Privacy Policy
Last updated: May 2026
1. Introduction
NERRA (nerra.online) is an AI-powered English language assessment platform. This Privacy Policy explains what data we collect, how we use it, and your rights regarding your personal information. This policy applies to all users of the platform, including those in the European Union (GDPR), Thailand (PDPA), and Russia (152-FZ).
2. Data Controller
The data controller is Elena Malgina (sole proprietor, self-employed under Russian NPD tax regime).
Contact email: nerra.mobile.dev@gmail.com
3. Data We Collect
3.1 Registration Data
When you sign in via Google or LINE OAuth, we receive and store:
- Email address
- Display name
- Profile picture URL
- OAuth provider ID (Google ID or LINE ID)
- Timestamp of account creation and last login
- Timestamp of privacy policy acceptance
3.2 Assessment Data
When you take the CEFR assessment, we collect:
- Written text responses (Writing module)
- Transcribed text from voice responses (Speaking module)
- Multiple-choice answers (Usage, Reading, Listening modules)
- AI-generated scores and feedback for each module
- Test session metadata (start time, completion status, CEFR result)
3.3 Voice Recordings
During the Speaking module, your voice is recorded and the audio is sent to OpenAI Whisper for transcription. The audio file is held temporarily on our server only for as long as the transcription request takes and is deleted immediately after successful transcription. We do not store voice recordings permanently; only the text transcript is saved. Note that the audio leaves our infrastructure for this step and is processed by OpenAI in the United States (see Section 5).
3.4 User-Generated Content
- Personal vocabulary (words saved via the dictionary feature)
- Flashcard sets
- Messages in the curator chat
3.5 Technical Data
- IP address (used only for rate limiting and not stored in our database; it may appear in the request context of error reports sent to Sentry, see Section 5)
- JWT authentication token (issued at sign-in and held in your browser's localStorage; see Sections 6 and 9)
4. How We Use Your Data
We use your data for the following purposes:
- To provide the CEFR language assessment service
- To generate AI-powered evaluation and feedback
- To store your test history and learning progress
- To enable communication with a human curator (if you opt in)
- To send service-related emails (via Resend)
- To monitor errors and improve service quality (via Sentry)
- To understand user behavior and improve the product (via PostHog)
5. Third-Party Data Processing
We share data with the following third-party processors:
| Service | Data Shared | Purpose & Region |
|---|---|---|
| OpenAI Whisper | Voice audio (temporary) | Speech-to-text transcription. Servers in USA. |
| OpenAI GPT-4o | Text responses + task prompts | AI evaluation of Speaking and Writing. Servers in USA. |
| Supabase | All user data (database) | Data storage (PostgreSQL). Region: verify with provider. |
| Cloudflare R2 | Audio files for Listening module | Static file hosting. No user data stored. |
| PostHog (EU) | Anonymous usage events | Product analytics. EU servers. |
| Sentry (EU) | Error logs (may include request context) | Error monitoring. EU servers. |
| Resend | Email address | Transactional emails. |
Cross-border transfer: your text responses and voice recordings are processed by OpenAI, whose servers are located in the United States. By using the Speaking and Writing modules, you consent to this transfer.
6. Cookies and Analytics
We use PostHog for product analytics. PostHog tracking is disabled by default and activated only after you provide consent (opt-in model).
We use JWT tokens stored in your browser's localStorage for authentication. These are not cookies but serve a similar purpose. We do not use Google Analytics or Yandex.Metrica.
7. Data Retention
- Account data: stored until you request account deletion
- Test results and transcripts: stored until account deletion
- Voice recordings: deleted immediately after transcription (not stored)
- Vocabulary and flashcards: stored until account deletion
- Authentication tokens: user tokens expire after 4 hours; curator tokens after 8 hours
8. Your Rights
Depending on your jurisdiction, you have the following rights:
Under GDPR (EU)
- Right to access your personal data
- Right to rectification of inaccurate data
- Right to erasure (right to be forgotten)
- Right to data portability
- Right to object to processing
Under PDPA (Thailand)
- Right to access and obtain a copy of your data
- Right to request deletion
- Right to withdraw consent
- Right to data portability
Under 152-FZ (Russia)
- Right to access your personal data
- Right to request correction or deletion
- Right to withdraw consent for data processing
To exercise any of these rights, contact us at nerra.mobile.dev@gmail.com.
9. Data Security
We implement the following security measures:
- Row Level Security (RLS) policies on all database tables restrict every query to the rows belonging to the authenticated user, so one user cannot read or modify another user's data
- Curator passwords are hashed with bcrypt (regular users have no password; they authenticate only through Google or LINE OAuth)
- Content Security Policy (CSP) with nonce-based script validation, so only scripts carrying the per-response nonce are executed by the browser
- Rate limiting on API endpoints to prevent abuse
- HTTPS (TLS) encryption of all traffic in transit, provided by our hosting providers Vercel and Render
Known limitation: JWT tokens are stored in browser localStorage. localStorage is readable by any script running in the page, so a cross-site scripting (XSS) vulnerability could expose a user's token; the nonce-based CSP above and the short token lifetime (Section 7) reduce this risk but do not remove it. We plan to migrate to httpOnly cookies, which scripts cannot read, in a future update.
10. Children's Privacy
This service is not intended for children under the age of 13. We do not knowingly collect personal data from children. If you believe a child has provided us with personal data, please contact us at nerra.mobile.dev@gmail.com.
11. Changes to This Policy
We may update this Privacy Policy from time to time. The updated version will be posted at nerra.online/privacy with a revised date.
12. Contact
If you have questions about this Privacy Policy or want to exercise your rights:
- Email: nerra.mobile.dev@gmail.com
- Data Controller: Elena Malgina