PRIVACY POLICY

Privacy Policy

Last updated · 2026-04-27

EN ES

Who we are

Helburu is a learning app for AI fluency, run by Alejandro Bilbao as a sole-founder operation based in Madrid, Spain. This policy explains what we collect, why, and the rights you have under the EU General Data Protection Regulation (GDPR) and equivalent UK / Spanish law.

What we collect

We keep the data set small on purpose. Everything below is stored against your account so the app can do its job — there is no advertising, no resale, no third-party data brokering.

• Email address — for sign-in (magic link).
• Anonymous user id (uid) generated by Firebase Auth.
• Language preference (English / Spanish).
• Role (e.g. PM, engineer) and learning track — used to target your daily brief.
• Lesson activity: which questions you saw, your answers, and how long they took. We use this to compute streak, XP, accuracy, and to avoid repeating questions.
• Device push token — only when you opt in to notifications. We can revoke it at any time from Settings.
• Timezone — to schedule the daily brief at your local hour.
• Subscription state (Premium yes/no) — provided by RevenueCat / Apple / Google when you subscribe.
• Crash + error logs — only the technical detail (stack trace, OS version), no message contents.

What we do NOT collect

Helburu does not collect contacts, calendar, location (GPS), photos, microphone audio, biometrics, or any health data. We do not track you across other apps and we do not use the iOS Identifier for Advertisers (IDFA).

Why we collect it (legal basis)

Under GDPR Article 6, our legal bases are: (1) performance of contract — we need this data to provide the lessons + tracking you signed up for; (2) consent — push notifications are opt-in via the OS prompt; (3) legitimate interest — diagnostic logs to keep the app working.

Where the data lives

All Firestore + Cloud Functions data is hosted in Google Cloud's europe-west1 region (Belgium). Authentication is handled by Firebase Auth (Google). Subscription state is mirrored from Apple / Google / RevenueCat. We do not maintain our own servers.

Subprocessors

We rely on the following GDPR-compliant providers:

• Google Firebase (Auth, Firestore, Functions, Cloud Messaging) — Google Ireland Ltd.
• Sentry (crash + error reporting) — Functional Software Inc., USA, under Standard Contractual Clauses, EU data region.
• RevenueCat (subscription state) — RevenueCat Inc., USA, under Standard Contractual Clauses.
• Apple App Store / Google Play (in-app purchases) — Apple Distribution International / Google Ireland Ltd.

How long we keep it

We keep your account data for as long as your account exists. Lesson attempts and aggregates are pruned after 24 months of inactivity. Anonymous exit-survey responses (collected when you delete your account) are retained as aggregate counts only — no uid.

Your rights (GDPR Art. 15–22)

You have the right to:

• Access — get a copy of the data we hold about you.
• Rectification — correct any inaccurate data.
• Erasure — delete your account from Settings → Account → Delete account, or by emailing us. The wipe is immediate and irreversible.
• Restriction — ask us to pause processing while a complaint is being reviewed.
• Portability — receive your activity data in a machine-readable format.
• Objection — object to processing based on legitimate interest.
• Withdraw consent — at any time, without affecting prior lawful processing.
• Lodge a complaint with your local supervisory authority (in Spain: Agencia Española de Protección de Datos, www.aepd.es).

Children

Helburu is intended for users aged 16 and older. We do not knowingly collect data from children under that age. If you believe we have, contact us and we will delete the account.

Changes to this policy

If we change anything material — new data type, new subprocessor, expanded retention — we will surface a one-time notice in the app before the change takes effect, with the new effective date.