© 2016 Your company
Privacy Policy
App name: Pratfoundy
Last updated: 29.01.2026.
Last updated: 29.01.2026.
This Privacy Policy explains how Pratfoundy (“we”, “us”, “our”) collects, uses, discloses, and protects personal data when you use the Pratfoundy mobile application and related services (collectively, the “Service”).
If you are located in the European Economic Area (“EEA”), United Kingdom (“UK”), or Switzerland, this Policy is intended to satisfy the transparency requirements under the General Data Protection Regulation (“GDPR”) and applicable local privacy laws.
1. Controller and Contact Details
The Service is operated under the brand Pratfoundy by an individual resident of Latvia.
Email (privacy contact): info@pratfoundy.app
If you have questions about this Policy or want to exercise your privacy rights, contact us using the details above.
Data Protection Officer (DPO): We are not currently required to appoint a DPO under GDPR. If this changes, we will update this Policy.
2. Definitions
“Personal data” means information relating to an identified or identifiable natural person.
“Processing” means any operation performed on personal data (e.g., collection, storage, use, disclosure).
“Processor” means a third party processing personal data on our behalf.
“EEA” includes EU member states plus Iceland, Liechtenstein, and Norway.
3. Categories of Personal Data We Collect
3.1 Data You Provide Directly
3.1.1 Account and profile data
Completed lessons, progress, XP, streaks, badges, daily tasks status, and similar in-app learning activity.
3.1.3 Communications
Support requests, feedback messages, and other communications you send us.
3.2 Data We Collect Automatically
3.2.1 Device and app data
Events such as app opens, screen views, lesson started/completed, feature interaction (typically aggregated and pseudonymized).
3.2.3 Diagnostics
Crash logs and performance data (to detect and fix bugs)
3.3 Special Categories of Personal Data
We do not intentionally collect “special categories” of data (e.g., health data, biometric data, political opinions) as defined by GDPR Art. 9. Please do not submit such information to us.
4. Purposes of Processing and Legal Bases (GDPR Art. 6)
We process personal data only when we have a valid legal basis.
4.1 Provide and Operate the Service (Account, Core Features)
Purpose: create accounts, authenticate users, provide learning content, store progress and settings, enable features.
Legal basis: Performance of a contract (GDPR Art. 6(1)(b)).
4.2 Service Improvement, Analytics, and Product Development
Purpose: understand how users interact with the Service; improve usability; evaluate feature performance; troubleshoot issues.
Legal basis: Legitimate interests (GDPR Art. 6(1)(f)) — to run and improve the Service in a secure and user-friendly way.
Where local law requires consent for certain analytics technologies, we will request and record your consent (GDPR Art. 6(1)(a)) and provide a way to withdraw it.
4.3 Security, Fraud Prevention, and Abuse Detection
Purpose: protect accounts, prevent suspicious activity, enforce rate limits, maintain integrity of Service.
Legal basis: Legitimate interests (GDPR Art. 6(1)(f)) and/or legal obligation where applicable (GDPR Art. 6(1)(c)).
4.4 Customer Support and Communications
Purpose: respond to requests, provide support, send service messages (e.g., security alerts, critical changes).
Legal basis: Contract (Art. 6(1)(b)) and/or legitimate interests (Art. 6(1)(f)).
4.5 Compliance with Legal Obligations
Purpose: comply with applicable laws, lawful requests, accounting and tax requirements (if applicable).
Legal basis: Legal obligation (GDPR Art. 6(1)(c)).
4.6 Marketing Communications (if implemented)
If we send marketing emails or promotional messages, we will do so:
We aim to collect and process only the data necessary for the purposes described above. Some features may be unavailable if certain data is not provided (for example, you cannot create an account without an email address).
6. Sharing and Disclosure of Personal Data
We do not sell your personal data.
We may share personal data in the following cases:
6.1 Service Providers (Processors)
We use third-party vendors to provide infrastructure and related services (e.g., hosting, databases, analytics, error logging). These vendors act as processors and are contractually required to process personal data only on our instructions, maintain security, and not use it for their own purposes.
Examples of processor categories:
We may disclose personal data if required by law or valid legal process, or to protect rights, safety, and security.
6.3 Business Transfers
If we are involved in a merger, acquisition, reorganization, or asset sale, personal data may be transferred as part of that transaction, subject to applicable law and appropriate safeguards.
