Privacy Policy
1. Introduction
This Privacy Policy explains how HelloStello, LLC ("HelloStello," "we," "us," or "our"), a California limited liability company, collects, uses, shares, and protects personal information when you access or use the HelloStello mobile application and any related services, websites, and features (collectively, the "Service").
By creating a HelloStello account, downloading the HelloStello mobile application, or otherwise using the Service, you agree to the practices described in this Privacy Policy. If you do not agree, do not use the Service.
This Privacy Policy is incorporated by reference into our Terms and Conditions. Capitalized terms not defined here have the meanings given in the Terms and Conditions.
2. About HelloStello
HelloStello is a vocabulary-learning mobile application that helps users build language vocabulary through customizable flashcards, quizzes, and spaced-repetition study sessions. The initial release supports English speakers learning Spanish; additional language pairs may be added over time. Cards are generated using third-party artificial intelligence services in response to user-supplied prompts and the user's selected proficiency level.
HelloStello is operated by HelloStello, LLC, a California limited liability company. Our contact information appears at the end of this Privacy Policy.
3. Information We Collect
We collect the following categories of information when you use the Service.
3.1 Information You Provide to Us
Account information. When you create a HelloStello account, we collect:
- Your name (or the display name you choose)
- Your email address
- Your age (used to verify you meet the minimum-age requirement — see Section 10)
- Your password (stored only as a salted cryptographic hash; we cannot view the original)
- Your authentication provider (for example, Sign in with Apple), if you use one
Onboarding preferences. During onboarding you tell us:
- Your learning goal (for example, Travel, Work, Culture, Heritage, Polyglot)
- Your self-reported Spanish proficiency level (Absolute Beginner, Beginner, Intermediate, or Advanced)
- Your daily card-review goal
- Whether you want daily push-notification reminders
- Whether you want to enable HelloStello's gamification features (points, daily streaks, daily-goal celebrations). You may opt in or out of gamification at onboarding and may change your preference at any time from the in-app Profile screen. If you opt out, your engagement with cards is still recorded as described elsewhere in this Policy, but we do not award points or surface streak or goal-celebration UI to you.
Profile changes. You may update any of the above from the in-app Profile screen. Old values are not retained beyond what is required for our audit log (see Section 8).
User-submitted prompts and content. When you use the Deck Builder, the +Card tool, or the Enhance feature you submit natural-language text (for example, "I'm watching Stranger Things in Spanish" or the single word "injury"). We refer to all such text and any other content you submit, post, or upload as "User Content."
Support communications. If you contact us for support or feedback, we collect the contents of your communication, your email address, and any attachments.
3.2 Information Generated as You Use the Service
Study activity. Cards reviewed, decks built, quiz answers, points earned, daily streaks, daily-goal hits, Enhance sessions used, monthly-limit counters, and the timestamps of these events.
Generated content. Cards and decks that the AI generates in response to your prompts. These remain associated with your account until you delete them.
Device and technical information. Information about the device you use to access the Service, including:
- Device model and operating-system version (for example, iPhone 15 Pro, iOS 18.4)
- HelloStello app version and build identifier
- Approximate IP-address-derived location (country and region only; we do not collect precise GPS location)
- Time zone, language, and locale settings
- Diagnostic and crash data
- The Apple Push Notification service (APNs) token used to send you push notifications, if you have enabled them
Cookies and similar technologies. The HelloStello mobile application does not use traditional browser cookies. The application may use Apple's standard advertising identifier (IDFA) only if you affirmatively grant permission via the iOS App Tracking Transparency prompt, and only when and if we begin to support advertising (see Section 6).
3.3 Information from Third Parties
If you sign in using a third-party identity provider (for example, Sign in with Apple), we receive limited account-identification information from that provider in accordance with the permissions you grant. We do not receive your password from any third-party identity provider.
4. How We Use Your Information
We use the information described above for the following purposes.
To provide the Service. Create and maintain your account; generate, store, and synchronize your decks and cards; track your study progress and points; deliver the daily-reminder notification (if enabled); enforce monthly-usage limits; and otherwise operate the Service.
