Privacy Policy

Last updated: 24 March 2026

This Privacy Policy describes how Deutsch Exam (hereafter "we", "our" or "the Publisher") collects, uses, stores and protects the personal data of users (hereafter "you" or "the User") of the Deutsch Exam mobile application (hereafter "the Application").

By using the Application, you accept the practices described in this policy.

1. Data collected

1.1 Data provided by the User

• Registration data — Last name, first name, email address, profile picture (optional), password (if signing up by email)
• Profile data — Chosen CEFR level (A1–C2), target exam centre (Goethe, ÖSD, TELC, ECL, TestDaF), planned exam date (optional), city
• Written productions — Texts written as part of the written-expression exercises (Schreiben)
• Oral productions — Audio recordings made as part of the speaking exercises (Sprechen)
• Messages to Frau Roos — Text and voice messages sent to the AI tutor
• Vocabulary — Words manually added to the vocabulary notebook

1.2 Data collected automatically

• Usage data — Exercises completed, answers given, scores obtained, time spent per exercise, progress per module and skill
• Leaderboard data — Weekly points, leaderboard position, streaks, badges unlocked
• Technical data — Device type, operating system, app version, unique device identifier, IP address, system language
• Vocabulary data — Review results (success/failure), spaced-repetition intervals, next-review dates
• Notification data — Push-notification token (FCM token), notification preferences

1.3 Data from third parties

• Google Sign-In / Apple Sign-In — Name, email address and profile picture provided by the third-party authentication service, if the User picks this sign-up method

2. Purposes of processing

Your data is used for the following purposes:

2.1 Operation of the Application

• Create and manage your user account
• Adapt exercises to your level and exam centre
• Record your progress and results
• Manage the vocabulary notebook and spaced reviews
• Compute and display the weekly leaderboard
• Award badges and rewards

2.2 AI correction

• Transmit your written and oral productions to the AI service (Google Gemini) for analysis and grading
• Generate personalised corrections, marks and suggestions
• Identify your recurring mistakes for targeted recommendations

2.3 Virtual tutor Frau Roos

• Transmit your messages to the AI service to generate contextual replies
• Adapt explanations to your CEFR level
• Generate personalised exercises based on your identified weaknesses

2.5 Communication

• Send push notifications (revision reminders, leaderboard, encouragement)
• Send service emails (sign-up confirmation, password reset)

2.6 Service improvement

• Analyse aggregated usage data to improve exercises and features
• Detect and fix technical bugs

3. Legal basis for processing

The processing of your data rests on the following legal bases:

• Performance of the contract — Processing is necessary to deliver the service (account management, exercises, correction, leaderboard)
• Consent — For sending push notifications and promotional emails. You can withdraw your consent at any time from the Application settings
• Legitimate interest — For service improvement based on aggregated and anonymised usage data

4. Data sharing

Your data may be shared with the following third parties, exclusively for the purposes described above:

4.1 Technical sub-processors

• Google Firebase (Google LLC, United States) — Database hosting, authentication, file storage, push notifications, analytics. Firebase privacy policy
• Google Gemini (Google LLC, United States) — AI processing of written/oral corrections and conversations with Frau Roos. Productions are sent to the Gemini API for analysis; Google does not use them to train its models under the paid API

4.2 Public data

The following information is visible to other users of the Application:

• Pseudonym or displayed first name
• Profile picture (if provided)
• Weekly leaderboard position and points
• Badges unlocked
• Level and exam centre (on the public profile)

4.3 No sale of data

We do not sell, rent or share your personal data for advertising or commercial purposes with third parties.

5. International data transfers

Your data is hosted on Google Firebase servers located in Europe (europe-west1 region) or the United States. Productions sent to Google Gemini are processed on Google's servers.

These transfers are governed by Google's standard contractual clauses and the safeguards provided by applicable data-protection regulations.

6. Retention period

• Account and progress data — Kept for the entire lifetime of the account, then deleted within 30 days of the deletion request
• Written and oral productions — Kept for the lifetime of the account to allow the correction history to be displayed. Deleted with the account
• Conversations with Frau Roos — Kept for a rolling 12 months, then automatically deleted
• Technical and analytics data — Kept in aggregated and anonymised form for 24 months
• Audio recordings (Sprechen) — Kept for 90 days after correction, then automatically deleted

7. Data security

We implement technical and organisational security measures to protect your data:

• Encryption in transit (TLS/SSL) and at rest (Firebase encryption)
• Secure authentication (Firebase Authentication, JWT tokens)
• Firestore security rules limiting access to each user's data
• Restricted access to production data (principle of least privilege)
• No plaintext password storage (hashing on the Firebase side)

Despite these measures, no system is completely invulnerable. In the event of a data breach, we will inform you as soon as possible in accordance with the applicable regulation.

8. User rights

In accordance with Cameroonian personal-data legislation and, where applicable, with the General Data Protection Regulation (GDPR) for users residing in the European Union, you have the following rights:

• Right of access — Obtain a copy of your personal data
• Right to rectification — Correct inaccurate or incomplete data
• Right to erasure — Request deletion of your account and data
• Right to portability — Receive your data in a structured, machine-readable format
• Right to object — Object to the processing of your data on legitimate grounds
• Right to withdraw consent — Withdraw your consent to push notifications and promotional emails at any time

To exercise these rights, contact us at: privacy@deutschexam.app. We will respond within 30 days.

Account deletion can be performed directly from the Application settings (Profile → Settings → Delete my account).

9. Cookies and similar technologies

The mobile Application does not use cookies. For the website (landing page), we use:

• Essential cookies — Required for the site to work (no consent required)
• Analytics — If enabled, audience-measurement cookies may be placed (with your consent)

10. Protection of minors

The Application is intended for people aged 13 and over. We do not knowingly collect data from minors under the age of 13. If you are a parent or guardian and believe your child under 13 has provided us with data, contact us so we can delete it.

For minors aged 13 to 17, use of the Application is subject to the authorisation of the legal guardian.

11. Changes to this policy

We reserve the right to modify this Privacy Policy at any time. Substantial changes will be communicated by notification within the Application. The date of the last update is indicated at the top of this page.

Continued use of the Application after notification of changes constitutes acceptance of the amended policy.

12. Contact

For any question relating to the protection of your personal data or to exercise your rights, you may contact us at:

• General email: contact@deutschexam.app
• Personal-data email: privacy@deutschexam.app