DuoAccentDuoAccent

Legal

Privacy Policy

Effective 2026-06-30

DuoAccent ("we," "us," or "our") is operated by Savy Surge. This Privacy Policy explains how we collect, use, share, and safeguard your personal information when you use our accent training platform, including our website at duoaccent.com and our mobile application (collectively, "the Service").

A note on voice data. Our app records your voice to power accent scoring and coaching. This policy explains what happens to your recordings. Please read Sections 3 and 4 before using the Service.

This policy covers users worldwide and addresses requirements under the EU/UK General Data Protection Regulation (GDPR), the California Consumer Privacy Act and California Privacy Rights Act (CCPA/CPRA), and the Illinois Biometric Information Privacy Act (BIPA). Privacy enquiries: bash@duoaccent.com. Legal matters: bash@duoaccent.com.

1. What Data We Collect

Account and Identity

When you create an account, we collect your email address, display name, authentication provider (Apple, Google, or email link), native language, professional role, and target accent preference. When you sign in with Apple or Google, those providers share limited profile data with us (name, email, account identifier); Apple may supply a private relay email address.

Voice and Audio Recordings

We handle several types of audio through the Service.

  • Practice-drill audio — recordings you make during accent drills are transmitted over TLS to our pronunciation-scoring engine, scored, and immediately discarded. Only numeric scores and phoneme analysis are retained, linked to your account.
  • Demo audio (unauthenticated, duoaccent.com/demo) — same scoring pipeline; audio discarded after scoring. Only an anonymous numeric result and a rate-limiting device identifier are retained.
  • Baseline recording (captured during onboarding) — stored in Firebase Cloud Storage. Used as your benchmark for progress comparison and in-app playback. Retained as described in Section 7.
  • Check-in recordings (periodic progress recordings) — stored in Firebase Cloud Storage. The raw audio is also sent to third-party AI and speech-analysis service providers for check-in scoring and coaching text generation (see Section 3). Retained as described in Section 7.

Voice as sensitive data. In some jurisdictions — including the EU (GDPR Art. 9, Recital 51), Illinois (BIPA), and Texas (CUBI) — voice recordings used to evaluate or compare an individual's speech characteristics may be classified as biometric data. We treat your stored audio (baseline and check-in) as sensitive personal data and apply the corresponding protections described in this policy.

Pronunciation Scores and Coaching Analysis

For each drill and check-in, we retain: overall accent score (0–100), clarity and phoneme-level subscores, syllable- and word-level accuracy, coach-generated feedback text, speaking rate and duration metrics, and the recognized transcript. These are the persistent output of ephemeral scoring audio and power your progress timeline and coaching screens.

Progress and Gamification

Practice history and session metadata, XP totals and weekly XP (used for leaderboard ranking), streak length and streak-freeze balance, achievements, drill mastery per topic, and tier/sound unlock status.

Subscription and Payment Status

Subscription tier (free or Pro), subscription status, relevant dates (purchase, expiration, renewal), and the product identifier linked to your subscription. We do not store full payment card numbers, bank account details, or full payment transaction data — these are handled exclusively by Apple App Store, Google Play Store, RevenueCat, and Dodo Payments.

Device and Technical Information

Platform (iOS or Android), OS version, app version, Expo push notification token (for drill reminders), and a randomized installation identifier (generated on first launch, stored in device secure storage — not linked to Apple/Google device IDs) used for demo rate-limiting and multi-device detection.

Product Analytics and Error Monitoring

Anonymized event data (screen views, drill completions, paywall interactions, feature adoption) via PostHog — product analytics only, not used for advertising (see Section 6). Diagnostic stack traces and breadcrumbs via Sentry; email addresses are masked before transmission.

2. How We Use Your Data

We use the information we collect for the following purposes. Each lists the GDPR legal basis where applicable.

  • Provide pronunciation scoring and feedback (drill audio, scores, phoneme analysis) — performance of contract, Art. 6(1)(b).
  • Store baseline and check-in recordings for progress tracking and playbackconsent, Art. 6(1)(a) + Art. 9(2)(a) (biometric/sensitive data). You may withdraw this consent at any time (see Section 8).
  • Generate coaching text and check-in scoring via AI (third-party AI and speech-analysis service providers — service delivery) — performance of contract, Art. 6(1)(b). See Section 3.
  • Personalize your training based on your language, role, target accent, and practice history — performance of contract, Art. 6(1)(b).
  • Account authentication and security performance of contract, Art. 6(1)(b).
  • Leaderboard and gamification legitimate interests, Art. 6(1)(f). You may use a pseudonym.
  • Subscription management and entitlement performance of contract, Art. 6(1)(b).
  • Push notifications and email reminders consent, Art. 6(1)(a). You can opt out at any time.
  • Product analytics and service improvement (PostHog event data, analytics-only — not for advertising) — legitimate interests, Art. 6(1)(f).
  • Error monitoring and reliability (Sentry) — legitimate interests, Art. 6(1)(f).
  • Legal compliance and fraud prevention legal obligation / legitimate interests, Art. 6(1)(c)/(f).
  • Use your voice to develop and improve our models consent, Art. 6(1)(a). By accepting our Terms of Service and using the Service, you consent to this use as described in Section 4.

3. AI Processing of Your Voice

Audio you submit through the Service is processed to deliver pronunciation scoring and coaching. Practice-drill audio and demo audio are processed by our proprietary speech-analysis engine for pronunciation and phoneme-level scoring; audio is discarded by the scoring engine after scoring is complete.

For certain features — including coaching text generation and check-in scoring — audio may additionally be sent to and processed by third-party AI and speech-analysis service providers. These providers receive your audio as necessary to deliver these features. Audio transmitted to third-party AI and speech-analysis providers may be retained and used by those providers in accordance with their own terms and policies, which we do not control. The legal basis for this service-delivery processing is performance of contract (GDPR Art. 6(1)(b)).

No OpenAI or Whisper client-side integrations are used in the live Service.

4. Use of Your Voice to Improve Our Models

By creating an account, accepting our Terms of Service, and using the Service, you consent to our using your voice recordings — including baseline recordings and periodic check-in recordings — to provide and improve the Service, including to develop, train, and improve our speech and accent models. Your recordings may be used by us and by the third-party AI and speech-analysis service providers we engage to train current and future pronunciation-scoring and accent-recognition models.

Illinois BIPA and Texas CUBI notice

For Illinois and Texas residents: this consent also serves as the written release required by the Illinois Biometric Information Privacy Act (BIPA §15(b)) and the Texas Capture or Use of Biometric Identifier Act (CUBI), naming the data (voice recording), the purpose (model development and improvement by DuoAccent and its service providers), and the retention described in Section 7.

Withdrawal of consent

You may withdraw consent for model-training use and request deletion of your stored voice recordings at any time by emailing bash@duoaccent.com. Withdrawal stops all future training use and triggers deletion of stored recording files. We cannot remove your voice from models already trained, as individual recordings cannot be extracted once training is complete (this limitation is recognised by data-protection regulators, provided the stored raw file is deleted on request).

5. Sub-Processors and International Data Transfers

We share data only with the service providers listed below, under contracts that restrict use to the stated purpose. Approximately 18 sub-processors are active; the principal ones are listed here.

Core Infrastructure

  • Google Firebase (Auth, Firestore, Cloud Storage) — Authentication, primary database, stored audio files (baseline + check-in recordings), push tokens, leaderboard. Region: United States. DPA: Google Cloud Data Processing Addendum (incorporating SCCs for EEA/UK transfers).
  • Self-Hosted Pronunciation Scoring Engine — Pronunciation and phoneme-level scoring. Receives audio buffer (drill recordings, ephemeral, discarded after scoring), expected text, phoneme targets, uid, and session metadata. Audio is not retained by the scoring engine. Overflow capacity may be served via a cloud-based failover endpoint; the same ephemeral audio handling applies.

AI and Coaching

  • Third-party AI and speech-analysis service providers — Coaching text generation, check-in scoring, and related speech analysis. These providers receive audio recordings as necessary to deliver these features. Audio transmitted to these providers may be retained and used by them pursuant to their own terms and policies.

Payments and Subscriptions

  • RevenueCat, Inc. — Native in-app purchase management (Apple StoreKit for iOS; Google Play Billing for Android), subscription events, entitlement logic, and purchase validation. Receives subscription events, product identifiers, transaction tokens from Apple/Google stores, uid, and entitlement dates. Region: United States.
  • Dodo Payments — Web checkout and subscription management for browser users. Card data is PCI-DSS compliant and not transmitted to us; we receive only transaction confirmations and subscription status.
  • Apple App Store / Google Play Store — iOS and Android app distribution and in-app purchase receipt processing.