To process your prompts using AI. When you submit a prompt through Deck Builder, +Card, or Enhance, we send the prompt and limited contextual data (your selected proficiency level and target language pair) to our AI provider so that vocabulary cards can be generated. See Section 6.2 for details.
To improve the Service. We analyze aggregated and de-identified usage patterns to understand how the Service is used, debug issues, evaluate content quality (for example, identifying cards that are frequently removed), and inform future feature development.
To audit content for quality and policy compliance. HelloStello-authorized auditors may review randomly or thematically sampled cards to confirm translation accuracy, sentence quality, and compliance with our content policies (including our Copyright and Obscenity filters). Audit activity is logged.
To communicate with you. We may send you transactional communications (account confirmations, password resets, security notices, changes to legal terms), support replies, and — if you opt in — daily-reminder push notifications and optional product announcements. You can disable optional notifications at any time from the Profile screen or from your device's notification settings.
To enforce our Terms and protect the Service. Detect and prevent fraud, abuse, security incidents, violations of our Terms and Conditions, and harmful or unlawful activity. Investigate and respond to legal claims and government requests.
To comply with law. Comply with our legal obligations, including age-verification, tax, accounting, and recordkeeping requirements.
For new purposes only with notice. We will not use personal information for materially different purposes than those described in this Privacy Policy without first updating this document and, where required by law, obtaining your consent.
5. Legal Bases for Processing (EU / UK Users)
If you are located in the European Economic Area, the United Kingdom, or another jurisdiction with similar privacy laws, the legal bases on which we rely to process your personal data are:
- Performance of a contract (Art. 6(1)(b) GDPR) — creating and operating your account; generating cards; processing your prompts to deliver the Service you requested.
- Legitimate interests (Art. 6(1)(f) GDPR) — diagnostic, crash reporting, security, and fraud-prevention; auditing content quality; enforcing our Terms; product improvement; our interest in operating, securing, and improving the Service, balanced against your privacy rights.
- Consent (Art. 6(1)(a) GDPR), withdrawable at any time — sending optional product communications, displaying any advertising (if and when offered), and processing precise advertising identifiers (IDFA).
- Legal obligation (Art. 6(1)(c) GDPR) — verifying you meet the minimum-age requirement; complying with tax, audit, and other legal obligations.
You can withdraw consent at any time without affecting the lawfulness of any processing that occurred before withdrawal. Withdrawing consent for processing necessary to provide the Service may mean we can no longer provide some or all of the Service to you.
6. How We Share Information
We do not sell personal information. We share personal information only as described below.
6.1 Service Providers (Processors)
We use a small set of vendors to operate the Service. Each is contractually required to handle personal information only as instructed by us, only as necessary to perform their service, and to maintain appropriate security and confidentiality safeguards. As of the date above, our principal service providers are:
- Amazon Web Services, Inc. — cloud hosting, storage, and infrastructure (United States).
- Anthropic, PBC — artificial-intelligence services used to generate vocabulary cards from your prompts. See Section 6.2.
- Apple Inc. — application distribution, in-app purchase processing (when offered), Sign in with Apple, and the Apple Push Notification service. Apple's own privacy practices apply to information it processes; see Apple's privacy policy at apple.com/privacy.
- Diagnostic, error-monitoring, and analytics tools of the kind commonly used in mobile applications, scoped to operational and quality purposes.
- Customer-support tools for handling user inquiries.
A current list of categories of service providers and material changes will be reflected in updates to this Privacy Policy.
6.2 AI Provider — Anthropic
When you submit a prompt to the Deck Builder, +Card, or Enhance feature, we transmit the following to Anthropic, PBC for the purpose of generating Spanish-language vocabulary content:
- Your natural-language prompt text
- Your target language pair (currently English → Spanish)
- Your selected proficiency level
- Generation parameters (number of cards, target CEFR vocabulary range)
We do not transmit your name, email address, age, password, payment information, or your IP address to Anthropic. HelloStello has entered into a commercial agreement with Anthropic that restricts how prompts may be used (in particular, Anthropic does not use API submissions to train its general-purpose models). Anthropic's own privacy and processing practices apply to information once received; see Anthropic's privacy documentation at anthropic.com.
