HieroLingo collects only the data strictly necessary to provide the educational service. We do not sell your data to third parties. Data is protected through Firebase security services (Google LLC). You can request deletion of your data at any time.
Section 01
Data Controller
The Data Controller for personal data collected through the HieroLingo Application is:
| Field | Information |
|---|---|
| Name / Business name | [Insert controller's name] |
| Address | [Insert controller's address] |
| [Insert contact email] | |
| Application | HieroLingo (com.shadowings.HieroLingo) |
| Platforms | Android, iOS |
Pursuant to Art. 13 GDPR, the Data Controller is the entity that determines the purposes and means of processing users' personal data.
Section 02
Legal Basis for Processing
Processing of users' personal data takes place on the following legal grounds, pursuant to Art. 6 GDPR:
| Legal Basis | GDPR Art. | Application |
|---|---|---|
| Performance of a contract | Art. 6(1)(b) | Account management, progress synchronisation, provision of educational service |
| Legitimate interests | Art. 6(1)(f) | Aggregate analysis of App usage to improve the service (Firebase Analytics) |
| Consent | Art. 6(1)(a) | Personalised advertising via Google AdMob (where applicable) |
| Legal obligation | Art. 6(1)(c) | Compliance with applicable statutory obligations |
Section 03
Categories of Data Collected
The Application collects the following categories of data:
3.1 Data Voluntarily Provided by the User
- Email address: provided at the time of registration with an email/password account.
- Password: managed in hashed form exclusively by Firebase Authentication; the Controller has no access to passwords in plain text.
3.2 Data Automatically Generated by App Usage
- Educational progress data: stars earned per lesson (
stars), "perfect" lessons (perfect), explanations viewed (explanations), current chapter (chapter). - Gamification data: accumulated coins (
coins), available hearts (hearts), daily streak (strike), last open date (lastOpenDate) and last quiz date (lastQuizDate). - Personal preferences: favourite hieroglyphs (
favoriteHieros), favourite words (favoriteWords), character customisations for Alyn (alynColors) and Nilo (niloColors), selected language (language). - Tutorial status: tutorial completion (
tutorialDone).
3.3 Technical and Usage Data (Firebase Analytics)
- Anonymised unique device identifier (Firebase Instance ID).
- Operating system and device version.
- Installed App version.
- Usage event data: lesson start, quiz completion, hieroglyph viewing, vocabulary viewing, adding/removing favourites, character customisation, login/registration, tutorial start/completion, data reset.
- Parameters associated with events (e.g. lesson ID, score, chapter number, stat type).
3.4 Advertising Data (Google AdMob)
- Device advertising identifiers (Android Advertising ID / iOS IDFA), subject to User consent and device settings.
- Ad interaction data (impression, rewarded ad completion).
- Contextual and behavioural targeting data (managed entirely by Google LLC).
3.5 Data NOT Collected
The Application does not collect the following types of data:
- Precise geolocation data.
- Camera or microphone content.
- Phone book contacts.
- Banking or payment data (any in-app purchases are managed entirely by App Store / Google Play).
- Biometric data.
- Health data or special category data under Art. 9 GDPR.
Section 04
Purposes of Processing
Data collected is processed exclusively for the following purposes:
| Purpose | Description | Legal Basis |
|---|---|---|
| Service Provision | Account management, saving and synchronising educational progress across devices | Contract performance |
| Authentication | User identity verification via Firebase Authentication (email) | Contract performance |
| Cloud Synchronisation | Backup and restoration of progress on Firebase Firestore with intelligent data merging | Contract performance |
| Analysis & Improvement | Anonymised understanding of App usage patterns to improve content and user experience | Legitimate interests |
| Advertising | Displaying ads via Google AdMob, including rewarded ads for heart refills | Consent / Legitimate interests |
| Security & Anti-Fraud | Detection of abusive behaviour, bot usage, multiple accounts | Legitimate interests |
| Legal Compliance | Compliance with statutory obligations, responding to competent authority requests | Legal obligation |
Section 05
Firebase Authentication โ Identity Management
5.1 How It Works
The Application uses Firebase Authentication (Google LLC) for user identity management. The following sign-in method is supported:
- Email and password sign-in: Firebase Authentication manages account creation, secure password hashing and identity verification via JWT tokens.
5.2 Data Processed by Firebase Authentication
- Firebase UID (unique user identifier, associated with the registered email account).
- Email address (only for email/password registration).
- Password hash (managed exclusively by Firebase/Google, inaccessible to the Controller).
- JWT authentication tokens, automatically renewed.
- Access metadata: account creation date, date of last sign-in.
5.3 Security
Firebase Authentication implements protections against brute-force attacks, secure token usage and TLS-encrypted data transmission. The Controller has no access to user passwords in any form.
