Privacy Policy

We collect the following types of information to provide our AI English tutoring service:

• Personal Information: Name, email address, and profile picture (via authentication providers like Clerk).
• Onboarding Data: Age, nickname, English experience level, learning goals, and avatar preferences collected during registration.
• Audio Data: Voice recordings captured during practice sessions for pronunciation analysis. These are processed in real-time by Azure AI Speech Services and may be stored temporarily for feedback purposes.
• Chat Data: Conversations with our AI tutor, including text messages and voice messages exchanged during learning sessions.
• Learning Progress Data: Lesson completion, pronunciation scores (accuracy, fluency, completeness, prosody), XP points, streaks, achievements, and daily goals.
• Usage Data: Information about how you interact with our service, including session duration and feature usage.
• Technical Data: IP address, browser type, device information, and cookies.

We process your data for the following specific purposes:

• To provide and personalize the AI tutoring experience based on your learning level and goals.
• To analyze pronunciation and provide detailed feedback (using Azure AI Speech Services).
• To power AI-driven conversations with our tutoring chatbot (using OpenAI).
• To manage your account and track your learning progress, achievements, and streaks.
• To improve our services and develop new features.
• To ensure the security and integrity of our platform.
• To comply with legal obligations.
• To detect and prevent fraud, abuse, or illegal activities.

Heartman is designed as an educational platform that may be used by children learning English. We take children's privacy seriously and comply with applicable child protection laws including COPPA (Children's Online Privacy Protection Act).

• We collect only the minimum information necessary to provide our educational services.
• For users under 13 years of age, we require parental consent before collecting personal information.
• Parents or guardians may review, modify, or request deletion of their child's personal information by contacting us.
• We do not target advertising to children or share children's data with third parties for marketing purposes.
• Voice recordings from children are processed solely for pronunciation assessment and are not used for any other purpose.

If you are a parent or guardian and believe we have collected information from your child without proper consent, please contact us immediately at privacy@heartman.com.

In accordance with Israeli law, GDPR, and other applicable privacy laws, you have the following rights regarding your personal data:

• Right to Access: You may request to review the information we hold about you. This right may normally be exercised free of charge.
• Right to Rectification: You may request to correct any inaccurate or incomplete data.
• Right to Deletion (Right to be Forgotten): You may request the deletion of your personal information, subject to legal retention requirements.
• Right to Object: You may object to the processing of your data for direct marketing purposes or profiling.
• Right to Data Portability: You may request to receive your personal data in a structured, commonly used, and machine-readable format, and transmit it to another controller.
• Right to Restrict Processing: You may request that we limit the processing of your personal data in certain circumstances.
• Right to Withdraw Consent: Where processing is based on consent, you may withdraw your consent at any time without affecting the lawfulness of prior processing.
• Right to Lodge a Complaint: You have the right to lodge a complaint with your local data protection supervisory authority.

To exercise these rights, please contact our Privacy Officer at: privacy@heartman.com

You may use an authorized agent to submit a request on your behalf if you provide the authorized agent written permission signed by you. We will respond to your request within the timeframes required by applicable law.

We implement robust information security measures in accordance with the Privacy Protection Regulations (Data Security), 5777-2017. These measures include encryption, access controls, secure protocols (HTTPS), and regular security assessments to protect your data from unauthorized access, alteration, or destruction.

However, please note that no method of transmission over the internet or electronic storage is 100% secure. While we strive to protect your personal data, we cannot guarantee absolute security. Please take appropriate measures to protect your login credentials and device security.

We retain your personal data as follows:

• Account Data: Retained until you delete your account or request deletion.
• Learning Progress: Retained for the duration of your account to provide continuity in your learning journey.
• Voice Recordings: Processed in real-time for pronunciation assessment; temporary recordings may be stored for up to 30 days for quality improvement.
• Chat Sessions: Retained for 30 days after completion, then automatically cleaned up.
• Audit Logs: Retained for up to 2 years for security and compliance purposes.

We may retain your data for longer periods where required by law, for legal claims, or for legitimate business purposes such as tax and accounting requirements.

We may share your data with trusted third-party service providers who assist us in operating our service. Some of these providers may be located outside of Israel (e.g., cloud infrastructure in the US or EU).

Key third-party processors include:

• Microsoft Azure: Cloud hosting, AI Speech Services for pronunciation assessment and text-to-speech.
• OpenAI: Large language model (LLM) powering our AI tutor conversations.
• Clerk: Secure user authentication and identity management.
• Vercel: Website hosting and analytics (privacy-friendly analytics).
• Langfuse: LLM observability and monitoring for service quality.
• PostgreSQL Database: Secure storage of user data and learning progress.

We ensure that any international transfer of data complies with the Privacy Protection Regulations (Transfer of Data to Databases Abroad), ensuring adequate protection for your information through appropriate contractual safeguards.

We may also share data with regulators, courts, or law enforcement when required by law, or with professional advisors, or in connection with business transactions such as mergers or acquisitions.

We use cookies to enhance your browsing experience and analyze site traffic. You have the option to accept or decline non-essential cookies through our cookie consent banner. Essential cookies required for the site's functionality (e.g., login sessions) cannot be disabled.

Types of cookies we use:

• Essential Cookies: Required for authentication and core functionality.
• Analytics Cookies: Help us understand how visitors interact with our website.
• Preference Cookies: Remember your settings and preferences.

Vercel Analytics: We use Vercel Analytics, a privacy-friendly analytics tool that helps us understand website usage patterns without collecting personally identifiable information. Vercel Analytics is designed to be GDPR-compliant and does not use cookies for tracking.

Langfuse: We use Langfuse to monitor and improve our AI tutor's performance. This tool helps us track conversation quality and identify areas for improvement in our educational content. Data processed through Langfuse is used solely for service improvement.

We reserve the right to add or remove analytics tools as needed to improve our services. Any significant changes will be reflected in updates to this Privacy Policy.

If you are a California resident, you have additional rights under the California Consumer Privacy Act (CCPA):

• Right to Know: You can request information about the categories and specific pieces of personal information we have collected about you.
• Right to Delete: You can request deletion of your personal information, subject to certain exceptions.
• Right to Opt-Out: You have the right to opt-out of the sale of your personal information. Note: We do not sell your personal information.
• Right to Non-Discrimination: You will not receive discriminatory treatment for exercising your privacy rights.

California Civil Code Section 1798.83 permits California residents to request certain information regarding our disclosure of personal information to third parties for their direct marketing purposes. We do not share personal information with third parties for their direct marketing purposes.

To exercise your California privacy rights, please contact us at privacy@heartman.com.

Should you decide to delete your account, you may do so by emailing privacy@heartman.com with the subject line "Account Deletion Request".

Upon account deletion:

• Your profile information and learning progress will be permanently deleted.
• Voice recordings and chat history associated with your account will be removed.
• Some anonymized, aggregated data may be retained for analytics purposes.
• Data required for legal compliance may be retained for the legally mandated period.

Marketing Opt-Out: To stop receiving marketing emails, you can use the unsubscribe link in any marketing email, or send an email with the subject "UNSUBSCRIBE" to privacy@heartman.com.

If you have any questions about this Privacy Policy, wish to exercise your rights, or have concerns about our data practices, please contact us:

We encourage you to contact us first before reaching out to regulatory authorities. We will make every reasonable effort to address your concerns and resolve any issues promptly.

This Privacy Policy may be updated from time to time. We will notify you of significant changes by posting a notice on our website or through other appropriate means. Please check back periodically for updates.