Privacy Policy

Last Updated: February 1, 2026

1. Introduction

Welcome to Avena ("we," "our," or "us"). Avena is a suite of Progressive Web Applications (PWAs) designed to help users prepare for language proficiency examinations through advanced spaced repetition learning, AI-powered tutoring, and gamified study experiences.

This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our applications and websites (collectively, the "Service"). We are committed to protecting your privacy and complying with applicable data protection laws worldwide, including:

• General Data Protection Regulation (GDPR) - European Union
• California Consumer Privacy Act (CCPA/CPRA) - California, USA
• Children's Online Privacy Protection Act (COPPA) - United States
• Brazil's Lei Geral de Proteção de Dados (LGPD)
• Canada's Personal Information Protection and Electronic Documents Act (PIPEDA)

This policy applies to all Avena products including:

• Avena HSK: Chinese language learning and HSK exam preparation (hsk.goavena.com)
• Avena Hamza: Arabic language learning and Hamza Arabic Proficiency Test preparation (hamza.goavena.com)

By using the Service, you agree to the collection and use of information in accordance with this Privacy Policy.

2. Information We Collect

2.1 Account Information

• Authentication Data: Email address (from Google Sign-In or email/password registration), display name, and profile picture (if using Google Sign-In)
• Age Information: Age or date of birth (to ensure age-appropriate experiences and COPPA compliance)
• Account Metadata: Account creation date, last login, and subscription status
• Preferences: Study goals, daily targets, notification settings, and display options

2.2 Learning and Progress Data

• FSRS Algorithm Data: Vocabulary progress parameters including difficulty, stability, and retrievability scores for spaced repetition scheduling
• Practice Session Data: Quiz results, accuracy rates, response times, and confidence ratings (Again/Hard/Good/Easy)
• Proficiency Data: Placement test results, HSK levels (1-6), Arabic proficiency levels (A2-C1), and exam readiness scores
• Weakness Patterns: Identified learning challenges (e.g., tone confusion, directional words, root patterns)
• Character/Root Decomposition: Interactions with radical breakdowns (Chinese) and trilateral root analysis (Arabic)

2.3 Gamification Data

• Daily streak information and streak protection usage
• XP points and level progression
• Achievement badges earned
• Leaderboard participation (optional, disabled by default for users under 13)

2.4 Device and Technical Information

• Device Data: Device type, operating system, browser type, and screen resolution
• Network Data: IP address (anonymized for analytics)
• App Data: App version, performance metrics, crash reports
• Push Tokens: Firebase Cloud Messaging tokens (if notifications enabled)

2.5 AI Interaction Data (Premium Feature)

• AI Queries: Questions submitted to the "Ask AI" tutoring feature
• Context Data: Current vocabulary item and learning context to personalize AI explanations
• Feedback: Ratings and feedback on AI responses

2.6 Offline Storage Data

Our PWA stores data locally on your device for offline functionality:

• IndexedDB: Learning progress, vocabulary data, and review schedules
• Service Worker Cache: App assets for offline access
• Firebase Persistence: Local database cache for seamless sync

3. How We Use Your Information

3.1 Core Service Delivery

• Authenticate your identity and maintain account security
• Provide personalized vocabulary learning through our FSRS spaced repetition algorithm
• Determine your proficiency level through adaptive placement testing
• Deliver age-appropriate content and experiences
• Enable offline functionality with automatic data synchronization
• Process subscription payments and manage premium features

3.2 Personalization and Improvement

• Identify learning patterns and customize study recommendations
• Generate AI-powered explanations and mnemonics (premium users)
• Calculate exam readiness scores and suggest focus areas
• Improve our algorithms based on aggregated, anonymized usage data
• Develop new features based on user behavior patterns

3.3 Engagement and Communication

• Track streaks, achievements, and learning milestones
• Send study reminders and notifications (only with your consent)
• Enable optional social features like leaderboards
• Respond to support inquiries and feedback

4. Legal Basis for Processing (GDPR)

For users in the European Economic Area (EEA), United Kingdom, and similar jurisdictions, we process your data based on:

• Contract Performance: Processing necessary to provide learning services you've requested
• Consent: Optional features requiring explicit consent (push notifications, leaderboards, AI tutoring)
• Legitimate Interests: Analytics, security monitoring, and service improvement (balanced against your privacy rights)
• Legal Obligation: Compliance with child protection laws and data retention requirements

5. Information Sharing and Third Parties

5.1 Service Providers

We share data only with trusted service providers who assist in operating our Service:

All service providers are contractually bound to protect your data and use it only for specified purposes.

5.2 Legal Requirements

We may disclose information when required by law, court order, or government request, or when necessary to protect our rights, safety, or property.

5.3 Business Transfers

In the event of a merger, acquisition, or sale of assets, your data may be transferred. We will provide notice before your data becomes subject to a different privacy policy.