7. International Data Transfers
Your personal data may be processed in countries outside your country of residence, including outside the EEA/UK.
Where required by GDPR, we rely on lawful transfer mechanisms, such as:
8. Data Retention
We retain personal data only as long as necessary for the purposes described in this Policy, including to provide the Service, comply with legal obligations, resolve disputes, and enforce agreements.
Typical retention approach:
Subject to conditions and exceptions under law, you have the following rights:
We may ask you to verify your identity before fulfilling the request.
10. Complaints
If you believe our processing of your personal data violates applicable law, you have the right to lodge a complaint with your local data protection authority.
If you are in Latvia, the supervisory authority is typically the Data State Inspectorate (Datu valsts inspekcija).
We encourage you to contact us first so we can address your concerns directly.
11. Security Measures
We implement appropriate technical and organizational measures designed to protect personal data, such as:
12. Cookies and Similar Technologies
The Service is primarily a mobile application. We may use identifiers and similar technologies (e.g., device identifiers, SDK identifiers) for:
13. Automated Decision-Making
We do not perform automated decision-making that produces legal or similarly significant effects on you within the meaning of GDPR Art. 22.
14. Children’s Privacy
The Service is not intended for children under 13.
We do not knowingly collect personal data from children under 13. If you believe a child has provided us personal data, contact us and we will take steps to delete it.
15. Account Deletion
You may request deletion of your account and associated personal data by contacting info@pratfoundy.app.
Where feasible, deletion will include removal or anonymization of:
16. Changes to This Policy
We may update this Policy from time to time. We will post the new version and update the “Last updated” date. If changes are material, we may provide additional notice in-app.
If you are located in the European Economic Area (“EEA”), United Kingdom (“UK”), or Switzerland, this Policy is intended to satisfy the transparency requirements under the General Data Protection Regulation (“GDPR”) and applicable local privacy laws.
1. Controller and Contact Details
The Service is operated under the brand Pratfoundy by an individual resident of Latvia.
Email (privacy contact): info@pratfoundy.app
If you have questions about this Policy or want to exercise your privacy rights, contact us using the details above.
Data Protection Officer (DPO): We are not currently required to appoint a DPO under GDPR. If this changes, we will update this Policy.
2. Definitions
“Personal data” means information relating to an identified or identifiable natural person.
“Processing” means any operation performed on personal data (e.g., collection, storage, use, disclosure).
“Processor” means a third party processing personal data on our behalf.
“EEA” includes EU member states plus Iceland, Liechtenstein, and Norway.
3. Categories of Personal Data We Collect
3.1 Data You Provide Directly
3.1.1 Account and profile data
- Email address;
- Username;
- Profile information you choose to provide (e.g., first/last name, country, date of birth, learning preferences, knowledge level, daily goals);
- Profile picture/avatar (if you upload one).
Completed lessons, progress, XP, streaks, badges, daily tasks status, and similar in-app learning activity.
3.1.3 Communications
Support requests, feedback messages, and other communications you send us.
3.2 Data We Collect Automatically
3.2.1 Device and app data
- Device model, operating system and version;
- App version, language settings;
- Approximate region (derived from device settings; we do not collect precise GPS location unless explicitly implemented and enabled).
Events such as app opens, screen views, lesson started/completed, feature interaction (typically aggregated and pseudonymized).
3.2.3 Diagnostics
Crash logs and performance data (to detect and fix bugs)
3.3 Special Categories of Personal Data
We do not intentionally collect “special categories” of data (e.g., health data, biometric data, political opinions) as defined by GDPR Art. 9. Please do not submit such information to us.
4. Purposes of Processing and Legal Bases (GDPR Art. 6)
We process personal data only when we have a valid legal basis.
4.1 Provide and Operate the Service (Account, Core Features)
Purpose: create accounts, authenticate users, provide learning content, store progress and settings, enable features.
Legal basis: Performance of a contract (GDPR Art. 6(1)(b)).
4.2 Service Improvement, Analytics, and Product Development
Purpose: understand how users interact with the Service; improve usability; evaluate feature performance; troubleshoot issues.
Legal basis: Legitimate interests (GDPR Art. 6(1)(f)) — to run and improve the Service in a secure and user-friendly way.
Where local law requires consent for certain analytics technologies, we will request and record your consent (GDPR Art. 6(1)(a)) and provide a way to withdraw it.
4.3 Security, Fraud Prevention, and Abuse Detection
Purpose: protect accounts, prevent suspicious activity, enforce rate limits, maintain integrity of Service.
Legal basis: Legitimate interests (GDPR Art. 6(1)(f)) and/or legal obligation where applicable (GDPR Art. 6(1)(c)).
4.4 Customer Support and Communications
Purpose: respond to requests, provide support, send service messages (e.g., security alerts, critical changes).
Legal basis: Contract (Art. 6(1)(b)) and/or legitimate interests (Art. 6(1)(f)).
4.5 Compliance with Legal Obligations
Purpose: comply with applicable laws, lawful requests, accounting and tax requirements (if applicable).
Legal basis: Legal obligation (GDPR Art. 6(1)(c)).
4.6 Marketing Communications (if implemented)
If we send marketing emails or promotional messages, we will do so:
- On consent (Art. 6(1)(a)) where required, or
- On legitimate interests (Art. 6(1)(f)) where permitted, with an opt-out in each message.
We aim to collect and process only the data necessary for the purposes described above. Some features may be unavailable if certain data is not provided (for example, you cannot create an account without an email address).
6. Sharing and Disclosure of Personal Data
We do not sell your personal data.
We may share personal data in the following cases:
6.1 Service Providers (Processors)
We use third-party vendors to provide infrastructure and related services (e.g., hosting, databases, analytics, error logging). These vendors act as processors and are contractually required to process personal data only on our instructions, maintain security, and not use it for their own purposes.
Examples of processor categories:
- Cloud hosting and database providers
- Authentication and email delivery providers
- Analytics and crash reporting providers
- Customer support tools (if used)
We may disclose personal data if required by law or valid legal process, or to protect rights, safety, and security.
6.3 Business Transfers
If we are involved in a merger, acquisition, reorganization, or asset sale, personal data may be transferred as part of that transaction, subject to applicable law and appropriate safeguards.
7. International Data Transfers
Your personal data may be processed in countries outside your country of residence, including outside the EEA/UK.
Where required by GDPR, we rely on lawful transfer mechanisms, such as:
- European Commission adequacy decisions (where applicable), or
- Standard Contractual Clauses (SCCs) and, where needed, supplementary safeguards.
8. Data Retention
We retain personal data only as long as necessary for the purposes described in this Policy, including to provide the Service, comply with legal obligations, resolve disputes, and enforce agreements.
Typical retention approach:
- Account and profile data: retained while your account is active; deleted or anonymized upon account deletion, except where retention is required by law or necessary for legitimate purposes (e.g., security logs).
- Learning progress data: retained with your account; removed upon account deletion.
- Support communications: retained for a reasonable period to address your request and for quality/security purposes.
- Security and diagnostic logs: retained for limited periods, typically days to months, depending on necessity.
Subject to conditions and exceptions under law, you have the following rights:
- Right of access – obtain confirmation and a copy of your personal data.
- Right to rectification – correct inaccurate or incomplete data.
- Right to erasure (“right to be forgotten”) – request deletion of personal data.
- Right to restrict processing – request suspension of processing under certain conditions.
- Right to data portability – receive data you provided in a structured, commonly used format and transmit it to another controller.
- Right to object – object to processing based on legitimate interests or direct marketing.
- Right to withdraw consent – where processing is based on consent, you can withdraw it at any time without affecting prior lawful processing.
We may ask you to verify your identity before fulfilling the request.
10. Complaints
If you believe our processing of your personal data violates applicable law, you have the right to lodge a complaint with your local data protection authority.
If you are in Latvia, the supervisory authority is typically the Data State Inspectorate (Datu valsts inspekcija).
We encourage you to contact us first so we can address your concerns directly.
11. Security Measures
We implement appropriate technical and organizational measures designed to protect personal data, such as:
- Access controls and least-privilege practices
- Encryption in transit (e.g., HTTPS/TLS)
- Secure storage and credential handling
- Monitoring and logging for security events
- Regular updates and vulnerability management (as feasible)
12. Cookies and Similar Technologies
The Service is primarily a mobile application. We may use identifiers and similar technologies (e.g., device identifiers, SDK identifiers) for:
- Authentication/session management
- Analytics and performance measurement
- Crash reporting
13. Automated Decision-Making
We do not perform automated decision-making that produces legal or similarly significant effects on you within the meaning of GDPR Art. 22.
