
Privacy Policy

Last updated: March 9, 2026

1. Introduction

ETHEIA LLC (“Lanma,” “we,” “us,” or “our”) is committed to protecting your privacy. This Privacy Policy explains how we collect, use, disclose, retain, and protect your personal information when you use the Lanma vocabulary learning platform (the “Service”).

This Privacy Policy applies to all users of the Service worldwide, including users in the European Economic Area (EEA), United Kingdom, South Korea, Japan, Brazil, the United States, and other jurisdictions. Where specific laws provide additional rights or impose additional obligations, we have included supplementary provisions in Section 13.

By using the Service, you acknowledge that you have read and understood this Privacy Policy. If you do not agree with our data practices as described herein, please do not use the Service.

2. Data Controller

For the purposes of applicable data protection laws, the data controller is:

ETHEIA LLC (Lanma)
Email: support@lanma.ai

3. Information We Collect

3.1 Information You Provide Directly

  • Account Information: Email address and password when you register, or profile information provided through third-party authentication services (Google, Apple).
  • Profile Data: Language preferences and display settings.
  • User Content: Word sets, vocabulary entries, definitions, example sentences, notes, and other learning materials you create or upload.
  • Payment Information: Billing details processed through our payment provider, Stripe. We do not directly store your full credit card number or payment credentials; these are handled by Stripe in accordance with PCI DSS standards.
  • Communications: Information you provide when contacting us for support or feedback.

3.2 Information Collected Automatically

  • Usage Data: Study session history, quiz results, progress statistics, streak data, mastery levels, and feature usage patterns.
  • Device Information: Browser type, operating system, device type, screen resolution, and language settings.
  • Log Data: IP address, access times, pages viewed, referring URLs, and other standard server log information.
  • Cookies and Similar Technologies: We use essential cookies for authentication and session management. See Section 9 for details.

3.3 Information from Third Parties

  • Authentication Providers: When you sign in using Google or Apple, we receive your name, email address, and profile picture (if available) as authorized by you through those services.
  • Payment Processor: Stripe provides us with transaction confirmations, subscription status, and billing-related information.

4. How We Use Your Information

We use the information we collect for the following purposes:

  • Service Delivery: To provide, operate, and maintain the Service, including managing your account, enabling study sessions, tracking progress, and delivering personalized learning experiences.
  • Payment Processing: To process subscriptions, manage billing, and handle payment-related inquiries.
  • Service Improvement: To analyze usage patterns, diagnose technical issues, and improve the features, functionality, and performance of the Service.
  • Communication: To send you service-related notifications, account updates, security alerts, and (with your consent where required) promotional communications.
  • Safety and Security: To detect, prevent, and address fraud, abuse, security incidents, and technical issues.
  • Legal Compliance: To comply with applicable laws, regulations, legal processes, and governmental requests.

5. Future Use of Data for AI Training

We may in the future use anonymized and aggregated User Content and usage data to train, develop, or improve artificial intelligence and machine learning models. We are not currently using your data for AI training purposes.

Before implementing any such use, we will:

  • Update this Privacy Policy and our Terms of Use with clear, specific details about the nature and scope of AI training;
  • Provide advance notice to all users via email and/or in-app notification;
  • Where required by applicable law (including GDPR, PIPA, and other data protection regulations), obtain your explicit consent before using your data for AI training;
  • Provide a clear and accessible mechanism to opt out of AI training use;
  • Ensure that any data used for AI training is anonymized so that individual users cannot be identified from the training data;
  • Conduct a Data Protection Impact Assessment (DPIA) where required by applicable law.

6. Legal Bases for Processing (EEA/UK Users)

If you are in the EEA or UK, we process your personal data based on the following legal bases under the GDPR:

  • Performance of Contract (Art. 6(1)(b)): Processing necessary to provide you with the Service, manage your account, and fulfill our contractual obligations.
  • Legitimate Interests (Art. 6(1)(f)): Processing for our legitimate interests, such as improving the Service, ensuring security, and preventing fraud, where these interests are not overridden by your rights.
  • Consent (Art. 6(1)(a)): Processing based on your explicit consent, such as for marketing communications or future AI training use. You may withdraw consent at any time.
  • Legal Obligation (Art. 6(1)(c)): Processing necessary to comply with our legal obligations.

7. Data Sharing and Disclosure

We do not sell your personal information. We may share your information in the following circumstances:

  • Service Providers: We share information with trusted third-party service providers who assist us in operating the Service, including:
    • Supabase — Authentication and database hosting
    • Stripe — Payment processing
    • Vercel — Application hosting and content delivery
    These providers are contractually obligated to protect your data and may only process it on our behalf and in accordance with our instructions.
  • Public Content: If you make word sets public, those word sets and associated content will be visible to other users of the Service.
  • Legal Requirements: We may disclose your information if required by law, regulation, legal process, or governmental request, or if we believe disclosure is necessary to protect the rights, property, or safety of Lanma, our users, or others.
  • Business Transfers: In connection with a merger, acquisition, reorganization, or sale of assets, your information may be transferred as part of the transaction. We will notify you of any such change and any choices you may have.

8. Data Retention

We retain your personal information for as long as necessary to fulfill the purposes described in this Privacy Policy, unless a longer retention period is required or permitted by law.

