Privacy Policy

1. Introduction

Tête-à-Tête ("we," "our," or "us") is committed to protecting your privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our French oral examination practice platform (the "Service").

This policy complies with the UK General Data Protection Regulation (UK GDPR), the Data Protection Act 2018, and other applicable privacy laws.

2. Information We Collect

2.1 Personal Information

We collect the following personal information:

• Account Information: Email address, name, school affiliation, exam board
• Profile Information: Address, postcode (optional)
• Authentication Data: Encrypted passwords, OAuth tokens
• Communication Records: Support emails, feedback submissions

2.2 Educational Data

• Practice Sessions: Audio recordings of French conversations
• Transcripts: Text transcriptions of spoken responses, generated during practice sessions
• Performance Data: Scores, assessments, progress tracking
• Learning Analytics: Time spent, topics practiced, improvement metrics
• Exam Responses: Practice exam submissions and feedback

2.3 Technical Data

• Device Information: Browser type, operating system, device identifiers
• Usage Data: Pages visited, features used, session duration
• Log Data: IP addresses, access times, error logs

3. Legal Basis for Processing

We process your personal data under the following legal bases:

• Contract Performance: To provide educational services you've requested
• Legitimate Interest: Improving our platform features and user experience; detecting and preventing fraud or misuse of our platform; analyzing aggregate usage patterns to enhance educational outcomes; ensuring platform security and stability. We have assessed that these interests outweigh your privacy rights and have implemented safeguards to minimize impact.
• Consent: For marketing communications, analytics beyond what's necessary for service delivery, and optional features
• Legal Obligation: To comply with educational regulations, data protection laws, and exam board requirements

4. How We Use Your Information

• Service Delivery: Provide personalised French learning experiences and practice assessments
• AI Processing: Send audio recordings and transcripts to AI providers (including OpenAI) to generate real-time spoken feedback, scoring, and coaching
• Assessment & Feedback: Generate AI-powered feedback and scoring on your French speaking performance
• Progress Tracking: Monitor learning progress and identify areas for improvement
• Communication: Send service updates, educational content, technical support, and account notifications
• Platform Improvement: Analyse anonymised usage patterns to enhance features and user experience
• Security: Detect fraud, abuse, and ensure platform safety
• Compliance: Meet legal and regulatory requirements

5. Information Sharing and Disclosure

5.1 We DO NOT Sell Your Personal Data

We do not and will not sell, rent, or trade your personal information to third parties for marketing purposes.

5.2 We May Share Information With:

Service Providers (Data Processors):

• AI Processing: OpenAI (US) — for real-time voice interaction, feedback generation, and scoring
• Voice Infrastructure: LiveKit (US) — for real-time audio streaming during practice sessions
• Cloud Hosting: Railway (US) — for application hosting and database infrastructure
• Web Hosting: Vercel (US) — for web application delivery
• Email Communications: Resend — for transactional emails (verification, password reset)
• Payment Processing: Stripe (web payments), Apple App Store (iOS payments), RevenueCat (subscription management)
• Error Monitoring: Sentry — for application error tracking and debugging

These providers act as data processors and process your data only on our instructions. All processors are bound by data processing agreements and are required to handle your data in accordance with applicable data protection law.

Legal Requirements:

When required by law, court order, or to protect the rights and safety of our users and platform.

Business Transfers:

In the event of merger, acquisition, bankruptcy, or asset sale, your data may be transferred as part of that transaction. We will notify you of any such change and any choices you may have regarding your information.

5.3 International Data Transfers

Some of our service providers are located outside the UK/EEA, primarily in the United States. Where personal data is transferred internationally, we ensure appropriate safeguards are in place, including:

• Standard Contractual Clauses (approved by the UK government)
• Adequacy Decisions where applicable
• Data processing agreements with all international processors

6. User Content and Data Ownership

You retain ownership of the content you submit to the Service, including spoken responses, recordings, and transcripts. By using the Service, you grant us a limited licence to store, process, and analyse this content for the purpose of providing the Service.

Anonymised and aggregated usage data may be used to improve the Service and underlying systems. This data cannot be used to identify individual users.

