Privacy Policy

Introduction

Pocket Apps Studio Pte Ltd (Registered Office: 160 Robinson Road, #14-04 Singapore Business Federation Center, Singapore 068914; hereinafter referred to as the “controller”), as the operator of the “XueTang” app, is the controller responsible for the processing of personal data in connection with the use of the app. The contact details of the provider can be found in the imprint of the app, the contact persons for questions regarding the processing of personal data are named directly in this privacy policy.

The controller takes the protection of your privacy and your private data very seriously. Your personal data will only be collected, stored and used in accordance with the content of this privacy policy and the applicable data protection regulations, in particular the European General Data Protection Regulation (GDPR) and the national data protection regulations.

With this privacy policy, the controller informs you to what extent and for what purposes personal data is processed in connection with the use of the app.

Personal data

Personal data is information relating to an identified or identifiable natural person. This includes information such as your e-mail address or a chosen username. Information that cannot be linked to your identity (such as statistical or anonymized usage data) is not considered personal data.

In principle, you can use the app without disclosing your identity. However, to access certain features such as account creation or cloud-based progress tracking, personal data will be collected. Specifically, the controller only collects and stores the following personal data:

  • E-mail address
  • Username
  • Password (securely hashed)

No additional identity-related information (such as your real name, date of birth, or address) is required or collected. If further information is ever requested, it will be used solely for analytics purposes and only in anonymous form. Any such data collection will be explicitly marked as voluntary.

Automated decision-making based on your personal data does not take place in connection with the use of the app.

Processing of personal information

Your personal data is stored on specially protected servers within the European Union or in secure cloud infrastructure operated by Firebase (Google), which may include servers outside the EU. These servers are protected by technical and organizational measures against loss, destruction, unauthorized access, modification, or dissemination of your data. Access to personal data is restricted to a limited number of authorized individuals responsible for technical, administrative, or operational maintenance of the service. Despite regular checks, complete protection against all risks is not possible.

User account data (email, username, and password) as well as learning progress and user-generated vocabulary are securely stored using Firebase services. All data transfers to Firebase or other service providers are encrypted.

Your personal data is transmitted in encrypted form over the Internet. We use Transport Layer Security (TLS) to ensure secure data transfer.

Disclosure of personal data to third parties

Your personal data will only be used by the controller to provide the services you have requested. Where external service providers are involved in delivering these services, their access to your data is strictly limited to what is necessary for fulfilling their specific function. The controller takes technical and organizational measures to ensure compliance with data protection regulations and requires all service providers to do the same.

The controller uses the following external services in connection with the XueTang app:

  • Firebase (Google): for storing account data, learning progress, and user-generated vocabulary.
  • Crashlytics: for crash reporting and diagnostics.
  • PostHog: for product analytics.
  • RevenueCat: for managing in-app purchases and subscription tracking.

These providers may process certain personal data such as device information, session data, or purchase status. Where such data is transmitted to countries outside the European Union (e.g., the United States), the controller ensures that an adequate level of data protection is maintained. This is guaranteed either by an adequacy decision of the EU Commission or through the use of standard contractual clauses in accordance with Art. 46 GDPR.

Your data will never be sold or disclosed to third parties for advertising purposes. Data will only be disclosed to third parties where you have explicitly consented or where the controller is legally entitled or obliged to do so — for example, in the context of criminal investigations or to enforce legal rights.

Legal basis for data processing

Insofar as we obtain your consent for the processing of personal data — for example, when you create an account or agree to non-essential analytics — Art. 6 (1) (a) GDPR serves as the legal basis for data processing. This also applies when you choose to register or log in using third-party services such as Apple or Google, which share selected account information (e.g., your email address) with us based on your authorization.

If the controller processes your personal data because this is necessary for the performance of a contract or in the context of a quasi-contractual relationship with you — such as storing your learning progress, managing your account, or handling in-app purchases — Art. 6 (1) (b) GDPR forms the legal basis.

Where processing is necessary for compliance with a legal obligation to which the controller is subject, Art. 6 (1) (c) GDPR provides the legal foundation.

Art. 6 (1) (f) GDPR may also apply if the processing of your personal data is necessary for the purposes of the legitimate interests pursued by the controller or a third party — for example, to ensure the technical stability and improvement of the app through anonymized analytics — provided your interests or fundamental rights do not override those interests.

As part of this privacy policy, the controller will always indicate the legal basis applicable to each type of data processing.

Data erasure and storage duration

The controller deletes or blocks your personal data as soon as the purpose for which it was stored no longer applies — for example, if you delete your account or withdraw your consent.

You may request the deletion of your account and associated personal data (such as your email and username) at any time via the app or by contacting the controller directly. Once the request is processed, this personal data will be permanently removed from our systems, unless legal retention obligations require otherwise.

