Privacy Notice - Glite Tech Ltd.

Last Updated: January 2025

At Glite Tech Ltd, one of our main priorities is the privacy of the users of our applications and technology. This privacy notice outlines the information that is collected, processed, and used by Glite Tech Ltd and on its website.

Navigate this privacy notice to understand:

1. Who we are and how to contact us
2. What data we process
3. Third-party services relied on and intended international transfers of your data
4. Exercising your rights

1. Who we are and how to contact us and our DPO

Responsible for your personal data as data controller is:

Glite Tech Ltd
128 City Road, London
United Kingdom, EC1V 2NX

If you have additional questions or require more information about our privacy policy, do not hesitate to contact us directly at privacy@glite.ai.

We have appointed a Data Protection Officer to oversee our compliance and to address matters relating to data protection. Users can contact the DPO for concerns and/or complaints in relation to their personal data, and/or to exercise their data subject rights (see section 5 of the privacy notice). The contact details are as follows:

TechGDPR DPC GmbH
Willy-Brandt-Platz 2
12529 Berlin-Schönefeld, Germany
Email: glite.dpo@techgdpr.com
Phone: +493054908661

We have also appointed a EU Representative in accordance with Art.27 GDPR. The contact details are as follows:

European Data Protection Office
Avenue Huart Hamoir 71
1030 Brussels, Belgium

2. What data we process

2.1. Data processing on our website

When visiting our website, we process your personal data for the following purposes:

2.1.1 Website Analytics

We use Google Analytics 4 (GA4) to collect aggregated analytics data about how visitors use the Glite website and landing pages. This helps us understand traffic sources, user behaviour, and product interest for the purpose of improving performance and user experience.

Data is collected through the website cookies and includes:

• Analytics data including: page views, session duration, clickstream data, referrer URLs, location, device type, browser, language and browser user-agent
• Device ID
• Operating system version
• Campaign parameters (UTM tags)

Note that your IP address is also anonymised by default by GA4 and that your data is processed in aggregated form and used solely for analytics and reporting.

We process this personal data on the basis of your consent (Art. 6.1.a GDPR) you provide to us by selecting your preferences on our cookie banner.

Data is stored within the Google Analytics platform for 2 months for event data (e.g. page view, click events etc.) and 14 months for user data (pseudonymous identifiers and demographics such as age group and language).

2.1.2. Web Testing

We use VWO (Visual Website Optimizer) to run A/B tests, feature experiments, and user experience improvements on the Glite website and landing pages (English tests). The purpose of this is to help us evaluate how different versions of pages perform and improve overall conversion rates.

Data is collected through website cookies and includes:

• Page views and experiment participation (which variant a user sees)
• Device type
• Browser type
• Screen resolution
• Approximate location (city-level)
• Technical identifiers like session IDs

Note that your IP address is pseudonymised by VWO by replacing the last octet with 0 for any IP addresses stored in the VWO server.

We process this personal data on the basis of your consent (Art. 6.1.a GDPR) you provide to us by selecting your preferences on our cookie banner.

Data is stored within the VWO system for 30 days from the day of the A/B test completion.

2.1.3. Marketing emails

If you opted-in for marketing communication from us we will process your personal data for the purpose of sending you newsletters, marketing emails and/or other promotional materials.

The following data is collected and processed for this purpose:

• Email address
• Delivery metadata (timestamps, delivery status, bounces)
• Engagement metrics (opens and clicks)
• Suppression list data when applicable (unsubscribes, bounces)

We process this personal data on the basis of your consent (Art. 6.1.a GDPR) you provide to us when opting in for marketing communication through the check-box in our website and/or app.

Data is stored for this purpose until you decide to unsubscribe/withdraw consent to the processing.

Note that after that, your data will be retained in the suppression list to ensure that we honor your request not to send further marketing emails.

2.1.4. Social Media Marketing

Joint Controllership Information

1. Meta (Facebook and Instagram)

Meta Platforms Ireland Limited (“Meta Ireland”) and we are joint controllers in regards to (i) collection of personal data specified by the applicable terms and (ii) transmission of that data to Meta Ireland. We include specific disclosures related to the processing in this privacy notice (see below).

