pra:tar

Legal

Privacy Policy

Effective: April 21, 2026  ·  Last updated: May 3, 2026

This Privacy Policy explains how Sergus Tolmberg, sole trader ("pra:tar", "we", "us", "our") collects, uses, shares, and protects personal data when you use the pra:tar mobile app and related services.

1. Scope

This policy applies to pra:tar mobile applications, backend APIs, and related support operations (collectively, the "Service"). By using the Service you acknowledge this policy.

2. Data We Collect

Data you provide directly

  • Account and identity: email address, full name (if provided), and authentication provider details (Apple or Google sign-in).
  • Profile and learning preferences: native languages, practice languages, and in-app settings.
  • User content: chat messages, AI chat inputs and outputs, replies, reactions, correction notes, and media you upload (photos, GIF URLs).
  • Contacts (optional): if you grant Contacts permission, local contact names, phone numbers, and email addresses are read to help you find friends on pra:tar.

Data collected automatically

  • Device metadata: push notification token, notification status, and app state signals needed to deliver notifications and badges.
  • Service activity: chat read timestamps, message timestamps, reaction counts, and progress/scoring signals.
  • Technical logs: basic API request/response metadata and security logs for fraud prevention, debugging, and reliability.

Analytics

The pra:tar website uses Vercel Analytics and Vercel Speed Insights. These tools collect aggregated, anonymised performance and usage data. They do not use cookies, do not track individuals across sites, and do not share data with advertising networks.

Sensitive data and minimum age

pra:tar is intended for users aged 16 and older. We do not knowingly collect personal data from anyone under 16. If you believe a child under 16 has provided us with data, please contact us at support@pratar.app and we will delete it promptly. We do not intentionally collect special-category data unless you choose to include it in messages or profile fields.

3. How We Use Personal Data

  • Create and manage accounts and authentication sessions.
  • Provide messaging, language practice, AI-assisted suggestions and translations, practice-partner bot replies, text-to-speech playback, proficiency-related learning feedback, and other progress features.
  • Match your contacts with registered users (when permission is granted).
  • Deliver push notifications and maintain unread/badge state.
  • Store and deliver user-uploaded media.
  • Maintain safety, prevent abuse, troubleshoot issues, and improve reliability.
  • Comply with legal obligations and enforce our Terms of Service.

3A. AI Processing and Language Models

pra:tar uses OpenAI (including chat-completions and text-to-speech APIs) as part of core chat and language-learning features. To provide message suggestions, translations, practice-partner replies, spoken playback of text, proficiency-related feedback, and related support, we process certain data through our backend and OpenAI.

This may include:

  • The message text or other content you submit or ask us to improve, translate, read aloud, or assess.
  • Your selected or detected practice language and related profile signals (for example native vs practice language, and proficiency level indicators used in the product).
  • A limited amount of recent chat context when needed to generate a relevant suggestion, reply, or assessment (typically a small number of recent messages in the same conversation).
  • Feature settings you use, such as suggestion style or similar options exposed in the app.

What these features do (summary):

  • Practice-partner bot replies — AI-generated responses in your practice language, using recent messages and your current proficiency level where the app provides it.
  • Suggestions and rewrites — AI-assisted edits and explanations to help you write in the practice language.
  • Translations — AI-assisted translation between languages supported by the app.
  • Text-to-speech — generation of audio from text you choose to play.
  • Proficiency-related signals — model-assisted evaluation of your written messages that feeds into learning feedback and progress shown in the app, together with other scoring. This is for learning and UX and is not used to make legal or similarly significant decisions about you under GDPR Article 22.

We use this data only to provide and support pra:tar features described in this policy, together with related safety, reliability, moderation, and abuse-prevention operations.

Processing for these features is part of providing the Service and is generally based on contract and, where applicable, legitimate interests (see Section 4). Optional device permissions remain subject to your consent in device settings.

3B. Safety, Blocking, and Reporting

pra:tar provides in-app tools that let users block other users and report accounts or messages for review.

  • If you block another user, we store the block relationship so that further messaging between the two accounts can be stopped.
  • If you submit a report, we store the report details you provide, including the report reason and any optional description.
  • To investigate reports, we may also store relevant conversation context and message evidence, including selected message IDs and nearby messages from the same conversation.
  • Safety and moderation data may be reviewed by authorised personnel or internal moderation tools solely for abuse prevention, policy enforcement, and legal compliance.

5. How and With Whom We Share Data

We share data only as needed to provide the Service:

  • Supabase — authentication, database, storage, and serverless functions.
  • OpenAI API — chat completions for suggestions, rewrites (including structured correction explanations), translations, practice-partner replies, CEFR-style proficiency assessment inputs, and text-to-speech generation; see Section 3A.
  • Apple and Google — authentication flows you choose to use.
  • GIPHY — GIF picker and media metadata.
  • Apple Push Notification service (APNs) — delivery of push notifications.
  • Vercel — hosting, edge infrastructure, and privacy-preserving analytics.

