Privacy Policy

Last updated: May 28, 2026

This Privacy Policy describes what personal data AnyAccent collects, why we collect it, who else processes it, how long we keep it, and the rights you may exercise over it. It also identifies the boundary between data we control and data Paddle controls.

The data controller for service data is Guimin Zhou ("we", "us", "AnyAccent"). The data controller for payment data is Paddle (see §1 below). The "Service" means sandbox.anyaccent.com and the application at sandbox.anyaccent.com/h5.

Summary

Sign-in uses one-time codes sent by email. We do not store passwords.
Voice recordings are streamed to a third-party scoring provider, scored, and discarded on our side. We retain the numeric scores; we do not retain the raw audio. We do not process voice recordings for biometric identification purposes; they do not constitute special category data under Article 9 of the GDPR.
Payment card data is held by Paddle. We do not receive the full card number, CVV, full billing address, or BIN.
AI chat history is automatically deleted 7 to 30 days after creation, depending on your subscription tier.
We do not use advertising trackers or cross-site analytics, and we do not sell or rent personal data.
You can export or delete your account from Settings → Account. Requests not covered there may be sent to us by email.

1. Independent data controllers

Because AnyAccent uses Paddle as Merchant of Record, two parties process personal data about you, each as an independent data controller. Neither party acts as the other's processor in respect of this data.

AnyAccent controls service data. This includes your sign-in email, learning progress, AI chat content, subscription tier, and the billing metadata Paddle returns to us so that the application can display a billing screen. The categories are detailed in §2.
Paddle controls payment data. This includes the full card number, CVV, BIN, fraud-risk score, and the precise billing address used to calculate the invoice and applicable taxes. Paddle's processing is governed by Paddle's privacy policy . We do not receive this data.

Practical consequence: privacy requests relating to service data should be sent to us; privacy requests relating to payment data should be sent to Paddle. If a request is addressed to the wrong party, we will redirect it and confirm.

A defined set of metadata flows from Paddle to us so that the application can display a billing screen — the masked card brand, the last four digits of the card, the billing country (used only for tax display), the subscription state, and the invoice IDs. We are the controller for that data on our side. It is the only payment-adjacent data we hold.

2. Categories of personal data we collect

Account data. Your email address, an optional display name, and the timestamp of account creation.
Practice and progress data. Pronunciation scores, phoneme-level diagnoses, lesson progress, streaks, statistics, and in-application preferences (target language, accent, AI tone, AI verbosity level).
Voice recordings. Short audio clips recorded at your request. These are streamed to a third-party scoring provider, scored, and discarded on our side. The resulting numeric scores are retained. Voice recordings are not used for biometric identification and do not constitute special category data under Article 9 of the GDPR.
AI chat content. Text submitted to the chat, word lookup, translation, or word-detail features, and the replies returned. Retained for the window applicable to your tier (between 7 and 30 days) and then deleted automatically.
Billing metadata received from Paddle. Subscription state (tier, cycle, renewal date), masked card brand and last four digits, billing country for tax display, and invoice IDs.
Device and log data. IP address, user agent, browser identifiers, timestamps, request paths, security events, and rate-limit triggers. Voice content is never written to logs.
Cookies and local storage. A limited set of strictly necessary cookies, including your sign-in session, an anti-CSRF token, and your theme preference. We do not use advertising cookies, and we do not embed third-party trackers that fingerprint users across sites.

3. Purposes and lawful bases for processing

Under the GDPR and UK GDPR, we rely on the following lawful bases:

Performance of a contract (Art. 6(1)(b)) — to provide the Service: score recordings, generate AI replies, synchronise progress, and render billing information.
Legitimate interests (Art. 6(1)(f)) — to secure the Service, prevent abuse, debug, monitor service health, and perform aggregated analytics on feature use. We balance these interests against your rights and collect only what is proportionate.
Legal obligation (Art. 6(1)(c)) — to comply with tax, accounting, and consumer-protection law (the tax-data side is handled by Paddle as Merchant of Record), and to respond to lawful requests from authorities.
Consent (Art. 6(1)(a)) — where we ask for it explicitly, such as the browser microphone permission required to record voice samples. Consent may be withdrawn at any time; withdrawal does not affect the lawfulness of processing conducted prior to withdrawal.

Other consumer- and data-protection laws applicable in your jurisdiction may impose additional notice, consent, or access requirements. The standards described on this page are designed to meet or exceed the GDPR, UK GDPR, and CCPA standards.

4. Recipients of personal data

We do not sell or rent personal data. To operate the Service we engage a limited set of third parties, identified below by their legal role.

Independent data controllers — these parties hold a direct relationship with you under their own privacy policy:

Paddle.com Market Ltd — Merchant of Record; processes payment data and tax-relevant data. See Paddle's privacy policy .

Sub-processors — these parties process service data on our instructions only, pursuant to a data-processing agreement. Current vendor identities in each category are available on request.

Speech-evaluation provider — receives audio streams for pronunciation scoring. Audio is processed transiently and is not retained by us.
LLM providers — used for chat, word lookup, translation, and feedback. Routing depends on tier and feature. We do not opt user data into model training. Where enterprise plans with bounded retention and training opt-out are available, we use those plans.
Transactional email provider — delivers sign-in codes, billing receipts, and service announcements.
CDN and edge-security provider — content delivery, DNS, DDoS protection, and bot mitigation. Receives request metadata such as IP address and headers.
Cloud hosting provider — application servers and database. The data-centre region is selected to minimise cross-border data flow where practical.

