Privacy Policy

Savvy Solutions MMC

Last Updated: August 29, 2024

This Privacy Policy for Savvy Solutions MMC (“Company”) explains which personal data we collect, store, use, and share (“process”) when you engage with our services (“Services”) in relation to the SpeakUp application and/or its website (“Application”). This includes instances when you:

  • download, install, register with, access, or use the Application and its Services; or
  • interact with us in other related ways, such as through sales, support, or marketing activities.

This Privacy Policy further describes how and why we collect your personal data; how we intend to use, store, protect and share your personal data; and what your rights are and how you may exercise them.

Summary of Key Points

This summary outlines the key highlights of our Privacy Policy. For more detailed information on any specific topic, please refer to the Table of Contents below to navigate to the relevant sections.

What personal data do we process? When you use our Services, we may process your personal information depending on your interactions with us, the choices you make, and the products or features that you access. The personal data of users processed by the Company, in particular, are as follows:

  • your name and e-mail address, which we may receive if you register an account or contact the Company;
  • your login information or basic profile data (e.g., display name, photo) if you sign in via Google or Apple;
  • your device information (such as device type, operating system version, and app version) collected to ensure proper functionality and security of the Application;
  • prompts, voice inputs, messages, text, images, or other educational content that you voluntarily upload or transmit within the Application during normal use of the SpeakUp service;
  • your order and subscription details if you make a purchase (e.g., plan type, billing period, payment status);
  • limited diagnostic and performance data automatically generated by the Application (e.g., crash logs or feature usage) to maintain service stability and improve user experience.

SpeakUp does not collect or process any data for advertising, tracking, or cross-app profiling. Specifically, we do not collect or use:

  • the Identifier for Advertisers (IDFA),
  • the Identifier for Vendors/Developers (IDFV),
  • the Google Advertising ID (GAID),
  • or any similar advertising or tracking identifiers.

We do not use any system or framework (including App Tracking Transparency) for tracking user behaviour across other applications or websites.

Do we process sensitive personal data? No, we do not process any sensitive personal data. SpeakUp does not request, store, or use information related to race, religion, political opinions, health, sexual orientation, or biometric data. Please do not share with us any content that may include such sensitive personal information.

How do we process your information? We mainly process your personal data to deliver, maintain, and improve our Services, enable communication with you, safeguard the integrity and security of the Application, prevent fraud, and comply with legal obligations. Your personal data may also be processed for additional purposes only if you have provided explicit consent (for example, optional analytics or service improvement). All processing activities are performed lawfully and in accordance with applicable data protection regulations.

When do we share personal information? We share your personal data only when it is necessary to operate the SpeakUp Services, comply with legal requirements, protect our rights, or prevent fraud and security risks. This may include sharing with trusted service providers (such as cloud hosting platforms, payment processors, and analytics systems), business partners assisting in service delivery, and competent legal authorities when required by law. Any sharing of data is conducted under strict data protection agreements and applicable privacy regulations. SpeakUp does not share any information with third parties for advertising or user tracking purposes.

How do we keep your personal data secure? We implement both administrative and technical measures designed to protect your personal data from unauthorised access, alteration, disclosure, or destruction. These include encryption, restricted access controls, a secure data centre, firewalls, and regular audits.

What are your rights? Depending on your region, you may have specific rights regarding your personal data. These rights may include the right to access your personal data, the right to request correction or deletion, the right to restrict or object to processing, the right to request data portability, and the right to withdraw consent where processing is based on consent.

How can you exercise your rights? You can exercise your rights by contacting us directly using the contact details provided in this Policy. We will promptly review and respond to all verified requests in accordance with applicable data protection laws.

Table of Contents

  1. The Data Controller and the Objective
  2. Collection of Personal Data and Method
  3. Purposes of Processing Personal Data and Legal Bases
  4. Third Party Websites/Applications, Cookies and Notifications
  5. Data Storage
  6. Technical and Administrative Measures
  7. Age Limitation
  8. Transferring Personal Data to Third Parties
  9. Your Rights as the Data Subject
  10. Contact Information
  11. For Individuals in the European Economic Area, the United Kingdom, and Switzerland
  12. For California Residents

1. The Data Controller and the Objective

Your personal data, which you have provided or will provide to the Company (see Section 10 for contact information) and/or obtained by our Company through lawful external means, may be processed by Savvy Solutions MMC as the “Data Controller.”

The Company aims to process the personal data of users in accordance with the general principles of privacy and the provisions of the applicable data protection legislation, particularly the Law on Personal Data Protection No. 6698 of the Republic of Türkiye (“PDP Law”), the EU General Data Protection Regulation (GDPR) (Regulation (EU) 2016/679), and other applicable national and international data protection laws and regulations.

We are fully committed to complying with this Privacy Policy and all applicable privacy laws in every jurisdiction where we operate. To ensure full compliance with regional legal requirements, we include additional privacy notices for specific jurisdictions. Accordingly:

  • For individuals in the European Economic Area, the United Kingdom, and Switzerland, please refer to Section 11.
  • For residents of California, please refer to Section 12.

In accordance with this Privacy Policy, personal data are processed by the Company as a data controller in line with the following fundamental principles:

  1. being processed lawfully, fairly, and in good faith;
  2. being accurate and, where necessary, kept up to date;
  3. being collected for specified, explicit, and legitimate purposes;
  4. being limited and proportionate to the purposes for which they are processed (data minimisation); and
  5. being retained only for the period stipulated by relevant legislation or as long as necessary to fulfill the purpose of processing.

The Company emphasises that all personal data processed within the SpeakUp Application are limited strictly to operational and service-delivery purposes. SpeakUp does not process data for advertising, behavioral profiling, or cross-app tracking, and therefore does not utilize Apple’s App Tracking Transparency (ATT) framework.

Capitalized terms in this Privacy Policy shall have the meanings specified in the Terms and Conditions unless defined separately in this Privacy Policy.

2. Collection of Personal Data and Method

The Company may process the following categories of personal data for the purposes specified in this Privacy Policy. All collection is carried out fairly, transparently, and in accordance with applicable data protection laws. SpeakUp collects only the minimum data necessary to operate the Application and to provide the Services effectively.

Identity and Contact Information

When you contact us—such as via email, phone, or in-app support—we may process your name, surname, email address, and phone number, as well as the content of your communication. If you contact us by post, we may also process your address, where this information is included in the correspondence. This data is used exclusively to verify your identity (when necessary), respond to your inquiries, and provide customer support.

Technical Information

When you visit, use, or otherwise engage with the Application, certain limited technical data may be collected automatically in order to maintain, secure, and improve our Services. This information includes:

  • Account Information: We collect limited information that you provide directly when creating or maintaining your account. This includes your email address and, if optionally provided, your phone number. This data is used solely to register, authenticate, and protect your account within SpeakUp.
  • Sign-In Information: When you sign in using Google Sign-In or Apple Sign-In, we receive your name and verified email address from these platforms. We do not collect, access, or store your Google or Apple passwords.
  • Device Information: We may collect basic, non-identifiable details about your device—such as device type, operating-system version, and app version—to ensure proper functionality, performance, and compatibility. SpeakUp does not collect IP addresses, log data, browsing history, or any form of advertising identifiers.
  • Location Information: SpeakUp does not collect or track precise geolocation data. Only general region information (for example, country or language settings) may be used automatically to provide localized content or language preferences.
  • Identifiers: For security and service delivery, SpeakUp may generate a unique, anonymous internal user ID or device token. These identifiers are used only for authentication, session management, and to enable optional features such as push notifications. They cannot be used to identify you across other applications or websites.

SpeakUp does not collect or process advertising identifiers such as the Identifier for Advertisers (IDFA), Identifier for Vendors/Developers (IDFV), or Google Advertising ID (GAID), and does not use any third-party frameworks for user tracking or behavioral advertising.

All data is collected directly from you, through your device while using the Application, or from the authentication platforms you choose for login. No personal data is purchased or obtained from unrelated third-party sources.

Account Information

If you create an account with us, we will process the following data linked to your account. This information is necessary to enable you to access and use the features of the SpeakUp Application and to maintain the security of your account.

  • Profile Information: If you choose to create an account directly within SpeakUp by providing your personal details, we may collect and process the following data: your user ID, nickname, username, profile picture, user token, open ID, phone number (if provided), email address, and password. Your password is stored securely using industry-standard encryption methods. SpeakUp never stores plain-text passwords and does not share your account credentials with any third party.
  • Social Media Information: If you prefer to register or sign in through third-party authentication providers such as Google or Apple, we will receive only limited profile information from those platforms to verify your identity and create your SpeakUp account. We do not collect or store your Google or Apple passwords, nor do we access any unrelated social media data. The information we may receive from these platforms includes:
    • Through Google: Google user ID, display name (nickname or username), profile picture, user token, open ID, phone number (if linked to your Google account), and verified email address.
    • Through Apple: Apple user ID, display name (nickname or username), profile picture (if available), user token, open ID, and verified email address.
    • (Note: SpeakUp currently does not integrate Facebook Login. Should this option be added in the future, only the minimum data required for authentication—such as Facebook user ID, display name, profile picture, and email address—will be processed, in line with this Privacy Policy.)

This account data is used solely for the purpose of identifying users, securing access, providing personalized in-app functionality (e.g., displaying your name or avatar), and enabling password recovery if necessary. SpeakUp does not use this data for advertising, behavioral tracking, or sharing with any third-party marketing services.

User Content

We process the data that you provide when interacting with our Services, such as when you enter, upload, or share any information within the SpeakUp Application. This data is essential for delivering the main features of our Services — such as AI conversation, role play, vocabulary practice, or voice interaction — and is handled in compliance with this Privacy Policy and applicable laws.

  • This data includes prompts, messages, voice inputs, conversation text, user responses, translations, posts, questions, statements, uploaded materials, files, images, photos, videos, audio and visual recordings, or any other data or content that you generate, upload, transmit, create, store, edit, or share through the Application. These may include inputs provided during AI chat sessions, vocabulary exercises, and role-play dialogues.
  • Onboarding Information: Before you start using the Application, you may be asked several optional onboarding questions — for example, your gender, native language, target (foreign) language level, learning goals, hobbies, or preferred practice times. If you choose to answer these questions, we may collect and process your responses in order to personalize your learning experience, such as recommending conversation topics or sending optional study reminders (with your consent). These questions are entirely optional, and you may use the Application freely without answering them or providing such information.
  • Permissions for Device Access: We may request your permission to access certain features of your device, such as the microphone, camera, or photo gallery, in order to enable specific educational functionalities (for example, voice conversations with AI tutors, pronunciation evaluation, or uploading images for avatar configuration). You can decline or later revoke these permissions at any time through your device’s settings. However, certain features of the Application may not function properly without these permissions.
  • Please do not share any content that includes sensitive personal information. SpeakUp does not require, and explicitly discourages, the sharing of financial details, social security numbers, health information, images of other individuals, information about children, or any sensitive or confidential information through the Application. If such content is submitted inadvertently, we will take commercially reasonable steps to promptly delete it from our systems, unless retention is strictly required by law.
  • Storage of User Content: We store your user content securely in accordance with this Privacy Policy and relevant legislation. Storing your user content is necessary for providing the Services — for example, maintaining conversation history, enabling grammar feedback, or displaying saved vocabulary. At any time, you may request the deletion of this data by contacting us via the methods described in Section 10. Your other rights regarding this information are outlined in detail in Section 9 of this Policy.
  • Access to Device Tools: When you use certain features, we may ask for your consent to access your device’s camera, microphone, or photo files, for instance to allow video or audio interactions with your AI tutor avatar, or to process images you upload. You can withdraw permission at any time in your device settings.
  • Note regarding voice recordings: If you record voice messages within SpeakUp, these recordings are stored only with your consent and may be used to generate responses, pronunciation feedback, or lesson transcripts. Recordings are not used for AI model training unless you have explicitly provided consent for such use in your settings.
  • Note regarding sensitive information: SpeakUp does not intentionally collect sensitive personal data. If we become aware that any sensitive information has been submitted to us inadvertently, we will delete it as soon as reasonably possible, except where retention is required to comply with applicable laws.
  • Note regarding your rights: You have full control over your user content. You may request the deletion, correction, or export of your stored data at any time. All such requests are handled promptly and in accordance with applicable privacy regulations.

Customer Transaction

We may collect limited order and transaction information directly from you, from our authorized payment processors, or through our secure in-app purchase systems (for example, Apple App Store or Google Play Store).

