Skip to content

Privacy Policy

Last Updated: April 4, 2026

1. Who We Are

TonesFly is operated by Thang Pham ("TonesFly," "we," "our," or "us"). This Privacy Policy explains how we collect, use, and protect your information when you use the TonesFly mobile application ("the App").

For GDPR purposes, Thang Pham is the data controller. Contact: support@tonesfly.com

2. Information We Collect

We collect the following types of information:

  • Account information — your email address, display name, authentication provider, and account/user ID when you create or link an account via Apple Sign-In, Google Sign-In, or email
  • Audio files — audio files you import into the App for listening practice (processed and stored on-device only)
  • Transcript and lesson metadata — for full-mode processing, we send text transcripts to our servers for real-time enrichment processing. Our backend does not store or retain transcript content after processing
  • Learning and Light Up data — practice progress, accuracy scores, challenge completion, streaks, total Light Up count, which words you tapped, associated lesson IDs, and timestamps
  • Device-linked identifiers — a persistent device_id stored in Keychain and sent to our backend so free-tier Light Up limits cannot be reset by creating multiple accounts on the same device
  • Preferences — your native language so we can generate Light Up explanations in your language and route requests to the appropriate language-specific model
  • Device information — device model, operating system version, and app version for diagnostics
  • Usage analytics — product interaction data used to improve the App; optional analytics are collected only with your consent
  • Campaign attribution — when you open the App from a marketing link, we may collect anonymous UTM parameters (source, medium, campaign name) to measure marketing effectiveness. These parameters do not contain personally identifiable information and are processed through PostHog subject to your analytics consent

3. Legal Basis for Processing (GDPR)

We process your personal data on the following legal bases:

  • Contract performance (Art. 6(1)(b)) — Account data, audio processing, and learning data are necessary to provide the service you requested
  • Legitimate interest (Art. 6(1)(f)) — Device information and anonymized analytics help us maintain and improve the App, prevent fraud, and ensure security
  • Consent (Art. 6(1)(a)) — Non-essential analytics (PostHog) are only processed with your consent, which you can withdraw at any time via Privacy Settings

You may withdraw consent for analytics at any time without affecting the lawfulness of processing before withdrawal.

4. How We Use Your Information

We use the information we collect to:

  • Provide, maintain, and improve TonesFly
  • Process imported audio on-device and use transcripts to generate full-mode listening practice challenges
  • Generate Light Up explanations in your native language and personalize your learning analytics
  • Track your learning progress, streaks, and Light Up usage
  • Enforce the free tier fairly, including full-mode and Light Up limits, and prevent abuse across multiple accounts on the same device
  • Process subscriptions and in-app purchases
  • Send important service updates and lesson-ready notifications
  • Respond to support requests
  • Measure marketing effectiveness using anonymous campaign attribution data from UTM parameters

5. Audio File Processing

Audio is processed entirely on your device and never leaves it.

When you import an audio file:

  • Speech recognition runs on your device using on-device models
  • Only text transcripts are sent for enrichment. No audio data leaves your device.
  • Audio files are stored on-device and in iCloud (if enabled) only
  • Transcripts are processed in real-time and returned to your device immediately. No lesson content is stored on our servers.
  • Processed challenge data is stored locally on your device and in your iCloud account for offline practice
  • We do not use your data for training AI models or share it with third parties

Automated processing: The speech recognition and challenge generation are fully automated. No human reviews your audio or transcripts. You have the right to request human review of any automated processing decision that significantly affects you.

5a. Artificial Intelligence & Machine Learning

TonesFly uses artificial intelligence and machine learning to personalize your learning experience. We are committed to transparency about how these technologies work.

AI-generated content: Light Up word explanations (translations, pronunciation guides, difficulty analysis, and listening tips) are generated by large language models provided by Groq (primary) and Cloudflare Workers AI (backup). These explanations are clearly labeled as AI-generated in the app. Only text transcripts and your native language preference are sent to these providers — never audio, your name, or email.

On-device ML: Speech recognition (OpenAI Whisper) and speaker identification (FluidAudio/pyannote) run entirely on your device. No audio data is transmitted to any server.

Adaptive learning: TonesFly uses on-device machine learning to personalize pause duration between sentences and predict which words you may find difficult. These models adapt based on your interactions (replays, pauses, advances) and improve over 10-20 sessions.

Learner profiling: We build a vocabulary profile tracking your per-word accuracy to assign you to a learner cohort (beginner, intermediate, advanced) and to serve a personalized difficulty prediction model. This profiling is consent-gated and does not apply to users under the applicable age threshold.

You can control AI features in Settings > Privacy > AI Explanations. For a complete list of AI features, see Settings > AI in TonesFly.

5b. Automated Decision-Making & Profiling (GDPR Art. 22)

TonesFly uses automated profiling to personalize your learning experience. This includes:

  • Vocabulary profiling — tracking which words you know and which you struggle with
  • Cohort assignment — automatically categorizing you as beginner, intermediate, or advanced based on your accuracy across sessions
  • Struggle prediction — predicting which words you will find difficult before playback
  • Adaptive pacing — adjusting pause durations based on your cognitive load signals

These automated processes help personalize your learning but do not produce legal effects. Under GDPR Article 22, you have the right to:

  • Request human review of your learning profile
  • Express your point of view about automated decisions
  • Contest any automated decision that significantly affects you
  • Request that profiling data be deleted

To exercise these rights, contact support@tonesfly.com. We will respond within 30 days.

For users under the applicable age threshold (13-18 depending on region), automated profiling and ML training data collection are disabled entirely.

6. Third-Party Services

We use the following third-party services to operate and improve the App:

  • RevenueCat — subscription and purchase management
  • PostHog — product analytics (consent-based)
  • Firebase — authentication and crash reporting
  • Cloudflare — cloud hosting, real-time transcript processing, Light Up counters/history, and edge network services (Workers, D1, KV)
  • Groq — LLM provider for transcript enrichment and Light Up generation (text transcripts and language metadata only, never audio)
  • Axiom — server-side log aggregation for operational monitoring (request metadata, error traces, and performance metrics only; no user content, audio, or transcripts are sent to Axiom; logs are automatically redacted to remove email addresses, tokens, and other PII before transmission; retained for 30 days)
  • FluidAudio — on-device speaker diarization (Apache 2.0, based on pyannote.audio)
  • Resend — transactional email delivery

These providers process data under data processing agreements with appropriate safeguards. Our Data Processing Agreement is available at https://tonesfly.com/dpa. Apple handles all subscription billing directly.

7. Data Sharing

We do not sell, rent, or trade your personal data to third parties. This applies to all users, including California residents.

We may share data with:

  • Cloud hosting and infrastructure providers (for real-time transcript processing and Light Up data storage)
  • LLM and enrichment providers (text transcripts and native-language metadata only; no audio)
  • Analytics services (product interaction data, with your consent where required)
  • Payment processors (Apple handles all subscription billing)
  • Legal authorities when required by law or to protect our legal rights

For California residents (CCPA/CPRA): We do not sell personal information. We do not share personal information for cross-context behavioral advertising. We do not collect or process sensitive personal information as defined by the CPRA, including precise geolocation, racial or ethnic origin, religious beliefs, genetic data, biometric information, or health information. You have the right to know what personal information we collect, request deletion, and opt out of any future sale. Contact support@tonesfly.com to exercise these rights.

8. Data Security

We implement industry-standard security measures to protect your data, including encryption in transit (TLS/HTTPS). Our infrastructure is hosted on Cloudflare's global network (Workers, D1, KV). Text transcripts are sent to our servers for real-time enrichment processing and are not stored or retained by our backend after processing — all lesson data remains on your device and in your iCloud account. Audio is processed entirely on your device and never transmitted to any server.