We disclose data to public authorities only where legally required, or where necessary to protect the rights, safety, and property of AnyAccent, our users, or others. Voice recordings and chat content are not disclosed to parties outside this list except where compelled by valid legal process.

5. International data transfers

Our sub-processors operate in multiple jurisdictions, including the United States and the European Economic Area. Where personal data is transferred out of the EEA or the UK, we rely on the European Commission's Standard Contractual Clauses (and the UK International Data Transfer Addendum where applicable) and apply additional safeguards where required. A copy of the applicable clauses is available on request to support@anyaccent.com.

6. Retention periods

Voice recordings: not retained on our servers after scoring (typically processed within seconds).
Pronunciation scores and practice history: retained while the account is active; deleted within 90 days of account deletion (sooner on request).
AI chat history: retained for the window applicable to your tier (7 to 30 days), then deleted automatically by a scheduled job.
Account and billing metadata: retained while the account exists, then archived as required by tax and accounting law (up to 7 years in certain jurisdictions). Paddle retains the underlying tax records under its own retention policy.
Security logs: retained for up to 90 days for incident investigation, then deleted.

7. Your rights

Depending on the jurisdiction in which you reside, the following rights apply to the personal data we hold about you:

Access — to receive a copy of the personal data we hold about you.
Rectification — to correct data that is inaccurate or incomplete.
Erasure — to request deletion, subject to lawful retention obligations.
Restriction — to pause processing during a dispute.
Portability — to receive your data in a structured, machine-readable format.
Objection — to object to processing based on legitimate interests, including profiling.
Withdraw consent — where processing relies on consent (for example, microphone access), to withdraw consent at any time.
Lodge a complaint — to file a complaint with the supervisory authority of your country (for example, the UK ICO, the Irish DPC, the data-protection authority of your EU country of residence, or the equivalent authority in other jurisdictions).

Several of these rights can be exercised directly from the application: Settings → Account → Export data and Settings → Account → Delete account. For requests not covered by those flows, write to support@anyaccent.com. We respond within 30 days (the GDPR / UK GDPR response window) and may request identity verification before disclosing or modifying data.

For payment data held by Paddle — including the full card number, full billing address, and fraud-risk data — the request must be directed to Paddle, which is the controller for that data. Use the contact route in Paddle's privacy policy . If a request is sent to us, we will forward it and confirm.

8. California residents (CCPA / CPRA)

In addition to the rights listed above, California residents have the right to know what categories of personal information we collect and the purposes for which we use it (see §2 and §3), the right to access and delete personal information, the right to correct inaccurate information, the right to limit the use of sensitive personal information, and the right not to face discrimination for exercising any of these rights.

We do not sell or share personal information as those terms are defined in the CCPA and CPRA, and we do not use personal information for cross-context behavioural advertising. Requests may be sent to support@anyaccent.com.

9. Children

The Service is not directed to children under the age of 13 (or under 16 in jurisdictions that require it). We do not knowingly collect personal data from children below that age. If you believe a child has provided personal data to us, contact support@anyaccent.com and we will delete it.

10. Security

We apply technical and organisational measures appropriate to the risk, including TLS in transit, passwordless sign-in by one-time code, scoped backend access, encryption at rest for primary data stores, regular dependency patching, and incident logging. No system is perfectly secure; if we become aware of a security incident that materially affects your data, we will notify you and the relevant authorities as required by law.

Payment-card security is administered by Paddle under its PCI-DSS compliance regime. Because we never handle raw card data, our systems are not in scope for PCI-DSS and do not hold information that would be.

11. Cookies and local storage

We use a limited set of strictly necessary cookies and local-storage entries to operate the Service, including your sign-in session, an anti-CSRF token, and your theme preference. We do not use advertising cookies, and we do not embed third-party trackers on the marketing site. If we introduce an analytics tool, we will select one that does not fingerprint users across sites and will update this policy in advance.

12. Additional disclosures for AI features

When you use AI features (chat, lookup, translation, word-detail cards), your input is transmitted to one or more LLM providers listed in §4 to generate the reply. We do not opt your data into model training. Providers may retain prompts and outputs for a limited period for abuse detection in accordance with their own policies. Where enterprise plans with bounded retention and training opt-out are available, we use those plans.

Outputs are practice feedback only; see Terms §5 for the related disclaimer.

13. Changes to this Privacy Policy

We may update this Privacy Policy from time to time. The "Last updated" date at the top of the page reflects the current version. For changes that materially affect your rights or our processing of your data, we will give advance notice by email or in-app banner where reasonably possible. Continued use of the Service after the change takes effect constitutes acceptance of the updated policy.

14. Contact

Privacy questions, data-subject requests under the GDPR, UK GDPR, or CCPA, and any other concern about how we handle your personal data may be sent to support@anyaccent.com. Marking the subject line with "Privacy" or "GDPR" helps with routing. The data controller for service data is named in the opening of this Policy; the independent controller for payment data is Paddle — see §1 for the boundary and for Paddle's contact route.