privacy, plainly

Progress data — which phrases you've engraved, session times, streak state, badges, personal bests — is written to local storage (AsyncStorage on iOS, localStorage on web). The app works fully offline and without an account.

Sign in on the web with email, or on iOS with Sign in with Apple. We create a row in our Supabase Postgres database keyed to your account id. That row holds: a generated display handle, your progress snapshot, your session log, your streak state, and any weekly-challenge badges you've earned. We use it to sync practice between devices and to rank weekly submissions.

Sign in with Apple relays a private email address to us — we never see your real Apple ID email unless you choose to share it. Deleting your account from the Profile screen issues a hard delete on the server within 24 hours.

If you join the beta tester list, we store the name, email, country, Vietnamese level, keyboard type, and follow-up consent you submit. We use this only to invite testers and ask product feedback questions. You can ask us to delete that entry at any time by emailing privacy@pengotype.com.

Premium billing runs through Stripe on the web and Apple In-App Purchase on iOS. We never see your card number. On our side we store only a subscription status flag (premium.tier) and, for web, a Stripe customer id.

• No third-party analytics. No Google Analytics, no Mixpanel, no Amplitude, no session-replay.
• No advertising. No tracking across apps or sites.
• No selling of data. Ever.
• No sensitive permissions. We never ask for location, microphone, camera, or contacts.

PengoType is rated for ages 4+ on the App Store and has no user-to-user communication. We do not knowingly collect data from users under 13 beyond the local device storage described above.

Data controller (Verantwortlicher i.S.v. Art. 4 Nr. 7 DSGVO) for everything described on this page is:

Tuan Anh Chu (Einzelgewerbe Tuano)
Hauptstr. 18, 03185 Peitz, Germany
privacy@pengotype.com · +49 1627 956367

Full Anbieterkennzeichnung is on /impressum. We don't have a designated DPO — solo operator, processing volume below the Art. 37 threshold.

• Local progress + offline use — no processing by us; data stays on your device. Outside DSGVO scope until you sign in.
• Account + cloud sync — Art. 6(1)(b) DSGVO, performance of the contract you opt into when you sign in. Without it we can't sync your streak between devices.
• Premium billing — Art. 6(1)(b) DSGVO (contract) for the subscription itself, plus Art. 6(1)(c) DSGVO (legal obligation) to retain invoices for tax records.
• Account confirmation + transactional emails — Art. 6(1)(b) DSGVO. We never send marketing emails, so no consent-based processing exists.
• Leaderboard submissions — Art. 6(1)(b) DSGVO when you choose to submit a race result with a handle.

We use a small set of vetted processors. Each one has a Data Processing Agreement (Art. 28 DSGVO) on file and transfers to non-EU countries are covered by EU Standard Contractual Clauses and/or the EU–US Data Privacy Framework.

• Supabase (Postgres + Auth) — account row, progress snapshot, leaderboard, badges. EU/US region depending on project, SCCs in place.
• Stripe (web payments) — Stripe Payments Europe Ltd. (Ireland) for EU customers; card data never reaches our servers.
• Apple — Sign in with Apple (Apple Distribution International Ltd., Ireland) and, when wired, In-App Purchase for iOS premium.
• Vercel (hosting) — serves the website + serverless functions. US-based; DPF-certified.
• Resend + AWS SES (transactional email) — sends confirmation and premium-welcome emails from contact.pengotype.com. DPF-certified.

• Account row + progress + badges — until you delete your account from the Profile screen. Hard-deleted on the server within 24 hours via cascade.
• Stripe invoices + subscription records — kept as long as German tax law requires (typically 10 years per §147 AO), even after account deletion. Held by Stripe; we only mirror the status flag.
• Email delivery logs at Resend/SES — 7-day rolling window for bounce + spam diagnostics, then aggregated.
• Server-side request logs at Vercel — 1 day for Hobby tier. No personally-identifiable content is logged.

Under Art. 15–22 DSGVO you can ask us to:

• Access the data we hold on you (Art. 15)
• Correct anything inaccurate (Art. 16)
• Delete it (Art. 17) — fastest path is the Delete Account button on the Profile screen
• Restrict processing (Art. 18)
• Export a portable copy (Art. 20)
• Object to processing (Art. 21)

Email privacy@pengotype.com and we'll respond within five business days.

You also have the right to lodge a complaint with a supervisory authority (Art. 77). Our competent authority is the Landesbeauftragte für den Datenschutz Brandenburg. You may also contact the supervisory authority of your EU member state of residence.

Providing data to us is voluntary — no contract is concluded without it, but the app itself works fully offline without an account.