In the event of a data breach that poses a risk to your rights and freedoms, we will notify the relevant supervisory authority within 72 hours and affected users without undue delay, as required by GDPR Article 33-34.

However, no method of transmission over the internet is 100% secure.

9. Data Retention

We retain your data for as long as your account is active or as needed to provide services.

  • Audio: stored on-device and iCloud only. Audio files never leave your device.
  • Text transcripts: sent to our servers for real-time enrichment processing and not stored or retained by our backend after processing. All lesson content remains on your device and in your iCloud account.
  • Light Up tap history: retained for up to 12 months, then automatically purged.
  • Light Up usage counters, device_id associations, native language, and account data: retained until account deletion.
  • Practice data stored locally on your device: deleted when you remove the app, delete individual lessons, or choose to remove local data.
  • Analytics data: retained for up to 12 months, subject to your consent settings.

You may request account deletion at any time from Settings > Delete Account. When you request deletion, your account enters a 7-day grace period during which you may cancel by signing in. After the grace period expires, all your data is permanently deleted from our servers. We send email confirmation when deletion is scheduled, a reminder 24 hours before, and confirmation after deletion.

TonesFly cannot delete data stored in your iCloud account. To manage iCloud data, visit Settings > [Your Name] > iCloud on your device.

10. International Data Transfers

Our infrastructure is hosted on Cloudflare's global edge network, with data processed via Cloudflare D1 and KV, and related services. Audio is processed entirely on your device and never leaves it. Text transcripts are sent to our servers for real-time enrichment processing and are not stored or retained by our backend after processing. Light Up data and account preferences are stored on our servers for personalization. Third-party services including Firebase, RevenueCat, PostHog, and Groq process data in the United States.

Your information may also be accessed from Viet Nam (where the data controller is located) for administrative and development purposes.

For transfers outside the EU/EEA, we rely on:

  • Standard Contractual Clauses (SCCs) approved by the European Commission
  • Data processing agreements with all third-party service providers
  • Where applicable, adequacy decisions by the European Commission

You may request a copy of the safeguards in place by contacting support@tonesfly.com

Japanese residents (APPI): Your personal data is transferred to the United States (Firebase, RevenueCat, PostHog, Groq) and Viet Nam (data controller) for the purposes described in this policy. We ensure appropriate data protection through contractual obligations with all service providers.

Chinese mainland residents (PIPL): Your personal information, including text transcripts, Light Up data, native-language settings, and account data, may be transferred outside the People's Republic of China to the United States (Firebase, RevenueCat, PostHog, Groq) and Viet Nam (data controller). By using TonesFly, you consent to this cross-border transfer for the purposes described in Section 4. You may withdraw consent at any time by contacting support@tonesfly.com, which may affect our ability to provide the service. We conduct personal information protection impact assessments for cross-border transfers as required by PIPL.

South Korean residents (K-PIPA): Your personal data is transferred to the United States (Firebase, RevenueCat, PostHog, Groq) and Viet Nam (data controller). We provide notice of the recipient, purpose, and items of personal information transferred. These transfers are protected by data processing agreements with all service providers.

Brazilian residents (LGPD): Your personal data is transferred internationally to the United States (Firebase, RevenueCat, PostHog, Groq) and Viet Nam (data controller) for the purposes described in this policy. These transfers are protected by contractual clauses that ensure an adequate level of data protection as required by the LGPD.

Vietnamese residents (PDPD): As the data controller is located in Viet Nam, your personal data is subject to Decree 13/2023/NĐ-CP on personal data protection. Text transcripts and related lesson metadata may be transferred to the United States for processing by third-party services (Firebase, RevenueCat, PostHog, Groq). We conduct data processing impact assessments for cross-border transfers as required by Vietnamese law.

United Kingdom residents (UK GDPR): Your personal data is transferred to the United States (Firebase, RevenueCat, PostHog, Groq) and Viet Nam (data controller). For transfers from the UK, we rely on the International Data Transfer Agreement (IDTA) or the UK Addendum to EU Standard Contractual Clauses, as approved by the UK Information Commissioner's Office (ICO).

