese), and more.
This Privacy Policy describes how I collect, use, store, and protect your personal information, and the rights you have regarding your data.
This policy aims to comply with:
- General Data Protection Regulation (GDPR) — EU/EEA users
- California Consumer Privacy Act (CCPA) — California residents
- Google Play Developer Program Policies
- Children's Online Privacy Protection Act (COPPA)
2 Data Controller
App Name: Ortio
Developer: Prasad Mahankal (individual / sole developer)
Contact: support.ortio@gmail.com
3 Information We Collect
3.1 Account Information
Creating an account is required to use Ortio. I collect:
- Email address — for authentication and communication
- Display name / username — displayed on your public profile
- Password — stored as a secure hash by Supabase; never stored in plaintext
- Profile photo — optional, only if you choose to upload one
- Supabase User ID — internal identifier used to link all your data
- Google account details (name, email, Google ID) — only if you sign in with Google
Public Visibility: Your display name / username and profile photo (if uploaded) are public and visible to other users on the community feed and in chat features.
3.2 Practice & Learning Data
- Your answers to quizzes, mock tests, and practice questions
- Test scores, completion times, and attempt history
- Language preferences and learning progress
- Notes you save within the app
3.3 Social & Communication Data
- Posts, comments, and reactions you create in the community feed. These are visible to all registered users of the app.
- Human Chat messages — sent to other users. These are end-to-end encrypted (E2EE) using TweetNaCl. Message content is stored as ciphertext on the server — I cannot read your messages.
- AI Chat conversations — your messages to the AI tutor are sent to third-party AI providers in real time to generate responses (see Section 7)
3.4 Technical & Device Information
- Device model and operating system version
- App version
- Advertising identifiers (such as Android Advertising ID / GAID) used by advertising networks like Google AdMob
- Crash logs and error reports (Firebase Crashlytics)
- App usage events (Firebase Analytics)
- Network type (WiFi / cellular)
- Firebase Cloud Messaging (FCM) push notification token
4 How I Use Your Information
- To authenticate and maintain your account
- To provide all app features (mock tests, quizzes, AI chat, human chat, community feed, notes, language games)
- To send push notifications — practice reminders, chat messages, activity updates — only with your permission
- To process your text and audio inputs through AI services and return learning responses
- To improve the app using anonymous usage analytics and crash data
- To display advertisements and measure advertising performance
- To detect and prevent abuse or unauthorized access
- To respond to your support requests
5 Legal Basis for Processing (GDPR)
| Purpose | Legal Basis |
|---|---|
| Account creation & core app features | Contract (Art. 6(1)(b)) |
| Analytics & crash reporting | Legitimate Interest (Art. 6(1)(f)) |
| Push notifications | Consent (Art. 6(1)(a)) |
| Advertising personalization (where required by applicable law) | Consent (Art. 6(1)(a)) |
| Non-personalized advertising | Legitimate Interest (Art. 6(1)(f)) or Consent depending on jurisdiction |
| Security & abuse prevention | Legitimate Interest (Art. 6(1)(f)) |
| Legal compliance | Legal Obligation (Art. 6(1)(c)) |
6 Data Storage
Server-Side (Supabase)
Your account details, practice history, posts, notes, and encrypted chat messages are stored in a Supabase PostgreSQL database hosted on secure cloud infrastructure. All data in transit is protected by TLS/HTTPS. Supabase Row-Level Security (RLS) ensures each user can only access their own data.
On Your Device (Local Storage)
Using AsyncStorage and react-native-keychain, the following is stored locally:
- Session token — secured in Android Keystore
- Your E2EE private key for Human Chat — this key never leaves your device
- App settings (audio speed, auto-play preferences)
- Cached content for performance
7 Third-Party Services
Note on AI Processing: Messages and voice recordings submitted to AI-powered features (such as AI Chat and mock tests) are transmitted to the respective AI providers (Google and Groq) solely to produce transcriptions or replies, and are governed by their respective policy terms. Ortio does not retain audio files after processing.
8 End-to-End Encryption (Human Chat)
Human Chat messages in Ortio are protected with end-to-end encryption (E2EE) powered by TweetNaCl:
- Messages are encrypted on your device using the recipient's public key before being transmitted
- Only the encrypted ciphertext is stored on the server — I cannot read your messages
- Messages are decrypted only on the recipient's device using their private key, which is stored exclusively in their device's secure keychain
- This is a zero-knowledge design: even in the event of a server breach, your message content remains unreadable
9 Push Notifications
With your permission, Ortio may send push notifications for:
- Daily practice reminders
- New Human Chat messages
- Community activity (comments, reactions on your posts)
- Account-related updates
You can disable notifications at any time in Settings → Apps → Ortio → Notifications on your Android device.