For detailed information on how Google handles authentication data: firebase.google.com/support/privacy
Section 06
Firebase Firestore โ Cloud Database
6.1 Synchronised Data
User progress is synchronised in real time to Firebase Firestore. The cloud document structure is as follows:
| Field | Type | Description |
|---|---|---|
stars | Map<String, Int> | Stars per lesson/quiz |
perfect | Set<String> | IDs of quizzes completed with "Perfect" |
explanations | Set<String> | Lessons whose explanations have been viewed |
coins | Int | Accumulated virtual coins |
strike | Int | Consecutive days of completed quiz |
hearts | Int | Available hearts |
chapter | Int | Current unlocked chapter |
lastOpenDate | Int | Date of last App open (numeric format) |
lastQuizDate | Int | Date of last completed quiz |
tutorialDone | Boolean? | Tutorial completion status |
alynColors | Map<String, Int> | Colour customisation for character Alyn |
niloColors | Map<String, Int> | Colour customisation for character Nilo |
favoriteHieros | Set<String> | Codes of favourite hieroglyphs |
favoriteWords | Set<String> | IDs of favourite vocabulary items |
language | String | Language selected by the User |
showStrikeCelebration | Boolean | Flag for streak celebration |
6.2 Access Structure
Firestore documents are structured in the users/{userId} collection, where userId corresponds to the User's Firebase UID. Access to documents is protected by Firebase Security Rules.
6.3 Offline Persistence
Firestore is configured with offline persistence (persistentCacheSettings), which stores a local copy of the document on the device to ensure data access without an internet connection.
Firebase Firestore stores data on Google Cloud servers, primarily in the United States and Europe. For location details: firebase.google.com/support/privacy
Section 07
Firebase Analytics โ Usage Analysis
7.1 How It Works
The Application uses Google Analytics for Firebase to collect aggregated and anonymised data on App usage. This data helps the Controller understand which features are most used and improve the learning experience.
7.2 Tracked Events
The App tracks the following custom events:
| Event | Parameters | Description |
|---|---|---|
start_lesson | lesson_id, chapter, level | Lesson started |
start_quiz | lesson_id, chapter, level | Quiz started |
quiz_completed | lesson_id, score, total, errors | Quiz completed |
word_viewed | word_id, meaning | Vocabulary item viewed |
hiero_viewed | hiero_id, unicode | Hieroglyph viewed |
favorite_toggled | word_id, is_favorite | Item added/removed from favourites |
character_customized | character, category, color_index | Character customised |
character_reset | character | Character customisation reset |
tutorial_started | โ | Tutorial started |
tutorial_completed | โ | Tutorial completed |
login | โ | Sign-in with registered account |
sign_up | โ | New account registration |
sign_out | โ | Account sign-out |
data_reset | โ | User data reset |
test_mode_toggled | enabled | Test mode enabled/disabled |
stat_clicked | stat_type | Profile stat clicked |
7.3 Anonymisation and Opt-Out
Google Analytics for Firebase anonymises user IP addresses. Users can disable analytics data collection through their device settings (Android: Settings โ Google โ Ads; iOS: Settings โ Privacy โ Advertising).
Analytics events do not contain directly identifying user information (name, email, etc.). Event parameters relate to App content (lesson ID, hieroglyph ID, scores).
Section 08
Google AdMob โ Advertising
8.1 How It Works
The Application integrates Google AdMob (Google LLC) for displaying advertisements. In particular, the App uses Rewarded Ads, which the User may optionally choose to watch in order to receive additional hearts.
8.2 Data Collected by AdMob
Google AdMob may collect the following data for ad personalisation:
- Device advertising identifier (GAID on Android, IDFA on iOS).
- IP address (anonymised).
- Device type, model, OS version.
- Approximate location (IP-based).
- App usage data relevant to advertising profiling.
8.3 User Controls
Users can limit personalised advertising through:
- Android: Settings โ Google โ Ads โ "Opt out of Ads Personalisation".
- iOS: Settings โ Privacy โ Advertising โ "Limit Ad Tracking".
- Google account settings: adssettings.google.com.
8.4 Google's Responsibility
Google LLC is an independent data controller for data collected through AdMob. For full information: policies.google.com/privacy.
Viewing rewarded ads is always voluntary. The User is never required to watch an ad and can use the App normally without doing so.
Section 09
Local Storage โ Jetpack DataStore
9.1 How It Works
The App uses Jetpack DataStore (Preferences DataStore) to store user data directly on the device in a secure and persistent manner. This technology is a modern and more robust alternative to SharedPreferences, based on Kotlin Coroutines and Flows.
9.2 Data Stored Locally
The same data synchronised to Firestore (see Section 6) is stored on the device, accessible offline. Local data includes:
- Educational progress (stars, perfect completions, viewed explanations).
- Gamification data (coins, hearts, streak, dates).
- Preferences (favourites, character colours, language).
- Tutorial status.
- Test mode flag (development only, not accessible in production).
9.3 Local Storage Security
Data stored via DataStore is accessible exclusively to the HieroLingo Application thanks to the application sandbox isolation of Android/iOS. Data is not accessible to other applications installed on the device.
9.4 Local Data Deletion
Locally stored data is automatically deleted in the event of:
- Uninstalling the Application from the device.
- Using the "Reset Data" function available in the App.
- Manually clearing App data from device settings.