  • This information may include your order date, payment date, subscription plan type, billing period, billing document or receipt details, payment amount, due amount, payment status, and any associated transaction identifiers (such as a billing ID or your registered email address). This data is processed solely for the purposes of verifying payment, managing your subscription, and ensuring the accurate handling of invoices and renewals.
  • Please note that SpeakUp and Savvy Solutions MMC do not collect or store any payment method details (for example, your credit card number or bank account information). All payment transactions are processed securely by third-party payment service providers such as Apple, Google, or other authorized payment platforms, in accordance with their respective privacy policies.

Marketing Data

SpeakUp does not engage in advertising tracking or targeted marketing activities. We do not collect or use advertising identifiers, including:

  • Identifier for Advertisers (IDFA),
  • Identifier for Vendors/Developers (IDFV),
  • Google Advertising ID (GAID), or any similar identifiers used for ad personalization or cross-app tracking.

When you give us permission, we may collect limited usage and diagnostic data through analytics tools such as Firebase Analytics for the purpose of improving performance, monitoring technical stability, and understanding general user interactions within the app. These analytics do not identify you personally, do not link data to advertising networks, and do not enable tracking outside of the SpeakUp Application.

We will only process analytics or marketing-related data based on your explicit consent (for example, if you opt in to performance monitoring). You may withdraw your consent at any time by adjusting your in-app privacy settings.

Explanation on the Source of Information

We may collect the categories of personal data described above from the following lawful and limited sources:

  • directly from you, through electronic means such as registration forms, in-app purchases, or support requests;
  • automatically from your device when you use the Application (e.g., through necessary technical logs or analytics events);
  • through third-party platforms or stores (such as the Apple App Store or Google Play Store) when you download, install, or subscribe to the Application;
  • from authorized payment processors or service providers (for example, those managing subscription renewals or secure payment verification).

All such data collection occurs for legitimate business and contractual purposes, including:

  • the operation and improvement of the SpeakUp Application,
  • fulfillment of legal obligations,
  • maintenance of service functionality,
  • and ensuring a safe, seamless user experience.

We do not purchase or collect personal data from unrelated third-party sources for marketing, profiling, or advertising purposes.

3. Purposes of Processing Personal Data and Legal Bases

Your personal data will be processed through automatic or non-automatic means for the purposes stated in this Privacy Policy, in accordance with applicable laws — including Articles 5 and 6 of the Law on the Protection of Personal Data No. 6698 (PDP Law) — and based on the following lawful grounds:

  • where processing is expressly permitted by law,
  • where processing is necessary for the establishment or performance of a contract,
  • where processing is necessary for the legitimate interests of the Company, provided that your fundamental rights and freedoms are not adversely affected, and
  • where processing is required to fulfill our legal obligations.

For individuals in the European Economic Area, the United Kingdom, and Switzerland, please refer to Section 11 of this Privacy Policy for detailed explanations of the legal bases applicable under the GDPR.

a) Purposes of Processing Personal Data

Your personal data is processed for the following purposes, in accordance with the general principles referred to above and the lawful bases described below. Each processing activity is limited to what is necessary for the operation, maintenance, and improvement of the SpeakUp Application, and all processing is performed in compliance with applicable data protection legislation.

  • Execution of goods/services sales processes, including subscription purchases and renewals.
  • Execution of agreement processes, to establish and maintain contractual relationships with users.
  • Execution of company/product/service commitment operations, including delivering purchased or subscribed services and ensuring their availability.
  • Operation of our product, to provide access to the SpeakUp Application and its features, including personalized lessons, conversation sessions, and AI-generated outputs.
  • Creating user accounts for service recipients/application users, to enable authentication, profile creation, and secure login.
  • Conducting storage and archive activities, to retain necessary data for compliance and user account maintenance.
  • Execution of communication activities, including user support, technical notices, and service-related announcements.
  • Conducting after-sales support services, such as managing refund requests, addressing account-related inquiries, or resolving technical defects.
  • Execution of activities in compliance with legislation, to fulfill obligations under applicable data protection, tax, and commercial laws.
  • Execution and auditing of business activities, to ensure operational integrity and accuracy of internal processes.
  • Execution of information security processes, including fraud prevention, user authentication, and protection of system integrity.
  • Conducting audit and ethical activities, including verification of compliance with internal and external privacy standards.
  • Conducting activities to ensure business continuity, including data backup, system maintenance, and recovery processes.
  • Compliance with legislation and protection of persons’ rights, privacy, and safety, ensuring that all users’ data are handled responsibly and securely.
  • Providing information to authorized persons, institutions, and organizations, where required by law or judicial order.
  • Prevention of crimes and other illegal acts, including detection and prevention of unauthorized use or security breaches.
  • Conducting activities for customer satisfaction, including quality control, service improvement, and feedback analysis.
  • Customizing our Services, understanding our users and their preferences to enhance their learning experience, usability, and enjoyment when using our Services.

Additionally, if you provide explicit consent, your data may be processed for limited marketing and analytics purposes as follows:

  • With your explicit consent, we may process basic app usage data through analytics tools (such as Firebase) to conduct performance evaluations and non-personalized marketing analysis. SpeakUp does not collect the Google Advertising ID (GAID), Identifier for Advertisers (IDFA), or any other advertising identifier.
  • If you provide explicit consent, your identity and contact information may be processed for service-related communication, such as sending you information about new features, updates, or promotions relevant only to SpeakUp. You may opt out at any time.

In addition, the purposes of data processing may be updated periodically in accordance with our internal policies and evolving legal obligations. In particular, your data may be processed for:

  • carrying out digital subscription and in-app purchase processes;
  • managing auto-renewable subscriptions, to provide uninterrupted access to premium content and features;
  • conducting finance and accounting transactions, including invoicing and payment reconciliation;
  • performing strategic planning activities, including product development and service optimization;
  • following up on requests, suggestions, and complaints to ensure responsive customer support and continuous improvement.

