Formular Y-B1 / 2026Seite 1 von 1

Privacy Policy

Last updated: June 26, 2026

This Privacy Policy explains how Yulo (“we”, “us”, “the Service”) collects and processes personal data when you use the Yulo web application. We comply with the EU General Data Protection Regulation (GDPR) and applicable data protection laws.

1. Data Controller

The responsible party (controller) for the processing of your personal data is the operator of Yulo.

For all data protection inquiries, you can contact us at hello@yulo.app.

2. Categories of Personal Data We Collect

We process the following categories of personal data when you use Yulo:

2.1 Account & Identity Data

  • Name (if provided)
  • Email address
  • Account credentials (e.g., hashed password)

2.2 Learning & Usage Data

  • Exercise results, mock exam responses, and listening exercise responses
  • Writing inputs and AI-generated feedback
  • Speaking submissions and AI-generated assessments
  • Progress statistics and performance metrics

2.3 Payment & Subscription Data

  • Billing information (processed by Polar, our payment provider — we do not store full payment details)
  • Transaction history and subscription status

2.4 Technical Data

  • Session and authentication cookies (essential for the service to function)
  • Device and browser type

For website analytics, we use Umami, a privacy-focused, cookie-free analytics tool that we host ourselves on our own infrastructure. It does not collect or store personally identifiable information. IP addresses are immediately hashed with a daily rotating salt and are never stored. All analytics data is aggregated and cannot be used to identify individual users.

For application monitoring and error tracking, we use Laravel Nightwatch, an observability service that records technical performance and diagnostic data — such as request timing, database query performance, and exceptions — to help us detect, diagnose, and fix problems. Where an event relates to a signed-in user, only your internal account identifier is recorded; we do not send your name or email address to this service. Telemetry is stored in the EU (Frankfurt) under a data processing agreement.

We do not collect special category data (e.g., health, biometric, or political data). We only collect personal data that is necessary and relevant for the purposes outlined in this policy.

3. Purpose & Legal Basis of Processing

We process personal data for the following purposes:

PurposeLegal Basis (GDPR)
Provide and operate the platformArt. 6(1)(b) — performance of contract
Save learning progress & exam resultsArt. 6(1)(b)
Generate AI-powered feedback on submissionsArt. 6(1)(b)
Payment processingArt. 6(1)(b)
Transactional emails (e.g., password resets, subscription notifications)Art. 6(1)(b)
Security, fraud prevention, abuse detectionArt. 6(1)(f) — legitimate interest
Improve service quality & features (aggregated data)Art. 6(1)(f)
Application monitoring, error tracking & performance diagnosticsArt. 6(1)(f)
Marketing communications (e.g., product updates, tips)Art. 6(1)(a) — consent
Legal compliance & record retentionArt. 6(1)(c) — legal obligation

Where we rely on legitimate interests, we have assessed that our interests do not override your fundamental rights and freedoms. You have the right to object to such processing at any time. Where consent is required (e.g., marketing emails), you may withdraw consent at any time without affecting the lawfulness of processing before withdrawal.

4. AI Processing & Learning Content

Yulo uses artificial intelligence to evaluate and provide feedback on your practice responses, including writing corrections and speaking assessments.

  • Your submissions (text, audio transcriptions, and other content) are sent to third-party AI providers for processing. We do not include your name, email, or other personally identifiable information in AI prompts. However, if you include personal information in your own responses, it will be processed by the AI provider as part of your submission
  • AI-generated feedback is stored with your account for learning progress purposes
  • We do not sell or publicly share user content
  • We do not use your content to train externally accessible AI models

For speaking exercises, audio may be transcribed locally in your browser before being sent to our servers. Raw audio recordings are not permanently stored on our servers.

AI assessments are provided as learning aids and do not constitute decisions with legal or similarly significant effects as defined in GDPR Article 22. You should not rely solely on AI feedback to determine your exam readiness.

5. Cookies & Similar Technologies

Our cookie practices comply with the GDPR and the German Telekommunikation-Telemedien-Datenschutz-Gesetz (TTDSG). We only use cookies that are strictly necessary for the service to function:

  • Authentication & session cookies — to keep you logged in securely and maintain your session state
  • Security cookies — CSRF protection and fraud prevention
  • Preference cookies — to remember your language selection and interface settings

All cookies used by Yulo are strictly necessary for providing the service you requested and are exempt from consent requirements under TTDSG § 25(2). We do not use any tracking, advertising, or third-party analytics cookies.

For website analytics, we use a privacy-focused tool that operates without cookies and does not track individual users. See Section 2.4 for details.

