Privacy Policy
How Effortless Thai collects, uses, shares, and protects your personal data.
Last updated: June 2, 2026
This Privacy Policy explains how Effortless Thai ("Effortless Thai", "we", "us", "our") collects, uses, shares, and protects your personal data when you use our app, website, and related services (the "Service"). Effortless Thai is operated by LittleBits s.r.o., a company registered in the Czech Republic. We are the data controller for the personal data described here.
Because our audience is primarily expats living in Thailand, and our company is established in the EU, this policy is written to address the EU/EEA General Data Protection Regulation (GDPR), the Thailand Personal Data Protection Act (PDPA), and US state privacy laws (including the CCPA/CPRA). Jurisdiction-specific rights are described in Section 11.
Legal Entity
Company: LittleBits s.r.o.
Company ID: IČO: 08604363
VAT ID: CZ08604363
Legal Address: Wolkerova 1533, 738 01 Frýdek-Místek, Czech Republic
Email: effortlessthai@littlebits.dev
1. What You Should Know First
- We process voice and audio, including audio of other people you record (for example, a Thai partner, spouse, or friend). You are responsible for getting that person's consent before you record or import their voice. See Section 4.
- We send your content (text and audio) to third-party AI providers — Google (Gemini) and ElevenLabs — to transcribe, translate, and generate audio. See Section 5.
- We use PostHog for product analytics and error diagnostics, and the Meta Pixel and Meta Conversions API for advertising and conversion measurement, which involves sharing data with Meta. You can opt out using the methods in Section 6.
- We never sell your personal data for money. Some advertising activity may count as a "sale" or "share" under US state privacy law — see Section 11.
- You have rights over your data under GDPR (EU/EEA), the PDPA (Thailand), and US state privacy laws. See Section 11.
2. Data We Collect
We collect information to provide and improve the Service. This includes:
- Account and identity data: Email address, name or username, account preferences, and authentication identifiers (for example, your Google sign-in identifier or a magic-link sign-in token).
- Voice and audio data: In-app microphone recordings; imported voice notes (for example, messages from LINE or WhatsApp); audio of third parties you choose to record (see Section 4); and AI-generated text-to-speech audio derived from your content.
- User content and learning data: Flashcards you create, text you enter or share into the app, translations, romanization and tone details, and your learning progress.
- Transcription and derived text: Text transcribed from your audio by AI, and translations generated from your content.
- Billing data: Subscription status, plan, and transaction records. Payments are handled by our Merchant of Record, Polar (see Section 7); we do not store your full payment card number.
- Technical, product, and diagnostic data: Device and browser type, operating system, approximate location derived from your IP address, pages and screens viewed, feature interactions, performance metrics, and error or crash diagnostics (see Section 6).
- Advertising and conversion data: Page-view and conversion events, and identifiers (which may include a hashed version of your email address) shared with Meta for advertising measurement (see Section 6).
- Communications: Transactional emails, marketing emails (where you have consented), and support correspondence.
- Push notification data: Your web push subscription details, if you enable browser notifications (see Section 10).
- Cookies and similar technologies: See our Cookie Policy for detail.
We do not intentionally collect special-category or sensitive data. Audio recordings may, however, incidentally capture sensitive content; please avoid recording sensitive personal information.
3. How We Use Your Information
- To provide the Thai language learning Service and the features you request
- To transcribe, translate, and generate audio from your content (see Section 5)
- To personalize your learning path
- For authentication, account security, and fraud prevention
- To maintain, secure, diagnose, and improve the Service
- To measure how the Service and our advertising perform (see Section 6)
- To send transactional emails (login links, billing and refund notices)
- To send product updates and marketing emails (where you have consented)
- To comply with our legal obligations
4. Voice and Audio Data — Including Other People's Voices
Voice is core to the Service, and we treat it as a distinct, sensitive category.
4.1 What we collect and why
We collect audio when you record in-app using your device microphone, and when you import voice notes (for example, messages from LINE or WhatsApp) in common audio formats. We use this audio to deliver the features you ask for: your audio is sent to Google (Gemini) for transcription (speech-to-text) and to generate learning content such as translations, romanization, and tone details, and spoken audio may be generated via ElevenLabs (text-to-speech). See Section 5. We may also review limited audio where necessary to fix problems, maintain quality, and keep the Service secure.
4.2 Recording another person's voice (for example, your partner or spouse)
A central use of Effortless Thai is learning from a real person — often the account holder's Thai partner, spouse, family member, or friend. When you record or import someone else's voice, that person's voice is their personal data, and processing it carries responsibilities.
Your responsibilities as the account holder:
- You must obtain the consent of any other person before you record or import their voice, and inform them that their audio will be sent to our AI providers (Google and ElevenLabs) for transcription and processing as described in this policy.