User-generated content such as vocabulary entries or exercise data created within the app is not considered personal data and may be retained for the continued operation and improvement of the app. This data is stored separately from personally identifiable information and is processed in anonymized form.

In some cases, data may be retained for longer periods where required by legal obligations — for example, commercial or tax law retention periods. In such cases, the data will be deleted or anonymized once the statutory period has expired.

Use of the app

Information about your end device

Each time you access the app, the following information about your device is collected, regardless of whether you are logged in: the IP address of the device, the request from the app and the time of the request. In addition, technical details such as device model, operating system version, app version, and the status and volume of data transferred are recorded.

This data may also be collected through integrated services such as Firebase, PostHog, and Crashlytics to help monitor performance, detect errors, and improve app stability and functionality. The IP address is only stored for the duration of your app session and is then either deleted or anonymized. Other device data is retained for a limited period and used solely for operational purposes.

The controller uses this data to maintain and optimize the app, identify issues, and analyze usage patterns. These purposes represent legitimate interests in accordance with Art. 6 (1) (f) GDPR.

Use of cookies

Cookies may be used for our app. Cookies are small text files that are stored on your computer and save certain settings and data for exchange with our online offer via your browser. A cookie usually contains the name of the domain from which the cookie file was sent as well as information about the age of the cookie and an alphanumeric identifier.

Cookies enable us to recognize your computer and make any pre-settings and preferences immediately available. The cookies we use are – as far as possible – so-called session cookies, which are automatically deleted at the end of the browser session. Occasionally, cookies with a longer storage period may also be used so that your pre-settings and preferences can also be taken into account the next time you visit our website.

Most browsers are set to accept cookies automatically. However, you can deactivate the storage of cookies or set your browser so that it notifies you as soon as cookies are sent. It is also possible to delete cookies that have already been saved manually via the browser settings. Please note that you may only be able to use our online services to a limited extent or not at all if you reject the storage of cookies or delete necessary cookies.

If cookies are not required for our online offer, we ask you to consent to the use of cookies when you access the online offer for the first time. With regard to the non-essential cookies from third-party providers, you will find a more detailed description of the services we use from these third-party providers below. The legal basis for the associated data processing, including any data transfer, is your consent within the meaning of Art. 6 (1) (a) GDPR. Once consent has been given, it can be revoked at any time with effect for the future, in particular by changing the selected settings.

The legal basis for the use of necessary cookies is our legitimate interest in the proper provision of our online offer within the meaning of Art. 6 (1) (f) GDPR and – insofar as contracts are concluded or fulfilled via our online offer – the fulfillment of the contract within the meaning of Art. 6 (1) (b) GDPR.

Once a selection has been made with regard to the use of cookies, it can be changed again at any time.

Integration of the services of third-party providers

Google Firebase

The controller uses various services from Google Firebase in connection with the app. Google Firebase is a platform that provides tools for app development and analytics and is operated by Google Ireland Limited, Gordon House, 4 Barrow St, Dublin, D04 E5W5, Ireland (“Google”).

Firebase is used in XueTang for purposes including:

  • Managing user authentication (e.g., email/password or social login)
  • Storing user account data (email, username)
  • Storing individual learning progress and user-generated vocabulary
  • Tracking technical performance, crashes (via Crashlytics), and usage behavior (e.g., session duration, device type, operating system)

A detailed overview of the data collected by Google Firebase can be found at: https://support.google.com/firebase/answer/6318039?hl=de

Additional information is also available at: https://firebase.google.com/ and https://www.firebase.com/terms/privacy-policy.html

In connection with the use of Firebase services, it cannot be ruled out that personal data may be transmitted to the USA or other third countries. To ensure the protection of such data, the controller has concluded a data processing agreement with Google that includes the standard contractual clauses approved by the European Commission under Art. 46 GDPR.

Firebase is used for operational functionality and the technical improvement of the app. This represents a legitimate interest pursuant to Art. 6 (1) (f) GDPR. Where Firebase services rely on non-essential cookies or identifiers, these are only activated with your consent pursuant to Art. 6 (1) (a) GDPR.

PostHog

The controller uses the functions of PostHog to improve the app. PostHog is an open source platform and offers various functions for analyzing software products. PostHog is operated by PostHog Inc, 2261 Market Street #4008, San Francisco, CA 94114, USA. When PostHog is used, the IP address, session duration, operating system, device model and a range of other data are stored. A detailed overview of the data collected by PostHog can be found at https://posthog.com/dpa. Further information about PostHog is available at https://posthog.com/ and https://posthog.com/privacy. In connection with the use of the service, it cannot be ruled out that personal data will be transferred to the USA. To protect the data, there is an agreement with PostHog for order processing, taking into account the standard contractual clauses.

PostHog is used to optimize the app. This constitutes a legitimate interest within the meaning of Art. 6 (1) (f) GDPR. Insofar as cookies are used for PostHog, this is only done for non-essential cookies if consent has been given.