All processing is carried out in accordance with valid legal bases and the principles of necessity, proportionality, and transparency.

b) Purpose of Processing and Legal Basis

Purpose of Processing | Type of Personal Data | Legal Basis
Operation of our product, for example to provide outputs in response to user inputs, generate personalized dialogues, or enable specific subscription features | Identity and Contact Information, Account Information, Technical Information, User Content, Customer Transaction | It is necessary to process your personal data where we have established a contractual relationship with you, or where processing is directly related to our performance obligations arising from that contract.
Creating user accounts for the service recipients/application users | Account Information, Technical Information | Necessary to process your data to establish or maintain your contractual relationship and to fulfill our performance obligations under that contract.
Execution of goods/services sales processes (through in-app or web purchases) | Identity and Contact Information, Account Information, Customer Transaction | Necessary to process your data in relation to the establishment and performance of a contract.
Execution of agreement processes | Contact and Identity Information, Account Information, Technical Information, Customer Transaction, User Content | Necessary for the establishment and performance of a contract with you.
Execution of company/product/service commitment operations (including identifying and correcting technical defects) | Identity and Contact Information, Account Information, User Content, Technical Information | Necessary for the performance of a contract or directly related to our contractual obligations.
Execution of communication activities (only for contract establishment or product/service operation; excludes marketing communications, which require explicit consent) | Identity and Contact Information, Account Information, Customer Transaction, Technical Information | Necessary for the performance of a contract or directly related to our contractual obligations.
Conducting after-sales support services (e.g., handling refunds, technical support, account issues) | Identity and Contact Information, Account Information, Customer Transaction, Technical Information, User Content | Necessary for the performance of a contract or directly related to our contractual obligations.
Conducting storage and archive activities | Contact and Identity Information, Account Information, User Content, Technical Information, Customer Transaction | Necessary for the performance of a contract or directly related to our contractual obligations.
Execution and auditing of business activities | Technical Information, Customer Transaction, User Content | Processing is necessary for our legitimate interests, provided that your fundamental rights and freedoms are not harmed.
Conducting audit activities | Technical Information, Customer Transaction | Processing is necessary for our legitimate interests, provided that your fundamental rights and freedoms are not harmed.
Ensuring business continuity | Technical Information, Customer Transaction | Processing is necessary for our legitimate interests, provided that your fundamental rights and freedoms are not harmed.
Conducting activities for customer satisfaction | Technical Information, Customer Transaction, User Content, Account Information | Processing is necessary for our legitimate interests, provided that your fundamental rights and freedoms are not harmed.
Customizing our Services, understanding our users and their preferences to enhance experience and learning outcomes (this does not include processing to train AI models) | Technical Information, Customer Transaction, User Content, Account Information | Processing is necessary for our legitimate interests, provided that your fundamental rights and freedoms are not harmed.
Execution of activities in compliance with legislation | Identity and Contact Information, Account Information, Technical Information, User Content, Customer Transaction | Conditions necessary to fulfill our legal obligations.
Compliance with legislation and protection of persons’ rights, privacy, and safety | Contact and Identity Information, Account Information, Technical Information, Customer Transaction, User Content | Conditions necessary to fulfill our legal obligations; and, where not subject to a specific obligation, processing may occur when necessary for our legitimate interests (e.g., safeguarding the Services against abuse, fraud, or security risks).
Execution of information security processes | Technical Information | Conditions necessary to fulfill our legal obligations; and, where not subject to a specific obligation, processing may occur when necessary for our legitimate interests (e.g., protecting the integrity and security of our systems).
Providing information to authorized persons, institutions, and organizations | Account Information, Contact and Identity Information, Technical Information, Customer Transaction, User Content | Conditions necessary to fulfill our legal obligations.
Prevention of crimes and other illegal acts | Account Information, Contact and Identity Information, Technical Information, Customer Transaction, User Content | Conditions necessary to fulfill our legal obligations; and, where not subject to a specific obligation, processing may occur when necessary for our legitimate interests, such as preventing abuse, fraud, or other security threats.

In addition to the above purposes, the following processing activities occur only with your explicit consent:

  • If you give us explicit consent (acquired through Apple and/or Google and/or within the SpeakUp App), limited analytics data may be processed to perform non-personalized performance analysis and service-improvement studies. SpeakUp does not process advertising identifiers such as GAID, IDFA, or IDFV and does not conduct personalized or behavioral advertising.
  • If you give us explicit consent (acquired when you opt in for marketing communication), your identity and contact information may be processed for informational updates about new features, services, or special offers directly related to SpeakUp. You may withdraw this consent at any time by adjusting your communication preferences.
  • If you give us explicit consent (acquired when you opt in for model improvement), your user content (for example, anonymized voice or text samples) may be processed to help enhance the accuracy and quality of our language AI models. This processing is strictly optional and revocable through the in-app settings.

4. Third Party Websites/Applications, Cookies and Notifications

The SpeakUp Application may contain links to external websites or applications that are not operated or controlled by the Company. These third-party websites or applications may contain their own terms and conditions, privacy policies, or cookie practices that differ from those of the Company.

The Company cannot be held responsible for the use, content, data processing, or disclosure of information that these third-party sites or applications may perform. Likewise, the Company shall not be liable for any links from other websites or applications that direct users to the SpeakUp Application.

We collect personal data only through fair and lawful means, and always with your knowledge and consent. You are informed of the purpose and method of each data collection, and you have the right to decline the provision of optional information. However, please note that certain features of the Application may not be available if specific information is not provided.

When you interact with third-party websites, such as external payment gateways, social media platforms, or authentication providers (for example, Apple or Google), you may provide information through these channels to the Company. Please be aware that your legal relationship, rights, and obligations with respect to such third-party websites or applications will remain subject to their own terms and privacy policies. The Company shall not be held responsible for any terms, conditions, or rules established by those third parties.

Cookies

Cookies are small text files that are stored on your browser or the hard drive of your computer or mobile device when you visit a website or use an online service. They allow certain functionalities to operate efficiently and help deliver a more seamless experience.

SpeakUp may use cookies and similar technologies only when necessary for the following purposes:

  • to operate essential features of the Application,
  • to maintain performance and security,
  • to remember your preferences (such as language or login status), and
  • to analyze non-personal usage statistics to improve service stability.

SpeakUp does not use cookies or similar technologies for advertising, behavioral tracking, or profiling purposes, nor do we share cookie data with third-party advertisers.

Cookies used by the Application contain only technical data related to your session and do not include personal data or any files stored on your device.

You can delete cookies already stored on your device and configure your browser settings to refuse new cookies. Please note that most browsers accept cookies by default. Cookie management instructions vary by browser; refer to your browser’s help menu or support page for detailed guidance.

