1. Who Controls Your Data
SignDeaf operates signdeaf.com and is the controller for the personal data described in this notice. SignDeaf is operated from Poland.
Our primary privacy framework is the EU General Data Protection Regulation (GDPR) together with applicable Polish data protection law. Because the service is available internationally, additional local rules may apply depending on where a user is located and how the service is used, including UK GDPR where relevant to UK-facing processing. Nothing in this notice limits mandatory rights you have under applicable law.
If you need formal correspondence details for a regulator, court, or specific legal request, contact legal@signdeaf.com and we will provide the appropriate current contact route for that request.
2. Scope And Standards
This notice applies to SignDeaf accounts, memberships, dictionary features, support communications, and related pages or tools that link to it. It does not control the privacy practices of third-party sites or services that you open from our platform.
- Lawfulness, fairness, and transparency: we aim to explain data use in clear language and avoid hidden surprises.
- Data minimization: we try to collect only the data needed to run the service, secure it, and support you.
- Purpose limitation: we do not treat data as a free-for-all. We use it for defined operational, support, learning, security, and legal purposes.
- Security and confidentiality: we use technical and organizational measures designed to reduce unauthorized access, loss, misuse, or disclosure.
- Accountability: when our practices change, this notice should change with them.
3. Data We Collect
The categories below describe the main personal data we process and why. Not every user will trigger every category. For example, people who do not create an account or buy a membership will not generate the same records as paying members.
| Category | Typical Data | Why We Use It |
|---|---|---|
| Account and profile data | Username, email address, password hash, display name, account status, sign-up timestamps, and security-related IP or login records. | To create and secure your account, let you log in, and provide the member experience you asked for. |
| Membership and billing data | Subscription status, plan history, transaction references, invoice or billing details, and refund or chargeback records. | To provide paid access, process renewals, handle refunds, and meet tax, accounting, and fraud-prevention obligations. |
| Learning progress and preferences | Practice counts, streaks, favorites, learned signs, difficulty ratings, recent activity, and related learning-state data. | To remember your progress, power core learning features, and keep the service useful across visits. |
| Contact and support data | Your name, email address, message content, and any attachments or context you choose to send us. | To answer questions, solve problems, and keep a record of support correspondence. |
| Technical and security data | IP address, browser type, operating system, basic request logs, device information, and error or abuse-prevention signals. | To keep the service stable, defend against abuse, investigate incidents, and understand service performance at an operational level. |
| Sign metadata used for AI content generation | Sign word, category, handshape, movement, location, and similar sign-description metadata. | To generate educational sign content for the dictionary. In the normal generation flow this does not include member profiles, support messages, or payment data. |
We do not design the platform around special category data, and we do not ask users to submit health, biometric, or other highly sensitive data as part of normal use. If you choose to send sensitive information to us in a free-text message, we will handle it only as needed to resolve that request.
4. Lawful Bases
Under GDPR, each processing activity needs a lawful basis. The table below reflects the main bases we rely on as the site currently operates.
| Processing Activity | Lawful Basis | Reference |
|---|---|---|
| Creating accounts, logging you in, and providing member access | Performance of a contract | Art. 6(1)(b) |
| Remembering progress, favorites, streaks, and other core learning features | Performance of a contract and, where relevant, our legitimate interests in operating the service | Art. 6(1)(b) / Art. 6(1)(f) |
| Taking payments, managing subscriptions, refunds, and chargebacks | Performance of a contract | Art. 6(1)(b) |
| Keeping invoices, transaction records, and legally required business records | Legal obligation | Art. 6(1)(c) |
| Security monitoring, fraud prevention, and abuse handling | Legitimate interests | Art. 6(1)(f) |
| Responding to contact or support requests | Legitimate interests and steps taken at your request | Art. 6(1)(f) / Art. 6(1)(b) |
| Generating educational sign content from sign metadata using external AI tools | Legitimate interests | Art. 6(1)(f) |
| Any future optional analytics or marketing tools | Consent where the law requires it before activation | Art. 6(1)(a) |
5. Cookies And Device Storage
SignDeaf uses a mix of cookies and browser-side storage technologies such as localStorage. These technologies are used for authentication, access control, progress memory, and user-requested preferences.
| Technology | Where It Lives | Purpose | Notes |
|---|---|---|---|
| WordPress authentication and security cookies | Browser cookie storage | Keeps signed-in users authenticated, protects sessions, and supports account security. | Core service functionality. |
| MemberPress access cookies | Browser cookie storage | Maintains membership access and subscription-related session state. | Core paid-member functionality. |
| Learning progress storage | Browser localStorage on your device | Stores guest progress, practice counts, learned signs, favorites-related state, ratings, and loop preferences until they are synced or cleared. | Used for features you actively use. |
| Accessibility preferences | Browser localStorage on your device | Remembers choices such as high contrast, large text, or reduced motion preferences you toggle on the site. | User-requested preference storage. |
You can clear browser storage through your browser settings. Doing so may sign you out, reset guest progress, remove saved learning state on that device, or reset accessibility preferences you previously chose.