Analytics, Monitoring, and Communications

  • PostHog, Inc. — Product analytics: funnel tracking, screen views, drill engagement, feature adoption, retention cohorts. Receives event names, anonymous properties, uid, device ID, app version. No audio, no payment data. Region: United States (us.i.posthog.com). DPA: PostHog DPA (SCCs for EEA/UK).
  • Sentry, Inc. — Error tracking and performance monitoring. Stack traces, breadcrumbs, device information; email addresses masked before transmission. Region: United States or EU.
  • Resend, Inc. — Transactional email (onboarding, reminders). Receives recipient email address and display name. Region: United States.
  • Expo — Push notification delivery (drill reminders, streak milestones). Receives Expo-format push tokens and notification message body. Region: Google Cloud multi-region.
  • Upstash (managed Redis) — Distributed rate limiting. Receives uid, IP address, request timestamps. All data is ephemeral (TTL-keyed buckets; no persistent user profiles in Redis).

Personal data is not transferred to countries without an adequacy decision or appropriate safeguards. Transfers to the US are covered by the applicable Standard Contractual Clauses (SCCs) incorporated in each provider's DPA or by the provider's EU–US Data Privacy Framework certification.

6. Data Sharing

We do not sell your personal data to third parties. We do not share personal information for cross-context behavioral advertising. No advertising-network SDK is used in the app or on the website (no Google Ads, no Meta Pixel, no AppsFlyer, no Adjust).

PostHog receives pseudonymous product-analytics event data to help us understand how the app is used and improve it. This is analytics for our own internal product understanding — not data brokering or ad targeting. California residents: we do not "share" personal information for cross-context behavioral advertising under CPRA §1798.140(ah); no opt-out link is required or provided for this purpose.

We share your data in the following circumstances:

  • With sub-processors as described in Section 5, under contracts that restrict their use to the stated purpose.
  • On the leaderboard — your display name, weekly XP, league tier, rank, and current streak length are visible to other users in your league. You may use a pseudonym as your display name.
  • For legal compliance — if required by a valid court order, subpoena, or government request; to enforce our Terms; or to protect the safety of our users or others. We will notify you of such requests where legally permitted.
  • In a corporate transaction — if DuoAccent is acquired, merged, or its assets are sold, your data may be transferred to the successor entity, subject to the same commitments in this policy. We will notify you before transfer.

7. Data Retention

We retain your information, including voice recordings, for as long as we consider reasonably necessary to provide and improve the Service and for our legitimate business purposes. We may retain and use voice recordings — including after account closure — to develop and improve our speech and accent models.

Financial records may be retained for longer periods as required by applicable law. Aggregated, irreversibly de-identified analytics data may be retained indefinitely.

To request deletion of your personal data or voice recordings, email bash@duoaccent.com. Requests are processed manually.

8. Your Rights

GDPR Rights (EEA and UK Users)

  • Access (Art. 15): Request a copy of all personal data we hold about you, including scores, coaching data, and stored audio files.
  • Rectification (Art. 16): Request correction of inaccurate or incomplete personal data.
  • Erasure (Art. 17): Request deletion of your personal data. This covers baseline audio, check-in audio, scores, coaching data, and your account profile. For voice recordings used for model training, email us to request erasure — we will delete the stored raw files and stop future training use (we cannot extract your voice from model weights already trained). Residual anonymised analytics cannot be individually deleted. Financial records required by law will be retained for the applicable statutory period.
  • Restrict processing (Art. 18): Request that we pause processing during a dispute about accuracy.
  • Portability (Art. 20): Receive your personal data in a structured, commonly used, machine-readable format (JSON), for data processed on a consent or contract basis.
  • Object (Art. 21): Object to processing based on legitimate interests (e.g., product analytics). We will cease unless we demonstrate compelling legitimate grounds.
  • Withdraw consent (Art. 7): Withdraw consent for consent-based processing — including model-training use of your voice recordings — at any time by emailing bash@duoaccent.com. Withdrawal does not affect the lawfulness of past processing.
  • Lodge a complaint: UK: Information Commissioner's Office (ico.org.uk). EEA: your national supervisory authority (edpb.europa.eu).

