Winny Speaking app icon Winny Speaking

Privacy Policy

Last updated: 23 April 2026

This Privacy Policy describes how Winny Speaking EOOD ("Winny Speaking", "we", "us", "our") collects, uses, and protects personal data when you use the Winny Speaking mobile app, our website, and the waitlist. This policy covers individual consumer accounts only and does not apply to organisational or enterprise services, which are governed by separate agreements.

1. Controller details

Winny Speaking EOOD
Crystal Business Center
38-40 Osogovo St.
Sofia, Bulgaria
Email: hi@winnyspeaking.com

2. Who this service is for

Winny Speaking is intended for users aged 13 and older. It is not directed to children under 13.

3. Data we collect

Depending on how you use our services, we may process:

  • Identity and authentication data — email address, display name, and provider identifiers issued by your chosen sign-in provider (Apple, Google, or Microsoft).
  • Session and practice data — audio recordings you submit during a practice session, generated transcripts, context or scenario selections, AI-generated scores and feedback, and session history.
  • Technical and device data — app version, device model and OS version, crash reports, and diagnostic logs needed to maintain service reliability.
  • Analytics and usage data — aggregated event data (screen views, feature interactions, conversion events) collected via Google Analytics through Google Tag Manager on the website.
  • Website and waitlist submissions — name, email, role, and any other information you enter in forms on the website or waitlist.
  • Cookie and storage data — see Section 8 (Cookies and Tracking) below.
  • Support communications — messages you send to us by email or in-app.

4. How we use data

  • Operate and improve app and website functionality.
  • Generate speech transcripts, produce AI-assisted communication scores and coaching feedback, and return those results to you.
  • Authenticate your identity and maintain secure sessions.
  • Provide support, troubleshoot issues, and enforce security safeguards.
  • Measure website and product performance using aggregated analytics.
  • Comply with legal obligations and respond to lawful requests.

5. Legal bases (GDPR)

  • Performance of a contract — processing necessary to provide the features you request (transcription, scoring, session storage).
  • Legitimate interests — security monitoring, product improvement, fraud prevention, and abuse detection, where those interests are not overridden by your rights.
  • Consent — analytics cookies and optional marketing communications, where consent is required and can be withdrawn at any time.
  • Compliance with legal obligations — responding to supervisory authority requests or court orders.

6. AI processing and sub-processors

We rely on the following categories of third-party processors to deliver service features. Each processor is bound by a data processing agreement and may only process data on our documented instructions.

Infrastructure and storage

  • Google LLC (Firebase / Google Cloud) — identity management (Firebase Authentication), database (Cloud Firestore), file storage (Cloud Storage), and serverless compute (Cloud Functions / Cloud Run). Google Cloud infrastructure is deployed in the europe-west1 and europe-west4 regions. See Google Cloud Privacy.

Authentication providers

Signing in with Apple, Google, or Microsoft routes your credentials through the respective identity provider. Each provider receives only the information needed to verify your identity; we store only the resulting provider identifier and basic profile data (email, display name).

Transcription providers

Audio recordings are sent to one of the following transcription providers. We use EU-region endpoints where available to minimise cross-border data flow, and we opt out of model-improvement data usage on applicable provider accounts.

  • Deepgram Inc. — EU endpoint (Dublin). Audio is transmitted and a transcript is returned; Deepgram's model-improvement opt-out is enabled for our account. See Deepgram Privacy Policy.
  • AssemblyAI Inc. — EU endpoint. Used as an alternative transcription provider. See AssemblyAI Privacy Policy.
  • WhisperX (self-hosted) — a locally-deployed, open-source speech recognition model running on our own Cloud Run infrastructure in europe-west4. No audio is sent to a third party for this provider.

AI evaluation and feedback providers

Transcripts and session context are processed by AI models to generate communication scores and coaching feedback. We transmit only the minimum data required (transcript text and session metadata) and do not include audio for this step.

Waitlist and forms

  • Formshare.ai — the waitlist page embeds a Formshare form to collect your submission (name, email, role, and any other information you choose to provide). Formshare processes this data on our behalf as a data processor. See Formshare Privacy Policy.

Analytics

  • Google LLC (Google Analytics / Google Tag Manager) — website event analytics. Analytics are loaded via GTM on the website only, subject to your cookie consent choice (see Section 8). See Google Privacy Policy.
  • Microsoft Clarity — website session replay, heatmaps, and interaction diagnostics. Clarity follows our analytics-consent controls and helps us understand where website visitors experience friction. See Microsoft Privacy Statement.

Automated decision-making

Communication scores and feedback are generated entirely by automated AI processing without human review. These outputs are for personal development and coaching purposes only and do not produce legal effects or significantly affect you in a similar way within the meaning of Article 22 GDPR. You can disregard any score or request account deletion at any time.