- You confirm you have the lawful right and all consents required under applicable law — including Thailand's PDPA and any recording or consent laws that apply where you are — to provide that audio to us.
- You must not record anyone covertly or in violation of any law.
Our responsibilities: We process third-party audio under the same limited-purpose, retention, and security terms as your own audio. A person whose voice has been recorded may contact us at effortlessthai@littlebits.dev to request access to or deletion of their audio. We will act on such requests as required by law and may need to coordinate with the account holder to locate the relevant recordings.
4.3 Where audio is stored and how long we keep it
Audio is stored in Supabase storage and served to you through time-limited signed URLs. We keep a recording for as long as the associated flashcard exists; the audio is removed when you delete the flashcard, and is removed when you delete your account, subject to the retention exceptions in Section 12. You can delete a recording or flashcard at any time in the app.
5. AI Processing of Your Content
To provide the Service, we send your content to third-party AI providers. We name them so you know exactly who processes your data.
- Google (Gemini): receives your audio (for transcription / speech-to-text), and text you enter or import, to produce transcriptions, translations, romanization, and tone details.
- ElevenLabs: receives text derived from your content to generate spoken audio (text-to-speech).
We share with each provider only what is needed to deliver the relevant feature, and we use reputable providers under their commercial API terms. We do not control these providers' internal practices; their handling of the content we send is governed by their own terms and privacy policies, which we encourage you to review (Google's privacy policy and AI/Gemini terms, and ElevenLabs' privacy policy).
Because AI features process the content you submit, please do not submit personal, confidential, or sensitive information you would not want processed by a third-party AI provider. AI output — translations, tones, and generated audio — is automated and may be inaccurate; see our Terms of Service for the full accuracy disclaimer.
6. Analytics and Advertising
6.1 Product analytics and error diagnostics — PostHog
We use PostHog (hosted on its US cloud) to understand how the Service is used and to diagnose problems. PostHog captures events and interactions — such as features used, pages and screens viewed, device and browser information, approximate location derived from your IP address, performance metrics, and error or crash logs. We attach a profile to identified (signed-in) users so we can understand usage across a session. We do not currently configure session or screen recording in PostHog.
6.2 Advertising and conversion measurement — Meta Pixel and Conversions API
We measure the effectiveness of our advertising using the Meta Pixel (which runs in your browser) and Meta's Conversions API (which sends events server-to-server). These tools share page-view and conversion events with Meta, and to match those events to a Meta account we may share identifiers, which can include a hashed version of your email address and technical identifiers. Meta may use this data to measure and optimize advertising and to match activity across devices.
Please note: the Meta Pixel currently loads for all visitors to our website, and we do not currently operate a cookie consent banner or a prior-consent gate for it. We are telling you this plainly so you can make an informed choice and use the opt-out methods below.
6.3 Your choices
You can limit or stop advertising and conversion tracking using any of the following:
- Adjust the ad and privacy settings on your browser or device.
- Manage your Meta ad preferences in your Facebook/Instagram account settings, or opt out via industry choices pages such as the European Interactive Digital Advertising Alliance (youronlinechoices.eu) and the Digital Advertising Alliance (optout.aboutads.info).
- Use a browser, extension, or content/ad blocker that blocks tracking scripts.
- Enable a "Do Not Track" or Global Privacy Control signal in your browser; we treat such signals as an opt-out where required by applicable law.
- Opt out of marketing emails at any time via the unsubscribe link in each message.
You can also exercise the privacy rights described in Section 11, including the right to object to processing and, where applicable, to opt out of the "sale" or "sharing" of your personal information.
7. Billing — Polar (Merchant of Record)
Payments and subscriptions are handled by Polar, acting as our Merchant of Record. This means Polar is the seller of record for your purchase and processes your payment and billing information (for example, card details, billing address, and tax data) and manages subscriptions, invoices, and refunds.
- We do not store your full payment card number; card data is handled by Polar and its payment processors.
- We receive limited billing information (for example, your plan, subscription status, and a transaction reference) to operate your account.
- Polar's own privacy terms govern its processing of your payment data; please review Polar's privacy policy.
