Lovalingo (the "Service") is a SaaS translation tool provided via an npm package by Lovalingo Swiss, operating through the website lovalingo.com. We are committed to protecting the privacy of our users. This Privacy Policy explains what personal data we collect, how we use it, and your rights regarding this data. By using Lovalingo, you agree to the collection and use of information in accordance with this policy.

Data Controller: Lovalingo Swiss is the controller of personal data for account and website usage information. You can contact us at help@lovalingo.com for any questions about your personal data. Data Processor: When you use our translation Service, you (or your organization) may act as the data controller for any personal data contained in the text you submit for translation, and Lovalingo Swiss acts as a data processor of that content on your behalf. This relationship is governed by our Data Processing Agreement.

We collect the following types of data: • Account Information: When you register an Lovalingo account, we collect personal identifiers such as your name, email address, company name (if applicable), and password. This is used to create and manage your account, authenticate you, provide customer support, and communicate about the Service (account-related notices, updates, etc.). The legal basis for this processing is contract performance (providing the Service to you). • Translation Content: All text content that you submit for translation through Lovalingo (including any personal data it contains) is stored on our systems to perform translations and to enable you to retrieve translated results. We process this data solely to fulfill your requests and provide the translation Service. The legal basis is contract performance, as the processing is necessary to provide the translation functionality you requested. We do not use your submitted text content for any purpose other than providing the Service, troubleshooting, and improving the translation algorithms, unless we obtain your consent. • Usage Data and Technical Information: When you interact with our Service or website, we collect technical data such as your IP address, browser type, device type, operating system, and timestamps of requests. We also record logs of actions (e.g. API calls, errors) for security, debugging, and analytical purposes. This information helps us ensure the Service is delivered securely and functions properly (for example, using IP addresses to detect and prevent malicious activity). The legal basis for this processing is our legitimate interest in maintaining the security and performance of our Service. • Cookies and Similar Technologies: We use cookies to store basic preferences (for example, whether the dashboard sidebar is expanded) and to store your cookie consent choice. We may also use third-party analytics cookies (such as Google Analytics) to understand how our website is used, which helps us improve the user experience. Where required by law, we will obtain your consent for non-essential cookies. You can control cookies through your browser settings or via our cookie consent tool. • Payment Information: If you subscribe to a paid plan, our third-party payment processor (e.g., Stripe) will collect and process your payment card details. Lovalingo itself does not store your full financial information; we may retain basic payment records (like billing name, billing address, last four digits of card, transaction IDs) for invoicing, record-keeping, and fraud prevention. The legal basis for processing payment-related data is contract performance and compliance with legal obligations (e.g., financial record-keeping).

We treat your personal data as confidential. We do not sell or rent your personal information. However, we share certain data with third parties under the following circumstances: • Service Providers (Subprocessors): We utilize trusted third-party services to operate Lovalingo. These subprocessors only process data as needed to provide their services to us, under strict data protection obligations. Key subprocessors include: - Supabase (Supabase, Inc.): We use Supabase as our primary database and authentication platform to store account data and translation content. Supabase may store this data on servers located in the EU or other regions as configured. Supabase acts as a data processor on our behalf. - Google Cloud Platform (Google LLC): Lovalingo is hosted on Google Cloud infrastructure and may use Google Cloud services (such as cloud functions or translation APIs) to perform translations. This means personal data (like text content you submit or associated technical data) might be processed and stored on Google Cloud servers. Google LLC is a U.S.-based provider, so data may be transferred to or accessed from the United States. We rely on Google's certifications and data protection measures (such as compliance with the EU-U.S. Data Privacy Framework and Standard Contractual Clauses) to safeguard these transfers. - Lovable, Inc. (Delaware): We use Lovable as our web application development and hosting platform for the frontend dashboard interface. Lovable is a U.S.-based company, so personal data (like account information displayed in the dashboard) may be processed and stored on Lovable servers in the United States. - Other Subprocessors: We may use additional subprocessors for specific functionalities (for example, an email service to send verification emails or support tickets). We maintain a list of our current subprocessors which we can provide upon request, and we will notify you of any significant changes to this list. All subprocessors are bound by data processing agreements to protect your information. • Legal Requirements: We may disclose your information if required to do so by law or in response to valid requests by public authorities (e.g., law enforcement). In such cases, we will only disclose the minimum necessary data and, if legally permissible, we will inform you of such disclosure. • Business Transfers: If Lovalingo Swiss or Lovalingo is involved in a merger, acquisition, or asset sale, your personal data may be transferred to the successor entity. We will provide notice before your personal data is transferred and becomes subject to a different privacy policy. • With Your Consent: We may share your information with third parties for purposes not covered by this Privacy Policy only if you explicitly consent to such sharing.