For more information on how we use cookies, please review our Cookie Policy.

Push Notifications

The Company may occasionally send you push notifications via the SpeakUp mobile application or website. These notifications may include:

  • updates about application features or system improvements,
  • reminders about upcoming lessons or language practice sessions (if enabled), or
  • important service-related announcements (such as changes to Terms or Privacy Policy).

You may opt out of receiving push notifications at any time by adjusting the notification settings within the Application or through your device’s system preferences. Disabling push notifications will not affect your access to the Application’s core features.

5. Data Storage

Your personal data will be stored only for as long as it is necessary to fulfill the specific purposes outlined in this Privacy Policy, or for the duration required by applicable law.

The Company retains your personal data for the period expressly stipulated in relevant legislation, or, where no specific timeframe is provided, only until the original purpose of processing ceases to exist.

The Company may continue to securely store certain personal data even after the initial processing purpose has ended, but only under the following lawful circumstances:

  • where retention is required by other applicable laws, regulations, or administrative obligations; or
  • where you have expressly granted consent for an extended retention period.

In cases where you have allowed the Company to retain your personal data for an additional period based on your consent, such data shall be deleted, destroyed, or anonymized immediately after the expiration of that period, or upon withdrawal of your consent — whichever occurs first.

Additionally, certain categories of your data may be stored beyond the fulfillment of the original purpose on the legal basis of necessity for the establishment, exercise, or defense of legal claims. Such storage will continue only until the end of applicable statutory limitation periods or for the minimum time required to protect the Company’s legitimate rights and interests (for instance, in the context of dispute resolution, audit requirements, or compliance with financial regulations).

In jurisdictions where the General Data Protection Regulation (GDPR) applies, the continued storage of data beyond its initial purpose is based on our legitimate interests in ensuring the stability, integrity, and legal compliance of the SpeakUp Services.

SpeakUp does not retain user data for marketing, profiling, or behavioral tracking purposes. All stored personal data is periodically reviewed, and data that is no longer required is securely deleted or permanently anonymized in accordance with international best practices.

6. Technical and Administrative Measures

The Company stores and processes personal data in full compliance with applicable data protection legislation and undertakes to implement all necessary technical and administrative measures to ensure the confidentiality, integrity, and security of such data.

The Company takes due care to prevent unlawful processing, unauthorized access, and accidental or unlawful destruction, loss, alteration, or disclosure of personal data. All personal data processing within the SpeakUp Application is conducted under strict security protocols and internal data protection policies.

Accordingly, the Company applies the following technical and administrative measures to safeguard personal data:

  • Anti-virus Applications: All computers, mobile devices, and servers connected to the Company’s IT infrastructure are equipped with periodically updated anti-virus software. Continuous monitoring ensures detection and removal of malware and potential threats.
  • Firewalls: The data centers and backup (disaster recovery) systems hosting Company servers are protected by next-generation firewalls. These systems are regularly updated and configured to control all incoming and outgoing traffic, blocking unauthorized access and malicious activities.
  • Virtual Private Network (VPN): Remote access to Company systems is restricted through SSL-VPN configurations on firewalls. Each supplier or remote user is assigned a unique VPN credential, allowing access only to authorized systems and data.
  • User Identifications and Access Controls: Employee access to Company systems is restricted strictly according to their job descriptions and responsibilities. When an employee’s role or authorization changes, access rights are immediately updated or revoked to maintain access integrity.
  • Information Security Threat and Event Management (SIEM): Security-related events occurring on Company servers and network systems are continuously monitored through a Security Information and Event Management (SIEM) system. This system generates real-time alerts, enabling immediate incident response by responsible personnel.
  • Encryption: All sensitive or confidential data (including personal data and credentials) is stored using advanced cryptographic encryption methods. Data transfers, when required, are conducted through encrypted channels (e.g., HTTPS/TLS). Encryption keys are stored securely in segregated environments.
  • Logging: All transactions and system activities involving access to personal data are securely logged. Logs are retained for the duration required by applicable law and reviewed periodically for security compliance.
  • Two-Factor Authentication (2FA): Remote access to systems processing personal data, as well as registration and account creation processes, require at least two-factor authentication to verify user identity.
  • Penetration Testing: Regular penetration tests are conducted by authorized cybersecurity specialists to identify and resolve vulnerabilities within Company servers and applications. Detected issues are promptly remediated and retested for verification. Automated vulnerability scans are also scheduled periodically through the Information Security Threat and Event Management system.
  • Information Security Management System (ISMS): Within the Company, ISMS meetings are held monthly, chaired by the Director of Information Technology and the Director of Financial Operations. These meetings review compliance with information security policies, audit outcomes, and risk mitigation plans.
  • Employee Training: All Company employees receive periodic training on data protection principles, secure data handling, phishing awareness, and incident response. Training aims to minimize human-related security risks and enhance awareness of personal data obligations.
  • Physical Data Security: Personal data stored on paper or physical media is secured in locked cabinets accessible only to authorized personnel. Premises hosting sensitive data are protected against risks such as fire, electrical leakage, theft, and flooding, using appropriate preventive measures.
  • Data Backup: The Company maintains regular backups of all critical systems and data. Backups are encrypted and stored both on secure cloud infrastructure (e.g., Firebase, Google Cloud) and internal backup systems. Backups are maintained in compliance with relevant legislation and this Privacy Policy.
  • Non-Disclosure Agreements (NDAs): All employees and contractors involved in data processing activities sign confidentiality and non-disclosure agreements, legally binding them to uphold the Company’s data protection and privacy commitments.
  • Transfer of Sensitive Personal Data: If it becomes necessary to transfer sensitive personal data (such as via email), such transfer is executed only through encrypted corporate email accounts or Registered Electronic Mail (REM) systems to ensure secure transmission.

Incident Response and Breach Notification

In the event that personal data is compromised — whether through unauthorized access, data breach, or malicious attack — despite the Company’s implementation of the above security measures, the Company shall:

  1. Immediately notify affected users of the incident,
  2. Inform the relevant data protection authority, where legally required, and
  3. Take all reasonable corrective and preventive measures to minimize any potential harm and prevent recurrence.

7. Age Limitation

The Company is committed to protecting the privacy and safety of minors. Use of the SpeakUp Application is strictly prohibited for children under the age of 16. The Company does not knowingly collect, store, or process any personal data from individuals under 16 years of age.