8. Sub-processors and Third Parties We Share Data With
We share personal data only with the service providers below, each for the stated purpose. We do not sell personal data for money.
| Provider | Purpose | Data shared |
|---|---|---|
| Google | Gemini AI (speech-to-text transcription, translation, card details); Google OAuth sign-in | Audio, text and content; a sign-in request if you choose Google login |
| ElevenLabs | Text-to-speech (AI-generated audio) | Text derived from your content |
| Supabase | Database (Postgres) and audio file storage | Account, content, audio, and learning data |
| PostHog | Product and usage analytics; error diagnostics | Technical and usage data, identifiers for signed-in users |
| Meta | Advertising and conversion measurement | Page-view and conversion events; hashed email and technical identifiers |
| Polar | Payments and subscriptions (Merchant of Record) | Billing and payment data |
| Resend | Transactional email delivery (login links, notifications) | Email address and message content |
| Mailchimp | Marketing and product-update email delivery | Email address and message content |
| Coolify | Application hosting and infrastructure | Data in transit and processing |
Our sign-in and session system is built and run in-house using Better Auth, self-hosted on our own infrastructure; identity and session data are stored in our own Postgres database and are not handed to a third-party identity provider. If you choose to sign in with Google, Google receives a sign-in request as part of the OAuth flow.
We may also disclose data to comply with the law, enforce our Terms, prevent fraud or abuse, or in connection with a corporate transaction (such as a merger or acquisition), with appropriate safeguards.
9. Storage, Security, and International Transfers
We apply industry-standard security, including encryption in transit (TLS) and at rest, access controls, and time-limited signed URLs for audio access. Account, content, and audio data are stored in Supabase, and the application is hosted on Coolify.
Some of our providers (for example, Meta and PostHog, and our AI providers) may process data outside the EU/EEA, including in the United States. Where we transfer personal data internationally, we rely on appropriate safeguards, such as the EU Standard Contractual Clauses and equivalent mechanisms, to protect it.
10. Web Push Notifications
If you enable browser notifications, we store your web push subscription details (the subscription endpoint and associated keys) so we can send you notifications. Push messages are delivered through your browser's push service (for example, those operated by Google, Apple, or Mozilla), which handles the message in transit. You can disable push notifications at any time in your browser settings.
11. Your Privacy Rights
Subject to applicable law, you have the rights below. To exercise them, contact us at effortlessthai@littlebits.dev. We will verify your identity and respond within the time required by law. You will not be discriminated against for exercising these rights.
11.1 EU/EEA and UK — GDPR
You have the rights of access, rectification, erasure ("right to be forgotten"), restriction of processing, data portability, and objection (including to processing based on legitimate interests and to direct marketing). You may withdraw consent at any time, and you have the right to lodge a complaint with your supervisory authority (in the Czech Republic, the Office for Personal Data Protection — Úřad pro ochranu osobních údajů).
Our lawful bases for processing include: performance of a contract (providing the Service), consent (for example, marketing), legitimate interests (security, fraud prevention, advertising measurement, and improving the Service), and legal obligation.
11.2 Thailand — PDPA
Consistent with the Personal Data Protection Act B.E. 2562 (2019), you have the rights of access, rectification, erasure, restriction, objection, data portability, and withdrawal of consent.
11.3 United States — CCPA/CPRA and similar state laws
You have the right to know and access, delete, and correct your personal information, and to opt out of the "sale" or "sharing" of personal information and of targeted advertising. To opt out of advertising-related sharing, use the methods in Section 6. We treat the Global Privacy Control signal as an opt-out where required by law.
12. Data Retention and Deletion
We keep personal data only as long as necessary for the purposes described, or as required by law:
- Account, content, and learning data are kept while your account is active. When you delete your account, we delete or anonymize this data, except where we must retain it for legal or operational reasons.
- Audio recordings (your own and any third party's) are kept for the life of the associated flashcard — they are removed when you delete the flashcard, and when you delete your account.
- AI-derived transcriptions and translations are kept with the associated flashcard until you delete it.
- Billing records are retained as required by tax and accounting law.
- Backups are retained on our normal backup cycle and then purged.
You can delete individual recordings and flashcards in the app at any time, and you can request full account deletion by contacting us. On deletion we remove or anonymize your personal data except where retention is legally required (for example, financial records).
13. Children's Privacy
The Service is intended for adults learning Thai and is not directed to children. We do not knowingly collect personal data from children under 13 (or under 16 where required in the EU/EEA). If you believe a child has provided us their data, contact us and we will delete it.
14. Email Communications
We send two types of emails:
- Transactional emails: login magic links, billing confirmations, and refund notices, sent via Resend. These are essential for service delivery and cannot be opted out of while you hold an account.
- Marketing emails: product updates, new feature announcements, and learning tips, sent via Mailchimp, only where you have consented. You can unsubscribe at any time via the link in every marketing email, or by contacting us at effortlessthai@littlebits.dev.
Your email address is shared with these providers solely to deliver the relevant emails.
15. Changes to This Policy
We may update this Privacy Policy from time to time. For material changes, we will provide notice (for example, in-app or by email) at least 30 days before they take effect, and update the "Last updated" date above.
Contact
Questions can be directed to: effortlessthai@littlebits.dev
Company Information: LittleBits s.r.o., IČO: 08604363, DIČ: CZ08604363