Rwendo Privacy Policy

Effective Date: 1 May 2026 Last Updated: 1 May 2026 Version: 1.0

1. WHO WE ARE

Rwendo ("we", "us", "our") is a language learning and AI companion platform operated as a sole trader based in Australia. Our platform is accessible via the Rwendo mobile application ("App") available on iOS and Android.

Contact: Email: privacy@rwendo.app For privacy complaints and data requests, contact us at the above email. We will respond within 30 days.

2. WHAT THIS POLICY COVERS

This Privacy Policy explains:

• What personal information we collect about you
• How and why we use it
• Who we share it with
• How we protect it
• Your rights regarding your information
• How to contact us about your information

By using the Rwendo App, you agree to the collection and use of information as described in this Policy. If you do not agree, you must not use the App.

This Policy applies to all users of the Rwendo App, including:

• Users of language learning features
• Users of AI companion features
• Users of voice features
• Visitors to our website

3. INFORMATION WE COLLECT

3.1 Information You Provide Directly

Account Registration:

• Full name or display name
• Email address
• Password (stored as encrypted hash — we never see your actual password)
• Date of birth / age
• Gender identity (optional — used only to personalise AI responses)

Profile & Preferences:

• Interface language preference
• Language you are learning
• Current language ability level
• Reasons for using Rwendo
• Daily learning goals and time commitment
• Personal learning challenges you identify

Companion Configuration (if using AI Companion features):

• Type of companion you want (friend, study buddy, work support)
• Topics you want to discuss
• Personality preferences for Rwen
• Optional personal context you choose to share (e.g., who you want to speak a language with)
• Any personal information you share during conversations with Rwen

Payment Information:

• We do not directly collect or store payment card details
• Payment is processed via Apple Pay, Google Pay, or through the App Store/Google Play billing systems
• We receive transaction confirmations and subscription status via RevenueCat (our subscription management service)

3.2 Information Collected Automatically

Device & Technical Information:

• Device type, model, and operating system version
• App version
• Device identifier (anonymised)
• IP address (used for security and to estimate your country/region)
• Crash reports and error logs
• App performance data

Usage Information:

• Lessons completed and in-progress
• XP earned and streak data
• Features used and frequency
• Time spent in-app
• Buttons tapped and navigation patterns

3.3 Voice Data

When you use voice features (speech-to-text input):

• We record your voice via your device microphone
• The audio recording is transmitted to ElevenLabs for real-time speech-to-text conversion
• Your voice recording is deleted by ElevenLabs within 24 hours of processing
• We do not store voiceprints — no voice identification profile is created or retained
• We do not use your voice to identify you
• We retain the text transcript of what you said (treated as conversation data per Section 3.1)

3.4 Conversation Data

When you interact with Rwen (our AI companion):

• Your typed or transcribed messages are sent to Anthropic's Claude API for processing
• Rwen's responses generated by Claude are sent back to you
• Conversation history is stored in our database (Supabase) to provide continuity of experience
• Anthropic does not use API conversations to train its AI models

3.5 Children's Information

We do not knowingly collect personal information from children under 13 without verifiable parental consent. See Section 9 (Children's Privacy) for full details.

4. HOW WE USE YOUR INFORMATION

4.1 Providing the Service (Contract)

• Creating and managing your account
• Delivering personalised language lessons based on your level and goals
• Enabling AI companion conversations with Rwen
• Processing subscriptions and payments
• Saving and syncing your learning progress across devices
• Sending transactional communications (account confirmation, receipts, password resets)

4.2 Personalising Your Experience (Legitimate Interests)

• Adapting lesson content and difficulty to your ability level
• Generating AI responses tailored to your learning goals, personal context, and preferences
• Building Rwen's system prompt from your profile data to create relevant, personalised interactions
• Recommending content and features relevant to your learning path
• Tracking streak and XP progress

4.3 Safety and Security (Legitimate Interests)

• Detecting and preventing fraud, abuse, and unauthorised access
• Monitoring conversations for content that violates our Terms of Service
• Protecting the rights and safety of our users and third parties
• Complying with legal obligations

4.4 Service Improvement (Legitimate Interests)

• Analysing anonymised usage patterns to improve features
• Identifying and fixing bugs and errors
• Developing new features and content

4.5 Legal Compliance

• Complying with applicable laws, regulations, and legal processes
• Enforcing our Terms of Service
• Responding to lawful requests from regulatory authorities

4.6 With Your Consent

• Voice processing (speech-to-text and text-to-speech features)
• Any other processing for which we specifically request your consent
• You may withdraw consent at any time (see Section 10)

5. ARTIFICIAL INTELLIGENCE PROCESSING

5.1 How Rwen Works

Rwen's responses are generated by Anthropic's Claude API, a large language model AI system. When you send a message to Rwen:

1. Your message (and relevant conversation history) is sent from our servers to Anthropic's API
2. Anthropic's Claude model processes the request and generates a response
3. The response is returned to our servers and displayed to you

5.2 What Anthropic Receives

Anthropic receives your:

