Privacy Policy
Effective date: 29 May 2026 Last updated: 29 June 2026
This Privacy Policy explains how Well Made Apps Limited, a New Zealand company (NZBN 9429053777782) ("we", "us", "our"), the operator of the Well Versed app, collects, uses, stores, and shares your personal information when you use the Well Versed voice-based language-practice app and website ("the Service").
We treat personal information in accordance with the Privacy Act 2020 and its thirteen Information Privacy Principles. If you'd like to read the plain-English overview of those principles, the Office of the Privacy Commissioner has a useful summary at https://privacy.org.nz/.
1. Information we collect
We collect three groups of personal information.
a. Account and profile information
What it is:
- Your email address (collected at sign-up).
- A display name you choose for the tutor to use.
- A securely hashed copy of your password if you signed up with email. Stored by our authentication provider; we never see your plaintext password.
- The language you're learning, your self-assessed CEFR level, your preferred tutor for that language, and any tutor directives you've added in Settings.
Where it's collected: directly from you when you sign up or change Settings.
Why we collect it: to identify you across devices, send you account emails (verification, password reset), and tailor the conversation to the language and level you're practising.
b. Conversation data
What it is:
- The audio of your voice during a practice session, while the session is live. Audio is streamed in real time to our processing partners (see below) and is not stored by us after the session ends.
- The transcribed text of what you said during the session, produced by our transcription partner and the conversation model.
- The text of what the tutor said during the session.
- Derived analytics generated by an automated analysis after each session: vocabulary you've used, grammar patterns you find difficult ("weak areas"), broad topics you've discussed, and a short list of personal facts you've mentioned to the tutor (e.g. "likes cricket"). These are stored to make future sessions adapt to you.
Where it's collected: from your microphone via the in-app session, with your explicit permission to use the microphone.
Why we collect it: the live audio is the conversation itself. The transcripts let you re-read your past conversations and let the tutor remember context. The derived analytics shape future sessions so the tutor doesn't keep repeating things you already know.
We do not sell, rent, or share your conversation data with anyone outside the processing chain described below. We do not use your conversations to train AI models that we sell or share, and the AI providers in our processing chain (listed below) have committed not to use your conversations or transcripts to train their own models.
c. Technical and diagnostic data
What it is:
- Device and app information: device type, operating system version, app version, screen size, and similar non-identifying technical context.
- IP address at the time of each request to our server.
- Logs of requests to our server (timestamp, route, HTTP status, duration, and a learner identifier).
- Crash reports and error events sent to our error-tracking service when something goes wrong in the app or server. These can include a stack trace and the surrounding context of the error.
Where it's collected: automatically when you use the app.
Why we collect it: to keep the Service running, diagnose problems, and defend against abuse.
2. How we use your information
We use the information described above to:
- Provide the Service — let you sign in, run conversations, store your learner profile, and show you your session history.
- Personalise the conversation — the tutor uses your profile, language, level, and recent topics to shape what it says next, so it doesn't repeat itself or pitch at the wrong level.
- Improve the Service — diagnose bugs and crashes, understand which features are used, plan changes. This is done at an aggregate level using technical and diagnostic data; we don't single out individual conversations for analysis except where you've asked us to help with a problem.
- Communicate with you about your account — for example, email verification at sign-up, password reset, or important changes to the Service or to this Privacy Policy.
- Protect the Service against fraud, abuse, and security incidents — for example, rate-limiting suspicious traffic.
- Comply with NZ law — including legitimate requests from law-enforcement, where we're legally required to respond.
We do not use your information for advertising. We do not run ads, and we don't share data with advertising networks.
3. Who processes your information (sub-processors)
To run the Service we use a small set of external service providers. Each one only sees the information needed to do its job. None of them are authorised to use your information for their own purposes outside the agreement they have with us.
| Provider | Role | Data they see | Where they process |
|---|---|---|---|
| Supabase, Inc. | Authentication, primary database, storage | Email, password hash, display name, profile, transcripts, derived analytics | Multi-region; we use a US-hosted project |
| Google LLC (Gemini Live API and Gemini Flash text models) | Live conversation processing and post-session analysis | Live audio of your voice during the session; conversation text; learner profile context | US |
| ElevenLabs Inc. (Scribe v2) | User-side transcription of your spoken turns | Per-turn audio of your voice during the session | US |
| Daily.co | Real-time WebRTC media transport between your device and our bot | Live audio of your voice during the session (in transit) | US-hosted media servers |
| Fly.io, Inc. | Server hosting | The server-side processing of any of the above | Sydney region |
| Sentry | Crash and error reporting | Stack traces, error context, device info, IP address | EU or US, depending on routing |
Because these providers operate in countries other than New Zealand, using the Service involves your personal information being processed outside New Zealand. We rely on each provider's published commitments (including, where applicable, the EU Standard Contractual Clauses, SOC 2, ISO 27001, and similar frameworks) as the safeguard for the overseas processing required by Information Privacy Principle 12.