14. Children’s Privacy
The Service is not intended for children under 13.
We do not knowingly collect personal data from children under 13. If you believe a child has provided us personal data, contact us and we will take steps to delete it.
15. Account Deletion
You may request deletion of your account and associated personal data by contacting info@pratfoundy.app.
Where feasible, deletion will include removal or anonymization of:
- profile data
- learning progress data
- user-generated content (if any)
16. Changes to This Policy
We may update this Policy from time to time. We will post the new version and update the “Last updated” date. If changes are material, we may provide additional notice in-app.
Appendix A — Data Processors and Sub-Processors
This Appendix forms an integral part of the Privacy Policy.
We use the following third-party service providers (“Processors”) to process personal data on our behalf. Each Processor acts under our instructions and is contractually bound to comply with applicable data protection laws, including GDPR.
1. SupabaseProvider: Supabase, Inc.
Role: Data Processor
Purpose of processing
Data may be processed and stored on servers located in the United States and/or other jurisdictions depending on infrastructure configuration.
Transfer safeguards:
Supabase relies on appropriate safeguards for international data transfers, including Standard Contractual Clauses (SCCs) approved by the European Commission, where applicable.
Privacy & compliance information:
https://supabase.com/privacy
https://supabase.com/gdpr
2. Expo (Expo Platform / EAS)Provider: Expo (by 650 Industries, Inc.)
Role: Data Processor
Purpose of processing
Data location:
Data may be processed on servers located outside the EEA, including the United States.
Transfer safeguards:
Expo applies appropriate contractual and technical safeguards for international data transfers, including reliance on Standard Contractual Clauses (SCCs) where required.
Privacy & compliance information:
https://expo.dev/privacy
Processor Selection and Oversight
We select Processors that provide sufficient guarantees to implement appropriate technical and organizational measures to ensure data protection in accordance with GDPR Article 28.
We periodically review our Processors and will update this Appendix if additional providers are introduced.
Sub-Processors
Supabase and Expo may engage sub-processors to provide their services (such as cloud infrastructure providers).
Information about such sub-processors is available in their respective privacy and compliance documentation.
Changes to This Appendix
If we add or replace Processors, we will update this Appendix accordingly and reflect the changes in the “Last updated” date of the Privacy Policy.
We use the following third-party service providers (“Processors”) to process personal data on our behalf. Each Processor acts under our instructions and is contractually bound to comply with applicable data protection laws, including GDPR.
1. SupabaseProvider: Supabase, Inc.
Role: Data Processor
Purpose of processing
- User authentication and account management;
- Secure storage of user profiles and learning progress;
- Database hosting;
- File storage (e.g. avatars, if applicable).
- Account identifiers (email, user ID);
- Profile data (username, preferences, optional profile fields);
- Learning progress and in-app activity;
- Authentication metadata (timestamps, session identifiers).
Data may be processed and stored on servers located in the United States and/or other jurisdictions depending on infrastructure configuration.
Transfer safeguards:
Supabase relies on appropriate safeguards for international data transfers, including Standard Contractual Clauses (SCCs) approved by the European Commission, where applicable.
Privacy & compliance information:
https://supabase.com/privacy
https://supabase.com/gdpr
2. Expo (Expo Platform / EAS)Provider: Expo (by 650 Industries, Inc.)
Role: Data Processor
Purpose of processing
- Mobile application runtime and build services;
- Application updates and delivery;
- Error diagnostics and basic operational telemetry.
- Device information (device model, OS version);
- App usage metadata (app version, update status);
- Technical logs related to app performance and stability.
Data location:
Data may be processed on servers located outside the EEA, including the United States.
Transfer safeguards:
Expo applies appropriate contractual and technical safeguards for international data transfers, including reliance on Standard Contractual Clauses (SCCs) where required.
Privacy & compliance information:
https://expo.dev/privacy
Processor Selection and Oversight
We select Processors that provide sufficient guarantees to implement appropriate technical and organizational measures to ensure data protection in accordance with GDPR Article 28.
We periodically review our Processors and will update this Appendix if additional providers are introduced.
Sub-Processors
Supabase and Expo may engage sub-processors to provide their services (such as cloud infrastructure providers).
Information about such sub-processors is available in their respective privacy and compliance documentation.
Changes to This Appendix
If we add or replace Processors, we will update this Appendix accordingly and reflect the changes in the “Last updated” date of the Privacy Policy.
