Privacy Policy
Last updated: November 13, 2025
1. Introduction
Welcome to NATO Alphabet Learning. We are committed to protecting your privacy and ensuring transparency about how we collect, use, and protect your personal information.
This Privacy Policy applies to our website and application (collectively, the "App") and explains our practices regarding personal data in compliance with the General Data Protection Regulation (GDPR) and other applicable privacy laws.
Data Controller
VANDEREIJT.COM
Netherlands
Email: privacy@vandereijt.com
Data Protection Officer: dpo@vandereijt.com
2. What Data We Collect
2.1 Account Information (Optional)
If you choose to create an account to purchase our Premium Features, we collect:
- Email address - Used for account authentication and purchase verification
- Password - Stored in encrypted form (bcrypt hashing) for account security
- Purchase records - Transaction history for Premium Features
You can use most features of our App without creating an account.
2.2 Usage Data (Automatically Collected)
When you use our App, we automatically collect:
- Device information - Device type, operating system, unique device identifiers
- App usage data - Features used, learning progress, quiz scores (stored locally on your device)
- Technical data - App version, crash reports, error logs
2.3 Payment Information
Payment processing is handled securely by our payment partners:
- Web: Stripe - We never see or store your credit card details
- iOS: Apple In-App Purchase - Processed by Apple
- Android: Google Play Billing - Processed by Google
We only receive confirmation of successful purchases and transaction IDs.
2.4 Cookies and Similar Technologies
On our website, we use cookies for:
- Essential cookies - App functionality, authentication sessions
- Functional cookies - Remembering your preferences and settings
- Analytics cookies - Understanding how users interact with our App (Google Analytics)
See our Cookie Policy for detailed information.
3. How We Use Your Data
| Purpose | Legal Basis (GDPR) |
|---|---|
| Account management and authentication | Contract performance (Art. 6(1)(b)) |
| Processing Premium purchases | Contract performance (Art. 6(1)(b)) |
| Delivering app functionality and features | Legitimate interest (Art. 6(1)(f)) |
| Improving app performance and fixing bugs | Legitimate interest (Art. 6(1)(f)) |
| Analytics and usage statistics (cookies) | Consent (Art. 6(1)(a)) - EU users only with opt-in |
| Complying with legal obligations | Legal obligation (Art. 6(1)(c)) |
Consent for Analytics Cookies
For EU users, we require your opt-in consent before placing analytics cookies (Google Analytics) on your device. You can manage your cookie preferences through our cookie consent banner and withdraw consent at any time. See our Cookie Policy for details.
4. Third-Party Services
4.1 Payment Processors
Stripe (Web Payments)
- Purpose: Processing credit card payments for Premium Features
- Data shared: Transaction amount, email address
- Privacy Policy: stripe.com/privacy
Apple In-App Purchase & Google Play Billing
- Purpose: Processing mobile app purchases
- Data shared: Purchase verification tokens
- Note: Handled directly by Apple and Google
4.2 Hosting and Infrastructure
Replit
- Purpose: Application hosting and database services
- Data shared: Account data, purchase records (encrypted in transit and at rest)
- Location: Servers may be located in the EU and USA
4.3 Google Analytics (GA4)
Google LLC
- Purpose: Website analytics and usage statistics to improve our App
- Data shared: Device information, browsing behavior, page views, session duration, geographic location (country/city level)
- Cookies used: _ga, _ga_*, _gid (see our Cookie Policy for details)
- Cookie retention: _ga and _ga_* cookies expire after 2 years; _gid expires after 24 hours
- Data retention: Analytics data is retained for 2 months in Google Analytics
- Privacy Policy: policies.google.com/privacy
- Opt-out: You can opt out of Google Analytics by installing the Google Analytics Opt-out Browser Add-on
Note: We use Google Analytics with anonymized IP addresses to enhance user privacy.
5. Data Retention
- •Account data: Retained until you delete your account
- •Purchase records: Retained for 7 years for legal and tax compliance
- •Analytics data: Retained for 2 months in Google Analytics (cookies may persist up to 2 years)
- •Cookies: See our Cookie Policy for retention periods
6. Your Privacy Rights (GDPR)
Under the GDPR, you have the following rights:
Right to Access (Art. 15)
Request a copy of your personal data
Right to Rectification (Art. 16)
Correct inaccurate or incomplete data
Right to Erasure (Art. 17)
Request deletion of your data ("right to be forgotten")
Right to Restriction (Art. 18)
Limit how we use your data
Right to Data Portability (Art. 20)
Receive your data in a machine-readable format
Right to Object (Art. 21)
Object to processing based on legitimate interests or for marketing
To exercise your rights:
- • Email us at privacy@vandereijt.com
- • Delete your account in the App Settings (removes all personal data)
- • Manage your cookie preferences through our cookie consent banner
Right to lodge a complaint:
You have the right to file a complaint with the Dutch Data Protection Authority (Autoriteit Persoonsgegevens):
Autoriteit Persoonsgegevens
Website: autoriteitpersoonsgegevens.nl/en
7. Children's Privacy
Our App is designed for users aged 13 and older. We do not knowingly collect personal information from children under 13 without verifiable parental consent.
For EU users under 16, parental consent is required to create an account.
If we become aware that we have collected data from a child under the applicable age without proper consent, we will delete it immediately.
8. International Data Transfers
Your data may be transferred to and processed in countries outside the European Economic Area (EEA), including the United States, when using third-party services like Replit (hosting) and Google Analytics.
Transfer Safeguards
We ensure adequate protection for international data transfers through:
- •Standard Contractual Clauses (SCCs): European Commission-approved contractual terms that require recipients to protect your data to EU standards
- •Data Processing Agreements: GDPR-compliant contracts with all processors
- •Technical Safeguards: Encryption in transit and at rest, access controls, regular security audits
Recipients in Third Countries
- Replit (USA): Application hosting and database services - Protected by SCCs
- Google LLC (USA): Analytics services - Protected by SCCs and Google's EU-U.S. Data Privacy Framework certification
- Stripe (USA): Payment processing - Protected by SCCs and PCI-DSS compliance
Access to Transfer Documentation
You can request copies of the safeguards we have in place for international transfers (such as Standard Contractual Clauses) by contacting us at dpo@vandereijt.com
9. Data Security
We implement appropriate technical and organizational measures to protect your data:
- ✓Encryption in transit (HTTPS/TLS)
- ✓Encrypted password storage (bcrypt hashing)
- ✓Secure authentication using JWT tokens
- ✓Regular security updates and monitoring
- ✓Access controls and authorization systems
However, no method of transmission over the Internet is 100% secure. We cannot guarantee absolute security.
10. Changes to This Privacy Policy
We may update this Privacy Policy from time to time to reflect changes in our practices or legal requirements.
We will notify you of significant changes by:
- •Updating the "Last Updated" date at the top of this policy
- •Displaying a notice in the App
- •Sending an email to registered users (for material changes)
Continued use of the App after changes constitutes acceptance of the updated policy.
11. Contact Us
If you have questions, concerns, or requests regarding this Privacy Policy or our data practices:
We will respond to your inquiry within 30 days as required by GDPR.