Legal

Privacy Policy

Effective date: April 2, 2026

This policy explains what personal data SagaDeutsch collects, how we use it (including AI-powered services), where it is stored, and your rights. We keep it plain.

1. Who We Are

Data Controller

SagaDeutsch is operated as an independent platform. For the purposes of applicable data protection law, SagaDeutsch is the data controller responsible for your personal data. Our primary place of operation is Nepal.

Contact

For any privacy-related questions, requests, or complaints, email us at [email protected].

2. Information We Collect

Account Information

When you register, we collect your full name and email address. Your password is stored only as a bcrypt hash; we never store or transmit your password in plain text.

Profile & Subscription Data

We store your subscription plan, access levels (CEFR levels permitted), account status, and any admin-applied overrides. When paid subscriptions are enabled, we collect billing name and address. We do not store raw payment card numbers; those are handled exclusively by our payment processor.

Exam & Usage Data

We record your exam attempts, submitted answers, scores, section-level performance, and timestamps. This data is core to the service: it powers your progress history and score breakdowns. We also log which exam passages (including listening passages) you have accessed.

Device & Technical Data

We collect standard server-side logs: IP address, browser type and version, device type, operating system, referring URL, and pages visited. Each authenticated session is tracked with a device identifier and session token to enforce device limits and support remote logout.

Communications

If you contact us by email or subscribe to our newsletter, we retain that correspondence and your email address. Newsletter subscriptions are opt-in and can be withdrawn at any time.

Cookies & Session Tokens

We use HTTP-only cookies or local storage to hold your authentication token (JWT). No third-party advertising or tracking cookies are set. See Section 8 for full cookie details.

3. AI Services & Automated Processing

AI-Generated Audio Content

Listening exam passages on SagaDeutsch are narrated using AI text-to-speech (TTS) technology. We use Microsoft Azure Cognitive Services (via the edge-tts library, which accesses Microsoft's Neural TTS API) to synthesise German-language audio. We also use Amazon Polly (Amazon Web Services) as an alternative TTS provider. When audio is generated, the passage text is sent to these services to produce an audio file, which is then stored on our infrastructure. No personal data about you as a user is transmitted to TTS providers during this process.

No Automated Decision-Making About You

SagaDeutsch does not use AI or automated systems to make legally significant decisions about individual users (e.g. approvals, denials, profiling for targeted advertising). Exam scoring is rules-based, not AI-evaluated. You are not subject to automated profiling that produces legal or similarly significant effects.

Future AI Features

If we introduce AI features that process your personal data (e.g. AI-generated feedback on written answers), we will update this policy before launch and obtain any required consent.

5. How We Use Your Information

To Provide and Operate the Service

Authenticate you, display your exam history and scores, enforce subscription access levels, manage device session limits, and deliver listening exam audio.

To Improve the Platform

Aggregated, anonymised usage patterns (e.g. which exam sections have high error rates) inform our content and feature decisions. Individual exam responses are not shared externally for this purpose.

To Communicate with You

Transactional emails: account confirmation, password reset, subscription receipts. Educational newsletters: only if you opted in. We do not sell your email address or use it for third-party marketing.

To Ensure Security

Log data and session records are used to detect abuse, enforce device limits, and investigate security incidents.

To Comply with Law

We may process or retain data to meet legal obligations, respond to lawful requests from authorities, or enforce our Terms of Service.

6. Data Sharing & Third-Party Services

We Do Not Sell Your Data

SagaDeutsch does not sell, rent, or trade your personal data to any third party for commercial purposes.

Infrastructure: Amazon Web Services (AWS)

Our backend application and database run on AWS EC2 in the ap-south-1 region (Mumbai, India). Your account data and exam history are stored in this region. AWS acts as a data processor under our instructions. AWS is certified under ISO 27001 and SOC 2.

Frontend Hosting: Vercel

The SagaDeutsch web application is served via Vercel's global edge network. Vercel may process request logs (IP address, headers) as part of routing. Vercel's infrastructure is distributed globally. See Vercel's privacy policy for details.

Media Storage: Cloudflare R2

Audio files for listening passages and other media are stored in Cloudflare R2 (Cloudflare's object storage). Files are served via Cloudflare's global CDN. Cloudflare acts as a data processor. No personal user data is stored in R2, only platform media content.

AI Audio: Microsoft Azure Cognitive Services

Listening passage text is sent to Microsoft's Neural TTS API to generate audio files. This is a one-time content-generation step during platform administration, not triggered by user actions. No user personal data is included in TTS requests. Microsoft's use of this data is governed by the Microsoft Azure Privacy Statement.

AI Audio: Amazon Polly

Amazon Polly (AWS) is used as an alternative TTS provider. Same conditions as above: passage text only, no user personal data transmitted.

Payment Processing

When paid subscriptions are active, payments are processed by a PCI-DSS Level 1 compliant payment processor (to be disclosed when activated). We receive a payment confirmation, billing name, and billing address. We never receive or store your full card number, CVV, or raw card data.