6.3 Other HelloStello Users
HelloStello is, in the MVP release, a single-user experience. We do not share your decks, cards, or personal information with other HelloStello users by default. If we add social, leaderboard, or community features in a future release, we will update this Privacy Policy and provide separate opt-in controls before any such sharing occurs.
6.4 Advertising Partners (When and If Offered)
Advertising is not active in the initial release of the Service. If and when we introduce advertising:
- We will update this Privacy Policy to identify the categories of advertising partners involved.
- We will not provide advertisers with your name, email address, or other directly identifying information.
- Any use of the Apple advertising identifier (IDFA) will be subject to your affirmative consent through the iOS App Tracking Transparency framework.
- You will be able to opt out of personalized advertising from the in-app Profile settings.
- We will not engage in any practice that constitutes a "sale" or "sharing for cross-context behavioral advertising" of personal information under the California Consumer Privacy Act without first providing a Do Not Sell or Share My Personal Information control.
6.5 Legal, Safety, and Business Transfers
We may disclose personal information when we believe in good faith that disclosure is necessary to:
- Comply with applicable laws, valid legal process (including subpoenas and court orders), or governmental requests;
- Enforce our Terms and Conditions and other agreements;
- Detect, prevent, or address fraud, security, or technical issues;
- Protect the rights, property, safety, or security of HelloStello, our users, or others; or
- Complete a merger, acquisition, financing, reorganization, bankruptcy, receivership, dissolution, or other transaction involving the sale or transfer of some or all of our business or assets, in which case personal information may be transferred to the successor entity, subject to the protections of this Privacy Policy or a successor policy that we will notify you about.
7. AI-Generated Content
You understand and acknowledge that HelloStello uses artificial intelligence to generate vocabulary cards, example sentences, fill-in-the-blank prompts, and synonym/antonym suggestions in response to user prompts. AI-generated content can be inaccurate, incomplete, or unsuitable for your particular learning goals. HelloStello applies automated Copyright and Obscenity filters, and conducts sampled human review of generated cards, but does not guarantee the accuracy of every card. Do not rely on HelloStello-generated content for medical, legal, professional, or safety-critical purposes. See also Section 7 of our Terms and Conditions.
8. Data Retention
We retain personal information for as long as your account is active or as needed to provide the Service, comply with our legal obligations, resolve disputes, and enforce our agreements. Specific retention practices:
- Account information is retained while your account is active and for up to 30 days after deletion to support recovery in case of accidental deletion. After 30 days, account information is permanently deleted, except as required by law.
- Prompts you submit are retained in their original form for up to 12 months, after which they are either deleted or fully de-identified. Aggregated cluster statistics may be retained indefinitely.
- Generated cards and decks that you save remain in your account until you delete them.
- Audit-log records of admin and auditor actions are retained for a minimum of 90 days for security and accountability purposes and may be retained longer where required by law or our legitimate business needs.
- Diagnostic and crash data is retained for up to 12 months, then de-identified or deleted.
You can delete your account at any time from Profile → Account → Delete account.
9. Your Rights and Choices
9.1 All Users
You can update your profile information, change your daily goal, toggle notifications, change your password, and delete your account from within the Service. You may also opt out of optional product communications from within the Service or by following the unsubscribe link in any such message.
9.2 EU, UK, and Similar Jurisdictions (GDPR)
If you are located in the EU, UK, or another jurisdiction with similar privacy laws, you have the following rights subject to limited exceptions:
- Access — request a copy of the personal information we hold about you;
- Rectification — request that we correct inaccurate or incomplete information;
- Erasure ("right to be forgotten") — request that we delete your personal information;
- Restriction — request that we limit our processing of your personal information;
- Portability — request that we provide your personal information to you or another controller in a structured, commonly used, machine-readable format;
- Objection — object to our processing of your personal information based on legitimate interests, or for direct-marketing purposes;
- Withdraw consent — where we rely on your consent, you may withdraw it at any time;
- Lodge a complaint — with the data-protection authority in the EU member state where you live, work, or where the alleged infringement took place. In the UK, contact the Information Commissioner's Office (ico.org.uk).
To exercise these rights, contact us using the details in Section 15. We may need to verify your identity before responding to certain requests.
