Privacy Policy

Last Updated: September 7, 2025

1. Introduction

The Vernara Global Technologies project ("we," "our," or "us") is an initiative that operates the Spelly service. At present the Project is run by its founders and is not necessarily a formally incorporated company. References in this Privacy Policy to "Vernara Global Technologies" should be read as referring to the project and its operators until such time as a formal legal entity is created and this policy is updated. The Project provides language learning and speech assessment tools through our website and applications (the "Services"). We are committed to protecting your privacy and handling your personal data with the utmost care, transparency, and security. This Privacy Policy explains in detail what personal data we process, why we process it, how long we keep it, the choices you have, and your rights under applicable privacy laws.

This Privacy Policy has been designed to comply with multiple jurisdictions including the Swiss Federal Act on Data Protection (nDSG), the European Union General Data Protection Regulation (GDPR), the United Kingdom Data Protection Act 2018, and applicable United States privacy laws including state-level legislation such as the California Consumer Privacy Act (CCPA) and Virginia Consumer Data Protection Act (VCDPA). We recognize that privacy laws vary across jurisdictions, and we strive to provide the highest level of protection regardless of where you are located.

Please read this policy carefully before using our Services. By accessing or using the Services, you acknowledge that you have read, understood, and agree to the practices described in this Privacy Policy. We may update this policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. If we make material changes that affect your rights, we will provide appropriate notice as required by applicable law and, where necessary, obtain your consent.

2. Data Controller and Contact Information

The data controller or processor for the Services is the Vernara Global Technologies project, currently operated by the Project founders. Where formal legal obligations require a registered legal entity as controller, the founders will provide appropriate contact and registration information and will update this Privacy Policy accordingly. For the time being, you may contact the Project at the address and email below for any data protection inquiries.

For all data protection inquiries, requests to exercise your rights, or concerns about this Privacy Policy, please contact us using the information above. We are committed to responding to your inquiries promptly and will address your requests within the timeframes required by applicable law (typically within 30 days for most requests).

3. Personal Data We Process

We apply the principle of data minimization, processing only personal data that is adequate, relevant, and limited to what is necessary for the specific purposes outlined in this Privacy Policy. We collect and process personal data that you provide directly, that is generated through your use of the Services, and that we create or derive for operational and security purposes.

3.1 Data You Provide Directly

• Reference Text: Text content you select or input for pronunciation assessment and practice
• Assessment Audio: Voice recordings submitted for pronunciation analysis. These are processed immediately and automatically deleted unless you subsequently provide explicit consent through feedback submission
• Feedback Data: When you choose to submit feedback, we may process your rating (positive/negative), written comments (up to 500 characters), and your explicit consent regarding audio retention
• Consented Audio: Audio recordings retained only when you explicitly grant permission through the feedback mechanism for the specific purpose of improving our speech recognition models

3.2 Data Generated Automatically

• Assessment Results: Pronunciation scores, accuracy metrics, phoneme analysis, and timing data generated by our algorithms
• Technical Metadata: Session information, processing timestamps, language settings, and service performance metrics
• Network Data: Information necessary for service delivery and security, including approximate location derived from network routing (but not precise geolocation)
• Device Information: Browser type and version, operating system, screen resolution, and other technical specifications necessary for optimal service delivery

3.3 Data We Do Not Collect

• We do not require account creation or personal identification
• We do not collect names, email addresses, phone numbers, or postal addresses unless voluntarily provided in feedback comments
• We do not use third-party tracking cookies, analytics services, or advertising networks
• We do not collect sensitive personal data such as health information, biometric data (beyond voice for assessment), or political opinions

4. Legal Bases for Processing

Under applicable data protection laws, we must have a lawful basis for processing your personal data. We rely on the following legal bases depending on the type of processing:

4.1 Legitimate Interests (GDPR Art. 6(1)(f), UK GDPR, Swiss nDSG)

We process personal data based on our legitimate interests to:

• Provide and operate the core pronunciation assessment service
• Ensure service security, prevent fraud and abuse
• Analyze usage patterns to optimize performance and user experience
• Conduct research and development to improve our algorithms

We have conducted a legitimate interest assessment and determined that these interests are not overridden by your fundamental rights and freedoms.

4.2 Explicit Consent (GDPR Art. 6(1)(a), Art. 9 where applicable)

We process feedback data and retain audio recordings only when you provide clear, informed, and freely given consent through our feedback mechanism. You can withdraw this consent at any time.

4.3 Performance of Service (GDPR Art. 6(1)(b))

Processing necessary to deliver the pronunciation assessment service you request, including real-time audio analysis and score generation.

4.4 Legal Obligations (GDPR Art. 6(1)(c))

Processing required to comply with applicable laws, regulations, legal processes, or governmental requests.

5. How We Use Your Personal Data

We use your personal data exclusively for the purposes outlined below. We do not use your data for purposes beyond those disclosed in this Privacy Policy without obtaining additional consent where required by law.

5.1 Core Service Provision

• Process audio recordings in real-time to analyze pronunciation accuracy, fluency, and completeness
• Generate phonetic transcriptions and identify pronunciation errors
• Provide immediate feedback, scores, and pronunciation improvement suggestions
• Display visual representations of speech patterns and phoneme accuracy
• Maintain service functionality, performance optimization, and user interface adaptation

5.2 Service Improvement (Consent-Based Only)

• Analyze feedback patterns to identify areas where our assessment algorithms can be enhanced
• Use consented audio recordings and associated feedback to train and improve our speech recognition models
• Conduct research to better understand pronunciation learning challenges across different languages and accents
• Develop new features and assessment capabilities based on user feedback and audio analysis

Important: All service improvement activities using your data require your explicit consent, which you can provide through our feedback mechanism and withdraw at any time.

5.3 Security and Legal Compliance

• Monitor for and prevent fraudulent activities, abuse, and security threats
• Maintain system integrity and protect against cyber attacks
• Comply with applicable legal obligations and respond to lawful requests from authorities
• Resolve disputes and enforce our terms of service

6. Audio Data Processing and Retention

Audio Consent and Retention Policy: This section explains exactly how we handle your voice recordings, which is fundamental to our privacy-first approach.

6.1 Assessment Audio (Never Retained)

• Immediate Processing: Audio is processed in real-time to generate your pronunciation assessment
• Temporary Existence: Audio data exists only in system memory during the assessment process
• Automatic Deletion: All assessment audio is automatically and permanently deleted immediately after processing
• No Storage: We do not save, cache, or retain any audio from pronunciation assessments unless you explicitly consent through feedback
• Grace Period: In rare cases, audio may temporarily persist for up to 24 hours due to technical processing requirements, after which it is automatically purged

6.2 Cookie-Minimal Data Collection

Our approach to cookies and tracking technologies is intentionally minimal, prioritizing your privacy:

• No Third-Party Cookies: We do not use Google Analytics, advertising cookies, social media tracking pixels, or any external tracking services
• Essential Function Only: Minimal session management when absolutely necessary for core functionality
• Local Storage Preference: User preferences (language, theme) stored locally on your device, not in cookies
• No Cross-Site Tracking: No cookies that track you across different websites or services
• Privacy-Friendly Alternatives: We use in-memory processing and session storage instead of persistent cookies
• Full Browser Control: Our service works normally even with cookies completely disabled

6.3 Feedback Audio (Consent-Dependent Retention)

• Explicit Consent Required: Audio is retained only if you explicitly consent when submitting feedback for a specific assessment
• Purpose Limitation: Consented audio is used exclusively to improve our speech recognition models and assessment algorithms
• Per-Assessment Basis: Consent applies only to the specific assessment for which feedback is provided
• Immediate Effect: If you deny consent or provide feedback without consent, any previously uploaded audio for that assessment is immediately deleted
• Withdrawal Rights: You can withdraw consent at any time by contacting us with your assessment identifier

