This Privacy Policy explains how we collect, use, and protect your personal data when you use dojo (the “Service”). The controller responsible for your personal data is:
[YOUR_COMPANY_LEGAL_NAME] [STREET_ADDRESS] [POSTAL_CODE] [CITY] Switzerland
For any privacy question or to exercise your rights, contact us at [YOUR_EMAIL].
We are not legally required to appoint a Data Protection Officer, and we have not appointed one. The contact above handles all privacy matters. As we are established in Switzerland and also offer the Service to people in the EU/EEA, this policy is designed to comply with both the Swiss Federal Act on Data Protection (revFADP) and the EU General Data Protection Regulation (GDPR).
You sign in with Google. We receive your name and email address from Google to create and identify your account. We do not receive or store your Google password.
The Service exists to grade your writing, so the content you create is central to it. This includes the text you write, the prompts and source texts you work from, the language and level you practise, your scores and the feedback and corrections you receive, the mistakes we log to track your progress, and the study summaries we generate.
We also store your settings: your chosen interface theme, target language, daily goal, practice streak, selected model and tutor character, and similar preferences.
AI grading uses your own Google Gemini API key, which you supply in Settings. We encrypt this key before storing it (AES-256-GCM, application-layer encryption) so it is never held in plaintext in our database. It is used only to make Gemini requests on your behalf and is never sent to your browser or to any third party other than Google.
To run the Service reliably and securely we process limited technical data such as request metadata, rate-limit and usage counters, and aggregate, privacy-friendly analytics about how the site is used (see the sub-processor table below). Our analytics provider does not use cookies and does not build a cross-site profile of you.
Under the GDPR we must have a legal basis for each use of your data. Under the revFADP we process your data in good faith, proportionately, and for the purposes set out below.
| Purpose | Data used | GDPR legal basis |
|---|---|---|
| Create your account and provide the Service | Account data, writing and learning data, settings, API key | Performance of a contract (Art. 6(1)(b)) |
| Grade your writing and generate corrections and summaries | Your writing, your API key | Performance of a contract (Art. 6(1)(b)) |
| Keep the Service secure and prevent abuse (rate limits, usage ceilings) | Usage and technical data | Legitimate interests (Art. 6(1)(f)) |
| Understand and improve the Service (aggregate analytics) | Aggregate, cookieless usage data | Legitimate interests (Art. 6(1)(f)) |
| Comply with our legal obligations | As required | Legal obligation (Art. 6(1)(c)) |
We do not sell your personal data. We share it only with the service providers (processors) below, each of which processes data on our behalf and under contract. Some of them are located outside Switzerland and the EU/EEA — see “International transfers”.
| Provider | Purpose | Data involved / location |
|---|---|---|
| Supabase | Authentication and database hosting | All stored account, writing, learning, and settings data. Hosted in [SUPABASE_REGION]. |
| Vercel | Application hosting and delivery | Request data and technical metadata required to serve the app. Hosted in [VERCEL_REGION]. |
| Vercel Analytics | Aggregate, cookieless usage analytics | Anonymised page-view and interaction data. No cookies; no cross-site tracking. |
| Google (Gemini API) | AI grading and correction of your writing | The writing and prompts you submit for grading, sent using your own Gemini API key. United States / Google global infrastructure. |
When you submit writing for grading, the content is sent to Google’s Gemini API using the API key you provided. Google’s handling of that data is governed by the terms of the Google API plan associated with your key. [Confirm the applicable Google/Gemini API terms and data-use commitments and link them here.]
Some of our providers process data outside Switzerland and the EU/EEA, including in the United States. Where we transfer personal data to a country without an adequacy decision, we rely on appropriate safeguards — in particular the European Commission’s Standard Contractual Clauses (and the equivalent recognised by the Swiss Federal Data Protection and Information Commissioner) — to ensure your data receives an adequate level of protection. You can request a copy of the relevant safeguards using the contact details above.
We keep your account and learning data for as long as your account is active, because the Service is built around your saved writing history and progress. When you delete your account, all of your personal data is permanently and irreversibly erased from our database, including your profile, writing sessions, mistake logs, summaries, stored API key, and usage counters. We may retain limited records where we are legally required to do so, for the period required by law.
Under the revFADP and the GDPR you have the following rights regarding your personal data:
To exercise any of these rights, contact us at [YOUR_EMAIL]. We will respond within the timeframes required by applicable law.
If you believe we have mishandled your personal data, you may lodge a complaint with a supervisory authority. In Switzerland this is the Federal Data Protection and Information Commissioner (FDPIC), Feldeggweg 1, 3003 Bern. In the EU/EEA you may contact the supervisory authority in your country of residence, place of work, or where the alleged infringement took place.
We use technical and organisational measures appropriate to the risk, including transport encryption (HTTPS), row-level access controls so each user can only ever reach their own data, application-layer encryption of your stored API key, and a strict content-security policy. No system is perfectly secure, but we work to protect your data against unauthorised access, loss, and misuse.
We use only the cookies strictly necessary to keep you signed in and to operate the Service securely (for example, authentication and session cookies). These are essential and do not require consent. We do not use advertising or cross-site tracking cookies, and our analytics provider operates without cookies.
The Service is not directed to children under [16 / AGE], and we do not knowingly collect personal data from them. If you believe a child has provided us with personal data, please contact us so we can delete it.
We may update this Privacy Policy from time to time. When we make material changes, we will update the “Last updated” date above and, where appropriate, notify you. Your continued use of the Service after an update means you have read the revised policy.
This document is a draft and does not constitute legal advice. Replace every [BRACKETED] placeholder with your real details and have it reviewed by qualified counsel before publishing.