Privacy Policy
Last updated: May 2026
Who we are
PalmSpeak is a small, independent language-learning app that helps people practise conversation in Korean, Thai, Chinese, Japanese, Spanish, French, German, English, Italian, and Portuguese. You can chat with our AI tutor or, if you prefer, jump into a live voice conversation with a real native speaker. This Privacy Policy explains what data we collect when you use PalmSpeak, why we collect it, and what choices you have over it.
We've tried to write this in plain English. If anything is unclear, please email us at [email protected] and we'll do our best to explain.
In this policy, "we", "us", and "PalmSpeak" refer to the operator of palmspeak.com. "You" refers to anyone using the app, whether on the web or as an installed Progressive Web App (PWA).
What data we collect
We try to collect only what we need to run the service well. Here's the breakdown.
Account data. When you sign up, we collect your email address and a hashed version of your password. If you choose to sign in with Google, we receive your Google account ID, email address, and (if available) your name and profile picture through Google's OAuth process. You can optionally provide a display name at any time.
Language and learning preferences. To personalise your lessons, we store your target language, your native language, your self-reported proficiency level, and a gender preference used to select the AI voice you hear. You can change any of this from your settings at any time.
Conversation and session data. When you have a conversation in PalmSpeak (with the AI or with a human partner), we store the text of the messages exchanged, any translations generated, and timestamps for the session. This is what powers your session history and lets you review what you said.
Audio recordings. When you speak into the app, your microphone audio is sent to our servers so it can be transcribed into text. For AI sessions, we may also store the resulting audio file in our cloud storage so you can play the conversation back later. We do not use your audio to train AI models, and we do not share it with advertisers.
Vocabulary. Words and phrases you save to your personal word bank, along with their translations and any associated audio, are stored against your account.
Payment data. If you subscribe to PalmSpeak Unlimited, payment is processed by Stripe. We never see or store your card number, CVC, or full billing details. What we do store on our side is the Stripe customer ID and subscription ID that link your account to your subscription, plus the plan you're on and its renewal date.
Usage analytics. We use PostHog to understand how people use the app — for example which features get used, where people get stuck, and which sessions lead to learning progress. PostHog sets cookies and collects events such as page views, button clicks, and session start/end events, along with a device identifier. You can opt out of analytics from your settings.
Cookies. We use a single secure session cookie (named __Host-session) to keep you signed in. PostHog also sets cookies for analytics purposes. We do not use advertising cookies and we do not sell data to advertisers.
Communications. When we send you a transactional email (such as an email verification link, a password reset, or a billing receipt), we keep a record that the email was sent.
How we use your data
We use your data to provide the service you signed up for. That means transcribing your speech so you can have a conversation, generating responses from our AI tutor, matching you with a human partner when you choose live chat, saving your vocabulary, tracking your subscription status, and letting you review past sessions.
We use analytics data to understand which parts of PalmSpeak are working and which aren't, so we can improve the product. This is aggregated, behavioural data — we're looking at trends, not reading your conversations.
We use communications data (your email address) to send you the operational emails you need to use the service: verification, password resets, billing receipts, and important updates about your account or material changes to the service. We do not send marketing emails unless you've explicitly opted in.
We also use a minimum amount of data to keep the service safe. If we receive a report that a user is harassing a human chat partner, we may review the relevant session transcript to investigate. We don't proactively monitor private conversations.
Third-party services
PalmSpeak is built by a small team and we rely on a handful of trusted third-party services to operate. When you use PalmSpeak, some of your data is necessarily shared with these providers so they can do their job. Each has its own privacy policy, which we encourage you to read.
Stripe handles all payment processing for our paid subscriptions. When you subscribe, your payment details go directly to Stripe — we never see them. Stripe's privacy policy is available at stripe.com/privacy.
Cloudinary is our cloud storage provider for audio files and any images we serve. Audio recordings from your sessions may be stored there. Cloudinary's privacy policy is available at cloudinary.com/privacy.
PostHog is our product analytics provider. Usage events and a device identifier are sent to PostHog so we can understand how the app is being used. PostHog's privacy policy is available at posthog.com/privacy.
Google is the identity provider if you choose to sign in with Google. We receive a minimal profile from Google to create your account; you authenticate with Google directly. Google's privacy policy is available at policies.google.com/privacy.
We may also use a transactional email provider to send verification and password reset emails. We do not share your data with any other parties for marketing or advertising purposes.
How long we keep your data
We keep your account data for as long as your account is active. If you delete your account, we delete your profile, language preferences, vocabulary, and session transcripts within 30 days. Audio recordings stored in Cloudinary are deleted on the same schedule.
We keep billing records (the Stripe customer and subscription IDs, plan history, and receipts) for up to 7 years after the last transaction, because we may be required to retain them for tax and accounting purposes.
Anonymised analytics data may be retained for longer to help us understand long-term product trends, but it is not linked to your account once your account is deleted.
If you have an inactive account with no sign-ins for 24 months, we may email you and, if we don't hear back, delete the account and its associated data.
Your rights
Wherever you are in the world, we want you to have meaningful control over your data. If you're in the EU, UK, or another jurisdiction with similar privacy laws (such as GDPR), you have specific legal rights, which we honour for all our users regardless of location.
You have the right to access the personal data we hold about you. You can see most of it directly in your account settings, and you can email [email protected] to request a full export.
You have the right to correct any data that is wrong. Most fields can be edited directly from your settings; for anything you can't change yourself, email us.
You have the right to have your data deleted You can delete your account from your settings at any time, which triggers the 30-day deletion process described above.
You have the right to portability — to receive your data in a machine-readable format so you can take it elsewhere. Email us and we'll send you a JSON export of your account data, vocabulary, and session history.
You have the right to opt out of analytics at any time from your settings, which stops PostHog from receiving further events from your account.
You also have the right to lodge a complaint with your local data protection authority if you believe we've mishandled your data. We'd much rather hear from you first — please email [email protected].
Children's privacy
PalmSpeak is intended for users aged 13 and older. We do not knowingly collect personal data from children under 13. If you believe a child under 13 has signed up for PalmSpeak, please contact us and we'll delete the account and any associated data.
If you are between 13 and the age of digital consent in your country (which is 16 in some EU countries), you should only use PalmSpeak with the permission of a parent or guardian.
Data security
We take reasonable steps to protect your data. Passwords are hashed using a modern hashing algorithm and never stored in plain text. Connections to our service are encrypted in transit (HTTPS). Our database, audio storage, and analytics provider all support encryption at rest. Access to production data is restricted to the people who need it to operate the service.
No system is perfectly secure, but we work hard to keep yours safe, and we'll notify affected users promptly if we ever experience a breach that puts personal data at risk.
International data transfers
PalmSpeak is operated from one location but serves users worldwide. Our third-party providers (Stripe, Cloudinary, PostHog, Google) may process your data in countries other than your own, including the United States. Where required, we rely on standard contractual clauses and the providers' own compliance frameworks to ensure your data is protected to a standard equivalent to that of your home jurisdiction.
Changes to this policy
We may update this Privacy Policy from time to time. When we make material changes, we'll update the "Last updated" date at the top of this page and, if the change significantly affects your rights, we'll email you in advance. Continuing to use PalmSpeak after a change takes effect means you accept the updated policy.
Contact us
If you have any questions about this policy or about how we handle your data, please email us at [email protected]. We aim to respond to all privacy-related enquiries within 7 days.