If we become aware that a person under 16 has provided personal data through the Application, we will take immediate steps to delete such information from our systems.

If you believe that a child under 16 has provided personal information to the Company, please contact us promptly at the email address provided in Section 10 of this Privacy Policy so that we may investigate and remove the data in accordance with applicable law.

Users who are under 18 years of age may access and use the Services only with the express consent and supervision of a parent or legal guardian. By permitting their dependent to use the Application, the parent or guardian assumes full responsibility for:

  • monitoring the minor’s activity within the Application,
  • ensuring that the minor’s data and usage comply with this Privacy Policy and the Terms of Use, and
  • providing or withdrawing consent where required.

The Company reserves the right to restrict or terminate access to the Services if it has reasonable grounds to believe that a user does not meet the age requirements set forth herein.

8. Transferring Personal Data to Third Parties

The procedures and principles governing the transfer of personal data are regulated under Articles 8 and 9 of the Law on the Protection of Personal Data (PDP Law). Accordingly, the Company may transfer personal and non-sensitive data to third parties located within the country or abroad, as required for the operation, maintenance, and lawful management of the SpeakUp Application, including through the use of secure cloud-based servers and international data storage systems.

The Company ensures that all such transfers are carried out in compliance with the PDP Law, General Data Protection Regulation (GDPR), and other applicable data protection legislation, using legally recognized transfer mechanisms such as Standard Contractual Clauses (SCCs), adequacy decisions, or explicit consent, depending on jurisdiction.

Data Transfers to Service Providers

Your personal data may be transferred to the Company’s service providers and business partners, including but not limited to cloud infrastructure providers, authentication services, and analytics platforms, for the following purposes:

  • Technical and Storage Services: Your Technical Information, Identity and Contact Information, Account Information, Customer Information, and User Content may be transferred to authorized third-party processors for the purpose of conducting secure storage, data backup, and archival activities necessary to maintain SpeakUp’s operations.
  • Account Authentication: Your Account Information may be transferred to third-party authentication providers (such as Apple and Google) solely for the purpose of verifying user credentials and maintaining secure account access. SpeakUp does not access or store passwords from these providers.
  • Technical Maintenance and Error Correction: Your Technical Information may be transferred to specialized service providers for the identification, correction, and prevention of technical issues, software defects, and service interruptions.

Marketing and Analytics Services

If you have provided your explicit consent, your Marketing Data may be shared with trusted analytics and marketing service providers (including Google, Apple, Firebase Analytics, and Adjust) for the limited purpose of conducting marketing performance analysis, aggregated usage reporting, and campaign optimization. SpeakUp does not sell, rent, or share user data for behavioral advertising or tracking across third-party platforms. All analytics operations are pseudonymized, and users may withdraw their consent at any time through in-app settings.

Legal and Regulatory Disclosures

The Company may share personal data with authorized public institutions, regulatory authorities, and judicial bodies when required to:

  • comply with legal obligations or court orders,
  • fulfill reporting duties imposed by law, or
  • protect the legitimate interests, rights, and safety of users, the Company, or the public.

Such transfers occur strictly on a legal obligation basis and are limited to the minimum information necessary to satisfy the relevant legal requirement.

AI and Anonymized Data Sharing

The Company may share anonymized or aggregated data — data that does not identify individual users — with third-party AI models or research partners for the purpose of improving algorithmic performance, analytics, and language accuracy. This data is irreversibly anonymized before transfer, ensuring that no individual user can be identified.

Safeguards for International Transfers

Where personal data is transferred outside the jurisdiction of collection (e.g., to the European Union, United States, or other regions), the Company ensures appropriate data protection safeguards are in place, including:

  • Adequacy Decisions — Transfers to countries officially recognized by data protection authorities as providing an adequate level of protection.
  • Standard Contractual Clauses (SCCs) — Legally binding commitments between the Company and third-party processors, ensuring GDPR-level protection for international transfers.
  • Encryption and Access Controls — Data transferred internationally is encrypted both in transit and at rest and accessible only to authorized personnel for legitimate purposes.

User Rights and Oversight

You may request details of the safeguards applied to your data transfers, including copies of relevant Standard Contractual Clauses or adequacy decisions, by contacting us via email (see Section 10). If you believe your data has been transferred unlawfully or without proper safeguards, you have the right to lodge a complaint with your local data protection authority.

For individuals in the European Economic Area (EEA), the United Kingdom, and Switzerland, please refer to Section 11 for GDPR-compliant details on data transfers. For individuals residing in California, please refer to Section 12 for the applicable rights and disclosures under the California Consumer Privacy Act (CCPA).

9. Your Rights as the Data Subject

Pursuant to Article 11 of the Law on the Protection of Personal Data (PDP Law), you are entitled to exercise the following rights with respect to your personal data processed by Savvy Solutions MMC (“Company”).

You may submit a request to the Company to:

  • Learn whether or not your personal data have been processed.
  • Request information regarding the processing of your personal data.
  • Learn the purpose of processing your personal data and whether such data is used in accordance with its intended purpose.
  • Know the third parties in the country or abroad to whom your personal data has been transferred.
  • Request correction of your personal data if it is found to be incomplete or inaccurate, and request that such corrections be communicated to third parties to whom the data has been transferred.
  • Request deletion, destruction, or anonymization of your personal data if the reasons for processing no longer exist, and request that such actions be communicated to third parties to whom the data has been transferred.
  • Object to adverse outcomes arising from the analysis of your personal data solely through automated systems.
  • Request compensation for damages in the event of unlawful processing of your personal data.
  • Withdraw explicit consent at any time, where the processing of personal data is based on your prior explicit consent.

Request Procedure

When exercising any of the above rights, your request must be clear, specific, and understandable. If you are making a request on behalf of another individual, you must provide valid documentation proving your authority to act on their behalf.

Your application must also include your name, surname, signature (if submitted physically), identity verification documents, and address or electronic contact details to which the Company’s response can be delivered.

You may submit your request via email or post to the contact information provided in Section 10 of this Privacy Policy.

The Company will process and respond to your request free of charge within 30 (thirty) days from the date of receipt, depending on the complexity and nature of your request. If the request is denied, the Company will provide a written or electronic explanation specifying the reasons for rejection.

