Privacy Policy
Last updated: April 21, 2026
1. Data Controller
The data controller is Denys Nehometianov, operating the Polski B1 website (hereinafter: “Service”), available at polishb1.pl, and publishing the Polski B1 mobile application for iOS / iPadOS (hereinafter: “App”).
Contact: polskib1.app@gmail.com
The controller has not appointed a Data Protection Officer.
2. Purposes and Legal Basis for Data Processing (website)
| Purpose | Data | Legal basis |
|---|---|---|
| Newsletter (email subscription via Brevo) | Email address | Art. 6(1)(a) GDPR (consent) |
| Session cookies | Session identifier | Art. 6(1)(f) GDPR (legitimate interest — security) |
| Security and abuse prevention | IP address, device information | Art. 6(1)(f) GDPR (legitimate interest) |
| Google Ads (conversion tracking) | Cookies, click identifier | Art. 6(1)(a) GDPR (consent) |
3. Polski B1 mobile application
This section covers the Polski B1 app for iOS / iPadOS. The app does not require account creation — all learning progress is stored locally on your device (SwiftData) and optionally synced through iCloud across your Apple devices (a toggle you control in the Profile tab). The administrator has no access to your progress or answers.
The app handles the following data categories:
| Category | Data | Purpose | Legal basis |
|---|---|---|---|
| Written answers | Student-typed text (writing tasks, dialogues, grammar transformations, photo descriptions) | AI grading | Art. 6(1)(b) GDPR (performance of contract) |
| Voice recordings | Short speaking-task recordings (Mówienie, Monolog) | Speech-to-text transcription (Whisper) and AI grading of the transcript | Art. 6(1)(b) GDPR |
| Learning progress | Exercise results, daily stats | Progress tracking (strictly local + iCloud) | Art. 6(1)(b) GDPR |
| Diagnostics | Device attestation (Firebase App Check), crash info | API abuse prevention | Art. 6(1)(f) GDPR |
AI processing (third parties)
Your text and voice submissions are forwarded to a single AI grading provider without any user identifier — every request is anonymous and unlinkable to you:
- OpenAI Ireland Ltd. — the only provider that processes user-submitted content. It receives all written text (writing tasks, grammar transformations, photo descriptions, dialogue practice) for substantive grading, and all voice recordings for speech-to-text transcription (Whisper). Data processed in EU / US under Standard Contractual Clauses (SCCs). OpenAI commits that API data is not used for model training and is deleted within at most 30 days.
The technical intermediary is our backend hosted on Fly.io Inc. (Belgium). The backend does not persist your answers or recordings — it proxies them to OpenAI and returns the result.
Text-to-speech providers (TTS) — do not receive your data
The app plays Polish voice recordings in listening exercises and character lines. The audio is synthesised from our own script text — it is not your answers or recordings:
- Microsoft Ireland Operations Ltd. (Azure Speech — TTS) — voice synthesis from our text. Receives no user-submitted data.
- Amazon Web Services, Inc. (AWS Polly) — voice synthesis (Polish female voices). Receives no user-submitted data.
Firebase App Check
The app uses Firebase App Check (Google Ireland Ltd.) to verify that requests originate from an authentic app install and not from scripts. App Check emits a short-lived device token that contains no user identifier or personal data.
Children’s data
The app is aimed at learners preparing for the Polish B1 state certification — typically adults or teenagers. We do not knowingly collect data from children under 13. If you notice a child using the app without a parent’s consent, write to polskib1.app@gmail.com and we will delete the associated data without delay.
4. Data Recipients
The website relies on the following providers:
- Brevo (Sendinblue SAS) — newsletter management and storage of subscriber email addresses (EU — France)
- Google Ireland Ltd. — website advertising and conversion tracking (Google Ads)
- Fly.io Inc. — website and app-backend hosting (EU — Belgium)
The app relies on the following providers. The table indicates which of them receive your data and which do not:
| Recipient | Purpose | Receives user data? | Location |
|---|---|---|---|
| OpenAI Ireland Ltd. | Text grading + Whisper transcription | Yes — text and recordings | EU / US (SCCs) |
| Microsoft Azure Speech (TTS) | Voice synthesis from our script text | No | EU |
| Amazon Web Services (AWS Polly) | Voice synthesis (female voices) | No | EU / US (SCCs) |
| Google Ireland Ltd. (Firebase App Check) | Device attestation for app requests | Attestation token, no personal data | EU |
| Apple Distribution International Ltd. (iCloud) | Syncing user progress | Yes, but directly from the device — not via our backend | EU |
5. Data Transfers
Data is processed primarily within the EU (Belgium — Fly.io; France — Brevo; Ireland — Azure, Firebase, Apple iCloud). For OpenAI (text grading and Whisper transcription) and AWS Polly (voice synthesis), processing may take place in the United States under Standard Contractual Clauses (SCCs) in line with Art. 46(2)(c) GDPR. TTS providers (Azure, Polly) do not receive your data — they only synthesise audio from our script text.
6. Data Retention
- Newsletter (email) — stored until the user unsubscribes from the mailing list
- Session cookies — expire on browser close or after 30 days
- Server logs — stored for 30 days
- Text and recordings forwarded to OpenAI — streamed through and not retained by our server. OpenAI commits to deletion within at most 30 days.
- Azure Speech (TTS), AWS Polly — receive only our scripts; they do not store your data.
- Learning progress (SwiftData + iCloud) — stored locally on your device and in your iCloud until you delete it (progress never reaches our servers).
7. User Rights
Under the GDPR, you have the following rights:
- Right of access to your data (Art. 15)
- Right to rectification of your data (Art. 16)
- Right to erasure — “right to be forgotten” (Art. 17)
- Right to restriction of processing (Art. 18)
- Right to data portability (Art. 20)
- Right to object to processing (Art. 21)
To exercise your rights, contact us at: polskib1.app@gmail.com
8. Withdrawal of Consent
If data processing is based on consent, you have the right to withdraw consent at any time. Withdrawal does not affect the lawfulness of processing carried out prior to the withdrawal.
9. Right to Complain
You have the right to lodge a complaint with the supervisory authority — the President of the Personal Data Protection Office (UODO), ul. Stawki 2, 00-193 Warsaw, uodo.gov.pl.
10. Cookies
The Service uses cookies for the following purposes:
- Essential — session cookies to maintain sessions (no consent required)
- Marketing — Google Ads — conversion tracking and remarketing (requires user consent)
A consent banner is displayed on first visit to request permission for marketing cookies. You can manage cookies in your browser settings.
11. Voluntary Data Provision
Providing personal data is voluntary. Subscribing to the newsletter only requires an email address.
12. Changes to Privacy Policy
The controller reserves the right to amend this Privacy Policy. Users will be notified of significant changes via a notice on the Service. The current version is always available on this page.