If we add, change, or remove a sub-processor we'll update this list and note the change in the "Last updated" date.
4. How long we keep your information
- Account and profile information is kept for as long as your account exists.
- Conversation transcripts and derived analytics are kept for as long as your account exists, unless you delete individual sessions or your account. (We intend to introduce a configurable retention window for transcripts; until then "for as long as your account exists" is the operating default.)
- Live audio is processed in real time and is not retained by us after the session ends. Our processing partners may retain audio briefly for their own operational reasons in line with their own privacy commitments.
- Technical logs and crash reports are kept for up to 90 days at the hosting and error-tracking layers, after which they are automatically rotated out.
- Backups may persist for a limited period after deletion before being overwritten in the normal course of operation.
When you delete your account, we remove your account and profile information, your transcripts, your derived analytics, and your tutor directives from our active systems. We may keep limited records of the fact that an account was deleted for a short period for audit and security purposes.
5. Your rights
Under the Privacy Act 2020 you have the right to:
- Access the personal information we hold about you.
- Correct information you think is wrong.
- Delete your account and the personal information attached to it, using the "Delete account" option in the in-app Settings screen.
- Withdraw consent to non-essential processing, where we're relying on your consent — typically by deleting your account.
If you can't do something via the in-app controls, or want a copy of the information we hold in a portable format, get in touch using the contact details below.
If you believe we've mishandled your personal information and we can't resolve the issue with you directly, you can complain to the Office of the Privacy Commissioner at https://privacy.org.nz/contact-us/.
6. Security
We protect your information using:
- HTTPS / TLS for all traffic between the app and our server, and between our server and our sub-processors.
- Encrypted storage at rest at the database and storage layers, managed by our hosting providers.
- Authentication using industry-standard mechanisms (Supabase Auth), including password hashing with bcrypt-style algorithms; we never see or store your plaintext password.
- Server-side authorisation using verified JSON Web Tokens — every authenticated request is checked against your user identity before the server returns data, so one user can't access another user's records.
- Operational controls on who can access production systems, limited to a very small number of people.
No system is perfectly secure. We can't guarantee that information transmitted to or stored by us is safe from all unauthorised access, but we work to apply industry-standard practices appropriate to the sensitivity of the data we hold.
If we discover a privacy breach that is likely to cause serious harm, we will notify you and the Office of the Privacy Commissioner as required under the Privacy Act 2020.
7. Children
Well Versed is not for users under 16. We don't knowingly collect personal information from anyone under 16, and we don't permit children to create accounts. If you become aware that a child has provided us with personal information, please contact us and we'll delete it.
8. Cookies and similar technologies (web app)
Our web app uses cookies and similar browser storage to:
- Keep you signed in across visits (authentication tokens).
- Remember small preferences like the active language.
We do not use cookies for advertising or for cross-site tracking, and we don't load third-party analytics scripts that profile you across the web.
The mobile app doesn't use cookies; the equivalent is local secure storage of your authentication token, which never leaves the device.
9. AI-generated content
Conversations with the tutor are generated by an AI system. AI can be wrong, can hallucinate facts, and can occasionally produce inappropriate output despite our safeguards. The Terms of Service explain this in more detail under "The AI tutor — important limits". Don't rely on AI-generated content for anything that matters — health, legal, financial, immigration, or safety-critical decisions — without independently verifying it.
10. Changes to this Privacy Policy
We may update this Privacy Policy from time to time. The "Last updated" date at the top of the document shows when the policy was last changed. For material changes (for example, adding a new sub-processor, or changing what we collect), we'll notify you by email and/or an in-app notice with at least seven days' notice where reasonably possible.
11. Contact
If you have questions about this Privacy Policy, want to exercise any of the rights described above, or want to raise a privacy concern:
Privacy Officer, Well Made Apps Limited (Well Versed) — contact@wellversedlearning.com