Last updated: 30 April 2026
Version: 1.6
Looking for a simpler version? See our Child-Friendly Privacy Summary.
1. Introduction
Tête-à-Tête ("we," "our," or "us") is committed to protecting your privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our French and Spanish oral examination practice platform (the "Service").
This policy complies with the UK General Data Protection Regulation (UK GDPR), the Data Protection Act 2018, and other applicable privacy laws.
2. Information We Collect
2.1 Personal Information
We collect the following personal information:
- Account Information: Email address, name, school affiliation, year group, exam board
- Authentication Data: Encrypted passwords, session tokens
- Communication Records: Support emails, feedback submissions
2.2 Educational Data
- Practice Sessions: Audio recordings of French and Spanish conversations
- Transcripts: Text transcriptions of spoken responses, generated during practice sessions
- Performance Data: Scores, assessments, progress tracking
- Learning Analytics: Time spent, topics practiced, improvement metrics
- Exam Responses: Practice exam submissions and feedback
2.3 Technical Data
- Device Information: Browser type, operating system, device identifiers
- Usage Data: Pages visited, features used, session duration
- Log Data: IP addresses, access times, error logs
2.4 Optional Permissions (Mobile App)
The mobile app may request the following permissions. All are optional and can be declined without affecting core functionality:
- Notifications: To send practice reminders, streak alerts, and feature updates. You can enable or disable notifications at any time in your device settings. No notification data is shared with third parties.
3. Legal Basis for Processing
We process your personal data under the following legal bases:
- Contract Performance: To provide educational services you've requested
- Legitimate Interest: Improving our platform features and user experience; detecting and preventing fraud or misuse of our platform; analysing usage patterns and account profiles to enhance educational outcomes, inform product priorities, and identify partnership opportunities; ensuring platform security and stability. We have assessed that these interests outweigh your privacy rights and have implemented safeguards to minimise impact.
- Consent: For marketing communications, analytics beyond what's necessary for service delivery, and optional features
- Legal Obligation: To comply with educational regulations, data protection laws, and exam board requirements
4. How We Use Your Information
- Service Delivery: Provide your French and Spanish learning experience and generate your scores, feedback, and progress
- AI Processing: Send audio recordings and transcripts to AI providers (including OpenAI) to generate real-time spoken feedback, scoring, and coaching
- Assessment & Feedback: Generate AI-powered feedback and scoring on your French and Spanish speaking performance
- Progress Tracking: Monitor learning progress and identify areas for improvement
- Communication: Send service updates, score notifications, progress reminders, technical support, account notifications, and — where you have granted permission — push notifications for practice reminders. These messages may be tailored based on your scores, usage patterns, and progress
- Platform Improvement: Analyse account profiles, scores, and usage patterns (including signup sources, school distribution, and engagement) to inform product priorities, identify partnership opportunities, and improve features
- Quality Assurance & Technical Debugging: Authorised Tête-à-Tête staff may access live session data — including audio streams and event logs — to diagnose technical issues and maintain service quality. Any such access is restricted to authorised personnel only and is conducted under our legitimate interest to ensure a reliable and high-quality educational service.
- Security: Detect fraud, abuse, and ensure platform safety
- Compliance: Meet legal and regulatory requirements
- Other Legitimate Purposes: Other purposes consistent with the operation, improvement, and reasonable evolution of the Service, including future business models and partnerships, subject to applicable law and where you have given any required consent
5. Information Sharing and Disclosure
5.1 We Do Not Sell Personal Data for Behavioural Advertising
We do not sell your personal data to third parties for behavioural advertising or profiling, including any advertising directed at children.
5.2 We May Share Information With:
Service Providers (Data Processors):
- AI Processing: OpenAI, LLC (US) — providing AI services per our instructions. OpenAI does not use API data to train its models. Data processed by OpenAI may be retained for a limited period for safety and abuse monitoring purposes, then permanently deleted.
- Voice Infrastructure: LiveKit, Inc. (US) — providing voice infrastructure. LiveKit may temporarily retain session audio and telemetry for technical debugging and quality assurance purposes (a limited period, then permanently deleted).
- Cloud Hosting: Railway Corporation (US) — application and database hosting
- Web Hosting: Vercel, Inc. (US) — web hosting and (when you opt in) consent-gated visitor analytics
- Image Hosting: Cloudflare, Inc. (US) — image hosting and CDN delivery (no personal data uploaded; viewer IP and user-agent recorded for standard CDN logging)
- Email Communications: Resend, Inc. — for account emails (verification, password reset) and service emails (usage notifications, session reminders). Resend may collect open and click data where enabled to help us understand whether emails are being received. You can opt out of service emails at any time using the unsubscribe link in any such email.