6. Data Storage & Retention

Data is stored on servers located in the EU/EEA or with providers that maintain GDPR-compliant safeguards.

  • Account & learning data — retained for the duration of your active account
  • Deleted accounts — personal data is erased or anonymised within 30 days of your deletion request
  • Payment & subscription records — retained as required by applicable tax and accounting laws
  • Technical logs — retained for up to 90 days for security and troubleshooting, then deleted
  • Monitoring & diagnostic telemetry — retained by our monitoring provider for up to 90 days, then deleted
  • Backups — automatically deleted within 90 days. Data from deleted accounts may persist in backups until the next scheduled cleanup

We keep data only as long as necessary for the stated purposes.

7. Data Sharing & Third-Party Processors

We may share data with carefully selected service providers that support platform operation, including:

  • Hosting and infrastructure providers
  • AI processing providers
  • Payment processors
  • Email and communication services
  • Application monitoring and error-tracking providers

These parties act as GDPR-compliant processors under data processing agreements. We do not sell, rent, or share personal data with third parties for their own marketing purposes. For information on international data transfers, see Section 8.

Payments are handled by Polar, which acts as the Merchant of Record for your purchase. As such, Polar is an independent data controller for the payment and billing data it collects to process your transaction, prevent fraud, and meet its tax and legal obligations — it does not act as our processor for this purpose. Polar shares limited transaction details (such as your billing country and subscription status) back to us to manage your account.

Our website analytics (Umami) is self-hosted on our own infrastructure. Analytics data never leaves our systems, is not shared with any third-party analytics provider, and contains no personally identifiable information. See Section 2.4 for details.

8. International Data Transfers

Some of our service providers, including AI processing providers, may be located outside the European Economic Area (EEA). For such transfers, we ensure adequate protection through:

  • EU adequacy decisions where applicable
  • EU Commission-approved Standard Contractual Clauses (SCCs)
  • Encryption in transit and at rest
  • Contractual obligations requiring processors to maintain GDPR-level protection

We prioritise storing data in EU regions by default.

9. Your Rights Under GDPR

You have the following rights regarding your personal data:

  • Right of access (Art. 15) — request a copy of the data we hold about you
  • Right to rectification (Art. 16) — correct inaccurate or incomplete data
  • Right to erasure (Art. 17) — request deletion of your data where there is no legal reason for continued processing
  • Right to restriction (Art. 18) — limit how we use your data in certain circumstances
  • Right to data portability (Art. 20) — receive your data in a structured, commonly used format
  • Right to object (Art. 21) — object to processing based on legitimate interests or for direct marketing
  • Right to withdraw consent (Art. 7) — withdraw consent at any time where processing is consent-based

You have an absolute right to object to processing of your personal data for direct marketing purposes at any time. When you object, we will stop processing your data for marketing immediately.

To exercise your rights, contact us at hello@yulo.app. We may require identity verification before fulfilling requests. We will respond within one month of receipt. If your request is complex, we may extend this by up to two additional months and will notify you with the reason for the delay.

You also have the right to lodge a complaint with your local data protection supervisory authority. Our competent authority is the Hamburgische Beauftragte für Datenschutz und Informationsfreiheit (Hamburg Commissioner for Data Protection and Freedom of Information).

10. Security Measures

We implement appropriate technical and organisational measures to protect your personal data, including:

  • Encrypted data transmission (HTTPS/TLS) and encryption at rest
  • Restricted access controls
  • Secure authentication with hashed credentials
  • Regular system monitoring and updates
  • Regular encrypted backups

In the event of a data breach that poses a risk to your rights and freedoms, we will notify the relevant supervisory authority without undue delay and within 72 hours, as required by GDPR Article 33. We will also notify affected users where required by Article 34.

No system is fully secure. You remain responsible for protecting your account credentials and using a strong, unique password.

11. Children's Data

You must be at least 18 years old to create an account. If you are between 16 and 18, you may use Yulo with parental or guardian consent. Users under 16 may not use the service.

We do not knowingly collect personal data from children under 16 without appropriate authorisation. If you believe a child has provided us with personal data without consent, please contact us at hello@yulo.app and we will delete the information promptly.

12. Changes to This Policy

We may update this Privacy Policy from time to time. When we make material changes, we will notify you at least 30 days in advance by updating the “Last updated” date at the top of this page and by email. If you do not agree with the revised policy, you may close your account before the changes take effect. Continued use of Yulo after the notice period constitutes your acceptance of the updated policy.

13. Contact

If you have any questions about this Privacy Policy or wish to exercise your data protection rights, please contact us at hello@yulo.app.