Additional information on how Meta processes the data can be found in Meta Ireland’s Privacy Policy (including legal basis and how to exercise rights against Meta).

Data subjects can exercise rights under Arts 15–21 GDPR directly against Meta Ireland for personal data processed by Meta Ireland, and if we receive a rights request or supervisory authority contact relating to the Joint Processing, we will forward the relevant information to Meta Ireland promptly and within a maximum of 7 calendar days, cooperate, and not respond on Meta Ireland’s behalf.

2. TikTok

Glite is also joint controllers with TikTok for (i) collection & transmission of Developer Data and/or Event Data to TikTok, and (ii) measurement/insight reporting on Event Data. Any subsequent processing by TikTok for audience creation/ad targeting, ad optimisation/personalisation, and safety/security/fraud is carried out by TikTok as an independent controller. For more information on their processing related to the purposes set out below, see TikTok’s relevant privacy notice explaining TikTok’s legal basis and DS rights process.

TikTok enables rights requests (Arts 15–20 GDPR) for personal data stored/processed by TikTok after collection/transmission. If requests/authority queries are received by us relating to the Joint Processing, we will promptly notify TikTok via TikTok’s privacy report channel and provide cooperation; we are not authorised to respond on TikTok’s behalf.

Processing Information

We run paid advertising campaigns on Meta platforms (Facebook and Instagram) and TikTok to promote Glite. Users may interact with our ads and visit our website, landing pages or directly download the app.

For the former, we use a Meta pixel on our webpages to send conversion data back to Meta. Within the meta platform, they provide aggregated counts on the accounts that the ad reached. This is split by demographics such as age, gender, and location. For the latter, data is processed for the following purpose: measuring ad performance and conversions, building and optimising consented remarketing and lookalike audiences and budget allocation and campaign optimisation and is stored within the TikTok Ads platform.

The data processed for this purpose includes:

• Recorded events such as “Page View”, “Lead”, and “Purchase”
• Technical identifiers like browser type, device, and campaign parameters (eg UTM)
• Data is collected in two main ways:
1. Conversion event
2. Aggregated campaign metrics e.g. impressions, clicks, conversions (TikTok Ads Manager)

We process this personal data on the basis of your consent (Art. 6.1.a GDPR) you provide to us by selecting your preferences on our cookie banner.

Glite does not retain personal data collected via the Meta Pixel or Conversions API, this personal data is transmitted directly to Meta Platforms Ireland Ltd, which determines its own retention period. Aggregated, non-personal campaign metrics may be retained by Glite Tech for up to 12 months. Meanwhile, data processed by Glite and TikTok may be retained for a maximum of 18 months.

2.2. Data processing when using our app (Glite app users)

2.2.1 Account Creation

We process your personal data for the purpose of creating your user accounts and enable you to sign into the Glite app with a new account.

The following data is collected and processed upon signing up:

• Third-party authentication tokens (e.g., OAuth tokens from Google/Apple Sign-In) used to manage user sessions (we don’t use passwords)
• Email address
• User ID assigned upon registration
• IP address
• Device ID
• Browser user-agent string
• Operating system version
• Pseudonymous identifiers generated by analytics or authentication services (e.g. Firebase UID).

We process this personal data on the basis of the necessity for fulfilling contractual obligations between you and us (Art. 6.1.b GDPR) to provide you with our product.

We delete or irreversibly anonymise personal data for registered users after 24 months of inactivity.

2.2.2 User Authentication

We process your personal data for the purpose of enabling you to sign into the Glite app with your existing account.

The following data is collected and processed upon signing up:

• Third-party authentication tokens (e.g., OAuth tokens from Google/Apple Sign-In) used to manage user sessions
• Email address
• User ID assigned upon registration
• IP address
• Device ID
• Browser user-agent string
• Operating system version
• Pseudonymous identifiers generated by analytics or authentication services (e.g., Firebase UID).