We may also share data if required by law, legal process, or governmental request; to protect rights, safety, or prevent fraud; or in connection with a merger, acquisition, or sale of assets (with notice where required by law).

We do not sell personal data for money or share it for cross-context behavioural advertising.

6. International Data Transfers

Some of our service providers — including Supabase and OpenAI — are based in the United States. When personal data is transferred outside the European Economic Area (EEA), we rely on appropriate safeguards, primarily Standard Contractual Clauses (SCCs) approved by the European Commission, to ensure your data receives an equivalent level of protection.

7. Data Retention

We retain data for as long as needed for the purposes described above:

  • Account and profile data — while your account is active, then as required by legal or security obligations.
  • Messages and media — until deleted by you or removed under our security and retention policies.
  • Push tokens — until disabled, replaced, or removed on sign-out or account changes.
  • Contact data used for matching — processed for matching only; not stored beyond what is operationally required.
  • Logs and diagnostics — limited to a period appropriate for security and reliability purposes.
  • Block relationships — until removed by the blocking user, or retained longer where needed for security or legal reasons.
  • Reports and moderation evidence — for as long as reasonably needed to investigate abuse, enforce platform rules, respond to legal requests, and protect users, even if related content or accounts are later removed.

When data is no longer needed, we delete, anonymise, or securely isolate it.

8. Security

We apply technical and organisational measures to protect personal data, including access controls and transport security (TLS). No method of transmission or storage is completely secure. In the event of a personal data breach that affects your rights, we will notify you and the relevant supervisory authority as required by applicable law.

8A. Moderation and Restricted Access

Safety and moderation records are access-restricted. Access is limited to personnel, service-role processes, and systems that need the information to investigate abuse, enforce platform rules, maintain service integrity, or comply with law.

9. Your Privacy Rights

Under GDPR and equivalent laws, you have the right to:

  • Access — request a copy of the personal data we hold about you.
  • Rectification — correct inaccurate or incomplete data.
  • Erasure — request deletion of your data, subject to legal exceptions. If you have a registered account, use the self-service account deletion flow in Section 12 (Account Deletion).
  • Portability — receive your data in a structured, machine-readable format where technically feasible.
  • Objection or restriction — object to or restrict certain processing activities.
  • Withdraw consent — at any time for consent-based processing, without affecting the lawfulness of prior processing.

To exercise access, rectification, portability, objection or restriction, or withdrawal of consent — or if you cannot complete in-app account deletion or need an erasure-related request outside that flow — contact us at support@pratar.app. We will respond within 30 days, or as required by applicable law.

You also have the right to lodge a complaint with the Swedish data protection authority, IMY (Integritetsskyddsmyndigheten), if you believe we have not handled your personal data lawfully: www.imy.se. If you reside in another EU/EEA country, you may also contact your local supervisory authority.

10. Automated Decision-Making

pra:tar does not make solely automated decisions that produce legal or similarly significant effects about you (as described in GDPR Article 22). AI features — including language suggestions, translations, practice-partner replies, text-to-speech, and model-assisted proficiency indicators — are tools to assist you and support learning. They are not used to make binding determinations about your rights, eligibility, or legal status.

11. Third-Party Services

Third-party services integrated into pra:tar have their own privacy policies. We encourage you to review them:

12. Account Deletion

You can delete your account directly inside the app: Profile → Danger Zone → Delete Account. Deletion is self-service and does not require contacting support.

When you delete your account, we aim to permanently remove or de-identify the account-linked personal data we no longer need — including your profile, authentication credentials, learning preferences, messages, and media — as promptly as technically and operationally feasible.

Some records may be retained after account deletion where reasonably necessary for fraud prevention, abuse investigation, dispute handling, safety enforcement, or legal compliance. This may include moderation reports, related evidence snapshots, and audit or security records.

If you encounter problems with in-app deletion, or have a privacy-related deletion request (such as a GDPR erasure request), contact us at support@pratar.app.

13. Changes to This Policy

We may update this policy from time to time. When we do, we will revise the "Last updated" date at the top of this page. For material changes, we will provide additional notice (such as an in-app notification) where required by law. Continued use of the Service after changes take effect constitutes acceptance of the updated policy.

14. Contact Us

If you have questions, requests, or concerns about this Privacy Policy or how we handle your data, please reach out:

Sergus Tolmberg, sole trader

Operating as pra:tar · Sweden

Email: support@pratar.app