• Conversation messages (text)
• A system prompt we provide that includes relevant profile information (your name, learning goals, language level) to personalise responses
• No payment information
• No voice recordings (voice is converted to text before reaching Claude)

5.3 Anthropic's Data Practices

Critically important: Anthropic's API service does not use your conversations to train its AI models. This is confirmed in Anthropic's API usage policy. Your conversations are:

• Processed in real-time to generate your response
• Retained by Anthropic for up to 30 days for safety monitoring and abuse detection
• Deleted after 30 days
• Never used for model training

We have incorporated Anthropic's data processing terms into our service. You can review Anthropic's privacy practices at: privacy.claude.com

5.4 AI Accuracy and Limitations

Rwen may provide inaccurate language guidance, incorrect translations, or culturally inappropriate suggestions. AI responses should not be treated as authoritative teaching. We accept no liability for reliance on AI-generated content. See our Terms of Service for full disclaimer.

5.5 AI Transparency

As required by the EU AI Act (Article 50) and applicable regulations: Rwen is an artificial intelligence system, not a human. You are interacting with AI software, not a person. We will never conceal this fact.

6. VOICE PROCESSING (ELEVENLABS)

6.1 Text-to-Speech (Rwen's Voice)

When Rwen speaks to you:

• Rwen's response text is sent to ElevenLabs' API
• ElevenLabs converts the text to voice audio using a pre-configured voice model
• The audio file is returned and played on your device
• No personal data about you is sent to ElevenLabs for text-to-speech

6.2 Speech-to-Text (Your Voice Input)

When you speak to Rwen:

• Your voice recording is captured on your device
• The audio is sent to ElevenLabs' speech-to-text service
• ElevenLabs transcribes your speech to text
• The text transcript is returned to us and used as your message input
• Your voice audio is deleted by ElevenLabs within 24 hours
• We do not retain audio recordings
• We do store the text transcript as part of your conversation history

6.3 Voice Consent

Your consent to voice processing is required and recorded separately before you use voice features. You may withdraw this consent at any time in Settings → Privacy → Voice Features. Withdrawing consent disables voice input/output.

6.4 Illinois BIPA Compliance

For users in Illinois, USA: Your voice data constitutes biometric information under the Illinois Biometric Information Privacy Act (BIPA, 740 ILCS 14). By consenting to voice features, you consent to the collection, processing, and limited retention of your voice as described above. Our voice data retention policy: audio is deleted within 24 hours; no voiceprints are created or stored beyond this period.

7. THIRD-PARTY SERVICES

We share your information with the following services to provide the Rwendo platform. Each is a data processor acting on our instructions:

7.1 Supabase (Database & Authentication)

• What they receive: Account credentials (encrypted), learning progress, conversation history, profile data
• Purpose: Secure database storage and user authentication
• Location: USA (with appropriate transfer safeguards)
• Their policy: supabase.com/privacy
• DPA: supabase.com/dpa

7.2 Anthropic (Claude AI)

• What they receive: Conversation messages, personalised system prompt (including your name and learning context)
• Purpose: Generating AI responses for Rwen
• Location: USA
• Their policy: privacy.claude.com
• Data training: API data is NOT used for model training
• Retention: 30 days for safety monitoring only

7.3 ElevenLabs (Voice Processing)

• What they receive: Text (for TTS); Voice audio (for STT)
• Purpose: Converting text to Rwen's voice; transcribing your voice to text
• Location: USA
• Their policy: elevenlabs.io/privacy
• Voice retention: Audio deleted within 24 hours

7.4 RevenueCat (Subscription Management)

• What they receive: User ID, subscription status, purchase events
• Purpose: Managing subscriptions and in-app purchases across iOS and Android
• Location: USA
• Their policy: revenuecat.com/privacy
• Payment data: RevenueCat does not receive full payment card details; these are handled by Apple/Google

7.5 Apple App Store / Google Play

• What they receive: Payment information for in-app purchases
• Purpose: Processing subscription payments
• Their policies: apple.com/privacy | policies.google.com/privacy

7.6 No Other Sharing

We do not sell, rent, or trade your personal information to any third party for their marketing purposes. We do not share your data with advertisers. We do not share your data with data brokers.

We may share information if legally required (e.g., valid court order, law enforcement request). We will notify you of such requests where legally permitted.

8. DATA RETENTION

| Data Type | Retention Period | Why | |---|---|---| | Account information (name, email, age) | Duration of account + 30 days after deletion | To resolve disputes after closure | | Learning progress (XP, lessons, streaks) | Duration of account + 30 days | Continuity and dispute resolution | | Conversation history | 12 months rolling | To provide continuity of companion experience | | Voice audio recordings | 24 hours maximum | Deleted by ElevenLabs after STT processing | | Voice text transcripts | 12 months rolling (part of conversation history) | Conversation continuity | | Payment records | 7 years | Australian tax law and accounting requirements | | Device logs and crash data | 90 days | Bug fixing and security monitoring | | Anonymised analytics | Indefinitely (not linked to you) | Product improvement |

Account Deletion: When you delete your account, we delete your personal information within 30 days, except where we are required by law to retain it (e.g., financial records for 7 years).