We process this personal data on the basis of the necessity for fulfilling contractual obligations between you and us (Art. 6.1.b GDPR) to provide you with our product.

We delete or irreversibly anonymise personal data for registered users after 24 months of inactivity.

2.2.3 Vocabulary Assessment Reviews

We process your personal data for the purpose of helping you understand your current level of English, and enable Glite to deliver a personalized learning journey.

The following data is collected and processed for this purpose:

• Email address
• User ID
• Technical information collected from the user's device: including IP address, device ID, browser user-agent string, operating system version, and pseudonymous identifiers generated by analytics or authentication services (e.g., Firebase UID).
• Vocabulary test result: A record of a user's answers from the vocabulary assessment test, indicating which words they know and do not know
• Vocabulary size report: An estimated vocabulary size and proficiency level (e.g., CEFR) generated for a user based on their Vocabulary Test Results.
• Inferred knowledge state: Machine-learning-driven model of an individual user's knowledge of the English language.
• User learning interactions e.g. quizzes, lesson cards, looking up new words etc.

We process this personal data on the basis of the necessity for fulfilling contractual obligations between you and us (Art. 6.1.b GDPR) to provide you with our product.

This data is stored for the duration of your user account with us. We delete or irreversibly anonymise personal data for registered users after 24 months of inactivity.

2.2.4 Import Text Feature

We process your personal data for the purpose of analysing free-form content you provide in our Import Text interface, to provide you with vocabulary and grammar analysis. This allows us to identify further learning opportunities for you.

The following data is collected and processed for this purpose:

• Third-party authentication token
• User ID
• Free-form text content that users paste or type into the app for vocabulary and grammar analysis. Note that the content is discarded by default after analysis unless the user explicitly saves it as a lesson
• Lists of words and phrases that a user has explicitly saved for learning
• Inferred knowledge state: Machine-learning-driven model of an individual user's knowledge of the English language.
• User learning interactions e.g. quizzes, lesson cards, looking up new words etc.

We process this personal data on the basis of the necessity for fulfilling contractual obligations between you and us (Art. 6.1.b GDPR) to provide you with our product.

This data is stored for the duration of your user account with us. We delete or irreversibly anonymise personal data for registered users after 24 months of inactivity.

2.2.5 Add Words From Movie Feature

We process your personal data for the purpose of enabling you to add vocabulary from selected movies into your personal learning profile; personalize suggested words using prior knowledge; store learning records for future lessons; and log aggregate usage metrics (e.g., words added count) to improve the product.

The following data is collected and processed for this purpose:

• Pseudonymous user ID
• Lists of words and phrases that a user has explicitly saved for learning.
• User interaction data with the mobile application: including feature usage frequency, session duration, screen views, button clicks, and other behavioural events used for product improvement, bug detection, and understanding user engagement patterns.
• User learning interactions e.g. quizzes, lesson cards, looking up new words etc.

We process this personal data on the basis of the necessity for fulfilling contractual obligations between you and us (Art. 6.1.b GDPR) to provide you with our product.

This data is stored for the duration of your user account with us. We delete or irreversibly anonymise personal data for registered users after 24 months of inactivity.

2.2.6 Quick Lesson and Audio Lesson Feature

We process your personal data for the purpose of enabling you to take a short interactive lesson and track user progress over time based on the use of this feature.

The following data is collected and processed for this purpose:

• Pseudonymous user ID
• User learning interactions e.g. quizzes, lesson cards, looking up new words etc.
• Data related to game-like features within the app, such as points, badges, streaks, and leaderboard positions.
• Inferred knowledge state: Machine-learning-driven model of an individual user's knowledge of the English language.

We process this personal data on the basis of the necessity for fulfilling contractual obligations between you and us (Art. 6.1.b GDPR) to provide you with our product.

This data is stored for the duration of your user account with us. We delete or irreversibly anonymise personal data for registered users after 24 months of inactivity.

