Privacy Policy

1. Who We Are (Data Controller)

NexSpeak is a language learning platform operated by Javier Wilfrido Garcia Goyes, a sole trader registered in the United Kingdom, trading as NexSpeak.

We are registered as a Data Controller with the UK Information Commissioner's Office (ICO) under the Data Protection Act 2018 and UK GDPR.

Data Controller: Javier Wilfrido Garcia Goyes (trading as NexSpeak)

Registered address: 60 Tottenham Court Road, Office 1203, Fitzrovia, London W1T 2EW, United Kingdom

ICO Registration No.: 00013746096

Email: [email protected]

2. What Data We Collect

We collect the following categories of personal data:

  • Account information: Name, email address, and profile picture (when provided via Google or email authentication).
  • Learning progress: Stories read, chunks learned, XP earned, SRS flashcard data, and session history.
  • Payment data: Subscription status and billing history. Payment card details are processed directly by Stripe and never stored on our servers.
  • Usage data: Information about how you interact with the audio player, stories, and learning tools.
  • Device information: Browser type, operating system, and general device characteristics (for compatibility and performance purposes).
  • Communications: Messages you send us via email or support channels.

3. How We Use Your Data

Your data is used to provide and improve the NexSpeak service:

  • Providing and personalising your language learning experience.
  • Synchronising your learning progress across devices.
  • Processing payments and managing your subscription.
  • Sending account-related communications (receipts, important updates).
  • Providing customer support.
  • Analysing usage trends to improve our content library and learning method.
  • Complying with our legal obligations.

4. Lawful Basis for Processing

We process your personal data on the following lawful bases under UK GDPR:

  • Contract (Art. 6(1)(b)): Processing your account and learning data to deliver the service you signed up for.
  • Legitimate interests (Art. 6(1)(f)): Analysing usage to improve the platform; fraud prevention and security.
  • Legal obligation (Art. 6(1)(c)): Retaining financial records as required by UK tax law.
  • Consent (Art. 6(1)(a)): Analytics data, where applicable. You may withdraw consent at any time.

5. Data Processors & Third Parties

We share data with the following processors, each bound by their own privacy policies and data processing agreements:

Supabase — Database and authentication. Stores your account information and learning progress. Hosted on EU infrastructure.

Stripe — Payment processing. Handles all subscription payments and billing. PCI DSS Level 1 certified. Stripe stores payment card data; we never do.

ElevenLabs — Audio synthesis. Generates the British English voice audio used in our stories and learning content.

Cloudflare — Content delivery network (CDN). Serves audio files via audio.nexspeak.com. No personal data is shared beyond what is technically necessary for delivery.

Plausible Analytics — Website analytics. Cookieless and privacy-friendly. No personal data or IP addresses are stored. Hosted on EU servers.

6. International Transfers

Some of our processors (including Stripe, ElevenLabs, and Cloudflare) are based in the United States. When personal data is transferred outside the UK, we ensure appropriate safeguards are in place, including:

  • Standard Contractual Clauses (SCCs) approved by the UK Information Commissioner's Office.
  • Adequacy regulations under the UK GDPR framework.
  • Processor-specific certifications (e.g. Stripe's PCI DSS compliance).

7. Data Retention

We retain your personal data only for as long as necessary, in accordance with the UK GDPR principle of storage limitation (Article 5(1)(e)):

  • Account and learning data (email, name, learning progress, XP, session history): Retained while your account is active. If your account has had no login activity for 24 consecutive months, we will anonymise or delete your personal information. You may request deletion at any time — see Your Rights below.
  • Financial records (subscription history, payment amounts and dates): Retained for 6 years from the date of each transaction, as required by HMRC for Sole Trader tax records. After 24 months of inactivity, identifying personal data linked to these records (such as your name and email) is removed; only anonymised transaction data is kept for legal compliance.
  • Support communications: Retained for up to 2 years after your request is resolved.
  • Security and access logs: Retained for up to 12 months.

8. Data Security

We implement industry-standard security measures including Row-Level Security (RLS) via Supabase (PostgreSQL), HTTPS encryption on all connections, secure authentication, and access controls. Your data is accessible only by you and authorised NexSpeak systems.

9. Cookies

NexSpeak uses a minimal cookie approach:

  • Essential session cookies: Required for authentication and to keep you logged in. Cannot be disabled without breaking the service.
  • Analytics: We use Plausible Analytics, which is cookieless and does not track you across websites.

We do not use advertising cookies or third-party tracking pixels.

10. Your UK GDPR Rights

Under UK GDPR, you have the following rights:

  • Right of access (SAR): Request a copy of the personal data we hold about you.
  • Right to rectification: Request correction of inaccurate or incomplete data.
  • Right to erasure: Request deletion of your personal data (“right to be forgotten”). See our dedicated Data Deletion page for the full procedure, including how to delete your account and what data is retained for legal reasons.
  • Right to restriction: Request that we limit how we process your data.
  • Right to data portability: Receive your data in a structured, machine-readable format.
  • Right to object: Object to processing based on legitimate interests.
  • Rights related to automated decision-making: Not to be subject to solely automated decisions that significantly affect you.
  • Right to withdraw consent: Where processing is based on consent, you may withdraw it at any time.

To exercise any of these rights, contact us at [email protected]. We will respond within 30 days.

You also have the right to lodge a complaint with the ICO: ico.org.uk/make-a-complaint

11. Changes to This Policy

We may update this Privacy Policy from time to time. When we make significant changes, we will notify you by email or via a notice within the app. The “Last Updated” date below always reflects the most recent version.

12. Contact

Data Controller: Javier Wilfrido Garcia Goyes (trading as NexSpeak)

Address: 60 Tottenham Court Road, Office 1203, Fitzrovia, London W1T 2EW, United Kingdom

ICO Registration No.: 00013746096

Email: 

NexSpeak™ is a trade mark of Javier Wilfrido Garcia Goyes (UK Trade Mark Application No. UK00004369436, Classes 9 and 41). Published 24 April 2026 by the UK Intellectual Property Office.

Last Updated: 5 May 2026