LEWE LogoLEWE

Privacy Policy

Last updated: March 15, 2026

01Data controller

Marouane Naghmouchi

c/o POSTFLEX PFX-158-132

Emsdettener Strasse 10

48268 Greven

Email: datenschutz@getlewe.com

The data controller within the meaning of the General Data Protection Regulation (GDPR) and other national data protection laws as well as other data protection regulations is the person named above.

02Overview of data processing

LEWE is a language-learning app that lets users learn vocabulary from movies and TV shows. In doing so, we process the following categories of personal data:

  • Account data: email address and encrypted password
  • Profile data: selected source and target language, CEFR level
  • Learning progress: vocabulary progress, review results, SRS parameters (ease factor, interval, repetitions)
  • Usage statistics: anonymized app usage data for product improvement

Legal basis: Processing is based on GDPR Art. 6(1)(b) (performance of a contract) for providing the learning service and GDPR Art. 6(1)(f) (legitimate interest) for product improvement.

03Registration and user account

Use of the app requires registration. The following data is collected:

  • Email address
  • Password (stored hashed, never in plain text)
  • Source language (e.g. German)
  • Target language (e.g. English)
  • Self-assessed language level (CEFR A1–C2)

Authentication is handled via Supabase Auth. Supabase processes your data as a processor under GDPR Art. 28. Passwords are encrypted with bcrypt and are not visible even to us.

04Learning progress and usage data

While you use the app, the following data is stored:

  • Vocabulary progress: which words you have learned, ratings (Again, Hard, Good, Easy), response times
  • SRS parameters: ease factor, current interval, number of repetitions, next review date — per word
  • Session data: number of words learned per session, results, duration
  • Film match: calculated percentage of known words per film

This data is strictly necessary to run the learning algorithm (SM-2 spaced repetition) and to show you your individual progress. It is associated solely with your user account and is not visible to other users.

05Data storage and hosting

a) Backend and database

All personal data is stored in a PostgreSQL database at Supabase. The servers are located in the AWS region eu-central-1 (Frankfurt, Germany).

We use Row Level Security (RLS) to ensure that each user can only access their own data. Database queries are filtered server-side by the authenticated user identity.

b) Local storage on the device

The app uses react-native-mmkv for local data persistence. Only non-personal settings (e.g. language selection, theme preference) and cache data are stored there. MMKV automatically encrypts data on the device.

c) Website hosting

This website is hosted by Vercel Inc. Vercel automatically processes server log data (IP address, user agent, access timestamp). This data is stored for a maximum of 30 days and is used solely to ensure operation.

06Analytics and statistics

We use PostHog to analyze app usage. PostHog helps us understand how the app is used so we can improve it.

We collect:

  • Anonymized usage events (e.g. "learning mode started", "review completed")
  • Device type and operating system (without unique ID)
  • App version

We do not collect IP addresses in PostHog and do not use tracking cookies. The legal basis is GDPR Art. 6(1)(f) (legitimate interest in product improvement).

You can opt out of analytics at any time in the app settings.

07Cookies and local storage

The app does not use cookies. Authentication is handled via Supabase tokens, which are stored securely in device storage (MMKV).

This website does not use marketing or tracking cookies. Only technically necessary cookies are used for the website to function (e.g. session management by Vercel).

08Rights of data subjects

Under the GDPR, you have the following rights:

Right of access (GDPR Art. 15)

You may request information about the personal data we have stored about you.

Right to rectification (GDPR Art. 16)

You may request the correction of inaccurate data.

Right to erasure (GDPR Art. 17)

You may delete your account and all associated data. Account deletion is available directly in the app under Profile > Delete account.

Right to restriction (GDPR Art. 18)

You may request the restriction of the processing of your data.

Right to data portability (GDPR Art. 20)

You may receive your data in a structured, commonly used format.

Right to object (GDPR Art. 21)

You may at any time object to processing of your data based on legitimate interest.

To exercise your rights, please contact datenschutz@getlewe.com. You also have the right to lodge a complaint with a data protection supervisory authority.

09Data security

We use extensive technical and organizational measures to protect your data:

  • HTTPS: all connections between app, website and server are SSL/TLS-encrypted.
  • Row Level Security: database access is restricted at the user level.
  • Password hashing: passwords are hashed with bcrypt and never stored in plain text.
  • Encrypted local storage: MMKV encrypts all local data on the device.
  • Authenticated API calls: every server request requires a valid authentication token.

10Changes to this Privacy Policy

We reserve the right to update this Privacy Policy to adapt it to changed legal requirements or changes to our service. In the event of significant changes, we will notify you via the app or by email. The current version is always available on this page.

11Contact

For questions about data protection or to exercise your rights, you can reach us at:

Email: datenschutz@getlewe.com

This is a translation provided for convenience. The legally binding version is the German original available at /de/privacy.