7. Data Sharing and Service Providers

We are committed to transparency about any sharing of personal data. We do not sell, rent, license, or trade your personal data to third parties for commercial purposes. We may share personal data only in the following limited circumstances:

7.1 Service Providers and Processors

• Cloud Infrastructure: We use carefully vetted cloud hosting providers who act as data processors under strict contractual obligations
• Security Services: Providers of security, monitoring, and backup services who have limited access only to technical data necessary for their functions
• No Analytics Partners: We do not share data with third-party analytics, advertising, or marketing services
• Contractual Protection: All service providers are bound by data processing agreements that limit use of your data strictly to providing services to us

7.2 Legal and Safety Requirements

• To comply with applicable laws, regulations, legal processes, or enforceable governmental requests
• To protect the rights, property, or safety of Vernara Global Technologies, our users, or the public
• To detect, prevent, or otherwise address fraud, security, or technical issues
• In connection with a merger, acquisition, or sale of assets, subject to equivalent privacy protections

8. International Data Transfers

As a Swiss-based company, we are committed to ensuring appropriate protection for any international transfers of personal data. Where we transfer personal data outside Switzerland or the European Economic Area, we implement appropriate safeguards:

• Adequacy Decisions: We prefer to transfer data to countries recognized as providing adequate protection by Swiss or EU authorities
• Standard Contractual Clauses: For other transfers, we use European Commission-approved standard contractual clauses
• Additional Safeguards: Technical and organizational measures to protect data during transfer and storage
• User Rights Maintained: Your privacy rights under applicable law remain fully protected regardless of data location

9. Data Retention

We retain personal data only for as long as necessary to fulfill the purposes for which it was collected, comply with legal obligations, resolve disputes, and enforce our terms. Our specific retention practices are:

• Assessment Data: Immediately deleted after processing; no retention of scores, analysis, or metadata beyond the session
• Assessment Audio: Never retained unless explicit consent is provided through feedback; automatic deletion within 24 hours if no consent
• Feedback Data: Retained indefinitely while consent is maintained; immediately deleted upon consent withdrawal
• Consented Audio: Retained for model improvement purposes until consent is withdrawn or no longer necessary for the stated purpose
• Technical Data: Server logs and technical data retained for up to 90 days for security and performance monitoring
• Legal Obligations: Some data may be retained longer if required by applicable law or ongoing legal proceedings

10. Your Rights Under Data Protection Laws

Depending on your location and the applicable data protection laws (GDPR, UK GDPR, Swiss nDSG, US state laws), you have various rights regarding your personal data. We respect and facilitate the exercise of these rights regardless of your location, applying the highest standard of protection.

10.1 Right of Access

You can request information about:

• What personal data we hold about you
• The purposes for which we process your data
• The categories of data and recipients
• The retention periods applicable to your data
• Your rights and how to exercise them

Note: Since we do not store assessment audio or results, we cannot provide access to data that was never retained.

10.2 Right to Rectification

You have the right to request correction of inaccurate personal data and completion of incomplete data. This applies primarily to feedback comments and contact information.

10.3 Right to Erasure (Right to be Forgotten)

You can request deletion of your personal data in the following circumstances:

• The data is no longer necessary for the original purposes
• You withdraw your consent for consent-based processing
• The data has been unlawfully processed
• Erasure is required for compliance with legal obligations
• You object to processing and there are no overriding legitimate grounds

10.4 Right to Restrict Processing

You can request restriction of processing in certain circumstances, such as when you contest the accuracy of data or object to processing.

10.5 Right to Data Portability

You can request your personal data in a structured, machine-readable format for transfer to another service provider, applicable to data processed based on consent or contract.

10.6 Right to Object

You can object to processing based on legitimate interests or for direct marketing purposes. We will cease processing unless we demonstrate compelling legitimate grounds.

10.7 Rights Related to Automated Decision-Making

You have the right not to be subject to decisions based solely on automated processing that produce significant effects. Our pronunciation assessments are tools to assist learning, not automated decisions affecting your rights.

