Skip to main content

Privacy Policy

How we collect, use, protect, and share your data.

Last updated April 25, 2026

This Privacy Policy explains how Copycat Cafe Limited (“Copycat Cafe”, “we”, “us”) collects, uses, shares, and protects personal data when you use our website, app, language-learning features, subscriptions, emails, support, and related services.

Short version: we use your data to run Copycat Cafe, take payments, provide AI chat, speech recognition, pronunciation scoring, audio, support, security, and product improvement. Your chats, recordings, and transcripts are not for sale, and we do not use them to train Copycat Cafe’s own AI model. A small number of authorized people may review production data when needed to help you, fix bugs, improve prompts, evaluate models, or improve the service.

1. Who controls your data

Controller: Copycat Cafe Limited

Registered in Cyprus: HE 490235

Registered office: Arch. Makariou III, 56E, 2107, Nicosia, Cyprus

Privacy contact: [email protected]

2. Data we collect

  • Account data: name, email address, login details, account settings, language preferences, and communication preferences.
  • Subscription and billing data: subscription plan, status, renewal, cancellation, refund, transaction, Paddle customer/subscription identifiers, and limited billing metadata. We do not store full card details.
  • Learning data: lessons watched, exercises completed, answers, translations, flashcards, progress, level, language choices, chat messages, corrections, scores, and feedback.
  • Voice, audio, and speech data: recordings you submit, live microphone audio while you use speech features, transcripts, pronunciation scores, target phrases, generated audio, and related provider metadata.
  • AI data: prompts, chat context, lesson context, model outputs, evaluator results, and metadata needed to generate responses or assess practice sessions.
  • Support and contact data: messages you send us, testimonial submissions, support history, and information needed to answer you.
  • Technical, security, and usage data: IP address, user agent, device/browser data, logs, error reports, cookies, session identifiers, form-security signals, analytics events, and referrer/affiliate information.

Special-category and highly sensitive data

Copycat Cafe is not designed to collect special-category data such as health information, political opinions, religious beliefs, sexual orientation, biometric identifiers, or similar highly sensitive information. Please do not include highly sensitive personal data in practice conversations, recordings, support messages, or screenshots unless it is necessary for your request. If you choose to include it, we process it only as needed to provide the service, respond to you, maintain security, debug issues, comply with law, or protect legal claims.

3. Why we use data and our legal bases

  • To provide the service under our contract with you: accounts, lessons, AI chat, speech recognition, pronunciation scoring, text-to-speech audio, saved progress, subscriptions, transactional emails, and support.
  • For legitimate interests: security, abuse prevention, debugging, error monitoring, service reliability, product analytics, prompt and product improvement, customer support, and understanding which features work.
  • With consent: microphone/browser permissions, optional marketing emails where required, optional testimonials, and other optional browser permissions or marketing choices where required.
  • For legal obligations: tax, accounting, payment records, fraud prevention, responding to lawful requests, and enforcing legal claims.

4. AI, speech, and human review

Copycat Cafe uses AI and speech vendors to power language-learning features. When you use chat, pronunciation, transcription, or audio-generation features, we may send the relevant text, chat context, audio, transcript, target phrase, and metadata to the vendors listed below so they can provide that feature.

Authorized Copycat Cafe staff and contractors may access production chats, transcripts, recordings, scores, logs, screenshots, and related metadata when reasonably needed for support, debugging, security, abuse investigation, reliability, quality assurance, prompt improvement, model evaluation, and product improvement. This may include controlled internal engineering tools and coding-agent tools such as Amp. We limit this access to people with a work-related need, require confidentiality, and tell staff to include as little personal data as practical in internal review threads. We treat this as running and improving the service, not as training an AI model.

We do not sell your chats, recordings, or transcripts. We do not use them to train Copycat Cafe’s own AI model. For production AI and speech features, our baseline is to use vendors, routes, and account settings that say customer content is not used to train or improve general AI models without our opt-in. This is not a promise that providers keep no data at all: they may still process or keep limited data for security, abuse prevention, reliability, support, legal compliance, or billing, depending on the provider, route, model, account settings, and contract terms. Do not submit highly sensitive personal data in practice conversations unless it is necessary.

We do not use voice or audio data to identify you as a unique person, authenticate you, or create a biometric identifier. We use audio and speech data to provide transcription, pronunciation feedback, generated audio, support, debugging, quality assurance, and service improvement as described in this policy.

Voice recordings and free-form practice content may reveal sensitive details such as accent, health, ethnicity, religion, political opinions, or other personal information if you choose to say or type them. Copycat Cafe does not need that information for ordinary language practice, so please avoid including highly sensitive personal data in recordings, chats, prompts, or support messages unless it is necessary for your request.

What happens when you submit a recording: we may process the recording in Copycat Cafe and send it to the speech provider needed for the feature. For speech-to-text, we may send audio to Soniox. For pronunciation scoring, we may send audio, the target phrase, language or dialect settings, and related metadata to Langcraft. Our current production pronunciation-scoring flow stores the score, transcript or analysis, target text, and feedback metadata in Copycat Cafe so you can see your progress; it does not attach the raw pronunciation audio recording to your account after the request completes. For text-to-speech, ElevenLabs generally receives text to be spoken and voice identifiers, not your own pronunciation recording, unless a feature specifically tells you otherwise.

Can you use Copycat Cafe without uploading voice? Yes, you can read and listen to lessons, review content, and type in chat without giving microphone access. Features that need your speech—pronunciation scoring, spoken chat, and speech-to-text—require microphone audio because the app cannot score or transcribe speech it never receives.

Different AI and speech providers handle data differently. We choose production provider routes and account settings intended to meet a simple baseline: no training or model improvement on Copycat Cafe customer content. For OpenRouter routes, this means we send requests with data collection disabled. That is lower than a strict zero-data-retention requirement, but it is intended to avoid routing customer prompts and outputs to endpoints that use them for training or model improvement. Provider retention, abuse monitoring, security review, deletion periods, and processing locations may depend on the provider, route, model, account setting, and contract terms. We do not promise that every provider has identical retention rules or that every route is zero-retention.

We do not authorize AI or speech providers to use Copycat Cafe customer chats, transcripts, or audio recordings to train, fine-tune, or improve general-purpose models unless we explicitly opt in, update this policy, and have an appropriate legal basis, including consent where required.

Automated decisions

Copycat Cafe does not use your learning data to make decisions that produce legal or similarly significant effects about you solely by automated means. AI scores, corrections, and feedback are learning aids. Paddle and other payment/security providers may use automated systems for fraud prevention, payment authorization, tax, or billing decisions under their own terms and privacy policies.

5. Vendors and recipients we actively use

We use processors, subprocessors, and independent controllers to run Copycat Cafe. Based on our production code paths and production data, these are the active categories we currently rely on:

Some vendors act as our processors or subprocessors and process personal data under our instructions. Some vendors, such as Paddle when acting as merchant of record or reseller for payments, may act as independent controllers for their own legal, tax, fraud-prevention, payment-compliance, and support purposes. Where a vendor acts independently, its own privacy notice also applies.

