Legal

Privacy Policy

Last updated: 26 May 2026

1. Who is responsible for your data

The data controller for HearSay is HearSay Learn B.V., Nieuwe Achtergracht 184, 1018WV Amsterdam, the Netherlands, registered with the Dutch Chamber of Commerce under number 98853244.

For privacy questions, write to team@hearsaylearn.com. For messages sent over WhatsApp, Meta Platforms Ireland Ltd. acts as an independent controller of the messaging layer under its own terms.

2. What data we collect and why

We collect only what we need to run the Service:

Identity data

Your WhatsApp phone number and display name, your name, and (if you have an account on our web app) your email address. We use this to deliver lessons to the right person and to contact you about your subscription. Lawful basis: performance of contract.

Learning data

Your target language, level, goals, the topics you choose to practise, your message history with the HearSay agent, lesson progress, transcripts of your role-play calls, and the AI's feedback on them. We use this to personalise your lessons and to show you your progress. Lawful basis: performance of contract; legitimate interest in improving the lessons you receive next.

Payment data

When you subscribe, our payment processor (Stripe) handles the card details — we never see or store your full card number. We do keep a record of the transaction (amount, date, plan, billing address) for accounting and tax purposes. Lawful basis: legal obligation (Dutch tax and accounting law).

Technical data

When you interact with our web pages we log basic technical information such as IP address, device type, and browser type. We use this to keep the service secure, prevent fraud, and debug problems. Lawful basis: legitimate interest.

3. Voice calls and audio

When you end a lesson with a role-play call on WhatsApp, your voice is streamed in real time through our voice infrastructure (LiveKit, hosted in the EU) and converted to text by a speech-to-text provider so the AI can understand what you said and reply. The AI's spoken reply is synthesised by a text-to-speech provider and streamed back to you.

We do not retain the audio of your voice after the call ends. We do retain the text transcript of the call and the AI's pronunciation and feedback assessment, as part of your learning history.

Lawful basis: performance of contract for delivering the call; legitimate interest for keeping transcripts so your future lessons build on what you've already practised. You can object to the retention of transcripts at any time — see Section 8.

4. Who we share data with

To run HearSay we use the following service providers ("sub-processors"). Each one only processes data on our instructions, under a data processing agreement.

Provider What it does Location
CloudflareHosting, edge compute (Workers), and private object storage (R2) for generated lesson audio.Global edge; EU jurisdiction for storage
NeonManaged PostgreSQL database storing your account and learning data.EU
ConvexReal-time backend used for lesson delivery and account state.United States
StripePayment processing.Ireland / United States
Meta (WhatsApp Business)Sends and receives the WhatsApp messages and voice calls that carry your lessons.Ireland / United States
Meta (Facebook Pixel)Marketing analytics and conversion tracking from our website. Only loads after you accept marketing cookies.Ireland / United States
Google (Vertex AI and Cloud Text-to-Speech)Generates lesson text and synthesises spoken audio.EU and United States
OpenRouterRoutes our prompts to different large-language-model providers (which may include OpenAI, Anthropic, and Google) so we can use the best model for each task.United States
LiveKitReal-time voice infrastructure for the end-of-lesson role-play calls.EU
DeepgramSpeech-to-text for role-play calls. Audio is processed in real time. We do not retain it after the call, and under our data processing agreement Deepgram does not retain it for its own purposes or use it to train its models.United States
ResendSends transactional emails (account, billing, support).United States
PostHogProduct analytics. Sent to PostHog's EU instance.EU
AxiomApplication logs and observability data, used to keep the service running and to debug issues.United States

We do not sell your data. When you accept marketing cookies, Meta receives website events for ad measurement and targeting — see Section 7.

5. International data transfers

Some of the providers above are based outside the European Economic Area, mainly in the United States. When we transfer your data to a US-based provider, we rely on the EU–US Data Privacy Framework where that provider is certified, or on Standard Contractual Clauses approved by the European Commission. Together these mechanisms are designed to give your data essentially the same level of protection it has in the EU.

6. How long we keep data

  • Account and learning data: for as long as your account is active. When you ask us to delete it (see Section 8), we remove it from our production systems within 30 days.
  • Voice-call audio: not retained — it is processed in real time during the call and discarded.
  • Role-play transcripts and feedback: retained until you ask us to delete them, or until your account is deleted.
  • Financial records (invoices, payment metadata): retained for seven years, as required by Dutch tax law (Belastingdienst).
  • Server and application logs: retained for up to 90 days for security, debugging, and fraud prevention, then deleted automatically.

7. Cookies

Our marketing website uses a small number of cookies:

  • Essential cookies — needed for the site to work. These include PARAGLIDE_LOCALE (remembers the language you chose) and hearsay-cookie-consent (remembers your cookie preferences).
  • Analytics cookies — placed by PostHog when you agree, so we can understand which parts of the site work and which don't. Sent to PostHog's EU instance.
  • Marketing cookies — placed by the Meta Pixel when you agree, used to measure the effectiveness of our ads on Facebook and Instagram and to target ads to you on those platforms. Data is sent to Meta Platforms Ireland Ltd.

You can change your cookie choices at any time through the cookie banner.

8. Your rights

Under the GDPR, you have the right to:

  • Access the personal data we hold about you.
  • Correct data that is wrong or out of date.
  • Erase your data ("right to be forgotten").
  • Restrict or object to certain types of processing — including objecting to the legitimate-interest processing described in this policy.
  • Portability — receive your data in a structured, commonly used format.
  • Withdraw consent at any time, where we rely on consent.

To use any of these rights, email team@hearsaylearn.com. Because we identify you in WhatsApp by your phone number, please write to us from the number you use with HearSay or include enough information for us to confirm who you are. We respond within one month, as required by the GDPR; if a request is complex we may extend that by up to two further months and will tell you why.

You also have the right to lodge a complaint with a supervisory authority — in the Netherlands, the Autoriteit Persoonsgegevens.

9. Automated personalisation

HearSay uses AI to personalise your lessons based on your level, goals, the topics you have chosen, and your recent practice. This personalisation does not produce legal or similarly significant effects for you — it only changes the lessons you receive next. You can change your goals, topics, and level at any time inside the WhatsApp conversation.

10. Data breaches

If something goes wrong and a breach of your personal data is likely to result in a risk to your rights, we will notify the Autoriteit Persoonsgegevens within 72 hours of becoming aware of it, as required by the GDPR, and we will tell you directly if the risk to you is high.

11. Children's data

HearSay is intended for adults aged 18 or older. We do not knowingly collect personal data from minors. If you believe a minor has used HearSay, please contact us and we will remove their data.

12. Changes to this policy

We update this policy when our practices change. The "Last updated" date at the top tells you when the current version was published. When changes are material — for example, a new sub-processor or a change to how voice data is handled — we will let you know by email or on WhatsApp before the change takes effect.

13. Contact

For any privacy question or to exercise the rights above, email team@hearsaylearn.com.

HearSay Learn B.V. · Nieuwe Achtergracht 184, 1018WV Amsterdam, the Netherlands · KvK 98853244 · VAT NL868671654B01

This policy is published in English. We may publish translations for convenience, but in case of any difference between the English version and a translation, the English version prevails.