Section 10
Data Retention
| Data Category | Storage Location | Retention Period |
|---|---|---|
| Firebase Authentication account data | Firebase/Google servers | Until account deletion at the User's request |
| User progress (Firestore) | Firebase/Google servers | Until account deletion at User's request or by the Controller |
| Local data (DataStore) | User's device | Until App uninstallation or manual reset |
| Analytics data (Firebase Analytics) | Google servers | Up to 14 months from event (Firebase Analytics default policy) |
| Advertising data (Google AdMob) | Google servers | According to Google LLC policies |
Users may request early deletion of all cloud data by contacting the Controller or using the reset function available in the App. Deletion will be carried out within 30 days of the request.
Section 11
International Data Transfers
User data may be transferred to and stored on servers located outside the European Economic Area (EEA), in particular in the United States of America, where Google LLC and its Firebase and AdMob services are headquartered.
Such transfers take place in compliance with the safeguards provided by the GDPR, in particular:
- Standard Contractual Clauses (SCCs) approved by the European Commission.
- EU-USA Data Privacy Framework (where applicable).
- Security certifications and measures adopted by Google LLC.
For information on the transfer safeguards implemented by Google: policies.google.com/privacy/frameworks.
Section 12
Your Rights as a Data Subject
Pursuant to Arts. 15โ22 GDPR, Users have the following rights with respect to the processing of their personal data:
12.1 How to Exercise Your Rights
To exercise your rights, you may:
- Contact the Controller at the email address indicated in Section 17.
- Use the data reset function in the App (for cloud data deletion).
- Uninstall the App (for local data deletion).
The Controller will respond within 30 days of receiving the request, unless an extension is reasonably required.
12.2 Right to Lodge a Complaint
You have the right to lodge a complaint with the Italian Data Protection Authority (Garante per la Protezione dei Dati Personali) (www.garanteprivacy.it) or the supervisory authority of your country of residence if you believe that the processing of your personal data violates the GDPR.
Section 13
Data Security
The Controller and data processors (Google LLC) implement appropriate technical and organisational measures to ensure data security, including:
- Encryption in transit: all communications between the App and Firebase servers take place via TLS/HTTPS.
- Encryption at rest: data stored on Firebase Firestore is encrypted at rest by Google.
- Firebase Security Rules: access rules configured on Firestore ensuring each User can only access their own data (
users/{userId}). - Password hashing: passwords are never stored in plain text; Firebase Authentication uses secure hashing algorithms.
- Sandbox isolation: local data (DataStore) is protected by the operating system's application isolation.
- JWT authentication tokens: access to Firebase APIs is always authenticated via tokens with automatic expiry.
In the event of a security breach entailing a high risk to Users' rights and freedoms, the Controller will notify the supervisory authority within 72 hours and affected Users without undue delay, pursuant to Arts. 33โ34 GDPR.
Section 14
Cookies and Similar Technologies
The Application is a native mobile app and, as such, does not use cookies in the traditional browser sense. However, analogous technologies may be used by integrated Third-Party Services:
- Firebase Instance ID / Installation ID: anonymous identifier associated with the App installation on the device, used for Analytics and Cloud Messaging.
- Device advertising identifier (GAID / IDFA): used by Google AdMob for ad personalisation, subject to User control via device settings.
- Firestore cache: persistent local storage for synchronised data, not related to advertising tracking.
Section 15
Children and Data Protection
The Application is designed for a general audience. The Controller implements the following specific measures to protect children's data:
- We do not knowingly collect personal data from individuals under the age of 13 (or the minimum age required by the law of the country of residence) without verifiable parental or legal guardian consent.
- If accounts belonging to children below the minimum age are reported, the Controller will delete the account and associated data.
- In view of the Google AdMob integration, the Controller activates available technical options to ensure that advertisements shown to children comply with COPPA (Children's Online Privacy Protection Act) and applicable GDPR for children policies.
- Parents and legal guardians may contact the Controller to request information on data processed in relation to children's accounts or to request their deletion.
Section 16
Changes to This Privacy Policy
The Controller reserves the right to update this Policy at any time. In the event of material changes:
- Users will be notified via in-app notification.
- The "Last updated" date will be updated.
- For particularly significant changes (e.g. addition of new processing purposes), fresh explicit consent may be requested.
- Continued use of the App after publication of changes constitutes acceptance of the updated Policy.
Users are encouraged to periodically review this Policy to check for any updates.
Section 17
Contact and Data Protection Officer
| Channel | Reference |
|---|---|
| Privacy Email | [Insert dedicated privacy email] |
| Data Protection Officer (DPO) | [Insert DPO name/reference if appointed] |
| Italian DPA (Garante) | www.garanteprivacy.it |
| EU ODR Platform | ec.europa.eu/consumers/odr |
| Firebase / Google Privacy | firebase.google.com/support/privacy |
| AdMob Privacy | policies.google.com/privacy |
| Terms and Conditions | Read the Terms and Conditions |
The Controller is committed to ensuring maximum transparency in the processing of Users' personal data. For any questions or requests regarding privacy, please do not hesitate to contact us. We will respond within 30 days of receiving your request.
ยฉ 2025 HieroLingo โ All rights reserved ยท Terms & Conditions ยท Informativa Privacy (IT)