2.2.7 Word/Phrase Lookup Analytics

We process your personal data for the purpose of enabling learning personalisation and useful suggestions. This data is also used to provide definitions of the words/phrases searched by you and may be logged to understand user interests and identify gaps in Glite’s available lexicon.

The following data is collected and processed for this purpose:

• UserID
• The specific words or phrases a user searches for within the app's dictionary or lookup feature.

We process this personal data on the basis of the necessity for fulfilling contractual obligations between you and us (Art. 6.1.b GDPR) to provide you with our product.

This data is stored for the duration of your user account with us. We delete or irreversibly anonymise personal data for registered users after 24 months of inactivity.

2.2.8 Daily Notifications and Updating Notification Preferences

We process your personal data for the purpose of sending you daily email notifications summarising your learning activity and progress.

The following data is collected and processed for this purpose:

• User ID
• Email address
• A record of transactional and marketing emails sent to users, including delivery status, open rates, and click-through data. This also includes the content of any email correspondence between the user and the company, such as support requests.
• User learning interactions e.g. quizzes, lesson cards, looking up new words etc.
• Data related to game-like features within the app, such as points, badges, streaks, and leaderboard positions.
• Inferred knowledge state: Machine-learning-driven model of an individual user's knowledge of the English language.

We process this personal data on the basis of your consent (Art. 6.1.a GDPR) you provide to us by selecting your notification preferences.

This data is stored for the duration of your user account with us. We delete or irreversibly anonymise personal data for registered users after 24 months of inactivity.

2.2.9 Payment Funnel Optimization

We process your personal data for the purpose of optimizing and improving in-app payment processes.

The following data is collected and processed for this purpose:

• Subscription lifecycle events (e.g. trial start, purchase, renewal, cancellation etc.)
• Product metadata (e.g. plan, currency, price)
• Device ID (pseudonymised identifier)

We process this personal data on the basis of our legitimate interest (Art. 6.1.f GDPR) of understanding and improving how users move through the subscription journey and optimizing the service by reducing payment friction, testing pricing and paywall variants, and ensuring users receive the correct subscription access state.

This data is stored for the duration of your user account with us. We delete or irreversibly anonymise personal data for registered users after 24 months of inactivity.

2.2.10 Adjust Attribution Tracking

We process your personal data for the purpose of understanding user behaviour for growth and marketing, by linking ad click attribution to iOS installations with App Tracking Transparency authorisation.

The following data is collected and processed for this purpose:

• Device and technical data e.g. pseudonymous device ID, model, OS, app version
• User events e.g. sign-in, onboarding completion, paywall views
• Attribution data e.g. which network (Meta, Google etc.), and which ad campaign the user interacted with

We process this personal data on the basis of your consent (Art. 6.1.a GDPR) you provide to us when prompted to agree to tracking preferences.

We delete or irreversibly anonymise personal data for registered users after 25 months.

2.3. Data processing when requesting customer support

2.3.1 Customer Support Requests

We process your personal data for the purpose of addressing your requests to our support team.

The following data is collected and processed for this purpose:

• User ID
• Email address
• Technical information collected from the user's device: including IP address, device ID, browser user-agent string, operating system version, and pseudonymous identifiers generated by analytics or authentication services (e.g., Firebase UID).
• (Optional) user-provided information about their background relevant for language learning including their native language, education level, country of residence, occupation, English level, age.
• User learning interactions e.g. quizzes, lesson cards, looking up new words etc.
• Data related to game-like features within the app, such as points, badges, streaks, and leaderboard positions.
• Inferred knowledge state: Machine-learning-driven model of an individual user's knowledge of the English language

We process this personal data on the basis of the necessity for fulfilling contractual obligations between you and us (Art. 6.1.b GDPR) to provide you with our product.

This data is stored for 30 days after solving and closure of the issue.

2.3.2 Data Subject Rights Request

We process your personal data for the purpose of addressing your data subject rights requests (See Section 6 for how to exercise your rights).

