Privacy Policy

Effective: 2026-05-09 · Operator: IGEARS TECHNOLOGY LIMITED, Hong Kong SAR, China · Governing law: Hong Kong.

Last updated: 2026-05-09

This Privacy Policy explains what personal information IGEARS TECHNOLOGY LIMITED ("we", "us") collects when you use Lingocast on the web, iOS, or Android (the "Service"), how we use it, and the choices you have. We follow the principles of the GDPR, the UK GDPR, PIPEDA, and the California Consumer Privacy Act (CCPA) regardless of where you live.

1. Who we are and how to contact us

IGEARS TECHNOLOGY LIMITED, Hong Kong SAR, China. Privacy and data-rights contact: [email protected].

2. What data we collect

2.1 Account data

Required: email and either a password (hashed with bcrypt) or a verified SSO provider ID (Google, Apple, or Facebook).
Profile: full name, native language, learning language, English level (CEFR self-assessment).

2.2 Usage data

Listening history, vocabulary cards you save, daily usage counters used to enforce free-tier limits.
Crash logs and basic device info (app version, OS, device language) for debugging.
Server-side request logs retained for 30 days for security and abuse prevention.

2.3 Payment data

We never see or store your full card number. Payment processors handle all card data on our behalf:

Web: Stripe collects card details directly. We retain your Stripe customer ID, last-four digits, card brand, and expiry month/year for receipts and tax compliance.
iOS: Apple App Store / StoreKit handles all payment. We receive only a subscription status and an opaque transaction identifier.
Android: Google Play Billing handles all payment. We receive only a subscription status and an opaque purchase token.

2.4 Optional data

OAuth profile data (name, email, avatar) if you sign in with Google, Apple, or Facebook.
Private RSS feed URLs you provide as a Plus subscriber. These are never published; only you can see content generated from them.
Messages you send through the contact form.

3. How we use your data

We use your data strictly to provide and improve the Service, personalise your learning, process payments, and send transactional email (receipts, password reset, security notices). We do not sell or rent personal data, do not run third-party advertising, and do not use your listening history to train AI models.

4. Legal bases (GDPR / UK GDPR)

Purpose	Lawful basis
Provide the Service (login, audio generation, billing)	Contract performance
Service-critical email (receipts, password reset, security)	Contract / Legal obligation
Detect abuse, prevent fraud, keep the Service available	Legitimate interest
Aggregate metrics for product improvement	Legitimate interest
Marketing email (only if you opt in)	Consent (withdrawable any time)

5. Third-party processors

We rely on the following processors. Each is bound by a data-processing agreement, and each maintains its own privacy policy linked below.

Stripe, Inc. — payments (web). stripe.com/privacy
Apple Inc. — App Store / StoreKit subscriptions (iOS). apple.com/legal/privacy
Google LLC — Google Play Billing (Android subscriptions). policies.google.com/privacy
Google LLC — Sign-In SDK (auth). policies.google.com/privacy
Apple Inc. — Sign in with Apple. apple.com/legal/privacy/data/en/sign-in-with-apple
Meta Platforms, Inc. — Facebook Login. facebook.com/privacy/policy
OpenAI, L.L.C. — translation, summarisation, and text-to-speech. We use the API mode that opts out of model training.
Canadian hosting provider — server, database, and object-storage hosting in Canada.

We do not use Google Analytics, Meta Pixel, or any other third-party tracking technology on the Service.

6. Data retention

Account data: kept while your account is active. Deleted within 30 days of account deletion (see Data Deletion).
Server logs: 30 days.
Payment records: up to 7 years to comply with Canadian tax and financial-record-keeping law.
Anonymised aggregate usage statistics may be retained indefinitely (no longer linked to you).
Contact-form messages: 24 months unless an active matter requires longer.

7. Your rights

Subject to local law, you have the right to access, correct, port, restrict processing of, object to processing of, and erase your personal data, and to withdraw any consent you have given. To delete your account immediately, see Data Deletion. For all other requests email [email protected]; we respond within 30 days. We may verify your identity by emailing the address on file.

You also have the right to lodge a complaint with a data-protection authority (e.g. the Office of the Privacy Commissioner of Canada, the ICO in the UK, or your local EU supervisory authority).

8. International transfers

Our backend, database, and object storage run on a Canadian hosting provider with servers located in Canada. When we transfer personal data outside your country (for example to Apple, Google, Meta, Stripe, or OpenAI, which operate global infrastructure) we rely on the GDPR's Standard Contractual Clauses, Canada's PIPEDA accountability framework, or an equivalent safeguard.

9. Children's privacy

The Service is not directed to children under 13, and we do not knowingly collect personal data from them. In the EU/UK, the minimum age is 16, or the lower age set by your country (see Children's Privacy). If you believe a child has created an account, contact us and we will delete it.

10. Security

We encrypt data in transit (TLS 1.2+) and at rest. Passwords are hashed with bcrypt. API keys for paid third parties are encrypted at rest. We run regular vulnerability scans. Despite reasonable safeguards, no system is perfectly secure; we will notify affected users and regulators of any qualifying breach within 72 hours.

11. Changes to this policy

We will email account holders at least 14 days before any material change to this policy. The effective date at the top of this page tracks the current version.

12. Contact

Privacy enquiries: [email protected]. Postal: IGEARS TECHNOLOGY LIMITED, Hong Kong SAR, China.

Questions about this document? Email [email protected].