- Web Payment Processing: Stripe, Inc. (US) — for web subscription payments
- iOS App Store and In-App Purchases: Apple Inc. (US) — for iOS App Store distribution and in-app purchase handling
- Subscription Management: RevenueCat, Inc. (US) — for subscription / in-app purchase receipt validation
- Error Monitoring: Functional Software, Inc. (trading as Sentry) (US) — for application error tracking and debugging (transcript and audio content excluded)
- Internal Operational Alerts: Slack Technologies, LLC (US) — for internal staff notifications about new signups, subscription events, discovery-source responses, and similar operational alerts. Receives user email addresses and names; does not receive transcript or audio content.
These providers act as data processors and process your data only on our instructions. All processors are bound by data processing agreements and are required to handle your data in accordance with applicable data protection law.
Legal Requirements:
When required by law, court order, or to protect the rights and safety of our users and platform.
Business Transfers:
In the event of merger, acquisition, bankruptcy, or asset sale, your data may be transferred as part of that transaction. We will notify you of any such change and any choices you may have regarding your information.
5.3 International Data Transfers
Some of our service providers are located outside the UK/EEA, primarily in the United States. Where personal data is transferred internationally, we ensure appropriate safeguards are in place, including:
- Standard Contractual Clauses (approved by the UK government)
- Adequacy Decisions where applicable
- Data processing agreements with all international processors
6. User Content and Data Ownership
6.1 Conversation Content (Transcripts and Audio)
You retain ownership of the content you submit to the Service. Your individual conversation content (transcripts and audio of your practice sessions) is used to generate your scores and feedback, support quality assurance and safeguarding, and improve our scoring systems through aggregate analysis. By using the Service, you grant us a limited licence to store, process, and analyse this content. We do not build behavioural profiles of individual users from their conversation content, and we do not sell or share conversation content with third parties for advertising or profiling.
6.2 Profile, Scores, and Usage Data
Your account profile, scores, and usage data are used to deliver the Service, communicate with you, and inform our product and business priorities — including aggregate analysis of patterns across schools, exam boards, and engagement.
7. Data Retention
- Account Data: Retained while your account is active, plus 2 years after account closure
- Educational Records: Retained for up to 7 years for educational continuity and safeguarding purposes
- Audio Recordings: Voice audio is streamed in real time and is not stored by us. Our voice infrastructure provider (LiveKit) may temporarily retain session audio for a limited period for technical debugging and quality assurance purposes, then permanently deleted. Audio processed by OpenAI is not used to train OpenAI's models and may be retained for a limited period for safety monitoring purposes, then permanently deleted.
- Transcripts: Text transcripts of your practice sessions are retained for the duration of your account to support progress tracking and review. Deleted within 2 years of account closure.
- Performance & Assessment Data: Retained for up to 7 years for educational continuity and safeguarding purposes
- Marketing/Communications Data: Retained until you withdraw consent
- Log Files & Technical Data: Retained for up to 90 days for security purposes
- Legal Compliance Data: Retained as long as required by applicable law
8. Your Rights Under UK GDPR
You have the following rights regarding your personal data:
- Access: Request a copy of your personal data held by us
- Rectification: Correct inaccurate or incomplete data
- Erasure: Request deletion of your data ("right to be forgotten"), subject to legal retention obligations
- Restriction: Limit how we process your data while we handle your request
- Portability: Receive your data in a structured, commonly-used electronic format
- Objection: Object to processing based on legitimate interests (we will stop unless we have compelling reasons)
- Withdraw Consent: Withdraw consent for consent-based processing at any time
- Unsubscribe from Service Emails: Use the unsubscribe link in any quota or session reminder email, or email privacy@tete-a-tete.ai to stop receiving these. Essential account emails (password resets, security notices) cannot be opted out of.
To exercise these rights, contact us at privacy@tete-a-tete.ai with details of your request. We will respond within 30 days of receipt. If you're not satisfied with our response, you have the right to lodge a complaint with the ICO.
9. Children's Privacy and the UK Children's Code
Tête-à-Tête is primarily used by students preparing for GCSE examinations. We take the privacy and safety of children and young people seriously and design our service in line with the ICO's Age Appropriate Design Code (Children's Code).
High Privacy by Default
- Analytics cookies are switched off by default for all users. You must actively choose to enable them.
- We collect only the data necessary to provide the educational service — we do not collect data for its own sake.
- We do not build behavioural profiles of children for advertising, third-party sharing, or commercial purposes beyond providing the educational service. Service messages may be tailored to a child's own scores and learning progress, and aggregate analytics on usage patterns inform our product.
- We do not use nudge techniques or dark patterns to encourage children to share more data or weaken their privacy settings.
No Commercial Exploitation of Children's Data
- We do not show behavioural or profiled advertising to users under 18. We do not currently show any third-party advertising to users; if this changes in future, any advertising shown to under-18s will be limited to contextual placements (chosen based on the page or feature, not personal data) and disclosed in this Privacy Policy at that time.
