Chrome Extension — Data Disclosure
This section specifically covers the Butterfluent Chrome Extension ("Extension"), published on the Chrome Web Store. It supplements the general policy below and discloses all data collected, used, and shared by the Extension.
Permissions Used and Why
- storage — Stores your authentication token and user profile (name, email, plan) locally in chrome.storage.local so you stay signed in between browser sessions. This data never leaves your device except to communicate with butterfluentgerman.com.
- alarms — Runs a background timer every 5 minutes to refresh your flashcard due-count badge. No data is collected; the alarm only triggers an API call to our own server.
- tabs — Used for two purposes only: (1) detecting when you complete sign-in via the auth callback page on butterfluentgerman.com so the Extension can capture your token and close that tab; (2) updating the review-badge count when you switch tabs or windows. The Extension does not read tab titles, URLs, or browsing history outside of butterfluentgerman.com.
Host Permissions and Content Scripts
The Extension injects content scripts on the following sites solely to provide dual subtitles and word-lookup functionality:
- youtube.com — subtitle interception and dual-subtitle overlay
- netflix.com — subtitle overlay
- disneyplus.com, primevideo.com, hulu.com, hbomax.com, play.max.com, crunchyroll.com — subtitle overlay
- butterfluentgerman.com — communication between the Extension and the web app
Content scripts do not read your account credentials, payment information, or any page content beyond subtitle tracks and the words you explicitly click.
Data Collected by the Extension
- Authentication token & user profile — stored locally via chrome.storage.local. Contains your JWT token, name, email address, and subscription plan. Never shared with third parties.
- Words and phrases you click — when you click a word or phrase on a streaming site, that text (and the surrounding sentence for context) is sent to butterfluentgerman.com for AI-powered language analysis. This data is processed server-side by Anthropic (Claude) and cached in our database against your account.
- Subtitle lines for translation — when you enable dual subtitles, subtitle text is sent to butterfluentgerman.com for translation. Individual subtitle lines are transmitted in small batches; no video content or audio is transmitted.
- Vocabulary saves — words you choose to save are transmitted to butterfluentgerman.com and stored in your account's vocabulary list.
- Flashcard deck data — when you create a flashcard deck from saved words, the deck metadata and word list are sent to butterfluentgerman.com and stored in your account.
The Extension does not collect: browsing history, keystroke data, form inputs, screen recordings, video content, audio, cookies from streaming sites, or any data unrelated to language learning.
How Extension Data Is Used
- To provide word definitions, grammar explanations, and phrase analyses via AI
- To display translated subtitles alongside the original
- To save vocabulary words and flashcard decks to your account
- To show how many flashcards are due for review in the extension badge
- To enforce usage limits based on your subscription plan
Third Parties the Extension Shares Data With
- Anthropic (US) — words, phrases, and subtitle text you interact with are processed by Anthropic's Claude AI for language analysis and translation. By default, Anthropic is not permitted to train on data sent through its API. See anthropic.com/privacy.
- Supabase (US) — your vocabulary, flashcard decks, and AI analysis results are stored in our Supabase database. See supabase.com/privacy.
No Extension data is sold to third parties, shared with advertisers, or used for any purpose other than providing the Butterfluent language-learning service.
Local Storage and Retention
- Your authentication token and profile are stored in chrome.storage.local and cleared immediately when you sign out.
- Word lookups are cached in memory (not persisted to disk) for 30 minutes to reduce redundant API calls.
- Server-side: vocabulary and flashcard data are retained as long as your account is active. See Section 7 — Data Retention below.
How to Remove Extension Data
Sign out of the Extension (via the popup) to clear all locally stored tokens. To permanently delete your account and all associated data, use the account deletion feature in Settings or email info@kaizendubai.com.
1. Who We Are
Butterfluent is operated by Kaizen Dubai ("we", "us", "our"). We are the data controller responsible for your personal data under the General Data Protection Regulation (GDPR, Regulation (EU) 2016/679).
Data protection contact: info@kaizendubai.com
2. Information We Collect
- Account data: Email address, display name, and encrypted password when you register. If you sign in with Google, we receive your name and email from Google.
- Payment data: Payment transactions are processed by Dodo Payments. We store your subscription ID and plan type. We do not store credit card numbers or payment credentials.
- Usage data: Number of videos processed, subtitles generated, flashcard decks created, and watch time consumed.
- Content data: YouTube URLs, uploaded file names, subtitle text you generate or save, vocabulary words, and flashcard content.
- Technical data: IP address (for rate limiting and security only), browser type, and server request logs retained for up to 30 days.
3. Legal Basis for Processing
Under GDPR Article 6, we process your data on the following legal bases:
- Contract performance (Art. 6(1)(b)): Processing your account data, content, and usage data is necessary to provide the Service you signed up for.
- Legitimate interest (Art. 6(1)(f)): Security logging, fraud prevention, and service improvement. Our legitimate interest does not override your fundamental rights.
- Consent (Art. 6(1)(a)): Analytics cookies and full analytics measurement are enabled only if you opt in through our cookie banner. You may withdraw that consent at any time from Cookie Settings in the footer.
- Legal obligation (Art. 6(1)(c)): Retaining payment records as required by tax and accounting law.
4. How We Use Your Information
- To provide, maintain, and improve the Service
- To enforce usage limits and plan restrictions
- To process payments and manage subscriptions
- To send transactional emails (account confirmation, subscription changes)
- To respond to support requests
- To detect and prevent abuse, fraud, or security incidents
We do NOT sell your data to third parties, use your data for advertising, or send marketing emails without your explicit consent.
5. Third-Party Data Processors
We share your data with the following processors, solely to operate the Service (GDPR Article 28):
- Supabase (US) - Database, authentication, and file storage
- Hetzner (Germany) - Application hosting on EU servers
- Anthropic (US) - AI-powered translation and language analysis
- Groq (US) - AI transcription of audio
- Dodo Payments (EU/US) - Payment processing and subscription management
- Resend (US) - Transactional email delivery
- PostHog (EU) - Optional product analytics, activated only after consent
- Google Analytics (Google Ireland / Google LLC) - Website analytics via Google tag and consent mode
Each processor is bound by its own privacy policy and data processing agreements. We only share the minimum data required for each service to function.
6. International Data Transfers
Some of our processors are located in the United States. Data transferred outside the European Economic Area (EEA) is protected by:
- The EU-U.S. Data Privacy Framework (where the processor is certified)
- Standard Contractual Clauses (SCCs) approved by the European Commission
You may request details about the specific safeguards in place by contacting us at info@kaizendubai.com.
7. Data Retention
- Account data: Retained for as long as your account is active, plus 30 days after deletion to allow recovery.
- Content data: Subtitle projects, vocabulary, and flashcard decks are stored until you delete them or close your account.
- Payment records: Retained for 7 years as required by tax and accounting regulations.
- Server logs: Automatically deleted after 30 days.
- Analytics data: Analytics retention follows the retention settings configured in PostHog and Google Analytics. Google consent-mode signals may be transmitted while analytics storage remains denied.
8. Your Rights Under GDPR
As an EU/EEA resident, you have the following rights under GDPR:
- Right of access (Art. 15): Request a copy of the personal data we hold about you.
- Right to rectification (Art. 16): Request correction of inaccurate data. You can update your name and email in your account settings.
- Right to erasure (Art. 17): Request deletion of your account and all associated data ("right to be forgotten"). Contact us to exercise this right.
- Right to restrict processing (Art. 18): Request that we limit how we use your data while a complaint is being resolved.
- Right to data portability (Art. 20): Request your data in a structured, machine-readable format. You can export your subtitle projects and vocabulary from the Service.
- Right to object (Art. 21): Object to processing based on legitimate interest. We will stop processing unless we have compelling grounds.
- Right to withdraw consent (Art. 7): Where processing is based on consent, you may withdraw it at any time without affecting prior processing.
To exercise any of these rights, email info@kaizendubai.com. We will respond within 30 days.
Right to lodge a complaint: If you believe we have violated your data protection rights, you have the right to lodge a complaint with a supervisory authority in the EU Member State of your habitual residence, place of work, or place of the alleged infringement.
9. Cookies and Analytics
We use strictly necessary cookies required for authentication, session management, payment continuity, and remembering your cookie choice. These are exempt from consent requirements because the Service cannot function properly without them or because they store a preference you explicitly made.
PostHog remains blocked until you click Accept Analytics. Google Analytics 4 uses Google's consent mode: the Google tag loads with analytics_storage denied by default, and full analytics cookies and detailed measurement are enabled only after you opt in.
While Google Analytics consent remains denied, Google may still receive consent-state signals and limited cookieless requests described by Google as consent mode pings. If you reject analytics, Butterfluent continues to work normally and analytics cookies remain disabled.
If you later want to change your decision, you can reopen Cookie Settings from the footer and withdraw consent as easily as you gave it. We do not use analytics for personalized advertising, and Google advertising signals and ad-personalization signals are disabled in our client-side implementation.
10. Security
We implement appropriate technical and organisational measures to protect your data (GDPR Article 32), including:
- HTTPS/TLS encryption for all data in transit
- Passwords hashed with bcrypt (never stored in plaintext)
- Row-level security (RLS) on all database tables
- Environment variables for all API keys and secrets (never exposed to the client)
In the event of a personal data breach, we will notify the relevant supervisory authority within 72 hours (GDPR Article 33) and affected users without undue delay where the breach poses a high risk (GDPR Article 34).
11. Children
The Service is not directed to children under 16 years of age. We do not knowingly collect personal data from children under 16. If you believe a child has provided us with personal data, contact us immediately and we will delete the data.
In EU Member States that have set a lower age of digital consent (minimum 13 under GDPR Article 8), parental consent is required for users between 13 and 16.
12. Changes to This Policy
We may update this policy periodically. For material changes, we will notify you by email or via a notice on the platform at least 14 days before the changes take effect. Continued use of the Service after changes constitutes acceptance.
13. Contact
For privacy enquiries, data protection requests, or to exercise your GDPR rights:
Email: info@kaizendubai.com
Operator: Kaizen Dubai