Privacy Policy
Last updated: 18 July 2026
Supertaal is designed to work without an account. Most learning data can stay on your device. This policy explains what happens when you use the app locally or choose cloud account sync.
Controller
Supertaal is operated by CTW Studio, Amsterdam, the Netherlands.
- Email: [email protected]
- Website: https://ctw.studio
Data we process
Local use without an account
The app stores vocabulary files, learning progress, review history, favourites, display choices, language choices, and study settings in your browser using IndexedDB and local storage. This data remains under your control on that device and is not sent to Supertaal’s account server unless you sign in and enable synchronization.
Account and synchronization
If you create or use an account, we process:
- your email address, account name, authentication identifiers, and encrypted password credentials or Google sign-in identifier;
- vocabulary progress, review events, favourites, study preferences, and synchronization timestamps;
- security and operational records such as IP address, request time, endpoint, response status, and technical error details. Production request logs are normally retained for five days.
We use this data to create and secure your account, synchronize your learning state, prevent abuse, diagnose failures, and respond to support requests. We do not sell personal data, run behavioural advertising, or use learning data to build advertising profiles.
Feedback
If you send feedback, we process the name and email you choose to provide, your message, category, severity, related page URL, basic browser and viewport details, optional screenshots, submission time, and your account identifier if you are signed in. We use this information to investigate and respond to product reports. Feedback is not publicly readable and is retained only while it remains useful for support, security, or product improvement.
Legal bases
We process account and synchronization data to provide the service you request under Article 6(1)(b) GDPR. Security, limited operational logging, abuse prevention, and service improvement rely on our legitimate interests under Article 6(1)(f). Where consent is legally required, you may withdraw it at any time without affecting earlier lawful processing.
Storage technologies and analytics
Supertaal uses browser storage for essential app functions, preferences, offline learning, and authentication. It does not currently use Google Analytics, advertising pixels, or non-essential tracking cookies. Because no optional tracking is active, there is no marketing-cookie banner. If this changes, we will update this policy and obtain consent where required before activating non-essential tracking.
Service providers and external requests
The app may communicate with:
- Vercel and Cloudflare for website delivery, security, and network logs;
- PocketBase infrastructure operated for CTW Studio for optional accounts and synchronization;
- Google only when you choose Google sign-in;
- CTW Studio object storage when vocabulary-card images are requested;
- Hugging Face only when you choose to download the optional Supertonic voice model. Speech synthesis then runs on your device;
- your browser or operating-system speech provider when built-in speech synthesis is used.
These providers process data under their own terms and may process limited network information outside the European Economic Area using applicable safeguards. Avoid Google sign-in and optional external downloads if you do not want those requests.
Retention
Account data is retained while your account is active. You can permanently delete the account from the account page; related synchronized progress, review events, favourites, and preferences are deleted with it. Deleted data may remain temporarily in restricted disaster-recovery backups until those backups rotate. Local browser data remains on your device until you clear it through your browser or site-storage settings.
Support correspondence is retained only as long as needed to resolve the request and meet legal obligations.
Children
The local learning app is available to a general audience. Children should involve a parent or guardian before creating a cloud account or sending personal information. Where applicable law requires parental authorization for a child’s online account, that authorization must be obtained before account use. Contact us to remove a child’s account or data.
Your rights
Subject to the GDPR, you may request access, correction, deletion, restriction, portability, or objection. You may also withdraw consent and complain to the Dutch Data Protection Authority, the Autoriteit Persoonsgegevens.
Use the account page for direct account deletion or email [email protected]. We may need to verify that a request concerns your account.
Security and changes
We use HTTPS, owner-scoped database rules, access controls, short-lived operational logs, and reasonable technical safeguards. No internet service is risk-free. Please report suspected security issues privately to [email protected].
We may update this policy as the service changes. Material changes will be posted here with a revised date.