AI Tutor

Privacy Policy

Effective date: April 6, 2026

Last updated: April 6, 2026

This Privacy Policy explains how GokuGoku ("GokuGoku", "we", "us", or "our") collects, uses, stores, and protects personal data when you use our website, application, and related services, including the learning platform available at learn.gokugoku.app (together, the "Services").

This policy is written to reflect a GDPR-led global standard. Depending on where you live, you may have additional rights under local law.

1. Joint Controllers

The joint controllers of your personal data are:

  • Anna Baffa Volpe
  • Sandro Maglione

The joint controllers are based in Italy.

For privacy questions, account deletion requests, or to exercise your rights, please contact: [email protected]

2. Personal Data We Collect

We collect only the data reasonably necessary to operate and secure the Services.

Account and authentication data

Authentication is handled by Clerk. We do not store your email address, password, or other core sign-in identity data in our own application database. Instead, our systems generally store only the internal account reference needed to associate your learning data with your account, such as a Clerk-provided user ID.

Clerk may process authentication and identity data, such as your email address and sign-in credentials or third-party sign-in details, under Clerk's own role in providing authentication services.

Learning and account data

  • text you submit in lessons, exercises, prompts, chats, or other learning features
  • corrections, feedback, generated explanations, and other outputs associated with your account
  • saved history, study progress, profile settings, and preferences
  • AI-generated audio content made available to you through the Services

Billing and subscription data

When you subscribe, payments are processed by Paddle. We may receive subscription and transaction metadata such as:

  • customer identifier
  • subscription status
  • plan or product information
  • billing country, currency, amount, renewal, and receipt details

We do not receive your full payment card details.

Technical and security data

  • IP address and device/browser data processed for security, fraud prevention, debugging, and infrastructure protection
  • server, access, and error logs
  • analytics, diagnostic, and usage data collected through browser-side and server-side service monitoring tools, including PostHog
  • data associated with cookies, local storage, and similar technologies used for authentication, security, payments, analytics, and core service functionality

3. Data We Do Not Intend to Collect

The Services are not designed for the submission of sensitive personal data. Please do not submit health information, government identifiers, financial account details, or other sensitive personal data unless strictly necessary and specifically requested by us.

We do not collect user voice recordings for pronunciation analysis or shadowing. If the Services provide audio output, that audio is generated by the Services and is not a recording of your voice.

4. How We Use Personal Data

We use personal data to:

  • create and manage user accounts
  • authenticate users and maintain secure sessions through Clerk
  • provide lessons, AI-assisted feedback, corrections, and generated learning content
  • store learning history, progress, and account preferences
  • generate and deliver AI-generated audio responses or study materials
  • process subscriptions, manage billing-related records, and provide customer support
  • improve the Services and learning experience
  • monitor service performance, troubleshoot issues, and maintain reliability
  • detect abuse, fraud, unauthorized access, and technical issues
  • comply with legal obligations and enforce our terms

Where the GDPR applies, we generally rely on the following legal bases:

  • Performance of a contract: to provide your account, learning features, subscriptions, and requested Services
  • Legitimate interests: to secure the Services, prevent abuse and fraud, maintain infrastructure, debug issues, and protect our legal rights
  • Legal obligation: where we must retain or disclose data to comply with applicable law

If we introduce a feature that requires consent under applicable law, we will ask for that consent separately.

6. AI Processing

GokuGoku uses external AI-enabled services, including Google Cloud and Gemini, to process prompts, submissions, exercises, and related learning content in order to generate feedback, explanations, audio, and other outputs requested through the Services.

Those providers may receive the content and related technical data needed to generate the requested output and support service operation. We do not make broader promises in this Policy about provider-side model training restrictions or internal handling beyond the configurations, contracts, and technical controls we choose to use from time to time.

7. Service Providers and Recipients

We may share personal data with service providers acting on our behalf, including:

  • Clerk, for authentication, account identity, and session management
  • Cloudflare, for hosting, content delivery, application-layer services, and security functions
  • PostHog, for product analytics, diagnostics, product improvement, troubleshooting, service reliability, and abuse prevention
  • Google Cloud and Gemini, for infrastructure and AI processing
  • Paddle, for recurring subscription billing, payment processing, invoicing, and related transaction handling

We may also disclose personal data:

  • if required by law, court order, or competent authority
  • to protect the rights, safety, property, or security of GokuGoku, our users, or others
  • in connection with a reorganization, merger, sale of assets, or similar transaction, subject to appropriate safeguards

We do not sell your personal information.

8. International Data Transfers

Some of our service providers may process personal data outside your country, including outside the European Economic Area.

Where required, we rely on appropriate transfer safeguards, such as contractual protections and other lawful transfer mechanisms, to protect personal data transferred internationally.

9. Retention

We retain personal data for as long as reasonably necessary to operate the Services, maintain accounts, satisfy legal obligations, protect the Services, and resolve disputes.

In practice:

  • account, learning, profile, progress, and generated-content records may be retained while your account is active and for a reasonable period afterward where needed for support, security, abuse prevention, or dispute handling
  • billing, transaction, and related business records may be retained for longer where required for accounting, tax, fraud prevention, chargeback handling, or legal compliance
  • logs, analytics, and diagnostic records may be retained for shorter operational periods where feasible, but retention may vary based on provider systems, security needs, and troubleshooting requirements

Deletion does not necessarily result in immediate removal from every system. Backup copies and provider-held records may persist temporarily until deleted or overwritten through normal operational processes.

10. Your Rights

Depending on applicable law, you may have rights relating to your personal data, including the right to request access to personal data we control and to request deletion of personal data we control where applicable.

To exercise your rights regarding personal data controlled by GokuGoku, contact us at [email protected].

We review requests manually and may need to limit or deny a request where an exception applies, where we cannot verify the request, or where the request concerns data controlled directly by a third-party provider rather than by GokuGoku.

Where authentication or identity data is processed directly by Clerk as our authentication provider, requests relating specifically to that data may also need to be handled through Clerk's own tools, processes, or privacy documentation.

If you are in the European Union, you may also lodge a complaint with your local supervisory authority. Because the joint controllers are based in Italy, the Italian data protection authority may also be relevant: Garante per la protezione dei dati personali.

11. Account Deletion

You may request deletion of your GokuGoku account data and associated personal data controlled by GokuGoku by emailing [email protected].

We handle deletion requests case by case. Depending on the systems involved, deletion may include removing or de-identifying some data while retaining limited records needed for legal compliance, billing, fraud prevention, security, dispute resolution, or internal recordkeeping.

Where your access to the Services depends on a Clerk-managed authentication account or another third-party provider account, deletion of GokuGoku-controlled data does not automatically mean that the separate provider account or provider-held data is deleted. We may need to coordinate with the provider, direct you to the provider's own tools, or explain any limits that apply.

Deletion timing depends on verification, system architecture, provider processes, legal retention requirements, fraud-prevention needs, and backup cycles.

12. Cookies and Similar Technologies

We and our service providers use cookies and similar technologies, such as local storage, session storage, SDK storage, and comparable browser technologies, to operate and secure the Services.

These technologies may be used for purposes such as:

  • authentication, session continuity, security, fraud prevention, and checkout or payment-related functionality
  • storing service preferences or supporting core application behavior
  • analytics, diagnostics, and service monitoring, including through PostHog

Some of these technologies are necessary for the Services to function, while others support measurement, troubleshooting, and service improvement. This Policy does not promise that only strictly necessary cookies or similar technologies are used at all times.

13. Children

The Services are not intended for children under 16. We do not knowingly collect personal data from children under 16. If we learn that we have collected such data without appropriate authorization, we will delete it.

14. Security

We use reasonable technical and organizational measures designed to protect personal data, including measures related to transport security, access control, and infrastructure security.

No system can be guaranteed to be completely secure, and we cannot guarantee absolute security.

15. Third-Party Sites and Sign-In Providers

The Services may contain links to third-party sites or may allow sign-in through third-party providers such as Google. Those third parties operate under their own terms and privacy policies, and we encourage you to review them.

16. Changes to This Policy

We may update this Privacy Policy from time to time. If we make material changes, we will post the updated version and update the effective date above. Where required by law, we will provide additional notice.

17. Contact

For any privacy, data protection, or deletion request, contact:

[email protected]