
Privacy Policy - ReadBee GmbH


Effective date: 02 Oct 2025

This Privacy Policy explains how ReadBee GmbH (“ReadBee”, “we”, “us”, or “our”) collects and processes personal data when you use our apps, websites, and related services (the “Service”). It also describes your rights under the EU General Data Protection Regulation (GDPR) and, where applicable, similar laws.

Contact: ReadBee GmbH — Data privacy delegate: Ignasi Selga, ignasi@readbee.ai.

VAT: DE454134699.

If you have any questions about this Policy or our data practices, contact us at ignasi@readbee.ai.

 

1) Roles and Scope

 

- Direct consumer use (non-school): ReadBee acts as the data controller for your personal data.

- School/tenant use: The school or district typically acts as the controller and ReadBee acts as the processor, following the school’s documented instructions under a Data Processing Agreement (DPA). This Policy describes our processing, but the school’s own privacy notices apply to students and staff using the Service via the school.

 

2) Categories of Data We Process

 

Depending on how you use the Service, we may process the following data:

1. Account and authentication

- Identity provider data: Google or Apple sign-in tokens and basic profile fields provided by you or the provider (e.g., email, display/given/family name where available).

- Device-bound credentials: A device-generated public key and device identifier used to establish secure sessions.

- Session tokens: Access and refresh tokens and related metadata (e.g., expiry). On device, these are stored securely (e.g., Keychain/Secure Enclave). Server-side, we store session-related identifiers to operate authentication and allow revocation.

2. Usage and functional data

- Text you submit for syllabification and question generation.

- Optional saved library items and folders linked to a profile (e.g., a student or user profile you select).

- Reading statistics/usage counters (e.g., number of reads per month, words per text) to enforce plan limits and improve service quality.

- Real-time connection metadata (e.g., request IDs, timestamps).

3. Device and diagnostics

- Device information such as platform and model (for device registration and PoP security).

- Error and performance diagnostics via Sentry (e.g., crash traces, error context).

4. School/tenant administration

- Tenant admin and teacher emails for invitations, account creation, and role management.

- Audit logs for administrative actions (e.g., invites, revocation) to provide accountability and security.

5. Optional Bluetooth Low Energy (BLE)

- If you use classroom features with BLE advertising/scanning, the app may use short session codes for proximity-based joining. We don’t use or store precise location; BLE permissions can be denied, which only limits those features.

We do not intentionally collect special categories of data unless you or your controller (e.g., school) instruct us to, and only where lawful to do so.

 

3) Purposes and Legal Bases

 

We process data for the following purposes and legal bases under GDPR:

- Provide the Service and its core features (syllabification, reading guidance, questions) — Art. 6(1)(b) (contract) or, in school context, Art. 6(1)(e)/(c) or (b) as defined by the controller.

- Authenticate users and secure sessions, including device-bound proof-of-possession — Art. 6(1)(b) and (f) (legitimate interests in security).

- Enforce plan/usage limits and manage subscriptions — Art. 6(1)(b).

- Improve reliability and security (e.g., diagnostics via Sentry) — Art. 6(1)(f) (legitimate interests) with appropriate minimization.

- Send invitations/notifications (e.g., teacher or admin invites) — Art. 6(1)(b) and/or (f). Where required, we rely on consent — Art. 6(1)(a).

- Comply with legal obligations — Art. 6(1)(c).

Where we rely on consent (e.g., certain optional permissions or communications), you can withdraw consent at any time without affecting the lawfulness of processing prior to withdrawal.

 

4) Data Sources and Sharing

 

Sources: We receive data directly from you (text you input, your device), from your organization (school/tenant), and from authentication providers (Google/Apple).

Processors/Recipients: To operate the Service, we may share data with:

- Cloud AI model providers (e.g., Google Gemini, Mistral) to process text for syllabification or question generation.

- Authentication providers (Google, Apple) to verify identity tokens you choose to use.

- Diagnostics provider (Sentry) for error/crash reporting and performance troubleshooting.

- Email service providers for invitations and notifications.

- Infrastructure Providers (Hosting and Data Storage): We use servers from Hetzner Online GmbH, a German-based provider, to securely host our services and store your data. Our servers are located exclusively within the European Union. We have a Data Processing Agreement (DPA) in place with Hetzner Online GmbH, compliant with Art. 28 GDPR, to ensure your data is handled with the highest security and data protection standards.

We require processors to implement appropriate security measures and process data only on our documented instructions.

 

5) Retention

 

We retain personal data only as long as necessary for the purposes above, including to comply with legal obligations, resolve disputes, and enforce agreements.

Examples:

- Session/refresh tokens: retained for their validity period or until revoked.

- Saved texts and profiles: retained until you delete them or your administrator deletes them.

- Diagnostic logs: retained for a limited period consistent with troubleshooting needs and our retention schedules.

- School/tenant administration records and audit logs: retained for the duration of the contract and a reasonable period thereafter for audit/security.

 

6) Your Rights (GDPR)

 

Subject to applicable law, you have the right to request:

- Access to your personal data.

- Rectification of inaccurate data.

- Erasure (“right to be forgotten”).

- Restriction or objection to processing in certain cases.

- Data portability (to the extent technically feasible).

Where processing is based on consent, you can withdraw consent at any time. To exercise rights:

- Direct consumer users: contact us at ignasi@readbee.ai.

- School users: contact your school/district (controller); we will assist the controller with requests according to our DPA.

You also have the right to lodge a complaint with your local supervisory authority.

 

7) Security

 

We implement technical and organizational measures to protect personal data, including transport encryption (HTTPS), device-bound proof-of-possession for API calls, secure device storage for tokens, access controls, auditing, and least-privilege practices. No method is 100% secure, but we continuously improve our safeguards.

 

8) Children

 

We support use in schools under the supervision of teachers/administrators who act as controllers and obtain any required consents. For direct consumer use by children, a parent or legal guardian must provide consent where required by law.

 

9) Cookies and Similar Technologies

 

Our web tools may use strictly necessary cookies (e.g., for administrator sessions) and minimal analytics as configured by the controller. In the app, we do not use third-party ad trackers. We use Sentry strictly for diagnostics.

 

10) Changes to this Policy

 

We may update this Policy. We will post the updated version with a new “Effective date” and, where required, provide notice. Your continued use of the Service after the effective date constitutes your acceptance of the changes.

 

11) Contact

 

ReadBee GmbH

Data privacy delegate: Ignasi Selga — ignasi@readbee.ai

VAT: DE454134699

For school/tenant customers, a DPA is available. Contact us at ignasi@readbee.ai.