In cases where your application requires additional cost (for example, copying or delivery expenses), you may be charged according to the tariff set by the Personal Data Protection Board.

International Data Subject Rights

For individuals residing in different jurisdictions:

  • European Economic Area (EEA), United Kingdom, and Switzerland: You are entitled to additional rights under the General Data Protection Regulation (GDPR), as detailed in Section 11 of this Policy.
  • California Residents (USA): You are entitled to specific rights under the California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA), as detailed in Section 12 of this Policy.

10. Contact Information

If you have any questions or comments regarding this Privacy Policy that are not covered here, or if you have any request or would like to exercise your rights, you may contact us via the following email address or by post at the following Company address:

Company Title: Savvy Solutions MMC
Address: 16/12th Ramiz Gambarov str, Bakukhanov settlement, AZ1132, Baku, Azerbaijan
E-mail: office@savvysolutionsmmc.com
Tel: +994.10.2159088

11. For Individuals in the European Economic Area, the United Kingdom, and Switzerland

Where the General Data Protection Regulation (GDPR), the UK Data Protection Act 2018, or the Swiss Federal Act on Data Protection is applicable, this section provides additional information specific to these jurisdictions. For a complete understanding of our data practices, this section should be read together with the general provisions of this Privacy Policy.

Purposes of Processing Personal Data and Legal Bases

Your personal data may be processed for the following purposes and on the corresponding legal bases:

Purpose of Processing | Type of Personal Data | Legal Basis
Creating and maintaining user accounts | Account Information, Technical Information | Processing is necessary for the performance of a contract to which the data subject is party or to take steps at the request of the data subject prior to entering into a contract.
Providing, analyzing, and maintaining our Services (including generating outputs based on user input, providing subscription-specific features, and performing storage and archival activities). This includes personalizing functionality such as displaying the Service in the relevant language based on region. | Identity and Contact Information, Account Information, Technical Information, User Content, Customer Transaction | Processing is necessary for the performance of a contract to which the data subject is party or to take steps prior to entering into a contract.
Administering and operating our business, including managing subscriptions and resolving technical issues. | Identity and Contact Information, Account Information, Technical Information, User Content, Customer Transaction | Processing is necessary for the performance of a contract to which the data subject is party or to take steps prior to entering into a contract.
Communicating with you regarding your subscription or account-related matters (excluding marketing communications). | Identity and Contact Information, Account Information, Customer Transaction, Technical Information | Processing is necessary for the performance of a contract to which the data subject is party or to take steps prior to entering into a contract.
Conducting after-sales support, including handling refunds, addressing technical defects, and responding to inquiries. | Identity and Contact Information, Account Information, Customer Transaction, Technical Information, User Content | Processing is necessary for the performance of a contract to which the data subject is party or to take steps prior to entering into a contract.
Ensuring business continuity, user satisfaction, and general service improvement (excluding AI training). | Account Information, Customer Transaction, Technical Information, User Content | Processing is necessary for the purposes of the legitimate interests pursued by the controller or a third party, except where such interests are overridden by the rights or freedoms of the data subject.
Complying with legal and regulatory obligations. | Identity and Contact Information, Account Information, Technical Information, User Content, Customer Transaction | Processing is necessary for compliance with a legal obligation to which the controller is subject.
Ensuring safety and security, preventing fraud, and protecting against misuse of our Services. This includes detecting and blocking accounts or content that violate our Community Guidelines. | Identity and Contact Information, Account Information, Technical Information, User Content, Customer Transaction | Processing is necessary for compliance with a legal obligation or, where none applies, for the purposes of legitimate interests such as fraud prevention and system integrity.
Protecting the rights, privacy, and property of our users, the Company, or third parties. | Identity and Contact Information, Account Information, Technical Information, User Content, Customer Transaction | Processing is necessary for compliance with a legal obligation or, where none applies, for the purposes of legitimate interests including safeguarding the Services from abuse or security threats.
Auditing and evaluating our business operations. | Technical Information, User Content, Customer Transaction | Processing is necessary for the purposes of legitimate interests, provided that the data subject’s rights and freedoms are not adversely affected.

Processing Based on Consent

In addition to the above lawful bases, the Company will process the following personal data only with your explicit consent. You may withdraw this consent at any time without affecting the lawfulness of processing carried out prior to withdrawal.

  • Marketing Data: If you provide consent (via Apple, Google, or within the App), we may process Marketing Data to conduct analytics and execute advertising, campaign, or promotion activities (including personalized advertising). You can withdraw consent through your account settings.
  • Marketing Communications: If you opt in to receive marketing messages, we may process your Identity and Contact Information to send you news about products, services, and promotional offers. You can withdraw consent by clicking the “unsubscribe” link in any email or following the opt-out instructions provided in each message.
  • Model Improvement: If you consent to model improvement, your User Content may be processed to help train and improve our AI models. You can withdraw this consent at any time in the Application settings or by contacting us directly.

AI Training Disclaimer: We do not use your personal data for AI training unless you have explicitly consented. Where consent is granted, data may be temporarily retained and used for algorithmic refinement. You can withdraw consent at any time through the Application settings or by contacting us.

Transferring Personal Data to Third Parties

To ensure compliance with GDPR, the Company applies the following mechanisms when transferring personal data outside the European Economic Area (EEA), United Kingdom, or Switzerland:

  • Adequacy Decisions: Transfers are made to countries recognized by the European Commission as providing an adequate level of data protection under Article 45(1) GDPR.
  • Standard Contractual Clauses (SCCs) and Supplementary Measures: For jurisdictions without adequacy decisions, we implement Standard Contractual Clauses under Article 46(2)(c) GDPR and apply supplementary safeguards such as:
    • Encryption of personal data in transit and at rest,
    • Data minimization,
    • Pseudonymization of data where possible,
    • Regular audits of third-party processors,
    • Contractual obligations ensuring GDPR-compliant data handling.
  • Explicit Consent: In cases where neither adequacy decisions nor SCCs apply, data transfers may occur only with your explicit consent, clearly explaining the risks of such transfers.
  • Other Lawful Mechanisms: Where applicable, transfers may rely on derogations under Article 49 GDPR, such as for the performance of a contract or to establish legal claims.

You may request further details on the safeguards applied to your data transfers by contacting us using the details in Section 10. The Company works only with third-party processors that demonstrate GDPR compliance and agree to strict data protection terms.

