Privacy Policy – BandForge

Last updated: 2026-02-12
Version: 2.0

1. Who We Are

This Privacy Policy explains how your personal information is collected, used, and protected when you use BandForge (the “Service”).

BandForge is operated by IP Pavlushkin Alexander (Individual Entrepreneur, registered in the Kyrgyz Republic), trading as BandForge (“we”, “us”, or “BandForge”).

Website: linguo.me and ielts.linguo.me
Contact: support@linguo.me

We process your data in compliance with the EU General Data Protection Regulation (GDPR), the UK GDPR, and other applicable data protection laws.

2. Data We Collect

Account data

Name and email address (provided during registration)
Authentication method (email/password or Google OAuth)

Writing data

Essays, overview attempts, and drill responses you submit through the Service

Progress data

Skill map status and drill completion history
Session history and timestamps
Band score estimates generated by AI

Device and technical data

Browser type, operating system, screen size
IP address (for security and analytics)

Analytics data

Page views, clicks, scroll depth, session duration
Heatmaps and session replays (anonymised)
Collected via PostHog, Microsoft Clarity, and Google Analytics

Payment data

Payments are handled entirely by Paddle.com as our Merchant of Record
We do not collect, store, or have access to your credit card numbers, bank details, or other payment credentials
We receive payment confirmation from Paddle (transaction ID, payment status, and purchase date)

3. How We Use Your Data

We use your data to:

Provide the Service — process your writing submissions, generate AI feedback, track your skill progress, and deliver your personalised learning experience.
Improve the product — analyse usage patterns, identify areas where users struggle, and improve drills, feedback quality, and user experience.
Maintain security — detect abuse, prevent fraud, and protect the integrity of the Service.
Communicate with you — respond to support requests and send important service updates. We will only send marketing communications if you opt in.

4. AI Processing

Your writing submissions are sent to third-party AI providers for feedback generation (band score estimates, per-criterion analysis, suggestions for improvement).
We currently use services from OpenAI, Google (Gemini), and Anthropic, and may use additional providers (including self-hosted fine-tuned models) in the future. The specific provider used may vary by feature and over time.
Where available, we configure AI providers not to use your data for model training. For example, OpenAI’s API data usage policy states that API inputs and outputs are not used to train their models.
AI outputs may be inaccurate or incomplete. See our Terms of Service (Section 8: AI Disclaimer) for details.

5. Payment Processing

All payments are processed by Paddle.com Market Limited (“Paddle”) as our Merchant of Record.
Paddle collects and processes your payment information directly. We never see or store your payment details.
Paddle’s privacy policy: https://www.paddle.com/legal/privacy
Paddle’s buyer terms: https://www.paddle.com/legal/terms
For payment-related questions: https://paddle.net

6. Cookies

We use the following categories of cookies:

Essential cookies

Session management and authentication
These are necessary for the Service to function and cannot be disabled

Analytics cookies

PostHog — product analytics, feature usage tracking, and session replay. See PostHog Privacy Policy.
Microsoft Clarity — heatmaps, session replay, and behavioural analytics (first- and third-party cookies). See Microsoft Privacy Statement.
Google Analytics — page views, user flow, and aggregated usage statistics. See Google Privacy Policy.

Payment cookies

Paddle Checkout sets cookies for fraud prevention, payment flow, and session continuity. These are essential for completing purchases.

You can manage non-essential cookies via your browser settings or our cookie consent banner. Blocking analytics cookies will not affect the core functionality of the Service.

We process your personal data based on:

Legal basis	What it covers
Contract	Processing necessary to provide the Service you signed up for (account management, AI feedback, progress tracking)
Legitimate interests	Analytics, product improvement, security, and fraud prevention
Consent	Non-essential cookies (analytics), optional marketing communications
Legal obligation	Tax records and payment data retained as required by law

We share your data with the following third parties, solely for the purposes described:

Third party	Data shared	Purpose
OpenAI, Google (Gemini), Anthropic	Writing submissions (essays, drill responses)	AI feedback generation
Paddle	Payment information (collected directly by Paddle)	Payment processing, tax compliance
PostHog	Usage events, feature interactions, session replays	Product analytics
Microsoft Clarity	Anonymised usage data, session replays	Analytics, UX improvement
Google Analytics	Anonymised page view and event data	Analytics, traffic analysis

We do not sell your personal data. We do not share your data with advertisers or data brokers.

9. Infrastructure & Data Storage

Component	Provider	Region(s)
Application backend	Google Cloud Platform (Cloud Run)	Multi-region (US, EU, and/or Asia — may change)
Database	Neon (managed Postgres)	Multi-region (may change)
Frontend hosting	Cloudflare Pages	Global CDN
AI processing	OpenAI, Google (Gemini), Anthropic, and others	US and/or EU (varies by provider)
Analytics	PostHog	EU (PostHog Cloud EU)
Payments	Paddle	EU/UK

We may change hosting regions and providers as the Service scales. Your data may be processed in any of the regions listed above, or in additional regions in the future.

Where your data is transferred outside the UK or EU, transfers are protected by Standard Contractual Clauses (SCCs) and, where applicable, the UK International Data Transfer Addendum.

10. Data Retention

Data type	Retention period
Account data (name, email)	Kept while your account is active + 24 months after deletion
Writing samples and progress data	Kept while your account is active; deleted upon account deletion
Analytics data	12 months
Payment records	Retained as required by tax law (typically 7 years, managed by Paddle)
Backups	May retain data for up to 90 days after deletion

11. Your Rights

If you are in the UK or EU, you have the right to:

Access your personal data
Rectify inaccurate data
Erase your data (“right to be forgotten”)
Restrict processing in certain circumstances
Object to processing based on legitimate interests
Data portability — receive your data in a structured, machine-readable format

How to exercise your rights:

Account deletion is available directly in the app
For all other data requests, email support@linguo.me
We will respond within 30 days of receiving your request

You also have the right to lodge a complaint with a supervisory authority in your country of residence.

12. Children

The minimum age to use BandForge is 13 years old, aligned with OpenAI’s age requirements.
Users under 16 in the EU/UK require parental or guardian consent to use the Service.
If we learn that we have collected data from a child below the applicable age without proper consent, we will delete it promptly.

13. Security

We take reasonable measures to protect your data, including:

Encryption in transit (TLS/HTTPS) and at rest
Access controls and least-privilege principles
Regular security reviews

No system is 100% secure. If you become aware of a security vulnerability, please report it to support@linguo.me.

14. Changes to This Policy

We may update this Privacy Policy from time to time. The latest version will always be available at /privacy. If we make material changes, we will notify you via email or a prominent notice on the Service.

15. Contact

For any questions about this Privacy Policy or your personal data:

Email: support@linguo.me

Last updated: 2026-02-12