In-app purchases/subscriptions

In the app, you have the option of purchasing paid content via the Apple App Store. The controller uses your personal data for in-app purchases and subscriptions only within the company and with the company commissioned to process orders.

Storage and data transfer for in-app purchases

The controller uses the technical interface provided by RevenueCat to manage in-app purchases and subscriptions. RevenueCat is operated by RevenueCat Inc., 1032 E Brandon Blvd #3003, Brandon, FL 33511, USA.

When a purchase is initiated in the app, RevenueCat forwards the transaction to the Apple App Store. Payment is processed using the payment method stored in the user's App Store account (e.g. credit card, PayPal, or store credit). After successful payment processing, the App Store sends confirmation to RevenueCat, which then updates the subscription status.

In the course of providing this service, RevenueCat may process data including subscription status, payment metadata, device identifiers, and technical details related to the purchase. A detailed overview of the data collected by RevenueCat is available at: https://www.revenuecat.com/dpa/

Further information can be found at: https://www.revenuecat.com/privacy/

As RevenueCat is based in the United States, it cannot be ruled out that personal data may be transferred to the USA. To protect this data, the controller has entered into a data processing agreement with RevenueCat, which includes standard contractual clauses in accordance with Art. 46 GDPR.

The legal basis for this data processing is Art. 6 (1) (b) GDPR, as it is required for the performance of a contract (i.e. processing your purchase or subscription).

The data is stored for as long as necessary to fulfill the contract and for compliance with legal obligations. This includes commercial and tax-related retention periods, typically up to 10 years after the end of the respective calendar year.

During the payment process, data may also be processed by Apple, as the operator of the App Store, and by the respective payment service provider. The controller has no influence over how Apple or payment providers process your data, and they do not act as processors on behalf of the controller. For more information on Apple’s data practices, see: https://www.apple.com/legal/privacy/data/de/app-store/

Please note that data collected by Apple in this context may also be transferred outside the European Union.

Communication with us

You can contact the responsible persons in various ways, including via the contact form in the app.

Contact form

If you wish to use the contact form in the app, the controller will collect the personal data that you enter in the contact form, in particular your name and email address. In addition, the controller stores the IP address, device-related information such as the device model and the date and time of the request. The controller processes the data transmitted via the contact form solely for the purpose of responding to your inquiry or request.

You can decide for yourself what information you send to the controller via the contact form. The legal basis for the processing of your data is your consent in accordance with Art. 6 (1) (a) GDPR.

After the matter has been processed by the controller, the data will initially be stored in case of any queries. Deletion of the data can be requested at any time, otherwise we will delete the data after the matter has been fully dealt with; statutory retention obligations remain unaffected in each case.

Your rights and contact

The controller attaches great importance to explaining the processing of your personal data as transparently as possible and to informing you of the rights to which you are entitled. If you would like more information or wish to exercise your rights, you can contact the controller at any time so that they can deal with your request.

Rights of data subjects

You have extensive rights regarding the processing of your personal data. You have the right to access the information stored about you and may request the correction and/or deletion or blocking of your personal data if necessary. You can also request a restriction of processing and have the right to object to data processing. For personal data you have provided to the controller, you also have the right to data portability.

In the context of the XueTang app, this includes the ability to request the deletion of your account and all associated personal data (e.g. email and username). Please note that learning progress and vocabulary data created within the app is not classified as personal data and will not be included in such deletion requests.

If you wish to assert one of your rights or receive further information, you can contact the controller at any time.

Withdrawal of consent and objection

Once you have given your consent — for example, to create an account or to allow analytics — you may withdraw it at any time with effect for the future. Withdrawal of consent does not affect the lawfulness of data processing carried out prior to the withdrawal.

If the processing of your personal data is based on a legal ground other than consent, you also have the right to object to that processing. Your objection will trigger a review and, if applicable, lead to the termination of the processing. You will be informed of the outcome and, if the processing continues, the controller will explain why it is considered permissible.

Complaints

If you are of the opinion that the processing of your personal data by the controller does not comply with this privacy policy or the applicable data protection regulations, you have the right to lodge a complaint with the supervisory authority. You can also lodge a complaint with the controller. The controller will then investigate the matter and inform you of the outcome of the investigation.

Further information and changes

Links to other websites

Our app may contain links to other websites. These links are usually marked as such. We have no influence on the extent to which the applicable data protection regulations are complied with on the linked websites. We therefore recommend that you also inform yourself about the data protection declarations of other websites.

Changes to this privacy policy

The status of this privacy policy is indicated by the date (below). The controller reserves the right to amend this privacy policy at any time with effect for the future. Changes will be made in particular in the event of technical adjustments to the app or changes to data protection regulations. The current version of the privacy policy can always be accessed directly via the app. We recommend that you inform yourself regularly about changes to this privacy policy.

Status of this privacy policy: December 2025

Menu
Scroll to Top