7. Data retention

  • Audio recordings — retained for approximately 30 days after session creation, then permanently deleted from storage. Transcripts derived from audio may be retained longer as part of session history.
  • Session history (transcripts, scores, feedback) — retained until you delete your account or submit a deletion request. See your rights in Section 11.
  • Account data — retained while your account is active. Deleted within 30 days of a verified account deletion request, subject to any overriding legal retention obligation.
  • Technical logs and diagnostics — retained for up to 90 days for operational monitoring and security purposes.
  • Analytics data — aggregated website analytics are retained per Google Analytics default retention settings (up to 14 months for user-level signals), subject to your consent.
  • Support communications — retained for up to 2 years to support issue resolution and follow-up, unless you request earlier deletion.

8. Cookies and tracking

The Winny Speaking website uses limited analytics and similar browser-based technologies to understand how visitors use the site and to improve performance and content.

  • Analytics cookies / tags (Google Analytics via Google Tag Manager and Microsoft Clarity) — these technologies may be loaded when you visit the website and may collect aggregated information such as page views, approximate location, device/browser information, interaction events, heatmaps, and session replay diagnostics.
  • No advertising cookies — we do not use advertising or retargeting cookies on this website.

On your first visit we display a cookie consent banner. Until you make a choice, analytics and marketing storage are denied by default via Google Consent Mode v2. Security storage and functional site-preference storage remain active so the website can operate correctly. Your decision is saved in your browser's localStorage under the key ws_cookie_consent and is reflected in subsequent GTM tag behaviour. You can change your choice at any time by clearing that key in your browser storage, or by reopening preferences via Cookie settings. We configure Google Analytics and Microsoft Clarity to follow your analytics-consent choice. You can also use your browser's privacy controls or extensions to block or clear cookies.

9. Data sharing

We share personal data only with the sub-processors listed in Section 6. We do not sell, rent, or trade personal data to advertisers or data brokers. We may disclose data to law enforcement or regulatory authorities where required by applicable law or a valid legal process.

10. International data transfers

Some sub-processors (including Google LLC, Apple Inc., Microsoft Corporation, Deepgram Inc., and AssemblyAI Inc.) are headquartered in the United States. Where personal data is transferred outside the European Economic Area, we rely on:

  • Standard Contractual Clauses (SCCs) approved by the European Commission, and/or
  • An adequacy decision or other lawful transfer mechanism recognised under GDPR.

Details of the applicable transfer mechanism for each processor are available on request at hi@winnyspeaking.com.

11. Your rights

As a data subject under GDPR (or equivalent applicable law), you have the following rights:

  • Access — obtain a copy of the personal data we hold about you.
  • Rectification — correct inaccurate or incomplete data.
  • Erasure — request deletion of your personal data ("right to be forgotten").
  • Restriction — ask us to pause processing while a dispute is resolved.
  • Portability — receive your data in a structured, machine-readable format.
  • Objection — object to processing based on legitimate interests.
  • Withdraw consent — where processing is based on consent, withdraw it at any time without affecting the lawfulness of prior processing.

To exercise any right, email hi@winnyspeaking.com with your request. We will respond within 30 days. We may ask you to verify your identity before acting on the request. If you are unsatisfied with our response, you have the right to lodge a complaint with the Bulgarian Commission for Personal Data Protection (CPDP) or the supervisory authority in your country of residence.

12. Security

We apply technical and organisational safeguards including encryption in transit (TLS), encrypted storage at rest (AES-256 via Google Cloud), role-based access controls, and operational monitoring. No system can be guaranteed 100% secure. In the event of a personal data breach that is likely to result in a risk to your rights and freedoms, we will notify the relevant supervisory authority within 72 hours of becoming aware of it, and notify affected individuals where required by GDPR.

13. Regional rights supplements

Depending on where you live, additional or equivalent rights may apply alongside Section 11:

  • California (USA) — CCPA / CPRA: California residents have the right to know what personal information we collect and how it is used, the right to delete their personal information, and the right to opt out of the sale or sharing of personal information. We do not sell or share personal information with third parties for their own commercial purposes. To exercise your rights, contact us at hi@winnyspeaking.com.
  • United Kingdom: UK residents are protected under the UK GDPR. All rights in Section 11 apply. You may also lodge a complaint with the UK Information Commissioner's Office (ICO) at ico.org.uk.
  • Australia: Australian residents have rights under the Privacy Act 1988 (Cth), including the right to access and correct personal information. Complaints may be made to the Office of the Australian Information Commissioner (OAIC) at oaic.gov.au.
  • Canada: Canadian residents may have rights under PIPEDA or applicable provincial privacy law, including rights of access, correction, and complaint to the Office of the Privacy Commissioner of Canada.
  • New Zealand: New Zealand residents have rights under the Privacy Act 2020. Complaints may be made to the Office of the Privacy Commissioner at privacy.org.nz.

14. Payments and purchases

If paid app plans are introduced, iOS purchases are processed by Apple through the App Store. We do not receive or store full payment card details.

15. Changes to this policy

We may update this policy from time to time. Material updates are reflected by revising the "Last updated" date and, where appropriate, by in-app or email notice.

Back to homepage