Privacy Policy

Version 2 · Effective from May 14, 2026

This Privacy Policy explains what personal data the 12levels mobile application (the "Service") collects and how it is processed.

1. Data Controller

The data controller is Iuvenalii Khlopkov (PE), an individual entrepreneur registered in the Republic of Armenia, tax identification number 20279853, registered office: 26A Movses Khorenatsi str., apt. 201, Yerevan 0010, Armenia.

Contact for data protection inquiries:
Email: [email protected]
Website: https://12levels.app

2. Categories of Data Processed

2.1 Identification data

• Email address — for registration and account recovery
• Name — for interface personalization
• Internal user identifier (User ID) — to link progress to your account

2.2 Learning data

• Word learning progress — which words are being learned and their current learning stage
• Answer results — correct/incorrect answers used to schedule review intervals via a spaced-repetition algorithm
• Reading sessions — which learning texts you have opened, your position within them, and your overall progress
• Free-text answers — phrases you type during knowledge-check exercises
• Calibration results — your detected language level (CEFR scale) and identified gaps

2.3 Technical data

• Crash reports — anonymous crash data via Apple MetricKit
• Performance metrics — anonymous performance data (launch time, memory) via MetricKit
• App and iOS version — for compatibility

2.4 Payment and subscription data

The Service does not receive credit card numbers, bank details, or any other payment instrument data. All payments for the "12levels Pro" subscription and Lifetime purchase are processed by Apple through the App Store In-App Purchase system.

For purchases made inside the Service, we process the following purchase-related data:

• Signed Apple transaction receipt (JWS) — cryptographically signed by Apple, contains the transaction identifier, product identifier (Monthly / Yearly / Lifetime), purchase date, expiration date (for subscriptions), and Apple's environment (sandbox or production). Verified server-side using Apple's public certificate chain to confirm the purchase is genuine and untampered.
• App Account Token (appAccountToken) — a deterministic anonymous UUID derived from your internal User ID using a one-way SHA-256 transformation with a Service-controlled salt. The token is sent to Apple at purchase time so that subsequent Apple-to-server notifications (renewals, refunds, cancellations) can be matched back to your account without revealing your User ID, email, name, or any other personal data to Apple beyond what Apple already processes as the payment processor.
• Entitlement status — derived state on our servers: which "Pro" plan is active for your account, when it expires, whether auto-renewal is enabled, whether a refund/revocation occurred. Used to gate Pro features and to display correct subscription status in the app.
• Subscription lifecycle events from Apple — received via Apple App Store Server Notifications V2 (a server-to-server webhook from Apple to the Service). Includes events such as SUBSCRIBED, DID_RENEW, EXPIRED, REFUND, REVOKE, DID_CHANGE_RENEWAL_PREF. Used solely to keep your entitlement status accurate; logged in an audit table for compliance and debugging.

We do not collect, see, or have any access to your Apple ID password, your Apple ID email address (we see only the anonymous appAccountToken), your billing address, or your country of residence beyond what Apple may disclose to us indirectly through the regional pricing tier of the purchased product.

3. Purposes of Processing

1. Providing learning functionality — adaptive learning algorithms and personalized content selection based on your level and progress
2. Saving progress across devices — backend synchronization
3. Subscription management — verifying payment status with Apple, gating Pro features, processing renewal/refund/cancellation events
4. Account recovery — via email if device is lost
5. Service improvement — anonymous analytics for bug fixing and UX improvement
6. Legal compliance — tax reporting, retention of subscription records, responding to lawful requests

4. Legal Bases (GDPR Article 6)

• Consent — for processing learning data and personalization
• Contract performance — to provide the subscription service, including verifying purchases and granting Pro entitlements
• Legitimate interest — for security (preventing fraud, abuse), and for keeping subscription state consistent via Apple webhook processing
• Legal obligation — for tax and other regulatory reporting

5. Sharing With Third Parties

5.1 Infrastructure and hosting

• Cloudflare — DNS, CDN, WAF, backend hosting (Containers + Workers), object storage (R2)
• Supabase — managed PostgreSQL database
• Apple Inc. (USA) — App Store, In-App Purchase (payment processor), push notifications, App Store Server Notifications V2 (webhook source for subscription lifecycle events)
• Resend — transactional email delivery (account recovery, important notifications)

5.2 AI content generation (international data transfer)

For features powered by external AI providers, anonymized learning context may be transmitted to:

• OpenAI, L.L.C. (USA) — text generation
• Anthropic, PBC (USA) — text generation

Before transmission, data is anonymized: email, name, and User ID are stripped from the payload. Only the anonymized learning context required for generation is sent.

5.3 Analytics

• Apple MetricKit — anonymous diagnostic data, processed by Apple
• PostHog — product analytics, including paywall and subscription funnel events. Events are linked to your internal User ID; no payment data is sent to PostHog.

6. Data Retention

• Account data — while your account exists. Deleted within 30 days after account deletion
• Backups — kept for 90 days after deletion, then destroyed
• Subscription transaction records and Apple webhook events — 5 years per tax law and to enable refund / dispute handling
• Anonymous metrics — indefinite (not linked to identity)

7. Your Rights

Under applicable law, you have the right to:

1. Access your personal data and receive a copy
2. Request correction or erasure of your data
3. Withdraw consent (which may limit functionality)
4. Restrict or object to processing
5. Data portability (receive your data in a machine-readable format)
6. Lodge a complaint with a supervisory authority
7. Delete your account directly in the app: Profile → Delete Account

Deleting your account removes your learning progress and personal data within 30 days. It does not automatically cancel your active Apple subscription — you must cancel it separately through Apple's subscription management (Settings → [your name] → Subscriptions). Records of past subscription transactions are retained for tax compliance as described in Section 6.

To exercise your rights, send a request to [email protected]. We respond within 30 days.

8. Security

• TLS 1.3 encryption in transit
• Tokens stored in device Keychain
• Password hashing (bcrypt)
• Apple JWS receipts cryptographically verified server-side against Apple Root CA before any entitlement is granted
• Idempotent processing of Apple webhooks via unique notificationUUID deduplication
• Regular dependency updates and vulnerability scanning
• Data minimization (we collect only what is necessary)
• Anonymization before AI service transmission

9. Children

The Service is not intended for children under 13. App Store age rating is 4+ (no objectionable content), but an Apple ID is required (Apple requires parental management via Family Sharing for children under 13). If we learn that a user under 13 has created an account without parental consent, we will delete it. We do not knowingly sell paid subscriptions to children under 13.

10. Changes to This Policy

We may update this Policy. Material changes (expanded data categories, new purposes or recipients) will be notified in the app and may require renewed consent. The version and effective date are shown at the top.

11. Governing Law

For users in the European Union or the EEA, Regulation (EU) 2016/679 (GDPR) applies.

For all other users, the laws of the Republic of Armenia apply (the country of the Controller's registration), without prejudice to mandatory consumer protection provisions of the user's country of residence.

12. Contact

For all data protection inquiries:
Email: [email protected]
Website: https://12levels.app