Privacy Policy
Last updated: June 2026
1. Introduction
NERRA is an AI-powered English language learning platform available as a web application (nerra.online) and mobile applications (iOS and Android). This Privacy Policy explains what data we collect, how we use it, and your rights regarding your personal information. This policy applies to all users of the platform across all platforms (web, iOS, Android), including those in the European Union (GDPR), Thailand (PDPA), and Russia (152-FZ).
2. Data Controller
The data controller is Elena Malgina, individual developer based in Thailand.
Contact email: privacy@nerra.online
3. Data We Collect
3.1 Registration Data
When you sign in via Google or LINE OAuth, we receive and store:
- Email address
- Display name
- Profile picture URL
- OAuth provider ID (Google ID or LINE ID)
- Timestamp of account creation and last login
- Timestamp of privacy policy acceptance
3.2 Assessment Data
When you take the CEFR assessment, we collect:
- Written text responses (Writing module)
- Transcribed text from voice responses (Speaking module)
- Multiple-choice answers (Usage, Reading, Listening modules)
- AI-generated scores and feedback for each module
- Test session metadata (start time, completion status, CEFR result)
3.3 Voice Recordings
This is important: during the Speaking module, your voice is recorded and sent to OpenAI Whisper for transcription. The audio file is stored temporarily on our server and deleted immediately after successful transcription. We do not store your voice recordings permanently. Only the text transcript is saved.
3.4 User-Generated Content
- Personal vocabulary (words saved via the dictionary feature)
- Flashcard sets
- Messages in the curator chat
3.5 Technical Data
- IP address (used for rate limiting only, not stored in the database)
- JWT authentication token (stored in browser localStorage on web; in encrypted Keychain/Keystore on mobile)
3.6 Mobile App Data
When you use the NERRA mobile app (iOS/Android), we additionally collect:
- Game results and vocabulary learning progress
- Device push notification tokens (for lesson reminders, if enabled)
- Locally cached word sets (stored on-device for offline play, not transmitted)
The mobile app does not access your contacts, camera, microphone, or location. Advertising (Google AdMob) uses the device advertising identifier only with your consent (ATT prompt on iOS).
4. How We Use Your Data
We use your data for the following purposes:
- To provide the CEFR language assessment service
- To generate AI-powered evaluation and feedback
- To store your test history and learning progress
- To enable communication with a human curator (if you opt in)
- To send service-related emails (via Resend)
- To monitor errors and improve service quality (via Sentry)
- To understand user behavior and improve the product (via PostHog)
5. Third-Party Data Processing
We share your data with the following third-party services:
| Service | Data Shared | Purpose & Region |
|---|---|---|
| OpenAI Whisper | Voice audio (temporary) | Speech-to-text transcription. Servers in USA. |
| OpenAI GPT-4o | Text responses + task prompts | AI evaluation of Speaking and Writing. Servers in USA. |
| Supabase | All user data (database) | Data storage (PostgreSQL). Region: verify with provider. |
| Cloudflare R2 | Audio files for Listening module | Static file hosting. No user data stored. |
| PostHog (EU) | Anonymous usage events | Product analytics. EU servers. |
| Sentry (EU) | Error logs, session replays (anonymized screen recordings of user interactions for debugging) | Error monitoring and session replay. EU servers. Replays capture page interactions but mask all text input fields by default. |
| Resend | Email address | Transactional emails. |
| Lemon Squeezy | Email address, payment data (processed by Lemon Squeezy, not stored by us) | Subscription and payment processing for web purchases. Subject to Lemon Squeezy's Privacy Policy. |
| Google AdMob | Advertising ID (GAID/IDFA), approximate location | Ad serving in mobile app. ATT consent required on iOS. Servers in USA. Subject to Google's Privacy Policy. |
Cross-border transfer: your text responses and voice recordings are processed by OpenAI, whose servers are located in the United States. By using the Speaking and Writing modules, you consent to this transfer.
6. Cookies and Analytics
We use PostHog for product analytics. PostHog tracking is disabled by default and activated only after you provide consent (opt-in model).
On the web, we use JWT tokens stored in your browser's localStorage for authentication. On mobile apps (iOS/Android), tokens are stored in the platform's encrypted secure storage (Keychain on iOS, Keystore on Android). We do not use Google Analytics or Yandex.Metrica.
7. Data Retention
- Account data: stored until you request account deletion
- Test results and transcripts: stored until account deletion
- Voice recordings: deleted immediately after transcription (not stored)
- Vocabulary and flashcards: stored until account deletion
- Authentication tokens: user tokens expire after 4 hours; curator tokens after 8 hours
8. Your Rights
Depending on your jurisdiction, you have the following rights:
Under GDPR (EU)
- Right to access your personal data
- Right to rectification of inaccurate data
- Right to erasure (right to be forgotten)
- Right to data portability
- Right to object to processing
Under PDPA (Thailand)
- Right to access and obtain a copy of your data
- Right to request deletion
- Right to withdraw consent
- Right to data portability
Under 152-FZ (Russia)
- Right to access your personal data
- Right to request correction or deletion
- Right to withdraw consent for data processing
Under CCPA (California, USA)
- Right to know what personal data is collected and how it is used
- Right to delete personal data
- Right to opt-out of the sale of personal data
- Right to non-discrimination for exercising your privacy rights
We do not sell your personal data. We do not share personal data for cross-context behavioral advertising.
To exercise any of these rights, contact us at privacy@nerra.online or use the account deletion page.
9. Data Security
We implement the following security measures:
- Row Level Security (RLS) on all database tables ensures users can only access their own data
- Passwords (curator) are hashed with bcrypt
- Content Security Policy (CSP) with nonce-based script validation
- Rate limiting on API endpoints to prevent abuse
- HTTPS encryption in transit (via Vercel and Render)
Web: JWT tokens are stored in browser localStorage. Mobile: tokens are stored in encrypted platform secure storage (iOS Keychain / Android Keystore), which is not accessible to other apps.
10. Children's Privacy
This service is not intended for children under the age of 13. We do not knowingly collect personal data from children. If you believe a child has provided us with personal data, please contact us at privacy@nerra.online.
11. Changes to This Policy
We may update this Privacy Policy from time to time. The updated version will be posted at nerra.online/privacy with a revised date.
12. Contact
If you have questions about this Privacy Policy or want to exercise your rights:
- Email: privacy@nerra.online
- Data Controller: Elena Malgina