Indian residents (DPDP Act 2023): Your personal data, including text transcripts, Light Up data, and account information, may be transferred outside India to the United States (Firebase, RevenueCat, PostHog, Groq) and Viet Nam (data controller). We ensure appropriate data protection through contractual obligations with all service providers. Note: Under the DPDP Act, children are defined as individuals under 18 years of age, and verifiable parental consent is required before processing their data.

Indonesian residents (PDP Law 27/2022): Your personal data may be transferred outside Indonesia to the United States (Firebase, RevenueCat, PostHog, Groq) and Viet Nam (data controller) for the purposes described in this policy. These transfers are protected by data processing agreements ensuring an equivalent level of data protection.

Thai residents (PDPA 2019): Your personal data may be transferred outside Thailand to the United States (Firebase, RevenueCat, PostHog, Groq) and Viet Nam (data controller). We ensure that adequate safeguards are in place as required by the Personal Data Protection Act, including contractual obligations with all service providers.

Turkish residents (KVKK): Your personal data may be transferred outside Turkey to the United States (Firebase, RevenueCat, PostHog, Groq) and Viet Nam (data controller). We rely on your explicit consent or contractual necessity as the legal basis for these cross-border transfers, in accordance with the Law on the Protection of Personal Data (Law No. 6698).

Filipino residents (Data Privacy Act 2012): Your personal data may be transferred outside the Philippines to the United States (Firebase, RevenueCat, PostHog, Groq) and Viet Nam (data controller). These transfers are protected by contractual safeguards ensuring compliance with the Data Privacy Act of 2012 and regulations of the National Privacy Commission (NPC).

Saudi Arabian residents (PDPL 2023): Your personal data may be transferred outside the Kingdom of Saudi Arabia to the United States (Firebase, RevenueCat, PostHog, Groq) and Viet Nam (data controller). We ensure an adequate level of data protection for cross-border transfers as required by the Personal Data Protection Law.

11. Children's Privacy

TonesFly uses an age-gate flow to help comply with children's privacy laws including COPPA (US) and GDPR (EU/EEA). If you have not completed that flow yet, the app will ask for your birthday before optional data collection can be enabled. Your exact birthday is processed locally on-device to determine the correct age threshold; we store only an age range (under 13, 13–15, 16–17, or 18+) locally on the device, not on our servers.

If you identify yourself as under the applicable age threshold (13 in the US and most countries, 13–16 in the EU/EEA depending on country, 14 in China and South Korea, and 18 in India), optional data collection — including analytics, crash reports, and diagnostics — is automatically disabled and cannot be re-enabled in Settings.

If you believe a child's data has been collected in error, please contact support@tonesfly.com and we will delete it promptly.

12. Your Rights

Depending on your jurisdiction, you have the following rights:

All users:

  • Access the personal data we hold about you
  • Request correction of inaccurate data
  • Request deletion of your data
  • Export your data in a portable format
  • Opt out of analytics data collection

EU/EEA residents (GDPR):

  • Right to restrict processing of your data
  • Right to object to processing based on legitimate interest
  • Right to withdraw consent at any time
  • Right not to be subject to solely automated decisions
  • Right to lodge a complaint with your local data protection authority (supervisory authority)

California residents (CCPA/CPRA):

  • Right to know what personal information is collected
  • Right to delete personal information
  • Right to opt out of sale of personal information (we do not sell your data)
  • Right to non-discrimination for exercising your rights

Japanese residents (APPI):

  • Right to request disclosure of retained personal data
  • Right to request correction, addition, or deletion
  • Right to request cessation of use or erasure
  • Right to request cessation of provision to third parties

Chinese mainland residents (PIPL):

  • Right to know and decide about processing of your personal information
  • Right to access and copy your personal information
  • Right to correct or supplement inaccurate or incomplete information
  • Right to request deletion of your personal information
  • Right to withdraw consent at any time
  • Right to request explanation of processing rules
  • Right to data portability

South Korean residents (K-PIPA):

  • Right to access your personal information
  • Right to request correction or deletion
  • Right to request suspension of processing
  • Right to withdraw consent at any time

Brazilian residents (LGPD):

  • Right to confirmation of data processing
  • Right to access your personal data
  • Right to correct incomplete, inaccurate, or outdated data
  • Right to anonymization, blocking, or deletion of unnecessary data
  • Right to data portability
  • Right to information about entities with which data has been shared
  • Right to revoke consent at any time

Vietnamese residents (PDPD):

  • Right to know about personal data processing activities
  • Right to consent and withdraw consent
  • Right to access your personal data
  • Right to request correction of your personal data
  • Right to request deletion of your personal data
  • Right to restrict data processing
  • Right to data portability

United Kingdom residents (UK GDPR):

  • Right to access your personal data
  • Right to rectification of inaccurate data
  • Right to erasure of your data
  • Right to restrict processing
  • Right to data portability
  • Right to object to processing
  • Right to withdraw consent at any time
  • Right not to be subject to solely automated decisions
  • Right to lodge a complaint with the Information Commissioner's Office (ICO)

Indian residents (DPDP Act 2023):

  • Right to access information about your personal data
  • Right to correction and erasure of personal data
  • Right to grievance redressal
  • Right to nominate a representative to exercise rights on your behalf

Indonesian residents (PDP Law 27/2022):

  • Right to be informed about data processing
  • Right to access your personal data
  • Right to correct inaccurate data
  • Right to request deletion of your personal data
  • Right to withdraw consent at any time
  • Right to data portability

Thai residents (PDPA 2019):

  • Right to access your personal data
  • Right to correct inaccurate data
  • Right to request deletion or anonymization
  • Right to restrict processing
  • Right to data portability
  • Right to object to processing
  • Right to withdraw consent at any time
  • Right to lodge a complaint with the Personal Data Protection Committee (PDPC)

Turkish residents (KVKK):

  • Right to know whether your personal data is being processed
  • Right to request information about processing
  • Right to learn the purpose of processing
  • Right to correct incomplete or inaccurate data
  • Right to request deletion or destruction of personal data
  • Right to object to processing
  • Right to data portability
  • Right to lodge a complaint with the Personal Data Protection Authority (KVKK Board)

Filipino residents (Data Privacy Act 2012):

  • Right to be informed about data processing
  • Right to access your personal data
  • Right to correct inaccurate data
  • Right to request deletion or blocking of data
  • Right to object to processing
  • Right to data portability
  • Right to lodge a complaint with the National Privacy Commission (NPC)

Saudi Arabian residents (PDPL 2023):

  • Right to be informed about data processing
  • Right to access your personal data
  • Right to correct inaccurate data
  • Right to request deletion of personal data
  • Right to restrict processing
  • Right to data portability

To exercise any of these rights, contact us at support@tonesfly.com, use the Privacy Settings in the App, or delete your account directly in Settings > Delete Account. We will respond within 30 days for GDPR requests, within 45 days for CCPA requests, within two weeks for APPI requests, within 15 working days for PIPL requests, within 10 days for K-PIPA requests, within 15 days for LGPD and PDPD requests, within 30 days for UK GDPR requests, within 30 days for DPDP requests, within 14 days for Indonesian PDP requests, within 30 days for PDPA requests, within 30 days for KVKK requests, within 15 days for Filipino DPA requests, and within 30 days for PDPL requests (or sooner where required by law).

13. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of material changes through the App or by email at least 30 days before the changes take effect. Your continued use of the App after changes constitutes acceptance of the updated policy.

14. Contact Us

If you have questions about this Privacy Policy or wish to exercise your data rights, please contact us at:

Thang Pham (TonesFly)
Email: support@tonesfly.com

For EU/EEA users: If you are unsatisfied with our response, you have the right to lodge a complaint with your local data protection supervisory authority.