10.8 Right to Withdraw Consent

Where processing is based on consent, you can withdraw it at any time without affecting the lawfulness of processing before withdrawal. For feedback audio, withdrawal results in immediate deletion.

10.9 Additional Rights for US Residents

If you are a resident of certain US states (California, Virginia, Colorado, etc.), you may have additional rights including:

• Right to know what personal information is collected and how it is used
• Right to delete personal information (subject to certain exceptions)
• Right to opt-out of the sale or sharing of personal information (we do not sell or share)
• Right to non-discrimination for exercising privacy rights
• Right to correct inaccurate personal information

11. Security Measures

We implement comprehensive technical and organizational security measures designed to protect your personal data against unauthorized access, alteration, disclosure, or destruction:

11.1 Technical Safeguards

• Encryption: All data transmission uses industry-standard TLS encryption; stored data is encrypted at rest
• Access Controls: Strict access controls and authentication mechanisms limit data access to authorized personnel only
• Network Security: Firewalls, intrusion detection systems, and regular security monitoring
• Secure Infrastructure: Use of reputable cloud providers with certified security standards (ISO 27001, SOC 2)
• Data Minimization: Processing only the minimum data necessary reduces exposure risk

11.2 Organizational Measures

• Privacy by Design: Privacy considerations integrated into system design and development processes
• Staff Training: Regular privacy and security training for all personnel with data access
• Incident Response: Comprehensive procedures for detecting, responding to, and reporting security incidents
• Regular Audits: Periodic review and testing of security measures and procedures
• Third-Party Oversight: Due diligence and contractual requirements for service providers

You can request limitation of processing in certain circumstances.

10.5 Right to Data Portability (Article 20)

You can request your data in a structured, machine-readable format for transfer to another service.

10.6 Right to Object (Article 21)

You can object to processing based on legitimate interests or for direct marketing purposes.

10.7 Rights Related to Automated Decision-Making (Article 22)

You have the right not to be subject to decisions based solely on automated processing that produce legal or significant effects.

10.8 Right to Withdraw Consent

You can withdraw consent for feedback data storage (including audio recordings) at any time by contacting us. Upon withdrawal, we will delete all stored feedback data and audio recordings associated with you.

12. Cookies and Digital Technologies

We maintain a minimal approach to cookies and tracking technologies, prioritizing essential functionality while respecting your privacy preferences.

12.1 What Are Cookies?

Cookies are small text files stored on your device when you visit websites. They help websites remember your preferences and provide functionality. We use only essential cookies necessary for basic website operation.

12.2 Essential Cookies Only

• Session Management: Temporary cookies to maintain your session while using the service
• User Preferences: Cookies to remember your language and theme settings
• Security Functions: Cookies necessary for fraud prevention and security
• Functionality: Cookies required for core website features to work properly

12.3 What We Don't Use

• Third-party analytics cookies (no Google Analytics, Adobe Analytics, etc.)
• Advertising or marketing cookies
• Social media tracking pixels or widgets
• Cross-site tracking technologies
• Behavioral profiling cookies

12.4 Managing Your Cookie Preferences

You can control cookies through:

• Browser Settings: Most browsers allow you to view, delete, and block cookies
• Browser Privacy Mode: Use incognito or private browsing mode
• Cookie Controls: Adjust settings in your browser's privacy section

Note: Blocking essential cookies may affect website functionality, but since we only use necessary cookies, the impact is minimal.

13. Children's Privacy Protection

We are committed to protecting the privacy of children and comply with applicable children's privacy laws including COPPA (US), GDPR requirements for children (EU/UK), and Swiss data protection law provisions for minors.

• Age Restriction: Our service is not intended for children under 16 years of age
• No Intentional Collection: We do not knowingly collect personal data from children under 16
• Immediate Deletion: If we discover we have collected data from a child under 16, we will delete it immediately
• Parental Rights: Parents/guardians can contact us to inquire about or request deletion of their child's data
• Enhanced Protection: Additional safeguards apply if we become aware that a user may be under 16

For Parents/Guardians: If you believe your child has provided personal data to us, please contact us immediately at vernaraglobal@gmail.com with "Child Privacy Concern" in the subject line.

