Privacy Policy

This Privacy Policy explains how ReadBee GmbH ("ReadBee", "we", "us" or "our") collects and processes personal data when you use our apps, websites, and related services (the "Service"). It also describes your rights under the EU General Data Protection Regulation (GDPR) and, where applicable, similar laws.

Contact: ReadBee GmbH — Data Protection Officer: Ignasi Selga, ignasi@readbee.ai. VAT ID: DE454134699.

1) Roles and Scope

• Direct consumer use (outside a school context): ReadBee acts as the controller for your personal data.
• School/tenant use: The school or school authority typically acts as controller and ReadBee acts as a processor, following the school's documented instructions under a Data Processing Agreement (DPA). This policy describes our processing; however, the school's own privacy notices apply to pupils and staff who use the Service through the school.

2) Categories of Data We Process

Depending on how you use the Service, we may process the following data:

1. Account and Authentication

• Identity-provider data: sign-in tokens from Google or Apple and basic profile data.
• Device-bound credentials: a device-generated public key and device identifier.
• Session tokens: access and refresh tokens and associated metadata.

2. Usage and Feature Data

• Text you submit for syllabification and question generation.
• Optionally saved library items and folders.
• Reading statistics / usage counters for service improvement.
• Real-time connection metadata (e.g. request IDs, timestamps).

3. Device and Diagnostic Data

• Device information such as platform and model.
• Error and performance diagnostics via Sentry.io.

4. School/Tenant Administration

• E-mail addresses of tenant administrators and teachers.
• Audit logs for administrative actions.

5. Optional Bluetooth Low Energy (BLE)

• When you use classroom features, short session codes may be used. We do not use or store precise location data.

3) Purposes and Legal Bases

• Providing the Service and its core features — Art. 6(1)(b) GDPR.
• Authenticating users and securing sessions — Art. 6(1)(b) and (f).
• Enforcing plan/usage limits and managing subscriptions — Art. 6(1)(b).
• Improving reliability and security (e.g. diagnostics via Sentry) — Art. 6(1)(f).
• Sending invitations/notifications — Art. 6(1)(b) and/or (f).
• Complying with legal obligations — Art. 6(1)(c).

4) Data Sources and Sharing

Sources: We receive data directly from you, from your organisation (school/tenant), and from authentication providers (Google/Apple).

Processors/Recipients:

• Infrastructure provider: Hetzner Online GmbH (Germany), server locations exclusively within the EU. DPA concluded pursuant to Art. 28 GDPR.
• Cloud AI model providers (e.g. Mistral, Google Gemini) for syllabification and question generation.
• Authentication providers (Google, Apple) for verifying identity tokens.
• Diagnostics provider (Sentry) for error and crash reports.
• E-mail service provider for invitations and notifications.

5) Retention Periods

• Session/refresh tokens: for their validity period or until revoked.
• Diagnostic logs: limited retention for troubleshooting purposes.
• Saved texts and profiles: until deleted by you or your administrator.
• School/tenant audit logs: for the duration of the contract and a reasonable period thereafter.

6) Your Rights (GDPR)

Subject to applicable law, you have the right to:

• Access your personal data.
• Rectify inaccurate data.
• Erasure ("right to be forgotten").
• Restriction of or objection to processing.
• Data portability (where technically feasible).

To exercise your rights, contact us at ignasi@readbee.ai. You also have the right to lodge a complaint with your local supervisory authority.

7) Security

We implement technical and organisational measures to protect personal data, including transport encryption (HTTPS), device-bound proof-of-possession for API calls, secure on-device token storage, and access controls based on the principle of least privilege.

8) Children

We support school use under the supervision of teachers/administrators who act as controllers and obtain all required consents. For direct use by children, a parent or guardian must provide the legally required consent.

9) Cookies and Similar Technologies

Our web tools may use strictly necessary cookies (e.g. for administrator sessions). In the app we do not use third-party advertising trackers. Sentry is used exclusively for diagnostics.

10) Embedded YouTube Videos

Our website embeds videos from YouTube LLC (901 Cherry Ave., San Bruno, CA 94066, USA), a service of Google LLC. We use the privacy-enhanced mode via youtube-nocookie.com. Videos are initially shown as a thumbnail and only load after the user actively clicks.

Only when the user clicks the play button does a connection to YouTube's servers take place. At that point, personal data (in particular the IP address) may be transmitted to Google. Google may set cookies and process data in accordance with its own privacy policy (policies.google.com/privacy).

The legal basis for embedding is Art. 6(1)(f) GDPR (legitimate interest in illustrating our app features) as well as the consent expressed by clicking the play button.

11) Changes to This Policy

We may update this policy. We will publish the updated version with a new "Effective date". Your continued use of the Service after the effective date constitutes your acceptance of the changes.

12) Contact

ReadBee GmbH
Data Protection Officer: Ignasi Selga
ignasi@readbee.ai
VAT ID: DE454134699

A Data Processing Agreement (DPA) is available for school/tenant customers. Contact us at ignasi@readbee.ai.