Privacy Policy

Last updated: 17 March 2026

Maestro ("we", "us", "our") is an Italian language learning application. This policy explains what personal data we collect, how we use it, and your rights under the General Data Protection Regulation (GDPR) and other applicable laws.

1. Data controller

The data controller responsible for your personal data is:

Maestro
Email: privacy@maestro.dev

2. Data we collect

  • Account information: email address and hashed password.
  • Student profile: your name (optional), CEFR level estimate, learning preferences, and persona details you provide (background, interests, goals).
  • Lesson history: lessons taken, drill attempts, scores, learning events, and vocabulary cards.
  • LLM interaction logs: prompts sent to AI models and their responses, token counts, and cost records. These are used to generate lessons and score your answers.
  • Payment information: billing details processed by Stripe. We do not store credit card numbers on our servers; Stripe handles this as an independent data controller for payment fraud prevention and compliance.
  • Technical data: IP address, browser type, operating system, and access timestamps collected automatically by our hosting infrastructure and error-tracking services.

3. How we use your data

We use the data listed above for the following purposes:

  • Providing the core language-learning service: generating lessons, tracking your progress, and personalising content to your level and goals.
  • Managing your account and authenticating your sessions.
  • Processing subscription payments via Stripe.
  • Sending transactional emails (e.g. password resets, subscription confirmations) via Resend.
  • Monitoring application errors and performance via Sentry to maintain service reliability.
  • Improving the service based on aggregated, anonymised usage patterns.

4. Lawful basis for processing

Under GDPR Article 6, we process your data on the following bases:

  • Contract performance (Art. 6(1)(b)): processing necessary to provide the core language learning service — account management, lesson generation, progress tracking, and subscription billing.
  • Legitimate interest (Art. 6(1)(f)): error tracking via Sentry and basic usage analytics to maintain and improve service reliability. We have conducted a balancing test and concluded that these processing activities do not override your rights, given their limited scope and the technical safeguards in place.

We do not rely on consent as a legal basis for any core processing. If we ever introduce optional features that require consent (e.g. marketing emails), we will request it separately and you may withdraw it at any time.

5. Data processors and third-party services

We use the following third-party services to operate Maestro. Each acts as a data processor under a Data Processing Agreement (DPA) with us, unless otherwise noted:

  • MongoDB Atlas (MongoDB, Inc. — USA) — database hosting.
  • Railway (Railway Corp. — USA) — application hosting.
  • Stripe (Stripe, Inc. — USA) — payment processing. Stripe also acts as an independent data controller for fraud prevention and financial compliance.
  • Resend (Resend, Inc. — USA) — transactional email delivery.
  • Sentry (Functional Software, Inc. — USA) — error tracking and performance monitoring.
  • OpenAI (OpenAI, LLC — USA) — AI model provider for lesson generation and scoring.
  • Anthropic (Anthropic, PBC — USA) — AI model provider for lesson generation and scoring.

6. International data transfers

Your data may be transferred to and processed in the United States by the processors listed above. Since you are located in the EU/EEA (Bulgaria), these transfers are protected by one or more of the following safeguards under GDPR Chapter V:

  • The EU–US Data Privacy Framework, where the recipient is a certified participant.
  • Standard Contractual Clauses (SCCs) adopted by the European Commission, incorporated into our DPAs with each processor.

You may request a copy of the relevant transfer safeguards by contacting us at the address below.

7. Data retention and deletion

We retain your data for as long as your account is active. Specifically:

  • Account and profile data: retained until you delete your account.
  • Lesson history and LLM logs: retained until you delete your account.
  • Payment records: retained for the period required by applicable tax and accounting laws (typically 5 years in Bulgaria under the Accountancy Act), after which they are deleted.
  • Error logs (Sentry): automatically purged after 90 days.

You may delete your account and all associated data at any time from your account settings or by sending a request to the contact address below. Upon deletion, all personal data is permanently removed from our database within 30 days. Backups containing your data are overwritten within the normal backup rotation cycle (up to 30 days).

8. Your rights

Under the GDPR, you have the right to:

  • Access (Art. 15) — obtain a copy of your personal data. Use the data export feature in your account settings.
  • Rectification (Art. 16) — correct inaccurate data via your profile settings or by contacting us.
  • Erasure (Art. 17, "right to be forgotten") — delete your account and all associated data.
  • Restriction of processing (Art. 18) — request that we limit how we use your data in certain circumstances.
  • Data portability (Art. 20) — download your data in machine-readable JSON format from your account settings.
  • Object (Art. 21) — object to processing based on legitimate interest. We will stop processing unless we demonstrate compelling grounds that override your interests.
  • Withdraw consent (Art. 7(3)) — where processing is based on consent, withdraw it at any time without affecting the lawfulness of prior processing.

To exercise any of these rights, use the relevant feature in your account settings or email us at privacy@maestro.dev. We will respond within 30 days.

9. Right to lodge a complaint

If you believe we have violated your data protection rights, you have the right to lodge a complaint with your national supervisory authority. For users in Bulgaria, this is:

Commission for Personal Data Protection (КЗЛД)
Address: 2 Prof. Tsvetan Lazarov Blvd., Sofia 1592, Bulgaria
Website: www.cpdp.bg
Email: kzld@cpdp.bg

10. Cookies

Maestro uses only the following strictly necessary cookies:

  • session — a signed session cookie required for authentication.
  • csrftoken — a CSRF protection cookie to prevent cross-site request forgery.

These cookies are exempt from the consent requirement under the ePrivacy Directive (Art. 5(3)) because they are strictly necessary for the service to function. We do not use any tracking cookies, analytics cookies, or third-party advertising cookies.

11. Automated decision-making

Maestro uses AI models to generate lessons and score your answers. These automated processes produce educational content and performance feedback but do not make decisions that have legal or similarly significant effects on you. You are always free to retake exercises, and your scores are used solely to track your learning progress.

12. Children's privacy

Maestro is not directed at children under the age of 16. We do not knowingly collect personal data from children under 16. If you believe a child under 16 has provided us with personal data, please contact us and we will delete the data promptly.

13. Security

We implement appropriate technical and organisational measures to protect your personal data, including:

  • Passwords stored using industry-standard one-way hashing.
  • All data transmitted over HTTPS/TLS encryption.
  • Access to production systems restricted to authorised personnel.
  • Regular dependency updates and security monitoring.

14. Changes to this policy

We may update this privacy policy from time to time. If we make material changes, we will notify you by email or by a prominent notice within the application at least 14 days before the changes take effect. Continued use of Maestro after the effective date constitutes acceptance of the updated policy.

15. Contact

For privacy requests or questions, contact us at: privacy@maestro.dev