Data Subject Rights

Under GDPR, you have the following rights regarding your personal data:

  • Right of Access (Article 15): You may request confirmation of whether your personal data is being processed and access to that data, including details about the purposes, recipients, and retention periods.
  • Right to Rectification (Article 16): You may request correction of inaccurate or incomplete personal data.
  • Right to Erasure (Article 17): You may request deletion of your personal data where it is no longer necessary, consent is withdrawn, or processing is unlawful.
  • Right to Restrict Processing (Article 18): You may request restriction of processing in certain cases, such as when contesting data accuracy or objecting to processing.
  • Right to Data Portability (Article 20): You may request a copy of your personal data in a structured, commonly used, and machine-readable format for transfer to another controller.
  • Right to Object (Article 21): You may object to processing based on legitimate interests or for direct marketing purposes.
  • Right to Avoid Automated Decision-Making (Article 22): You have the right not to be subject to decisions based solely on automated processing that produce legal or significant effects, unless necessary for a contract or based on consent.
  • Right to Withdraw Consent: Where processing is based on consent, you may withdraw it at any time without affecting prior processing.

To exercise these rights, please contact us using the details in Section 10. We will respond within one month, extendable by two months for complex requests, and provide a reasoned response if any request is denied.

If you are dissatisfied with our response, you have the right to lodge a complaint with a supervisory authority in your country of residence, work, or where the alleged infringement occurred. For example:

  • In the EU, contact your national Data Protection Authority (e.g., CNIL in France, ICO in the UK).
  • In the UK, contact the Information Commissioner’s Office (ICO).
  • In Switzerland, contact the Federal Data Protection and Information Commissioner (FDPIC).

Data Protection Officer

For GDPR-related inquiries, you may contact our Data Protection Officer at office@savvysolutionsmmc.com or via post at the address provided in Section 10.

12. For California Residents

This section applies to California residents and provides disclosures required under the California Consumer Privacy Act of 2018 (CCPA), as amended by the California Privacy Rights Act of 2020 (CPRA). It supplements the general provisions of this Privacy Policy.

Categories of Personal Information Collected

In the past 12 months, we have collected the following categories of personal information, as defined by the CCPA, in connection with the SpeakUp Application:

  • Identifiers: Name, email address, phone number (if provided), user ID, account credentials, and device identifiers (e.g., internal user token).
  • Customer Records: Subscription details, payment status, billing period, and transaction identifiers.
  • Commercial Information: Purchase history, subscription plans, and payment-related data (processed via third-party payment providers).
  • Internet or Network Activity: Device type, operating system version, app version, and limited usage data (e.g., crash logs, feature interactions).
  • Audio, Electronic, Visual, or Similar Information: Voice inputs, text prompts, images, or other user-generated content provided during app use.
  • Professional or Employment-Related Information: None collected.
  • Sensitive Personal Information: None collected (e.g., no social security numbers, financial account details, precise geolocation, or biometric data).

We do not collect or process personal information for behavioral advertising, profiling, or tracking across third-party sites or apps.

Sources of Personal Information

We collect personal information from:

  • You directly (e.g., through registration, user inputs, or support requests).
  • Your device (e.g., technical data like device type or app version).
  • Third-party platforms (e.g., Apple, Google for authentication or payment processing).

Purposes for Collection

We collect personal information to:

  • Provide, maintain, and improve the SpeakUp Application.
  • Manage user accounts and subscriptions.
  • Ensure security and prevent fraud.
  • Comply with legal obligations.
  • Communicate with you about service-related matters.
  • Analyze usage for service improvement (with consent).

Sharing of Personal Information

We do not sell or share personal information for cross-context behavioral advertising. In the past 12 months, we have disclosed the following categories of personal information to third parties for business purposes:

  • Identifiers: To authentication providers (e.g., Apple, Google) and cloud storage providers.
  • Customer Records: To payment processors for subscription management.
  • Internet or Network Activity: To analytics providers (e.g., Firebase) for performance monitoring (with consent).
  • Audio, Electronic, Visual Information: To cloud storage or AI processing providers for service delivery.

Disclosures are made under strict data protection agreements, and no personal information is sold or used for advertising.

Your CCPA Rights

As a California resident, you have the following rights under the CCPA:

  • Right to Know: Request details about the personal information we collect, use, disclose, or sell.
  • Right to Delete: Request deletion of your personal information, subject to exceptions (e.g., legal obligations).
  • Right to Opt-Out of Sale/Sharing: Not applicable, as we do not sell or share personal information for advertising.
  • Right to Correct: Request correction of inaccurate personal information.
  • Right to Non-Discrimination: We will not discriminate against you for exercising your CCPA rights.

To exercise these rights, contact us at office@savvysolutionsmmc.com or via the address in Section 10. You may authorize an agent to submit requests on your behalf with valid documentation. We will verify your identity and respond within 45 days, extendable by 45 days for complex requests.

Do Not Track Signals

The SpeakUp Application does not respond to browser-based Do Not Track (DNT) signals, as we do not engage in tracking or behavioral advertising. Our data collection is limited to service operation and improvement.

Shine the Light Law

Under California’s Shine the Light law (Civil Code Section 1798.83), you may request information about disclosures of your personal information to third parties for direct marketing purposes. As we do not disclose personal information for such purposes, no disclosures have been made in the past 12 months.

Changes to This Privacy Policy

The Company reserves the right to amend or update this Privacy Policy at any time to reflect changes in our Services, applicable laws, or business practices. Any updates will be effective upon posting the revised Privacy Policy within the SpeakUp Application or on our website.

In the event of significant changes that materially affect your rights or the way we process your personal data, we will notify you in advance through:

  • Prominent in-app notifications or banners,
  • Email communication to your registered email address, or
  • Other reasonable means of communication.

Such notifications will be provided at least 7 days before the changes take effect, unless immediate implementation is required by law. Where processing is based on your consent, significant changes will not apply to you unless you provide renewed consent.

Your continued use of the SpeakUp Application or Services after the effective date of the updated Privacy Policy constitutes acceptance of the revised terms, except where explicit consent is required. If you do not agree with the updated terms, you may discontinue use of the Services and request deletion of your data as outlined in Section 9.

We encourage you to periodically review this Privacy Policy to stay informed about how we collect, use, and protect your personal data.