7. Data Retention

• Account Data: Retained while your account is active, plus 2 years after account closure
• Educational Records: Retained for up to 7 years for educational continuity and safeguarding purposes
• Audio Recordings: Deleted after 30 days by default, unless saved. Teachers (for classes), parents/guardians (for their child's account), or students (for their own account) can save recordings. If saved, recordings are retained for the duration of the account plus 2 years. You can request deletion of saved recordings at any time.
• Transcripts: Retained for the duration of your account to support progress tracking and review. Deleted within 2 years of account closure.
• Performance & Assessment Data: Retained for up to 7 years for educational continuity and safeguarding purposes
• Marketing/Communications Data: Retained until you withdraw consent
• Log Files & Technical Data: Retained for up to 90 days for security purposes
• Legal Compliance Data: Retained as long as required by applicable law

8. Your Rights Under UK GDPR

You have the following rights regarding your personal data:

• Access: Request a copy of your personal data held by us
• Rectification: Correct inaccurate or incomplete data
• Erasure: Request deletion of your data ("right to be forgotten"), subject to legal retention obligations
• Restriction: Limit how we process your data while we handle your request
• Portability: Receive your data in a structured, commonly-used electronic format
• Objection: Object to processing based on legitimate interests (we will stop unless we have compelling reasons)
• Withdraw Consent: Withdraw consent for consent-based processing at any time

To exercise these rights, contact us at privacy@tete-a-tete.ai with details of your request. We will respond within 30 days of receipt. If you're not satisfied with our response, you have the right to lodge a complaint with the ICO.

9. Children's Privacy

We take special care with data from users under 18. This section explains our approach:

Users Under 13

• We require verifiable parental consent before collecting any data
• Parents/guardians can review, modify, or delete their child's information at any time
• We do not use data from users under 13 for marketing or profiling

Users Aged 13-17

• We require parental consent for collection of personal data
• We provide a simplified version of privacy controls for young users
• Parents can request copies of educational data and recordings

Retention for Educational Purposes

• Educational data (performance records, learning analytics) may be retained longer (up to 7 years) to support continued learning and exam preparation
• Parents can request deletion at any time by contacting us

Parental Contact: To exercise parental rights regarding your child's data, contact us at privacy@tete-a-tete.ai

10. Data Security

We implement security measures appropriate to the size and nature of our organisation to protect your information:

Encryption

• All data encrypted in transit using TLS/SSL
• Sensitive data encrypted at rest

Access Controls

• Access to personal data is restricted to authorised personnel only
• Password-protected accounts with enforced complexity requirements

Monitoring & Response

• Application error monitoring and logging
• Procedures for identifying and responding to data breaches
• Notification to the Information Commissioner's Office (ICO) and affected individuals within 72 hours where legally required

No security system is 100% secure. While we take reasonable steps to protect your information, we cannot guarantee absolute security.

11. Cookies and Tracking

We use cookies and similar technologies (such as local storage) to:

• Remember your login and preferences
• Enhance your user experience
• Detect security issues and fraud

12. Third-Party Links

Our platform may contain links to third-party websites and services. This Privacy Policy applies only to Tête-à-Tête. We are not responsible for the privacy practices of third-party sites. We encourage you to review their privacy policies before providing your information.

13. Changes to This Policy

We may update this Privacy Policy periodically to reflect changes in our practices, technology, legal requirements, or other factors. We will notify you of significant changes by:

• Sending an email notification to your registered email address
• Posting a notice on the platform
• Requiring your acceptance of the updated policy upon login (if material changes)

The "Last updated" date indicates when this policy was last revised. Your continued use of the Service after changes constitutes your acceptance of the updated Privacy Policy.

14. Contact Information

Data Controller

We have not appointed a Data Protection Officer as we are not required to do so under UK GDPR. Privacy enquiries can be directed to privacy@tete-a-tete.ai.

Supervisory Authority

If you're not satisfied with our response to your privacy concerns or believe we have violated your rights under UK GDPR, you can lodge a complaint with the Information Commissioner's Office (ICO):