Legal Disclosures

We may disclose your information to law enforcement, courts, or regulatory authorities when required by applicable law, court order, or to protect the rights, property, or safety of SagaDeutsch, our users, or the public.

Business Transfers

If SagaDeutsch is acquired, merged, or its assets transferred, your personal data may be transferred as part of that transaction. We will notify you before your data is subject to a materially different privacy policy.

7. International Data Transfers

Where Your Data Is Processed

SagaDeutsch is operated from Nepal. Your data may be processed in the following locations: Nepal (operations), India/Mumbai (AWS ap-south-1: primary database and application), United States (Vercel edge, Cloudflare R2, Microsoft Azure TTS, Amazon Polly), and globally via Cloudflare's CDN network.

EEA & UK Users

If you are located in the European Economic Area (EEA) or United Kingdom, your personal data may be transferred to countries that do not have an EU adequacy decision. Where required, such transfers are carried out under Standard Contractual Clauses (SCCs) or rely on the adequacy frameworks of our sub-processors (e.g. AWS, Microsoft, Cloudflare maintain their own transfer mechanisms). By using SagaDeutsch, you acknowledge these transfers.

Safeguards

We select sub-processors that maintain industry-standard security certifications (ISO 27001, SOC 2 Type II) and comply with applicable data protection requirements.

8. Cookies & Tracking

Authentication Cookies / Local Storage

We store your JWT authentication token to keep you logged in between sessions. This is strictly necessary for the service to function.

Session Cookies

Temporary session data may be stored in browser session storage. These are deleted when you close your browser tab.

No Advertising or Tracking Cookies

We do not use Google Analytics, Facebook Pixel, or any third-party advertising or behavioural tracking cookies.

Do Not Track

We respect browser "Do Not Track" signals. Since we do not engage in cross-site tracking, enabling DNT does not change the behaviour of our Service.

9. Data Retention

Active Account Data

We retain your account data, exam history, and usage data for as long as your account is active or as needed to provide the Service.

Account Deletion

When you delete your account, we will remove your personal data (name, email, exam history, session records) within 30 days. Anonymised, aggregated data derived from your usage may be retained indefinitely as it can no longer identify you.

Billing Records

Financial transaction records (subscription payments, invoices) are retained for up to 7 years to comply with tax and accounting laws, even after account deletion.

Server Logs

Server access logs are retained for a maximum of 90 days for security and debugging purposes, then deleted.

10. Your Rights

Rights Under GDPR (EEA & UK Users)

You have the right to: (a) Access: obtain a copy of your personal data. (b) Rectification: correct inaccurate data. (c) Erasure: request deletion ('right to be forgotten') where no overriding legal basis applies. (d) Restriction: limit how we process your data. (e) Portability: receive your data in a structured, machine-readable format. (f) Object: object to processing based on legitimate interests. (g) Withdraw Consent: for processing based on consent (e.g. newsletter), at any time. (h) Lodge a Complaint: with your national data protection authority.

Rights Under CCPA (California Residents)

California residents have the right to: know what personal information is collected and how it is used; request deletion of personal information; opt out of the sale of personal information (we do not sell personal information); non-discrimination for exercising these rights.

How to Exercise Your Rights

Email [email protected] with your request. We will respond within 30 days. We may need to verify your identity before processing the request.

11. Children's Privacy

SagaDeutsch is not directed at children under the age of 16. We do not knowingly collect personal data from users under 16. If we become aware that a user under 16 has registered, we will delete their account and associated data. If you believe a child under 16 has provided us with personal data, contact us at [email protected].

12. Security

Measures We Take

HTTPS/TLS encryption for all data in transit; bcrypt password hashing; HTTP-only authentication tokens; session revocation via token blacklist; access-controlled infrastructure with environment separation; Cloudflare DDoS protection.

Limitations

No method of internet transmission or electronic storage is 100% secure. We cannot guarantee absolute security. We encourage you to use a strong, unique password and to log out of shared devices.

Data Breach Notification

In the event of a personal data breach that is likely to result in a high risk to your rights and freedoms, we will notify affected users and, where required by law (e.g. GDPR Art. 33/34), the relevant supervisory authority within 72 hours of becoming aware.

14. Changes to This Policy

We may update this Privacy Policy from time to time. We will revise the effective date at the top of this page. For material changes (e.g. new categories of data, new third-party processors, new purposes), we will notify you by email and/or a prominent in-app notice at least 14 days before the change takes effect. Continued use of the Service after the effective date constitutes acceptance of the updated policy.

15. Contact & Complaints

Contact Us

For any privacy questions, data requests, or concerns: [email protected]. We aim to respond within 5 business days.

EEA Supervisory Authority

If you are located in the EEA and believe we have not adequately addressed your concern, you have the right to lodge a complaint with your local data protection authority (e.g. the ICO in the UK, the CNIL in France, or the relevant DPA in your country).

Also see our Terms of Service. Questions? [email protected]