  • Active Account Data: Retained for the duration of your account.
  • Deleted Content: When you delete word sets or other content, it may be soft-deleted (marked as deleted but retained on our servers) for up to 90 days to support data recovery and maintain data integrity, after which it is permanently deleted.
  • Account Deletion: Upon account deletion, your personal data is deleted or anonymized within 30 days, except where retention is required by law (e.g., financial records may be retained for up to 7 years for tax compliance).
  • Backup Data: Residual copies may persist in encrypted backups for up to 90 days after deletion.
  • Aggregated Data: Anonymized and aggregated data that cannot identify you may be retained indefinitely for analytical purposes.

9. Cookies and Tracking Technologies

We use essential cookies that are strictly necessary for the operation of the Service:

  • Authentication Cookies: To keep you signed in and maintain your session.
  • Preference Cookies: To remember your language and display settings.

We do not currently use advertising cookies, third-party tracking cookies, or analytics cookies that track you across other websites. If we introduce such technologies in the future, we will update this Privacy Policy and obtain your consent where required by applicable law.

10. Data Security

We implement appropriate technical and organizational measures to protect your personal information against unauthorized access, alteration, disclosure, or destruction. These measures include:

  • Encryption of data in transit (TLS/HTTPS) and at rest;
  • Secure authentication mechanisms including OAuth 2.0;
  • Regular security assessments and monitoring;
  • Access controls and least-privilege principles for data access;
  • PCI DSS compliant payment processing through Stripe.

While we strive to protect your personal information, no method of transmission over the Internet or method of electronic storage is 100% secure. We cannot guarantee absolute security.

11. International Data Transfers

Your information may be transferred to and processed in countries other than your country of residence. These countries may have data protection laws that differ from your jurisdiction.

Where we transfer personal data from the EEA, UK, or Switzerland, we ensure appropriate safeguards are in place, including:

  • Standard Contractual Clauses (SCCs) approved by the European Commission;
  • Adequacy decisions by relevant data protection authorities;
  • Other legally recognized transfer mechanisms.

For South Korean users, international transfers of personal data are conducted in compliance with the Personal Information Protection Act (PIPA), and we provide notice of the recipient, purpose, and items of personal information transferred.

12. Your Rights

Depending on your jurisdiction, you may have the following rights regarding your personal information:

  • Access: Request a copy of the personal data we hold about you.
  • Rectification: Request correction of inaccurate or incomplete personal data.
  • Erasure: Request deletion of your personal data (subject to legal retention requirements).
  • Restriction: Request restriction of processing of your personal data.
  • Data Portability: Request a copy of your data in a structured, commonly used, machine-readable format.
  • Objection: Object to processing based on legitimate interests.
  • Withdraw Consent: Where processing is based on consent, withdraw your consent at any time.
  • Non-Discrimination: Exercise your privacy rights without receiving discriminatory treatment.

To exercise any of these rights, please contact us at support@lanma.ai. We will respond within the timeframes required by applicable law (generally within 30 days, or 45 days for CCPA requests).

13. Jurisdiction-Specific Provisions

13.1 European Economic Area, United Kingdom, and Switzerland

If you are located in the EEA, UK, or Switzerland, you have rights under the General Data Protection Regulation (GDPR) and equivalent legislation, as described in Section 12. You also have the right to lodge a complaint with your local supervisory authority if you believe your data protection rights have been violated.

13.2 South Korea

If you are located in South Korea, we process your personal information in accordance with the Personal Information Protection Act (PIPA). You have the right to access, correct, delete, and suspend processing of your personal information. We will not process personal information beyond the purpose for which it was collected without your separate consent. We appoint and manage personal information handlers in compliance with PIPA requirements.

13.3 United States — California

If you are a California resident, you have additional rights under the California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA), including the right to know what personal information we collect, the right to delete, the right to opt out of the sale or sharing of personal information (we do not sell personal information), and the right to non-discrimination. To submit a verifiable request, contact us at support@lanma.ai.

13.4 Brazil

If you are located in Brazil, your personal data is processed in accordance with the Lei Geral de Proteção de Dados (LGPD). You have rights including confirmation of processing, access, correction, anonymization, portability, deletion, and information about sharing. You may also file a complaint with the Autoridade Nacional de Proteção de Dados (ANPD).

13.5 Japan

If you are located in Japan, we process your personal information in accordance with the Act on the Protection of Personal Information (APPI). You have the right to request disclosure, correction, cessation of use, and deletion of your personal information. Cross-border transfers are conducted in compliance with APPI requirements.

14. Children’s Privacy

The Service is not directed to children under 16 years of age. We do not knowingly collect personal information from children under 16. If we become aware that we have collected personal information from a child under 16 without parental consent, we will take steps to delete that information promptly. If you believe that a child under 16 has provided us with personal information, please contact us at support@lanma.ai.

15. Changes to This Privacy Policy

We may update this Privacy Policy from time to time. If we make material changes, we will notify you by posting the updated policy on the Service and updating the “Last updated” date. For material changes that affect your rights, we will provide at least 30 days' advance notice via email or in-app notification. Your continued use of the Service after the effective date of the updated Privacy Policy constitutes your acceptance of the changes.

16. Contact Us

If you have any questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us at:

ETHEIA LLC (Lanma)
Email: support@lanma.ai

For EEA/UK users, you may also contact your local data protection supervisory authority.