14. Data Breach Notification and Response

We have implemented comprehensive procedures to detect, respond to, and notify about potential data breaches in compliance with applicable laws:

• Rapid Detection: Monitoring systems to quickly identify potential security incidents
• Immediate Response: Established procedures to contain and assess any breach
• Authority Notification: Report to relevant supervisory authorities within 72 hours (GDPR/UK GDPR/Swiss nDSG requirements)
• User Notification: Inform affected individuals without undue delay if high risk to rights and freedoms
• Detailed Communication: Provide clear information about the nature of the breach and recommended actions
• Remediation Measures: Implement immediate steps to address vulnerabilities and prevent recurrence

15. Updates to This Privacy Policy

We may update this Privacy Policy to reflect changes in our practices, technology, legal requirements, or other factors. Our commitment to transparency includes clear communication about any changes:

• Version Control: Each update includes a new effective date
• Material Changes: Significant changes affecting your rights will be prominently announced
• Notice Period: 30 days advance notice for material changes where required by law
• Continued Use: Continued use after changes indicates acceptance of the updated policy
• Archive Access: Previous versions available upon request for comparison

16. Contact Information and Data Protection Officer

For any privacy-related questions, requests to exercise your rights, complaints, or concerns about this Privacy Policy, please contact us:

Response Time: We will respond to your inquiry within 30 days (1 month) as required by GDPR, or sooner when possible. For complex requests, we may extend this period by an additional two months with explanation.

16.1 Right to Lodge a Complaint

You have the right to lodge a complaint with your local data protection authority if you believe we have processed your personal data unlawfully:

• Switzerland: Federal Data Protection and Information Commissioner (FDPIC) - edoeb.admin.ch
• EU/EEA: Your national data protection authority - ec.europa.eu/justice/data-protection
• UK: Information Commissioner's Office (ICO) - ico.org.uk
• US: State Attorney General's office or relevant state privacy authority

17. Jurisdiction-Specific Provisions

17.1 For EU/EEA and UK Residents

This Privacy Policy complies with GDPR and UK GDPR requirements. Your rights under these regulations are fully preserved regardless of where processing occurs.

17.2 For Swiss Residents

This Privacy Policy complies with the Swiss Federal Act on Data Protection (nDSG). You have the right to request information about automated decision-making and profiling (though we do not engage in such activities).

17.3 For California Residents

Under the California Consumer Privacy Act (CCPA) and other California privacy laws, you have additional rights including the right to know, delete, and opt-out of sale (we do not sell personal information).

17.4 For Other US State Residents

Residents of Virginia, Colorado, Connecticut, Utah, and other states with comprehensive privacy laws have similar rights to those described above, adapted to the specific requirements of your state's legislation.

• Notify the relevant supervisory authority within 72 hours
• Inform affected individuals without undue delay if high risk is involved
• Provide clear information about the nature of the breach and mitigation steps
• Take immediate action to contain and remedy the breach

15. Updates to This Policy

We may update this Privacy Policy to reflect changes in our practices or applicable laws. We will:

• Post the updated policy on our website with a new "Last updated" date
• Notify users of material changes via email or prominent website notice
• Obtain new consent where required by law
• Maintain previous versions for reference

16. Contact Information and Complaints

For any privacy-related questions, requests to exercise your rights, or complaints, please contact us:

• Email: vernaraglobal@gmail.com
• Subject Line: Include "Data Protection Request" for faster processing
• Response Time: We will respond within 30 days (1 month) as required by GDPR

Right to Lodge a Complaint: You have the right to lodge a complaint with your local data protection authority if you believe we have processed your personal data unlawfully.

• EU: Contact your national data protection authority
• UK: Information Commissioner's Office (ICO) - ico.org.uk