6. Sharing And Processors
We do not sell personal data, we do not run a data broker business, and we do not share personal data for someone else to build unrelated marketing profiles. Where data is shared, it is because the service requires it or because the law requires it.
| Recipient | Why They Receive Data | Data Involved |
|---|---|---|
| Payment providers you choose at checkout, such as Stripe or PayPal | To process payments, refunds, renewals, and payment-related fraud or chargeback workflows. | Billing and transaction data needed for the payment flow. |
| SpreadTheSign and SignBSL media servers | To deliver sign videos directly to your browser. | Standard connection data such as IP address, browser user-agent, and request metadata generated by the media request itself. |
| Google Gemini API | To generate educational sign content from sign metadata. | Sign word and sign-description metadata used for content generation, not member account or billing data in the normal generation flow. |
| Operational service providers supporting hosting, delivery, backups, email, or security | To keep the service running safely and reliably. | The categories of data required for the relevant infrastructure task. |
| Professional advisers, regulators, courts, or authorities | To comply with law, protect rights, respond to disputes, or handle formal legal obligations. | Only the data reasonably necessary for the legal or regulatory purpose. |
Some software components, such as WordPress plugins running on our own servers, support the service without necessarily receiving your data as separate external recipients. We try to distinguish clearly between software we run ourselves and outside parties that actually receive data.
7. International Transfers
Because SignDeaf is available internationally and uses service providers that may operate across more than one country, some personal data may be processed outside the country where you use the site. Where that happens, we aim to rely on an appropriate legal transfer mechanism, such as an adequacy decision, contractual safeguards, or another lawful basis permitted by applicable law.
If you need more detail about a specific transfer route tied to your data, contact legal@signdeaf.com.
8. Retention
We keep personal data only for as long as there is a genuine operational, legal, support, or security reason to keep it. The periods below are the main retention rules currently in use.
| Data Category | Typical Retention Period | Reason |
|---|---|---|
| Account profile and login data | While your account is active and usually up to 30 days after confirmed deletion. | Service continuity, recovery window, and cleanup. |
| Learning progress, streaks, favorites, and related member-state data | While your account is active and usually up to 30 days after confirmed deletion. | Core service functionality and orderly deletion. |
| Contact and support records | Usually up to 3 years after the matter is resolved. | Record of correspondence and follow-up support. |
| Server, abuse-prevention, and security logs | Generally up to 90 days, and longer when reasonably needed for an active investigation or legal hold. | Security, abuse handling, and incident response. |
| Payment, invoice, refund, and tax-related records | For the period required by applicable tax, accounting, anti-fraud, and dispute-resolution obligations. | Legal obligation and financial recordkeeping. |
| Browser-side storage on your device | Until you clear it, overwrite it, or your browser removes it. | Device-side preference or progress storage controlled largely by your browser settings. |
9. Your Rights
Depending on the law that applies to you, you may have the rights below. Some rights are subject to legal limits or exceptions, but we will explain clearly if one of those limits applies in a particular case.
- Access: ask us for a copy of the personal data we hold about you.
- Rectification: ask us to correct inaccurate or incomplete information.
- Erasure: ask us to delete data when there is no valid reason for us to keep it.
- Restriction: ask us to limit processing while a dispute or verification issue is being reviewed.
- Portability: for data processed by contract or consent, ask for it in a structured, machine-readable format where the law provides that right.
- Objection: object to processing based on legitimate interests where your situation justifies it.
- Withdraw Consent: where we rely on consent in the future, you can withdraw it going forward.
- Complain: you can complain to the supervisory authority available to you under applicable law.
To exercise a privacy right, email privacy@signdeaf.com. We may need to verify identity before acting on a request.
10. Children
SignDeaf is a general-audience educational service. We do not knowingly design the service to collect personal data from children in a way that requires parental authorization without taking appropriate steps first. If you believe a child has provided personal data to us inappropriately, contact privacy@signdeaf.com and we will review the situation carefully.
We do not currently run non-essential advertising or session-replay tools on the live site.
11. Security
We use technical and organizational measures designed to reduce unauthorized access, loss, misuse, or accidental disclosure of personal data. Measures include HTTPS/TLS in transit, account authentication, password hashing handled through WordPress, restricted administrative access, and operational logging used for security and abuse prevention.
No website or networked system can promise perfect security. If we become aware of a personal data breach that triggers notification duties under applicable law, we will handle that process in line with those legal obligations.
12. Links And Media
SignDeaf links to and embeds third-party resources, including sign video providers and community platforms. When your browser loads content directly from a third party, that third party may receive standard connection information such as your IP address and browser details as part of the request. Their own privacy notices and terms then apply to that processing.
13. Changes To This Notice
We update this notice when our processing practices, tools, or legal obligations change in a meaningful way. The date at the top shows the latest review date. If a change materially affects how we use your data, we will aim to give a clearer notice than simply editing a page silently.
14. Contact And Complaints
Please contact us first if you can. A lot of privacy issues are faster to solve directly.
If you are in the EEA, you may complain to the President of the Personal Data Protection Office (UODO) in Poland or to the supervisory authority in the EEA country where you live, work, or believe the issue occurred.
If you are in the United Kingdom and UK GDPR applies to the relevant processing, you may also complain to the Information Commissioner's Office (ICO).