9. CHILDREN'S PRIVACY

9.1 Age Requirements

• Minimum age: 13 years old (or equivalent in your jurisdiction)
• Full features (including AI Companion): 18 years old recommended; users aged 13-17 may have companion features restricted
• Under 13: We do not knowingly collect personal information from children under 13 without verified parental consent

9.2 Age Verification

We ask for your date of birth or age during registration to comply with applicable children's privacy laws. We implement a neutral age-screening mechanism (date of birth entry).

9.3 Under-13 Users

If we learn that a user is under 13 without verified parental consent:

• We immediately restrict data collection
• We suspend access to personal-data-collecting features
• We prompt the user to have a parent or guardian contact us
• We delete any data collected without consent

To obtain parental consent for a child's account, parents should contact: privacy@rwendo.app

9.4 Users Aged 13-17

For users between 13 and 17:

• Language learning features are available
• AI Companion features may be restricted or limited to age-appropriate interactions
• We do not use data of users under 18 for behavioural advertising or profiling for commercial purposes
• A parent or guardian may request access to, correction of, or deletion of their child's data

9.5 Children's Data Rights

Parents and guardians of users under 18 may:

• Request access to their child's data by contacting privacy@rwendo.app
• Request deletion of their child's data
• Withdraw consent for ongoing data collection
• We will respond to verified parental requests within 30 days

10. YOUR RIGHTS

10.1 Rights Available to All Users

Right to Access: Request a copy of the personal information we hold about you. Access via: Settings → Privacy → Download My Data, or email privacy@rwendo.app

Right to Deletion: Delete your account and all associated personal data. Available via: Settings → Account → Delete Account. Note: some data may be retained for legal compliance (see Section 8).

Right to Correction: Update inaccurate personal information via: Settings → Edit Profile, or contact privacy@rwendo.app

Right to Withdraw Consent: Withdraw consent for specific processing (e.g., voice features) via: Settings → Privacy. Note: withdrawal does not affect processing completed before withdrawal.

10.2 Additional Rights for EU/UK Users (GDPR)

Right to Restrict Processing: Request temporary restriction of processing while disputing data accuracy.

Right to Data Portability: Receive your data in a structured, machine-readable format (JSON/CSV).

Right to Object: Object to processing based on legitimate interests.

Automated Decision-Making: You have the right not to be subject to decisions made solely by automated processing where those decisions significantly affect you. Rwendo does not make significant automated decisions about users without human oversight.

Right to Complain: Lodge a complaint with your relevant supervisory authority:

• UK: Information Commissioner's Office — ico.org.uk
• EU: Your national data protection authority
• Australia: Office of the Australian Information Commissioner — oaic.gov.au

10.3 Additional Rights for Australian Users

Under the Australian Privacy Act 1988:

• You may request access to your personal information we hold
• You may request correction of inaccurate information
• You may complain to the OAIC if we do not resolve your complaint satisfactorily
• We will respond to access and correction requests within 30 days

10.4 Exercising Your Rights

To exercise any right, contact: privacy@rwendo.app Response time: 30 days (we aim for faster) We may need to verify your identity before acting on requests.

11. INTERNATIONAL DATA TRANSFERS

Your information may be transferred to and processed in countries outside your own, including the United States of America, where our service providers (Anthropic, ElevenLabs, Supabase, RevenueCat) operate.

For EU/UK Users: We transfer data to the USA under:

• EU-US Data Privacy Framework (where vendors participate)
• Standard Contractual Clauses (SCCs) approved by the European Commission

For Australian Users: We take reasonable steps to ensure overseas recipients handle your information consistently with the Australian Privacy Principles, including reviewing vendor privacy policies and data processing agreements.

For All Users: Each third-party service we use (see Section 7) has its own data transfer compliance mechanisms. We have reviewed these and are satisfied they provide adequate protection.

12. SECURITY

We implement reasonable security measures including:

• Encryption of data in transit (TLS/SSL)
• Encryption of data at rest
• Access controls limiting who can access your data
• Regular security reviews
• Secure authentication (password hashing, session management)

No method of transmission over the internet is 100% secure. We cannot guarantee absolute security. In the event of a data breach that poses a risk of harm to you, we will notify you and relevant authorities as required by law.

13. CHANGES TO THIS POLICY

We may update this Privacy Policy from time to time. We will:

• Update the "Last Updated" date at the top of this Policy
• Notify you of material changes via in-app notification and/or email
• Where required by law, obtain your fresh consent for material changes

Continued use of the App after changes take effect constitutes your acceptance of the updated Policy.

14. CONTACT AND COMPLAINTS

Privacy contact: privacy@rwendo.app

Response time: We aim to respond within 14 business days, and will respond within 30 days as required by law.

If you are not satisfied with our response:

• EU/UK: Contact your national data protection authority or the ICO
• Australia: Contact the OAIC (oaic.gov.au)
• USA: Contact the FTC (ftc.gov) for COPPA matters

This Privacy Policy was last reviewed on 1 May 2026 and is written in plain English to be as clear and accessible as possible.