Depending on the type of request e.g. access, deletion, etc. the following data is collected and processed for this purpose:

• User ID
• Email address
• Technical information collected from the user's device: including IP address, device ID, browser user-agent string, operating system version, and pseudonymous identifiers generated by analytics or authentication services (e.g., Firebase UID).
• (Optional) user-provided information about their background relevant for language learning including their native language, education level, country of residence, occupation, English level, age.
• User learning interactions e.g. quizzes, lesson cards, looking up new words etc.
• Data related to game-like features within the app, such as points, badges, streaks, and leaderboard positions.
• Inferred knowledge state: Machine-learning-driven model of an individual user's knowledge of the English language
• Vocabulary test result: A record of a user's answers from the vocabulary assessment test, indicating which words they know and do not know
• Vocabulary size report: An estimated vocabulary size and proficiency level (e.g., CEFR) generated for a user based on their Vocabulary Test Results.
• Lookup words and phrases
• Analytics and usage events
• Images generated based on user image description
• Feedback and scores related to a user's performance in a learning activity.
• Text import submissions
• Voice audio recordings

We process this personal data on the basis of the necessity for fulfilling our legal obligation (Art.6.1.c GDPR) to comply with your data subject rights request in accordance with Art.12 to 22 of the GDPR.

This data is stored for 30 days after fulfillment and closure of the request.

3 Third-party services and intended international transfers

We rely on the following third-party services to provide you with our app and its feature:

• Partners providing services in relation to the use of AI in the app
• Partners providing services for gathering and analysing analytics
• Partners providing cloud hosting services
• Partners providing services for sending email communication
• Partners providing services for Website Testing
• Partners providing productivity and messaging services

Only data relevant to the functionality of these services is shared with these partners.

Glite Tech Ltd only transfers data to the above third-party service providers if:

• this is necessary for the aforementioned purposes and permitted by law, or
• you have given your explicit consent, prior to the data being transferred.

As a result of the use of the third-party services listed above, we may transfer personal data to countries outside of the UK and EU/EEA, including the United States. These transfers are safeguarded in accordance with Chapter V of the GDPR, whereby we have signed Data Processing Agreements including Standards Contractual Clauses and the UK International Data Transfer Addendum, or signed the same agreements with providers that are part of the Data Privacy Framework and UK extension thereof.

4 Data security

All data stored by us, or any order processors are protected against unauthorised access, loss and modification using the current security standards. For this purpose, extensive technical and organisational security precautions are applied, including but not limited to:

• Encryption at-rest and in-transit (TLS, HTTP-only)
• Least-Privilege access rights
• Use of multi-factor authentication
• Carrying out backups
• Pseudonymisation of personal data whenever possible
• Network protection via Firewall

5 How can you exercise your rights?

You have the following rights with respect to us regarding your personal data:

• Right to information about your stored personal data, its origin and possible recipients and the purpose of the data processing (Art. 15 GDPR)
• Right to rectification of inaccurate data (Art. 16 GDPR)
• Right to erasure of processed personal data, unless processed to fulfill a legal obligation or public interest (Art.17 GDPR).
• Right to restriction of processing (Art. 18 GDPR)
• Right to withdraw your consent only when the processing is carried out on the basis of consent. We will then no longer continue the processing based on this consent for the future. The lawfulness of the processing carried out on the basis of the consent until the revocation is not affected by the revocation. (Art. 7 GDPR),
• Right to data portability but only in instances where data is processed on the basis of consent or performance of a contract (Art. 20 GDPR),
• Right to object if the data processing by us is based on legitimate interests. You may object to the processing of your data for direct marketing purposes at any time, even without giving reasons (Art. 21 GDPR).

Contacting us

To exercise any of the above-mentioned rights, you may contact our DPO at glite.dpo@techgdpr.com or us directly at privacy@glite.ai.

Contacting a data protection authority of your choosing

Should we fail to respond within thirty days or should you not find our response satisfactory, you may place a complaint with the supervisory authority of your choice.

https://edpb.europa.eu/about-edpb/about-edpb/members_en

We are registered with the Information Commissioner’s Office (ICO), located in Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF, UK. They also provide a contact form at the following link:
https://ico.org.uk/make-a-complaint/