6. International Data Transfers

Your information may be transferred to and processed in countries other than your own, including the United States, where our service providers operate.

For transfers from the EEA/UK, we ensure adequate protection through:

• Standard Contractual Clauses (SCCs) approved by the European Commission
• Adequacy decisions where applicable
• Data Processing Agreements with all providers

7. Data Retention

• Active Accounts: Data retained while your account remains active
• Learning Progress: Retained to maintain your personalized learning experience
• After Account Deletion: Most data deleted within 30 days; anonymized analytics may be retained
• Legal Requirements: Financial and legal records retained for 3-7 years as required by law
• AI Queries: Not permanently stored; processed in real-time and not retained by Anthropic beyond processing

8. Children's Privacy (COPPA Compliance)

8.1 Age Requirements

• Our Service is designed for users aged 6 years and older
• Users under 13 require verifiable parental consent before creating an account
• Users aged 13-17 may use the Service with parental awareness

8.2 Parental Consent Process (Under 13)

• Parents or guardians must create and manage accounts for children under 13
• Email verification required from parent/guardian email address
• Consent form must be acknowledged before account activation

8.3 Limited Data Collection for Children

For users under 13, we collect only:

• Username (not required to be real name)
• Age range (not specific date of birth)
• Essential learning progress data
• Parent/guardian contact email

We do not collect from children under 13:

• Precise location data
• Photos or videos
• Voice recordings
• Social media connections

8.4 Restricted Features for Children

• Leaderboards and social features disabled by default
• AI tutoring features require separate parental approval
• No targeted advertising or third-party tracking
• Push notifications require parental consent

8.5 Age-Appropriate Experience (Ages 6-12)

• Larger buttons and simplified visual interface
• Encouraging, age-appropriate feedback and messaging
• No competitive pressure or social comparison features
• Content filtered for age appropriateness

8.6 Parental Rights

Parents and guardians may at any time:

• Review their child's personal information
• Request deletion of their child's account and data
• Refuse further collection or use of their child's information
• Manage account settings and feature access

To exercise these rights, contact us at privacy@goavena.com with verification of parental relationship.

9. Your Privacy Rights

9.1 All Users

• Access: Request a copy of your personal data
• Correction: Update or correct inaccurate information
• Deletion: Request deletion of your account and associated data
• Data Portability: Export your learning data in a machine-readable format
• Opt-Out: Disable analytics tracking in app settings

9.2 Additional Rights for EEA/UK Residents (GDPR)

• Restriction: Request limitation of processing
• Objection: Object to processing based on legitimate interests
• Withdraw Consent: Withdraw previously given consent at any time
• Lodge Complaint: File a complaint with your local Data Protection Authority

9.3 California Residents (CCPA/CPRA)

• Right to Know: Request disclosure of data collected and shared
• Right to Delete: Request deletion of personal information
• Right to Opt-Out: Opt out of sale of personal information (we do not sell data)
• Non-Discrimination: Equal service regardless of privacy choices

To exercise any of these rights, contact us at privacy@goavena.com. We will respond within the timeframes required by applicable law (typically 30-45 days).

10. Data Security

We implement industry-standard security measures to protect your information:

• Encryption in Transit: All data transmitted using TLS 1.3 encryption
• Encryption at Rest: Data stored encrypted in Firebase's secure infrastructure
• Authentication: Secure authentication via Firebase Auth (Google Sign-In, email/password)
• Access Controls: Strict internal access controls with least-privilege principles
• Security Monitoring: Regular security audits and vulnerability assessments
• Incident Response: Established procedures for detecting and responding to data breaches

While we strive to protect your data, no method of transmission or storage is 100% secure. We encourage you to use strong, unique passwords and keep your account credentials confidential.

11. Cookies and Local Storage

Our PWA uses the following storage technologies:

• IndexedDB: Stores learning progress and vocabulary data for offline access
• Service Worker Cache: Caches app assets for offline functionality
• Firebase Persistence: Enables offline database operations with automatic sync
• Analytics Cookies: Google Analytics cookies for usage tracking (can be disabled)

You can manage cookies through your browser settings, though disabling certain storage may affect offline functionality.

12. Third-Party Links

Our Service may contain links to third-party websites or services. We are not responsible for the privacy practices of these external sites. We encourage you to review their privacy policies before providing any personal information.

13. Changes to This Privacy Policy

We may update this Privacy Policy from time to time. We will notify you of material changes by:

• Posting the updated policy on this page with a new "Last Updated" date
• Sending an in-app notification or email for significant changes
• For users under 13, obtaining new parental consent if required by the changes

Continued use of the Service after changes constitutes acceptance of the updated policy.

14. Contact Us

If you have questions about this Privacy Policy or wish to exercise your privacy rights, please contact us:

• Privacy Inquiries: privacy@goavena.com
• General Support: support@goavena.com
• Website: https://goavena.com

For GDPR-related inquiries, you may also contact your local Data Protection Authority.