Vendor Purpose Data involved
Render Application hosting, database, background jobs, logs, and backups. Account, learning, support, technical, and operational data.
Cloudflare CDN/security, Cloudflare R2 object storage, and Turnstile bot prevention on selected forms. IP address, user agent, security signals, stored audio/media/files, and request metadata.
Paddle Merchant of record / authorized reseller for payments, taxes, invoices, subscription billing, payment-method handling, refunds, and fraud prevention. Buyer, payment, tax, transaction, subscription, refund, fraud-prevention, and invoice data. Paddle handles payment data under its own Privacy Policy and buyer terms.
Paddle Retain / ProfitWell Payment recovery and subscription-related notices for signed-in users with Paddle customer records, especially subscribers and accounts with payment issues. Paddle customer identifiers and subscription metadata. We do not intentionally send email addresses to ProfitWell from the frontend.
OpenRouter, direct Cerebras, and approved AI model providers currently including Mistral, OpenAI, Google, Anthropic, and DeepSeek AI chat, evaluation, corrections, flashcard grading, pronunciation coaching experiments, and model routing. Prompts, chat context, lesson context, messages, transcripts, model outputs, and metadata. For OpenRouter routes, we configure production requests with data collection disabled. OpenRouter describes this class of routing as distinct from zero data retention: endpoints may retain data for purposes such as abuse scanning or legal compliance, but should not train on it. Where we call Cerebras directly, our understanding is that Cerebras does not retain inputs or outputs for its inference/chatbot services under the applicable service terms. Other approved model providers may have different security, abuse-monitoring, retention, and processor terms, but our production baseline is no training or model improvement on Copycat Cafe customer content without opt-in.
Soniox Realtime and batch speech-to-text. Live speech audio, uploaded fallback audio, transcripts, language settings, and request metadata. Soniox states in its published documentation that it does not use customer audio or transcripts to train its models and that realtime requests are not retained unless storage is specifically requested or configured. Batch or uploaded fallback audio may be handled according to the applicable Soniox settings and contract terms.
ElevenLabs Text-to-speech generation for lesson, model, and chat audio. Text to be spoken, voice identifiers, generated audio, language settings, and metadata. We do not usually send your own speech recordings to ElevenLabs for text-to-speech. We use ElevenLabs under its business/API and data-processing terms, and we configure available data-use controls to limit use of Copycat Cafe content for training where available.
Langcraft Pronunciation scoring and feedback. Submitted pronunciation audio, target phrase, language/dialect settings, request metadata, pronunciation scores, feedback, IPA/transcription information, and related analysis metadata. We use this for pronunciation scoring and feedback, not to identify you as a unique person or authenticate you. Langcraft has confirmed to us that API audio and transcripts are processed transiently by default and are not retained after response delivery; that it keeps limited operational metadata such as request ID, status, timestamp, and similar logs for API operation, security, troubleshooting, and support; and that API user recordings, transcripts, scores, alignments, and other customer content are not used for model training, fine-tuning, benchmarking, evaluation, or model/service improvement unless we explicitly opt in.
Sentry Error monitoring, performance diagnostics, and debugging. Technical logs, browser/device data, request metadata, email or account identifiers, breadcrumbs, limited diagnostic context, masked session replay or interaction data where enabled, and user-submitted feedback or screenshots where enabled.
Resend Transactional and lifecycle email delivery, plus delivery webhooks. Email address, name, email content, delivery status, unsubscribe/suppression data, and provider event metadata.
Plausible Aggregate, privacy-friendly website analytics. Page views, referrers, device/browser categories, and general location derived from request data.
jsDelivr and similar script/CDN providers Delivery of selected frontend libraries and scripts. IP address, user agent, requested asset URL, and request metadata needed to serve browser assets.
Affonso Affiliate referral attribution, signup attribution, partner commissions, fraud prevention, and affiliate-program reporting. Referral identifiers, affiliate URL parameters, signup identifiers, checkout metadata, and browser/device/request metadata used to credit referred signups or purchases. Affiliates may receive limited commission or attribution information needed to administer referrals, but not learner chats, recordings, transcripts, or lesson content.
Amp / internal coding-agent tooling Engineering support, debugging, quality assurance, prompt improvement, and product improvement. Minimized excerpts of chats, transcripts, recordings, logs, errors, screenshots, or metadata when staff include them in controlled internal review threads.

We also use first-party product analytics in our own application database to understand visits, events, feature usage, and learning progress. Historical records may contain metadata from providers we no longer use for new production requests; those providers are not listed here unless we actively send them new data.

AI and speech providers may change by feature, model route, fallback, experiment, or availability. We keep internal records of active production providers and update this policy when a new provider or processing purpose materially changes how personal data is handled. We will not materially expand the use of chats, recordings, or transcripts for model training without an appropriate legal basis and notice, and consent where required.

6. Cookies, local storage, and similar technologies

  • Strictly necessary: login/session, CSRF protection, security, application preferences, subscription access, billing flows, and bot prevention.
  • Analytics: Plausible provides aggregate website analytics without cross-site profiling; first-party analytics help us understand product usage.
  • Affiliate attribution: when you arrive through an affiliate link, Affonso may create an affonso_referral identifier and store it in your browser for up to 60 days. We pass that referral identifier and limited attribution metadata to Paddle/Affonso at signup or checkout to credit partners, calculate commissions, prevent fraud, and resolve attribution disputes.
  • Payment recovery: Paddle Retain / ProfitWell may run for signed-in users with Paddle customer records to show payment recovery or subscription-related notices.

7. International transfers

We are based in Cyprus, but our vendors may process data in the European Economic Area, the United Kingdom, the United States, and other locations. Where required, we rely on appropriate safeguards such as data processing agreements, Standard Contractual Clauses, adequacy decisions, or other lawful transfer mechanisms. We do not currently promise EU-only processing for all AI, speech, analytics, or infrastructure vendors.

AI model routing, fallback providers, and speech-processing infrastructure may mean the exact processing location varies by feature, provider, route, and availability. When personal data is transferred from Cyprus or the EEA to a country without an adequacy decision, we rely on safeguards such as Standard Contractual Clauses, data-processing terms, access controls, encryption in transit, and data minimization where required.

8. Retention

We keep personal data only as long as needed for the purposes described above, unless a longer period is required for legal, tax, accounting, security, fraud-prevention, backup, or dispute-resolution reasons. Our current retention practices are:

  • Account profile and settings: kept while your account exists, and then deleted or anonymized within a reasonable operational period after account deletion unless we need to keep limited records for legal, security, fraud-prevention, or dispute purposes.
  • Learning progress, chat history, answers, flashcards, scores, and pronunciation records: generally kept while your account exists so the product can work and you can review your progress. You may request deletion as described below.
  • Subscription, invoice, tax, and accounting records: kept as required for legal, tax, accounting, fraud-prevention, and dispute purposes.
  • Audio and transcripts: raw pronunciation audio is processed to provide scoring and is not attached to your Copycat Cafe account after the current production request completes. We may keep transcripts, target text, scores, analysis, and feedback while your account exists so the product can work and you can review your progress. Provider-side audio is deleted after processing where supported by the integration or retained according to the provider’s terms and our account settings.
  • Support messages: kept for a reasonable support-history period unless needed longer for disputes, safety, abuse prevention, or legal obligations.
  • Operational logs, analytics events, and error reports: generally kept for limited operational periods unless needed longer for security, debugging, abuse prevention, reliability, or aggregated analytics.
  • Backups: deleted or overwritten on a rolling schedule unless preserved for security, continuity, or legal reasons.
  • Affiliate referral identifiers: Affonso referral identifiers may be stored in your browser for up to 60 days; Paddle/Affonso signup and conversion records may be kept for partner commission, fraud-prevention, accounting, and dispute purposes.

If you ask us to delete data, we will delete or anonymize what we reasonably can, subject to legal, tax, payment, security, fraud-prevention, backup, and dispute-resolution obligations.

Deleting your Copycat Cafe account or requesting deletion may not immediately remove copies already processed by vendors from transient logs, security logs, backups, abuse-monitoring systems, or legal-compliance records. Vendor-side deletion and retention are governed by our contracts, provider terms, technical settings, and legal obligations. We minimize what we send to vendors and use shorter-retention or no-training settings where available.

9. Security

We use technical and organizational measures designed to protect personal data, including HTTPS, access controls, authentication, vendor security controls, monitoring, and limited internal access. No online service can guarantee perfect security.

10. Your rights

If GDPR or similar laws apply to you, you may have rights to access, correct, delete, restrict, object to processing, receive a portable copy of your data, withdraw consent, and lodge a complaint with a supervisory authority. In Cyprus, the supervisory authority is the Office of the Commissioner for Personal Data Protection.

To exercise rights, contact [email protected]. We may need to verify your identity before acting on a request.

You can object to processing based on legitimate interests, including certain analytics, product-improvement, security, or affiliate-attribution uses, where applicable. You can also object to direct marketing at any time. Withdrawing consent does not affect processing that happened before withdrawal. Some data may be needed to provide the service, maintain security, comply with law, process payments, prevent fraud, or resolve disputes.

11. Family, school, and administrator visibility

If you join through a family, school, team, or similar plan, the person or organization managing that plan may receive limited account-management information such as your email address, invitation status, seat status, subscription access, and usage needed to administer the plan.

If we offer educator, school, classroom, or team dashboards, the relevant administrator may be able to see learner progress, usage, scores, assignments, or similar information, as described in the product or separate school/team terms. We do not offer those expanded dashboard disclosures unless they are described at or before signup for that plan.

12. Children

You must be at least 16 years old to use Copycat Cafe. We do not knowingly collect personal data from children under 16. If you believe a child under 16 has used the service, contact us so we can review and delete the data where appropriate.

13. Keeping this policy current

Copycat Cafe changes as we add languages, features, vendors, AI models, speech providers, analytics, billing flows, support tools, and evaluation processes. We maintain this policy as an operational document: when we add or materially change a production vendor, model route, cookie/local-storage use, production-data review process, or data-retention practice, we should review this policy and update it before or alongside the product change.

14. Changes

We may update this Privacy Policy when our service, vendors, or legal obligations change. If a change is material, we will take reasonable steps to notify users or request acceptance where appropriate.

Questions about your privacy? Contact us