Privacy Policy

1. Introduction

Welcome to One Who Learns ("we", "us", "our"). We operate the website onewholearns.com (the "Service"). This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our Service.

We are committed to protecting your privacy and complying with the General Data Protection Regulation (GDPR) and other applicable data protection laws.

2. Data Controller

The data controller responsible for your personal data is:

3. Data We Collect

3.1 Account Data

When you create an account, we collect:

• Email address — used for authentication and account recovery
• Password — stored as a cryptographic hash, never in plain text

3.2 Learning Data

As you use the Service, we store:

• Course progress and lesson completion status
• Vocabulary words you add and their review history
• Spaced repetition scheduling data
• Exercise results and scores

3.3 Technical Data

We automatically collect certain technical information:

• IP address (for security and abuse prevention)
• Browser type and version
• Device type
• Pages visited and timestamps

3.4 Local Storage

We use your browser's localStorage to store session-level preferences such as sidebar state and UI settings. This data remains on your device and is not transmitted to our servers.

4. How We Use Your Data

We use your personal data for the following purposes:

• Providing the Service — delivering courses, tracking your progress, and scheduling vocabulary reviews
• Authentication — verifying your identity and securing your account
• Service improvement — understanding usage patterns to improve the learning experience
• Communication — sending essential account-related emails (password reset, security alerts)

We do not use your data for advertising or sell it to third parties.

5. Legal Basis for Processing (GDPR Art. 6)

• Contract performance (Art. 6(1)(b)) — processing necessary to provide the Service you signed up for
• Legitimate interest (Art. 6(1)(f)) — security, fraud prevention, and service improvement
• Consent (Art. 6(1)(a)) — where applicable, for optional features

6. Third-Party Services

We use the following third-party services to operate the platform:

6.1 Supabase (Database & Authentication)

Our backend infrastructure is powered by Supabase, which provides database hosting and authentication services. Supabase processes your account data and learning data on our behalf. Data is stored in the EU region.

6.2 Vercel (Hosting)

Our website is hosted on Vercel. Vercel may process technical data (IP addresses, request metadata) as part of serving the website. Vercel's infrastructure uses edge locations globally.

7. Cookies

We use essential cookies only — specifically, an authentication session cookie managed by Supabase to keep you logged in. We do not use tracking cookies, advertising cookies, or third-party analytics cookies.

8. Data Retention

We retain your personal data for as long as your account is active. If you delete your account, we will delete your personal data within 30 days, except where we are required by law to retain it longer.

9. Your Rights (GDPR)

Under the GDPR, you have the following rights:

• Access — request a copy of your personal data
• Rectification — correct inaccurate personal data
• Erasure — request deletion of your personal data ("right to be forgotten")
• Restriction — request restriction of processing
• Data portability — receive your data in a structured, machine-readable format
• Objection — object to processing based on legitimate interest

To exercise any of these rights, please contact us at ayk@maray.ai. We will respond within 30 days.

10. Data Security

We implement appropriate technical and organizational measures to protect your personal data, including:

• Encrypted data transmission (HTTPS/TLS)
• Cryptographic password hashing
• Row-level security policies on the database
• Regular security reviews

11. International Data Transfers

Your data may be processed outside the European Economic Area (EEA) through our hosting provider Vercel. Where this occurs, we ensure appropriate safeguards are in place in accordance with GDPR requirements.

12. Children's Privacy

Our Service is not directed to children under 16. We do not knowingly collect personal data from children under 16. If you believe we have collected data from a child, please contact us immediately.

13. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of significant changes by posting the new policy on this page and updating the "Last updated" date. Your continued use of the Service after changes constitutes acceptance of the updated policy.

14. Contact & Supervisory Authority

For privacy-related inquiries, contact us at ayk@maray.ai.

If you believe your data protection rights have been violated, you have the right to lodge a complaint with a supervisory authority. The competent authority for Berlin is: