GDPR Compliance
Last updated: January 2025
1. Introduction
SRS Deutsch is committed to protecting the personal data of all users, including those in the European Economic Area (EEA). This page explains how we comply with the General Data Protection Regulation (GDPR) and describes the rights available to EU/EEA residents.
2. Data Controller Information
SRS Deutsch acts as the data controller for personal data processed through our Service. We determine the purposes and means of processing and are responsible for ensuring GDPR compliance. For data protection inquiries, please contact us through the email provided in the application.
3. Legal Bases for Processing
Under GDPR, we must have a legal basis for processing your personal data. We rely on the following legal bases:
Performance of Contract (Article 6(1)(b))
Processing necessary to provide you with the Service you've signed up for:
- Creating and maintaining your user account
- Storing and processing your vocabulary cards and learning progress
- Processing payments and managing your subscription
Consent (Article 6(1)(a))
Processing based on your explicit consent, which you can withdraw at any time:
- Sending push notifications for study reminders
- Sending marketing communications (if applicable)
Legitimate Interests (Article 6(1)(f))
Processing necessary for our legitimate interests, balanced against your rights:
- Ensuring the security of our Service and preventing abuse
- Improving our Service based on aggregated usage patterns
- Preventing fraud and unauthorized access
4. Your GDPR Rights
As an EU/EEA resident, you have the following rights under GDPR:
Right to Access (Article 15)
You have the right to obtain confirmation of whether we process your personal data and to request a copy of that data.
How to exercise: Use the Export feature in Settings to download all your vocabulary data. For a complete data export, contact us via email.
Right to Rectification (Article 16)
You have the right to correct inaccurate personal data. You can update most information directly through your account settings, including your email, name, and preferences.
Right to Erasure (Article 17)
You have the right to request deletion of your personal data under certain circumstances. We will delete your data unless we have a legal obligation to retain it.
How to exercise: Go to Settings → Delete Account. This will permanently delete your account and all associated data, including decks, cards, and learning progress.
Right to Data Portability (Article 20)
You have the right to receive your personal data in a structured, commonly used, machine-readable format.
How to exercise: Use the Export feature in Settings to download your vocabulary data in CSV format.
Right to Restriction of Processing (Article 18)
You have the right to request restriction of processing in certain circumstances, such as when you contest the accuracy of your data.
Right to Object (Article 21)
You have the right to object to processing based on legitimate interests. Contact us to exercise this right, and we'll stop processing unless we have compelling grounds.
Right to Withdraw Consent (Article 7)
Where we process data based on consent, you can withdraw consent at any time. For example, you can disable push notifications in Settings. Withdrawal doesn't affect the lawfulness of processing carried out before the withdrawal.
5. Subprocessors
We use the following third-party service providers (subprocessors) to help deliver our Service:
| Service Provider | Purpose | Location |
|---|---|---|
| Stripe, Inc. | Payment processing and subscription management | USA (Privacy Shield successor mechanisms) |
| Groq, Inc. | AI-powered example sentence generation | USA |
| OpenAI, Inc. | Text-to-speech pronunciation generation | USA |
| Resend, Inc. | Transactional email delivery (password resets) | USA |
| Vercel, Inc. | Application hosting and content delivery | Global (edge network) |
6. International Data Transfers
Your data may be transferred to countries outside the EEA, primarily the United States. We ensure adequate protection through:
- Standard Contractual Clauses (SCCs) with our service providers
- EU adequacy decisions where applicable
- Binding Corporate Rules of our service providers where applicable
7. Data Breach Notification
In the event of a personal data breach that is likely to result in a risk to your rights and freedoms, we will:
- Notify the relevant supervisory authority within 72 hours of becoming aware of the breach
- Provide all required information to the supervisory authority
- Notify affected individuals directly if the breach is likely to result in high risk to their rights
8. Data Protection Officer
Given the nature and scale of our data processing, we are not required to appoint a Data Protection Officer under GDPR Article 37. However, you can contact us with any data protection concerns through the email address provided in the application.
9. Right to Lodge a Complaint
If you believe we have not handled your data in accordance with GDPR, you have the right to lodge a complaint with your local data protection supervisory authority. We encourage you to contact us first so we can address your concerns directly.
10. Contact Us
For any GDPR-related inquiries, requests to exercise your rights, or data protection concerns, please contact us through the email address provided in the application. We aim to respond to all requests within 30 days, as required by GDPR.
See also: Privacy Policy, Terms of Service, Cookie Policy