Privacy Policy

Last updated: February 27, 2026

1. Who We Are

Tulipa ("we", "our", "us") is a Dutch language learning platform. This privacy policy explains how we collect, use, store, and protect your personal data in compliance with the General Data Protection Regulation (GDPR) and other applicable data protection laws.

2. Data We Collect

We collect and process the following personal data:

  • Account Information: Name, email address, profile image (if provided via Google OAuth).
  • Learning Data: Lesson progress, exercise answers, scores, streak data, and practice time.
  • Conversation Data: Messages exchanged with our AI tutor during conversation practice sessions.
  • Subscription Data: Subscription tier and billing period.
  • Technical Data: IP address, browser user agent, session tokens (for authentication).
3. Legal Basis for Processing

We process your data under the following legal bases (GDPR Art. 6):

  • Contract (Art. 6(1)(b)): To provide the language learning service you signed up for.
  • Consent (Art. 6(1)(a)): For analytics and AI-powered data processing. You can withdraw consent at any time.
  • Legitimate Interest (Art. 6(1)(f)): For security, fraud prevention, and service improvement.
4. How We Use Your Data
  • Provide and personalize your Dutch learning experience
  • Track your progress and streaks
  • Power AI conversation practice (Pro subscribers) using OpenAI
  • Improve our curriculum and platform
  • Ensure security and prevent abuse
5. AI Data Processing

Our AI conversation feature sends your messages to OpenAI for processing. We do not use your conversation data to train AI models. Conversation history is stored on our servers and can be exported or deleted at your request. AI data processing requires your explicit consent.

6. Data Sharing

We share data only with:

  • Supabase: Database hosting
  • Vercel: Application hosting and cookieless analytics
  • OpenAI: AI conversation processing (with consent)
  • Google: OAuth authentication (if you sign in with Google)

We do not sell your personal data to third parties.

7. Data Retention

We retain your personal data for as long as your account is active. If you delete your account, all your personal data is permanently and immediately erased. Consent records are retained for 3 years after withdrawal to demonstrate compliance.

8. Your Rights Under GDPR

You have the right to:

  • Access your personal data (Art. 15) — available via Settings → Privacy & Data
  • Rectify inaccurate data (Art. 16) — edit your profile in Settings
  • Erase your data (Art. 17) — request account deletion in Settings → Privacy & Data
  • Data Portability (Art. 20) — export all your data as JSON in Settings → Privacy & Data
  • Withdraw Consent (Art. 7) — manage cookie and processing preferences at any time
  • Object to processing (Art. 21) — contact us to object to specific processing activities
  • Lodge a Complaint with your local data protection authority
9. Cookies

We use the following cookies and data processing:

  • Essential: Authentication session cookies and local storage for app preferences. Cannot be disabled.
  • Analytics: Vercel Analytics collects cookieless, privacy-friendly usage data to help us understand usage patterns. Requires consent.
  • AI Data Processing: Your conversation messages are sent to OpenAI to power the AI tutor feature. No cookies are set for this — it is a data processing consent. Requires explicit consent.

You can manage your preferences at any time via the Privacy & Data section in your account settings or the banner shown on first visit.

10. Security

We implement appropriate technical and organizational measures to protect your data, including encrypted connections (TLS), hashed passwords, secure session management, and access controls.

11. Contact

For any privacy-related questions or to exercise your rights, please use the Privacy & Data section in your account settings or email us at: privacy@tulipa.app. Note: ensure this mailbox is configured before going live.

← Back to Tulipa