Viobean

Privacy Policy

Last updated: January 18, 2026

This Privacy Notice for Viobean ("we", "us", or "our") describes how and why we might access, collect, store, use, and/or share ("process") your personal information when you use our services ("Services").

Questions or concerns? Reading this Privacy Notice will help you understand your privacy rights and choices. If you do not agree with our policies and practices, please do not use our Services. If you still have any questions or concerns, please contact us at privacy@viobean.com.

Table of Contents

  1. What Information Do We Collect?
  2. How Do We Process Your Information?
  3. What Legal Bases Do We Rely On?
  4. When Do We Share Your Information?
  5. Do We Use Cookies?
  6. Do We Offer AI-Based Products?
  7. How Do We Handle Social Logins?
  8. International Transfers
  9. How Long Do We Keep Your Info?
  10. How Do We Keep Info Safe?
  11. Do We Collect From Minors?
  12. What Are Your Privacy Rights?
  13. Do-Not-Track Controls
  14. Do We Make Updates?
  15. How To Contact Us

1. What Information Do We Collect?

In Short: We collect personal information that you provide to us.

We collect personal information that you voluntarily provide to us when you register on the Services, express an interest in obtaining information about us or our products and Services, when you participate in activities on the Services, or otherwise when you contact us.

Personal Information Provided by You. The personal information we collect may include:

  • Names
  • Email addresses
  • Billing addresses
  • Usernames
  • Contact or authentication data
  • Learning progress and activity data

Sensitive Information. We do not process sensitive information.

Payment Data. We may collect data necessary to process your payment if you choose to make purchases. All payment data is handled and stored by Stripe.

Social Media Login Data. We may provide you with the option to register with us using your existing social media account details, like your Google account.

Information automatically collected

In Short: Some information — such as your IP address and/or browser and device characteristics — is collected automatically when you visit our Services.

We automatically collect certain information when you visit, use, or navigate the Services. This information does not reveal your specific identity but may include device and usage information, such as your IP address, browser and device characteristics, operating system, language preferences, referring URLs, device name, country, location, and other technical information.

2. How Do We Process Your Information?

In Short: We process your information to provide, improve, and administer our Services, communicate with you, for security and fraud prevention, and to comply with law.

We process your personal information for a variety of reasons, including:

  • To facilitate account creation and authentication
  • To deliver and facilitate delivery of services to the user
  • To respond to user inquiries and offer support
  • To send administrative information about our products and services
  • To fulfil and manage your orders including payments
  • To protect our Services including fraud monitoring and prevention
  • To identify usage trends so we can improve our Services

Email Communications

We send the following types of emails:

Transactional Emails (no consent needed, cannot opt out):

  • Account security (password resets, login links)
  • Payment confirmations and receipts
  • Subscription updates

Service Emails (Legitimate Interest, can opt out):

  • Weekly progress reports
  • Practice reminders
  • Post-exam feedback requests

We send these under Legitimate Interest because they directly support your stated goal of exam preparation. You can opt out anytime via the unsubscribe link in any email or in your Account Settings.

Marketing Emails (requires consent):

  • Special offers and promotions
  • Product announcements

You must explicitly opt in to receive marketing emails. You can update your preferences at any time in Account Settings.

Signup Attribution

When you visit our website from a marketing link (such as social media or search results), we temporarily store referral information (campaign source, medium, and name) on our servers to understand how users discover our service. A short-lived cookie (vb_aid) containing only a random identifier connects this information to your signup.

This data is:

  • Resolved once at account creation
  • Immediately deleted afterward
  • Used only for aggregated reporting (e.g., "X% of signups came from social media")
  • Not used for behavioral tracking, profiling, or marketing automation

This processing is based on our Legitimate Interest (Art. 6(1)(f) GDPR) in understanding how users find our service.

3. What Legal Bases Do We Rely On To Process Your Information?

In Short: We only process your personal information when we believe it is necessary and we have a valid legal reason under applicable law.

The General Data Protection Regulation (GDPR) requires us to explain the valid legal bases we rely on:

  • Consent. We may process your information if you have given us permission for a specific purpose.
  • Performance of a Contract. We may process your information to fulfil our contractual obligations to you.
  • Legitimate Interests. We may process your information for our legitimate business interests.
  • Legal Obligations. We may process your information for compliance with legal obligations.

4. When And With Whom Do We Share Your Personal Information?

In Short: We may share information in specific situations and with specific third parties.

We may share your data with third-party vendors, service providers, contractors, or agents who perform services for us. The third parties we may share personal information with include:

  • AI Service Providers: OpenAI
  • Cloud Computing Services: Supabase
  • Email & Communication: Resend
  • Invoice and Billing: Stripe
  • User Authentication: Google Sign-In
  • Web and Mobile Analytics: PostHog, Plausible Analytics
  • Website Hosting: Vercel
  • Performance Monitoring: Sentry

Business Transfers. We may share or transfer your information in connection with any merger, sale of company assets, financing, or acquisition of our business.

5. Do We Use Cookies And Other Tracking Technologies?

In Short: We may use cookies and other tracking technologies to collect and store your information.

We may use cookies and similar tracking technologies (like web beacons and pixels) to gather information when you interact with our Services.

Privacy-Friendly Analytics (Plausible)

We use Plausible Analytics, a privacy-friendly analytics service that does not use cookies and does not collect personal data. Plausible is hosted in the European Union and is fully GDPR compliant without requiring consent. It only collects aggregate statistics (page views, traffic sources, device types) that cannot identify individual users. Learn more at Plausible's data policy.

Consent-Based Analytics (PostHog)

With your consent, we use PostHog for more detailed analytics to understand how users interact with our Services. PostHog cookies are only set after you accept analytics cookies in our consent banner.

Cookie Table

Cookie Name | Purpose | Category | Duration
__Secure-authjs.session-token | Authentication session | Essential | 30 days
__Host-authjs.csrf-token | CSRF protection | Essential | Session
__Secure-authjs.callback-url | OAuth callback URL | Essential | Session
vb_aid | Temporary signup attribution. Links your signup to how you found us. Contains only a random identifier (no personal or marketing data). Resolved once at signup and then deleted. Used only for aggregate reporting.* | Functional | 30 minutes
ph_*_posthog | Analytics & session tracking | Analytics | 365 days

* Legal basis: Legitimate interest (Art. 6(1)(f) GDPR) — understanding how users discover our service, with minimal and short-lived processing.

Local Storage

We also use browser local storage to store certain preferences and functional data:

Key | Purpose | Category
viobean_consent | Stores your cookie consent preferences | Essential
onboarding_progress | Tracks onboarding wizard progress | Functional

6. Do We Offer Artificial Intelligence-Based Products?

In Short: We offer products powered by artificial intelligence.

As part of our Services, we offer products, features, or tools powered by artificial intelligence, machine learning, or similar technologies. We provide AI Products through third-party service providers, including OpenAI.

Our AI Products are designed for AI-powered explanations and insights for German exam preparation.

7. How Do We Handle Your Social Logins?

In Short: If you choose to register or log in using a social media account, we may have access to certain information about you.

Our Services offer you the ability to register and log in using your third-party social media account details (like your Google login). The profile information we receive may include your name, email address, and profile picture.

8. Is Your Information Transferred Internationally?

In Short: We may transfer, store, and process your information in countries other than your own.

Our servers are located in the United States. If you are a resident in the European Economic Area (EEA), United Kingdom (UK), or Switzerland, we will take all necessary measures to protect your personal information in accordance with this Privacy Notice and applicable law.

We have implemented measures to protect your personal information, including by using the European Commission's Standard Contractual Clauses (SCCs) for transfers of personal information to the following US-based service providers: Vercel (hosting), OpenAI (AI services), Stripe (payments), Resend (email), and Sentry (error monitoring).

Our database is hosted by Supabase in the European Union (Sweden). Analytics are processed by PostHog (with consent) and Plausible Analytics (no consent needed), both within the EU.

9. How Long Do We Keep Your Information?

In Short: We keep your information for as long as necessary to fulfil the purposes outlined in this privacy notice.

We will only keep your personal information for as long as it is necessary for the purposes set out in this privacy notice. No purpose in this notice will require us to keep your personal information for longer than one (1) month past the termination of the user's account.

Exception for Financial Records: Transaction records, invoices, and related payment data may be retained for up to 10 years as required by German tax law (Abgabenordnung §147).

10. How Do We Keep Your Information Safe?

In Short: We aim to protect your personal information through a system of organisational and technical security measures.

We have implemented appropriate and reasonable technical and organisational security measures designed to protect the security of any personal information we process. However, no electronic transmission over the Internet can be guaranteed to be 100% secure.

11. Do We Collect Information From Minors?

In Short: We do not knowingly collect data from or market to children under 18 years of age.

We do not knowingly collect, solicit data from, or market to children under 18 years of age. By using the Services, you represent that you are at least 18.

12. What Are Your Privacy Rights?

In Short: In some regions, you have rights that allow you greater access to and control over your personal information.

In some regions (like the EEA, UK, and Switzerland), you have certain rights under applicable data protection laws, including:

  • To request access and obtain a copy of your personal information
  • To request rectification or erasure
  • To restrict the processing of your personal information
  • To data portability
  • To object to the processing of your personal information

If you are located in the EEA or UK and you believe we are unlawfully processing your personal information, you have the right to complain to your Member State data protection authority or UK data protection authority.

Withdrawing your consent: If we are relying on your consent to process your personal information, you have the right to withdraw your consent at any time by contacting us.

Automated Decision-Making: We do not use your personal data for automated decision-making that produces legal effects or similarly significantly affects you. Our AI features provide educational content and explanations only and do not make decisions about your access to services or other matters with legal or significant effects.

Account Information: If you would like to review, change, or terminate your account, you can contact us using the contact information provided or log in to your account settings.

Data Protection Officer: We are not required to appoint a Data Protection Officer under GDPR Article 37, as our core activities do not involve large-scale processing of special categories of data or systematic monitoring of individuals.

13. Controls For Do-Not-Track Features

Most web browsers include a Do-Not-Track ("DNT") feature. At this stage, no uniform technology standard for recognising DNT signals has been finalised. As such, we do not currently respond to DNT browser signals.

14. Do We Make Updates To This Notice?

In Short: Yes, we will update this notice as necessary to stay compliant with relevant laws.

We may update this Privacy Notice from time to time. The updated version will be indicated by an updated "Last updated" date at the top of this Privacy Notice.

15. How Can You Contact Us About This Notice?

If you have questions or comments about this notice, you may email us at privacy@viobean.com or contact us by post at:

Phuong Linh Pham - Viobean
Oranienstraße 122
10969 Berlin
Germany