- We do not sell children's personal data to third parties for behavioural advertising or profiling.
- We do not use children's data to train AI models. OpenAI does not use API data to train its models.
- We do not create voice prints, biometric templates, or any form of biometric identifier from student audio.
Parental and Guardian Rights
- If you are a parent or guardian, you can request to view, correct, or delete your child's data at any time.
- You can request the deletion of your child's account and all associated data by emailing privacy@tete-a-tete.ai.
- The Service is intended for users aged 13 and above. We do not knowingly collect personal data from children under 13 without verifiable parental consent. If we become aware that a user is under 13 without such consent, we will delete their account.
- If you are under 18, you must have permission from a parent or legal guardian to use the Service. Where the Service is used in a school setting, the school is responsible for obtaining appropriate consent.
School-Directed Use
Where students are directed to use Tête-à-Tête as part of school activity, the school acts as the data controller and is responsible for obtaining appropriate parental consent. See our Privacy Notice for Schools and School Data Processing Addendum for details.
Retention for Children
- We retain only the data necessary to provide the service. Educational records (scores, transcripts) are retained for the duration of the account to support ongoing exam preparation.
- Voice audio may be temporarily retained by our voice infrastructure provider (LiveKit) for a limited period for technical debugging purposes, then permanently deleted. OpenAI does not use API data to train its models; audio may be retained by OpenAI for a limited period for safety monitoring purposes, then permanently deleted.
- Parents can request deletion of all data at any time by contacting us.
Users Transitioning to Adulthood
If you joined Tête-à-Tête while under 18, the UK Age Appropriate Design Code's age-appropriate protections apply to you while you remain under 18. Once you turn 18, those AADC-specific provisions no longer apply by operation of law, although our broader privacy commitments under UK GDPR continue. We may at that point invite you to review and accept updated terms appropriate to adult use.
10. Data Security
We implement security measures appropriate to the size and nature of our organisation to protect your information:
Encryption
- All data encrypted in transit using TLS/SSL
- Sensitive data encrypted at rest
Access Controls
- Access to personal data is restricted to authorised personnel only
- Password-protected accounts with enforced complexity requirements
Monitoring & Response
- Application error monitoring and logging
- Procedures for identifying and responding to data breaches
- Notification to the Information Commissioner's Office (ICO) and affected individuals within 72 hours where legally required
No security system is 100% secure. While we take reasonable steps to protect your information, we cannot guarantee absolute security.
11. Cookies and Tracking
We use cookies and similar technologies (such as browser local storage) to remember your login, preferences, and consent choices. When you first visit the platform, a consent banner lets you choose which non-essential cookies to accept.
- Essential: Session authentication (NextAuth), CSRF protection, Stripe fraud-prevention — always active, cannot be disabled
- Analytics: Vercel Analytics (_vcrcs) — disabled by default; only activated after you accept analytics cookies
- Error monitoring: Sentry loads on page initialisation to capture technical errors, on the basis of our legitimate interest in maintaining a secure service. Sentry does not set persistent cookies and does not receive transcript or audio content.
For full details of every cookie we use, how to manage your preferences, and your opt-out options, see our Cookie Policy.
12. Third-Party Links
Our platform may contain links to third-party websites and services. This Privacy Policy applies only to Tête-à-Tête. We are not responsible for the privacy practices of third-party sites. We encourage you to review their privacy policies before providing your information.
13. Changes to This Policy
We may update this Privacy Policy periodically to reflect changes in our practices, technology, legal requirements, or other factors. We will notify you of significant changes by:
- Sending an email notification to your registered email address
- Posting a notice on the platform
- Requiring your acceptance of the updated policy upon login (if material changes)
The "Last updated" date indicates when this policy was last revised. Your continued use of the Service after changes constitutes your acceptance of the updated Privacy Policy.
14. Contact Information
Data Controller
Company: Tête-à-Tête
Privacy enquiries: privacy@tete-a-tete.ai
Legal / compliance: legal@tete-a-tete.ai
Address: Tête-à-Tête AI, c/o Berg Kaprow Lewis LLP, 35 Ballards Lane, London, N3 1XW, UK
ICO Registration: ZC135288
We have not appointed a Data Protection Officer as we are not required to do so under UK GDPR. Privacy enquiries can be directed to privacy@tete-a-tete.ai.
Supervisory Authority
If you're not satisfied with our response to your privacy concerns or believe we have violated your rights under UK GDPR, you can lodge a complaint with the Information Commissioner's Office (ICO):
Website: ico.org.uk
Phone: 0303 123 1113
Address: Information Commissioner's Office, Wycliffe House, Water Lane, Wilmslow, Cheshire SK9 5AF