As noted, some of our service providers are located outside your country (including outside the European Economic Area). When we transfer personal data internationally, we take steps to ensure appropriate safeguards are in place to protect it. For example, for transfers from the EEA to countries not deemed adequate by the European Commission, we use Standard Contractual Clauses (SCCs) or rely on providers certified under frameworks like the EU-U.S. Data Privacy Framework. These measures are designed to ensure that your personal data remains protected according to EU standards even when processed abroad.

We only retain personal data for as long as necessary to fulfill the purposes described in this policy or as required by law. Specific retention periods include: - Account Information: retained for the duration of your account being active. If you delete your account or if it's terminated, we will delete or anonymize this data within a reasonable period (unless we are required to keep it for legal reasons, such as tax records). - Translation Content: stored to provide the Service to you. We retain translated text and the original submitted text for your later reference and to improve service performance (for example, avoiding re-translating the same text). You can delete specific translation projects or content via your account interface or by contacting us. If you delete data, we will remove it from our active databases, though backup copies may persist for a limited time before they are overwritten. If your account is closed, we will delete or anonymize stored translation content after a retention period of 90 days, except where required to keep it longer for legal dispute resolution or troubleshooting. - Usage Logs: logs and technical records are generally retained for a short period (e.g., 90 days up to 1 year) for security, auditing, and analysis, then either deleted or anonymized. - Cookies: cookie data is retained according to the cookie's lifespan (e.g., session cookies are deleted when you close your browser, analytics cookies may persist for 6-24 months). You can clear cookies at any time via your browser.

Depending on your location and applicable law (notably the EU General Data Protection Regulation), you have certain rights regarding your personal data that we handle. These may include: - Right of Access: You can request a copy of the personal data we hold about you. - Right of Rectification: You have the right to ask us to correct or update any inaccurate or incomplete personal data. - Right to Erasure: You can request that we delete your personal data. We will honor such requests to the extent required by law (for example, we may need to retain certain information for legal obligations or legitimate interests). - Right to Restrict Processing: You can ask us to restrict the processing of your data in certain circumstances, e.g., if you contest the accuracy of the data or object to our processing. - Right to Object: You have the right to object to our processing of your personal data when we process it on the basis of legitimate interests, including any processing for direct marketing purposes. If you object, we will consider your request and stop or adjust processing unless we have compelling legitimate grounds to continue. - Right to Data Portability: For data you provided to us and which we process based on your consent or to perform a contract, you have the right to request a copy in a structured, commonly used, machine-readable format, and you can ask us to transfer that data to another controller where technically feasible. - Right to Withdraw Consent: If we rely on your consent to process any personal data (for example, in case of optional marketing emails), you have the right to withdraw that consent at any time. Withdrawal of consent will not affect the lawfulness of processing already carried out. - Right to Complain: If you believe we have infringed your data protection rights, you have the right to lodge a complaint with your local supervisory data protection authority. You may exercise your rights by contacting us at help@lovalingo.com. We may need to verify your identity before fulfilling certain requests. We will respond to your request within a reasonable timeframe and in accordance with applicable law (typically within one month). Please note that some requests (like deletion or restriction) might limit our ability to provide the Service to you if fulfilling the request makes it impossible to properly operate the Service.

We take appropriate technical and organizational measures to secure your personal data and protect it against unauthorized access, alteration, disclosure, or destruction. These measures include encryption of data in transit (e.g., HTTPS/TLS for all interactions) and at rest, access controls to restrict access to data on a need-to-know basis, and regular review of our security practices. We also rely on reputable hosting providers (such as Google Cloud) that have robust security certifications (for example, compliance with standards like SOC 2 Type 2) and safeguards in place. However, no method of transmission over the Internet or electronic storage is completely secure. While we strive to protect your personal data, we cannot guarantee its absolute security. In the event of a data breach affecting your personal data, we will notify you and/or the relevant authorities as required by law, without undue delay.

Lovalingo is not directed at children, and we do not knowingly collect personal data from individuals under the age of 16 (or the relevant age of digital consent in your jurisdiction). If we become aware that we have inadvertently collected personal information from a child without appropriate consent, we will take steps to delete it. If you are a parent or guardian and believe your child has provided personal data to us, please contact us so we can remove the information.

We may update this Privacy Policy from time to time to reflect changes in our practices or for other operational, legal, or regulatory reasons. If we make material changes, we will provide a prominent notice (e.g., on our website or via email) and indicate when the policy was last updated. Your continued use of the Service after any changes signifies your acceptance of the updated policy.

If you have any questions or concerns about this Privacy Policy or our data practices, please contact us at: Email: help@lovalingo.com Mail: Lovalingo Swiss – Privacy Department