9.3 California Residents (CCPA / CPRA)
If you are a California resident, you have the following rights subject to limited exceptions:
- Right to know what categories and specific pieces of personal information we have collected about you, the categories of sources, the business purposes, and the categories of third parties with which we share it;
- Right to delete personal information we have collected from you;
- Right to correct inaccurate personal information;
- Right to opt out of sale or sharing for cross-context behavioral advertising — as of the date above, HelloStello does not sell or share personal information for cross-context behavioral advertising. If this changes, we will provide a Do Not Sell or Share My Personal Information link;
- Right to limit use of sensitive personal information — as of the date above, we do not use sensitive personal information for purposes that trigger the right to limit. If this changes we will provide a Limit the Use of My Sensitive Personal Information link;
- Right of non-discrimination — we will not discriminate against you for exercising your CCPA rights.
You may exercise these rights by contacting us using the details in Section 15. We may need to verify your identity before responding to certain requests. You may use an authorized agent; we will require written proof of authorization.
9.4 Other Jurisdictions
If you live in another jurisdiction (for example, Brazil, Canada, Virginia, Colorado, Connecticut, Utah, Texas), you may have similar rights under your local law. Contact us using the details in Section 15 and we will respond consistent with applicable law.
10. Children's Privacy
HelloStello is intended for users aged 13 and older. We do not knowingly collect personal information from children under 13. During account creation we ask you for your age and block account creation for any user who indicates they are under 13.
In certain European jurisdictions the digital age of consent is higher than 13 (for example, 14, 15, or 16 depending on the country). If you are between the local digital age of consent and 18 you may need verifiable parental or guardian consent to use the Service. We are working to expand support for parental consent flows; in the interim, if you are under the digital age of consent in your jurisdiction, do not use the Service.
If you are a parent or guardian and you believe that a child under 13 has provided personal information to us, please contact us using the details in Section 15 so we can delete the account and any associated information.
11. International Data Transfers
HelloStello, LLC is based in California, United States, and our principal service providers are located in the United States. If you access the Service from outside the United States, your personal information may be transferred to, processed, and stored in the United States or in any other country where HelloStello or our service providers operate. These jurisdictions may have data-protection laws different from those of your country.
Where required by law (for example, transfers of personal data from the EEA, UK, or Switzerland to the United States), we rely on appropriate safeguards such as the Standard Contractual Clauses approved by the European Commission, the UK International Data Transfer Addendum, and applicable derogations. You may request a copy of the safeguards used for a particular transfer by contacting us.
12. Security
We implement reasonable administrative, technical, and physical safeguards designed to protect personal information. These include encryption in transit (TLS) and at rest, salted-hash storage of passwords, role-based access controls for HelloStello personnel, audit logging of administrative actions, and two-factor authentication for HelloStello administrative users.
No system is perfectly secure. We cannot guarantee the absolute security of personal information, and you are responsible for keeping your password and authentication credentials confidential. If you believe your account has been compromised, contact us immediately.
13. Third-Party Links and Services
The Service may contain links to third-party websites, services, or content (for example, app-store listings, partner content, or — if and when advertising is introduced — sponsor links). This Privacy Policy does not apply to those third parties. We are not responsible for the privacy practices of any third party. Review the privacy policies of any third-party services you visit.
14. Changes to This Privacy Policy
We may update this Privacy Policy from time to time. When we do, we will:
- Update the Last Updated date at the top of this Policy;
- Post the revised Policy in the Service and on any public-facing site where the Policy is hosted; and
- If the changes are material, provide additional notice (for example, via email, an in-app notice, or a banner the next time you open the Service) before the changes take effect.
Your continued use of the Service after the updated Policy takes effect constitutes acceptance of the updated Policy.
15. Contact Us
For privacy questions, requests, or to exercise any rights described above:
HelloStello, LLC
Attn: Privacy
857 W Grand Ave
Oakland, California 94607
United States
Email: privacy@hellostello.app
Support: support@hellostello.app
If you are an EU or UK user and prefer to contact a representative in your region, please email us at the address above and we will direct your request appropriately. HelloStello will appoint an EU and a UK representative as required under Article 27 GDPR / UK GDPR before commencing material processing of EU or UK personal data; the representative's identity and contact information will be added to this section at that time.
End of Privacy Policy.