We respond to verified GDPR requests within 30 days, extendable by a further 60 days for complex requests with notice.

CCPA / CPRA Rights (California Residents)

  • Right to know: Request disclosure of categories and specific pieces of personal information we collect, use, or disclose. You may request this once per 12-month period.
  • Right to delete: Request deletion of personal information, subject to legal exceptions.
  • Right to correct: Request correction of inaccurate personal information.
  • Right to opt out of sale or sharing: We do not sell personal information and do not share it for cross-context behavioral advertising. No opt-out is required or provided for this purpose.
  • Right to limit use of sensitive personal information: Voice recordings are sensitive personal information under CPRA §1798.121. To limit use to what is necessary to perform the Service, email bash@duoaccent.com with the subject "CCPA — Limit Sensitive PI."
  • Non-discrimination: We will not deny service, charge a different price, or provide a lower quality of service because you exercised any of the above rights.

Submit CCPA requests to bash@duoaccent.com with the subject "CCPA Privacy Request." We respond within 45 days, extendable by a further 45 days with notice.

Illinois BIPA and Texas CUBI

If you are an Illinois or Texas resident, your baseline and check-in voice recordings may constitute biometric identifiers or biometric information under Illinois 740 ILCS 14/ and Texas Bus. & Com. Code Ch. 503. We will not sell, lease, trade, or profit from your biometric data. We will not disclose it except to the sub-processors described in Section 5 who operate the Service. You may request deletion of biometric data at any time by emailing bash@duoaccent.com. This policy constitutes our public biometric data retention schedule as required by BIPA §15(a).

How to Exercise Your Rights

Email bash@duoaccent.com with your registered email address and the nature of your request. We may ask for additional information to verify your identity before processing. For verified deletion or erasure requests, we will confirm completion in writing. Manual processing is our current mechanism; response times are as stated above.

9. Children's Privacy

DuoAccent is designed for adult professionals and is not directed to children. The Service is listed on Google Play for an audience of adults (18+) and is not enrolled in the Families program. We do not knowingly collect personal data from any person under 13 (the COPPA threshold in the United States) or under 16 (the GDPR threshold in most EEA member states).

If we discover we have inadvertently collected data from a user under 13, we will delete it promptly. If you are a parent or guardian and believe we have collected data from a child under 13, please contact us at bash@duoaccent.com.

10. Security

We implement appropriate technical and organisational measures to protect your personal information, including:

  • All data in transit encrypted using TLS 1.2 or higher.
  • Firebase Cloud Storage and Firestore data encrypted at rest by Google (AES-256).
  • Audio files in Firebase Storage protected by Firebase Security Rules — accessible only to authenticated requests presenting your account credentials.
  • API endpoints require a valid Firebase Auth JWT for all authenticated routes.
  • Rate limiting (Upstash Redis) applied to scoring and recording endpoints to prevent abuse.
  • Sentry error reports strip email addresses via a beforeSend filter before transmission.
  • Production secrets managed via environment variables; not stored in source code.
  • Access to production infrastructure restricted to authorised personnel.

No security system is perfectly impenetrable. In the event of a personal data breach that poses a risk to your rights, we will notify you and, where required, the relevant supervisory authority, within 72 hours of becoming aware.

11. Changes to This Policy

We may update this Privacy Policy from time to time. For material changes — including any new uses of personal data, new categories of data, or new sub-processors — we will:

  • Post the updated policy at duoaccent.com/privacy with a new effective date.
  • Send an email notification to all registered users at least 14 days before the change takes effect.
  • Display an in-app notice on your next login.

For changes that materially affect how we process your voice data, we will seek fresh consent as required by applicable law rather than relying solely on notice of change.

12. Contact

If you have any questions, concerns, or rights requests regarding this Privacy Policy or our data practices, please contact us at:

Savy Surge — Privacy Team

Privacy enquiries & rights requests: bash@duoaccent.com

Legal matters: bash@duoaccent.com

Website: duoaccent.com

Governing law: India.

EU/UK supervisory authority contacts: UK Information Commissioner's Office (ico.org.uk); EEA national authorities directory (edpb.europa.eu).