10 Billing & Subscriptions
Ortio offers paid subscription plans through a credit-based system. In-app purchases are processed through Google Play Billing.
When you make a purchase:
- Payment is handled entirely by Google Play — I never see or store your card number or financial details
- I receive only confirmation of the purchase and your subscription status from Google Play
- Purchase receipts are retained while your subscription is active, plus 1 year for tax and legal compliance
- Refunds are managed by Google Play according to their refund policy
11 Data Security
- All data in transit is encrypted using TLS/SSL
- Passwords are hashed and salted by Supabase — never stored in plaintext
- Human Chat uses zero-knowledge E2EE (TweetNaCl)
- Session tokens are stored in the Android Keystore
- Supabase Row-Level Security restricts all data access per user
- Dependencies are regularly reviewed and updated for known security vulnerabilities
12 Data Retention
| Data Type | Retention Period |
|---|---|
| Account & profile data | Retained while your account exists |
| Practice history & notes | Retained while your account exists |
| Social posts & comments | Retained until you delete them or your account |
| Human Chat messages (ciphertext) | Retained until deleted by users or upon account deletion |
| Firebase Analytics data | 14 months (Firebase default) |
| Crash reports (Crashlytics) | 90 days |
| Purchase receipts | While subscription is active + 1 year for tax/legal compliance |
| AI Chat conversations | Retained while your account exists or until deleted by you |
| Audio recordings & Transcriptions | Audio recordings are not stored by Ortio after processing; transcriptions are kept while your account exists |
| Local device data (AsyncStorage, Keychain) | Until app is uninstalled or app data is cleared |
13 Account & Data Deletion
When you request and confirm account deletion within the app (by entering the required confirmation phrase), your account data, profile details, messages, and progress are deleted from our systems. Account deletion requests are typically processed immediately or within 30 days, except where limited retention is required for legal, security, fraud-prevention, tax, or regulatory obligations.
You can also request account deletion using our online request form: Ortio Account Deletion Request Form.
Alternatively, you may request account deletion by emailing support.ortio@gmail.com with the subject "Account Deletion Request". We will process your request within 30 days.
14 Your Privacy Rights
Your Privacy Rights
| Right | What It Means |
|---|---|
| Access | Request a copy of your personal data |
| Rectification | Ask me to correct inaccurate data |
| Erasure | Request deletion of your account and all data |
| Portability | Receive your data in a structured, portable format |
| Objection | Object to certain types of processing |
| Restriction | Request restriction of processing your personal data |
| Withdraw Consent | Disable push notifications at any time via device Settings |
Advertising Consent & Choices
Users in the EEA, UK, and Switzerland may grant, refuse, or withdraw consent for personalized advertising at any time through the in-app "Manage Privacy Choices" option in the Settings menu.
CCPA Rights (California Residents)
- Right to know what data I collect and how it is used
- Right to request deletion of your personal information
- Right to opt out of the sale of personal information — I do not sell your data
- Right to non-discrimination for exercising these rights
To exercise any right, email support.ortio@gmail.com. I will respond within 30 days.
15 App Permissions
You can revoke any permission at any time from Settings → Apps → Ortio → Permissions on your Android device.
16 Children's Privacy
Ortio is not intended for children under 13 years of age (or 16 in the EU). I do not knowingly collect personal information from children.
If you are a parent or guardian and believe your child has created an account, please contact me immediately at support.ortio@gmail.com and I will delete the account and all associated data promptly.
17 International Data Transfers
Your data is processed and stored on infrastructure operated by Supabase and Google (Firebase), which may be located in the United States or other countries outside your country of residence.
For EU users, such transfers are covered by appropriate safeguards (such as Standard Contractual Clauses) as implemented by these providers. By using Ortio, you acknowledge this.
18 Changes to This Policy
If I make significant changes to this Privacy Policy, I will:
- Notify you via a push notification or in-app message
- Update the "Last Updated" date at the top of this page
Continued use of Ortio after changes constitutes your acceptance of the updated policy.
19 Contact
Questions or Requests?
For any privacy-related questions, data access requests, or account deletion, reach out directly:
support.ortio@gmail.comEU Residents: You have the right to lodge a complaint with your national data protection authority. Find your DPA at: edpb.europa.eu
California Residents: Contact the CPPA at: cppa.ca.gov