Privacy Policy — MistakeLab

Last updated: 21 June 2026

This Privacy Policy explains what personal data MistakeLab (“the App”, “we”, “us”) collects, why, and what rights you have. We aim to keep this simple and honest.

1. Who is responsible

The data controller responsible for your personal data is:

MistakeLab is operated from Germany and is available worldwide. We process personal data in accordance with the EU General Data Protection Regulation (GDPR).

2. What MistakeLab does

MistakeLab is a language-learning app. You translate sentences from a language you speak into a language you are learning, and the App scores your translation and explains your mistakes. To do this, we process a small amount of your data, described below.

3. What data we collect

We deliberately keep this minimal. We collect:

• Your email address — only if you create an account. If you use the App as a guest, we do not collect your email.
• A guest identifier — when you first open the App we create an anonymous session so you can practise without signing up. This is a randomly generated identifier, not linked to your real identity.
• Your practice history — the sentences you were shown, your translation attempts, your scores, your rating, and your streaks. This is what lets the App track your progress and adapt difficulty.

When you submit a translation, your attempt is processed to generate a score and feedback (see Section 5). If speech-input features are offered and you choose to use them, the audio you record is sent to our transcription provider to convert it into text; we do not store that audio.

We do not collect payment information (the App is free), we do not use analytics or tracking tools, and we do not build advertising profiles.

4. Why we process it, and our legal basis

We process your data to provide the App’s core function — serving you exercises, scoring your translations, and saving your progress. Our legal basis is performance of a contract (Art. 6(1)(b) GDPR): processing this data is necessary to deliver the service you are using.

5. Who we share data with (sub-processors)

We use two service providers to run the App:

• Supabase — hosts our database, authentication, and backend. Your account data, practice history, and ratings are stored here. Our Supabase project is hosted in the European Union.
• OpenAI — provides the AI that scores your translations and writes your feedback. When you submit a translation, your attempt and the reference sentence are sent to OpenAI to be graded. If you use speech input, your audio is sent to OpenAI for transcription. OpenAI is based in the United States.

These providers act as our processors and may only use the data to provide their service to us.

6. International data transfers

Because OpenAI is based in the United States, some processing (translation grading, and transcription if you use speech input) involves transferring data outside the EU. These transfers are covered by the appropriate safeguards under GDPR, including the European Commission’s Standard Contractual Clauses. We send only what is needed to grade your translation — not your account identity.

7. How long we keep your data

We keep your account data and practice history for as long as your account exists, so your progress is preserved across devices. If you delete your account, your data is deleted (see Section 8). Guest data persists on your device session until you clear it or link an account.

8. Your rights

Under GDPR you have the right to:

• Access the data we hold about you.
• Export your data — the App provides a data export in JSON format.
• Delete your account and data — the App provides in-app account deletion, which removes your data from our systems.
• Correct inaccurate data.
• Object to or restrict certain processing.
• Lodge a complaint with a data protection supervisory authority. In Germany this is the Berlin Commissioner for Data Protection and Freedom of Information (Berliner Beauftragte für Datenschutz und Informationsfreiheit).

To exercise any right you can use the in-app tools or contact us at support@mistakelab.app.

9. Security

We use industry-standard measures to protect your data, including encrypted connections and access controls. Our API keys and credentials are held server-side and are never exposed to the App. No system is perfectly secure, but we take reasonable steps to protect your information.

10. Children

MistakeLab is intended for users aged 16 and over. We do not knowingly collect data from children under 16. If you believe a child has provided us with personal data, please contact us and we will delete it.

11. Changes to this policy

We may update this policy as the App evolves. When we make material changes, we will update the “Last updated” date above. Continued use of the App after changes means you accept the updated policy.

12. Contact

For any privacy question or request, contact: