Privacy Policy

Last updated: May 13, 2026

This is a translation for convenience. The legally binding version is the German one.

01 Controller

The controller within the meaning of the General Data Protection Regulation (GDPR) and other national data protection laws is:

Marouane Naghmouchi

c/o POSTFLEX PFX-158-132

Emsdettener Straße 10

48268 Greven

Germany

Email: kontakt@getasla.com

02 Overview of data processing

Asla is a learning app for Arabic heritage languages with a focus on the Tunisian dialect. We process only the data required to operate the app and provide your learning progress:

  • Account data: email address and — for email registration — encrypted password
  • Profile data: selected dialect, script preference, difficulty level, app language (DE/EN/FR)
  • Learning progress: vocabulary decks, review results, spaced-repetition parameters, accumulated XP, level
  • Technical data: device and connection data inevitably created when accessing our servers (e.g. IP address, timestamp)

We do not process special categories of personal data (Art. 9 GDPR).

03 Registration and authentication

Using the app requires a user account. Authentication is handled by Supabase Auth. The following sign-in methods are available:

  • Email and password: we store the email address and an encrypted password hash (bcrypt). The password itself is never visible to us.
  • Sign in with Apple (iOS): Apple sends us an identity token and — unless you choose "Hide My Email" — your email address. A private relay address is treated like a regular email.
  • Sign in with Google (iOS and Android): Google sends us an ID token, your email address and your public profile name.

Legal basis: Art. 6(1)(b) GDPR (performance of a contract).

04 Data processing during app use

While you use the app, we store your learning progress so you see the same state on all devices and your reviews are due at the right time. Specifically:

  • added vocabulary and decks
  • review outcomes (correct / incorrect / difficulty)
  • SRS intervals, easiness factors and next due dates
  • aggregated learning statistics (XP, level, streak)

These data are required to run the learning algorithm and display your individual progress. They are linked to your user account only and are not visible to other users. Legal basis: Art. 6(1)(b) GDPR.

05 Hosting and technical service providers

a) Database and backend (Supabase)

All personal data is stored in a PostgreSQL database operated by Supabase Inc. The servers are located in the AWS region eu-central-1 (Frankfurt, Germany). No transfers to third countries take place during normal operation.

We use Row Level Security (RLS), so each user can technically access only their own records. A Data Processing Agreement (Art. 28 GDPR) is in place with Supabase.

b) Authentication providers

When you use "Sign in with Apple" or "Sign in with Google", Apple or Google, respectively, receives the information that you are signing in to Asla. The privacy policies of Apple Inc. and Google LLC apply. Data transfers to the United States may occur; both providers have certified under the EU-US Data Privacy Framework.

c) Local storage on your device

On native devices (iOS, Android) non-personal settings (e.g. language choice, dismissed tutorial cards) are stored locally with the encrypted MMKV library. In the web browser we use localStorage for the same purpose. No tracking cookies are set.

06 Error monitoring (Sentry)

To detect and fix technical errors and crashes we use Sentry, operated by Functional Software, Inc. d/b/a Sentry, 45 Fremont Street, 8th Floor, San Francisco, CA 94105, USA. Processing runs on Sentry's EU infrastructure (de.sentry.io); event data is stored within the European Union.

What data is processed? When the app crashes or hits an unexpected error, an error report is sent to Sentry automatically. It contains:

  • technical information about the error (stack trace, error message, release version of the app)
  • device context (model, OS version, app version, language, free memory, battery level, network type, screen orientation)
  • a pseudonymous user identifier (the technical UUID of your Supabase account, without email or profile data)
  • paths within the app that led to the error and HTTP status codes (no request or response bodies)

What is not transmitted? Email address, name, chosen dialect, learning content, authentication tokens as well as cookie and authorization headers are technically removed before sending. In development builds of the app, Sentry is fully disabled.

IP address: When an error report reaches Sentry's servers, your IP address is necessarily present at the network level. We have configured Sentry not to actively store the IP address in the error report; brief server-side processing on ingest cannot be ruled out technically.

Legal basis: Art. 6(1)(f) GDPR. Our legitimate interest is the stability, security and functionality of the app. No processing for marketing, profiling or personalization purposes takes place.

Transfers to third countries: The parent company Functional Software, Inc. is based in the United States. Sentry is certified under the EU-US Data Privacy Framework; in addition, the Standard Contractual Clauses of the EU Commission apply. A Data Processing Agreement (Art. 28 GDPR) is in place with Sentry.

07 What we do NOT do

  • We use no third-party product analytics, advertising or personalization tools. The Sentry error monitoring described in the previous section does not process learning or profile data.
  • We display no advertising and share no data with ad networks.
  • We do not sell data to third parties.
  • We do not build profiles for marketing purposes.

08 Retention

We keep your data for as long as your user account exists. When you delete your account ("Profile → Delete account" in the app), all your personal data and learning progress are removed promptly and irrevocably. Statutory retention obligations remain unaffected.

09 Your rights

You have, at any time, the right to:

  • Access (Art. 15 GDPR) to your stored data
  • Rectification (Art. 16 GDPR) of inaccurate data
  • Erasure (Art. 17 GDPR) of your data
  • Restriction (Art. 18 GDPR) of processing
  • Data portability (Art. 20 GDPR) of your data
  • Objection (Art. 21 GDPR) to processing

You can exercise your rights at any time by emailing kontakt@getasla.com. You also have the right to lodge a complaint with a data protection authority (Art. 77 GDPR).

10 Data security

All traffic between app and server uses TLS-encrypted connections. Passwords are never stored in plain text. Database access is bound to the authenticated user identity through Row Level Security.

11 Changes to this Privacy Policy

We may adapt this policy when legal requirements change or we add new features. The current version is always at getasla.com/privacy. For material changes we will additionally notify you in the app.