Privacy Policy

Overview

SPEEM ("we", "our", "the app") is an iOS study-habit and exam-prep app built with privacy as a default. This policy explains exactly what data the app handles, where it goes, and what it is used for. By using SPEEM or this website, you agree to the practices described below.

Data controller: SPEEM is operated by Wassim Ansari, based in France. You can reach us at contact@speem.app for any privacy-related question or request.

1. What data we handle

Stored locally on your device

• Your first name (entered during onboarding, used for personalization)
• Your education level and subjects
• Study habits, goals, missions, quests, daily reviews, streaks, achievements, gems
• Your app preferences (language, notifications, theme)

Synced to your personal iCloud (when iCloud is signed in)

Everything listed above syncs to your iCloud account via Apple's CloudKit, so your progress appears on any Apple device signed in with the same Apple ID. Your iCloud data is hosted by Apple, protected by your Apple ID security, and is not accessible to us except in the narrow case described below.

Written to a small public CloudKit record

A UserProfile record scoped to your iCloud account identifier contains your first name, display name, education level, and Apple's internal user ID. This record lets SPEEM recognize you when you reinstall the app so your progress restores without re-onboarding. It is not indexed, not discoverable by other users, and not used for any social feature.

Sent to our backend (Cloudflare Workers at speem-api.speem.workers.dev)

• Anonymous usage analytics. We record which features you use (which paywall screens you see, when you complete your first habit, etc.) grouped by ISO week, locale, and education level. We do not attach your name, Apple ID, device ID, or any identifier, we only see counts per cohort.
• AI exam-prep requests. When you ask SPEEM to generate an exam-prep mission, the subject and topic text you type is sent to our backend, which forwards it to Anthropic's Claude API. Your name, Apple ID, and other identifiers are never included.
• Version check. On launch the app fetches the current version metadata. No identifying data is sent.

Used by Apple directly (we never see it)

• Your Apple Push Notification token, used to deliver study reminders
• In-App Purchase transactions via StoreKit (for the SPEEM Pro lifetime IAP)

2. What we never collect

• Your email address (we don't ask for it)
• Your precise location
• Your contacts, photos, files, health, or fitness data
• Your browsing or search history
• Any advertising identifier, SPEEM does not use ads or tracking SDKs

We never sell your data. We never share it with data brokers. We use no third-party analytics SDK inside the app. We perform no automated decision-making or profiling that produces legal or similarly significant effects on you.

3. Lawful basis for processing (EU / UK GDPR)

Under EU GDPR Article 6 and UK GDPR, we rely on the following lawful bases:

• Contract (Art. 6(1)(b)), to provide the SPEEM service you requested, including habit tracking, mission generation, sync, and in-app purchases.
• Legitimate interest (Art. 6(1)(f)), for anonymous usage analytics (cohort counts with no identifier), fraud prevention, and product improvement. Our interest is balanced against the minimal privacy impact of aggregate, non-identifying data.
• Consent (Art. 6(1)(a)), for optional non-essential cookies on our website (see our Cookie Policy). You may withdraw consent at any time.
• Legal obligation (Art. 6(1)(c)), to comply with tax, accounting, and consumer-protection laws where applicable.

4. International data transfers

Our backend is hosted on Cloudflare Workers, which operates globally on edge servers. When available, requests are served from European data centers. Anthropic's Claude API operates from the United States. Apple iCloud and StoreKit operate globally, governed by Apple's own terms.

Where personal data is transferred outside the European Economic Area or the UK, we rely on the European Commission's Standard Contractual Clauses (SCCs) and each processor's own supplementary safeguards. Cloudflare and Anthropic each publish their SCCs and Data Processing Addenda publicly.

5. Third-party processors

• Anthropic, PBC (San Francisco, USA), processes exam-prep generation requests. Receives the typed subject/topic only. Privacy policy.
• Cloudflare, Inc. (San Francisco, USA; EU data centers), hosts our backend endpoints. Privacy policy.
• Apple Inc., iCloud sync, StoreKit purchases, APNS notifications. Governed by Apple's privacy policy.
• Google LLC (Analytics), used on the speem.app website only, never inside the app, and only after you accept analytics cookies. See our Cookie Policy.

6. Your rights, European Union and United Kingdom

If you are located in the EU, the UK, Switzerland, or another jurisdiction with equivalent laws, you have the right to:

• Access the data we hold that relates to you
• Rectify inaccurate or incomplete data
• Erase your data ("right to be forgotten")
• Port your data in a structured, commonly-used format
• Object to or restrict certain processing
• Withdraw consent at any time where processing relies on consent
• Lodge a complaint with your local supervisory authority (for French users, the CNIL)

Use Settings → Account → Delete Account in the app for immediate erasure, or email contact@speem.app for any other request. We respond within 30 days.

7. Your rights, California (CCPA / CPRA)

If you are a California resident, you have the right to:

• Know what personal information we collect about you
• Delete the personal information we hold about you
• Correct inaccurate personal information
• Limit the use of sensitive personal information (we do not collect any)
• Opt out of the sale or sharing of personal information, we do not sell or share personal information for advertising purposes, and never have
• Be free from retaliation for exercising these rights

To submit a verifiable consumer request, email contact@speem.app. We will verify your identity using the email and Apple account associated with your SPEEM installation before disclosing or deleting data.

8. Your rights, Saudi Arabia (PDPL)

If you are a data subject under Saudi Arabia's Personal Data Protection Law, you have the rights to be informed, to access, to request correction, to request destruction, and to withdraw consent. Contact us at contact@speem.app to exercise these rights. We treat cross-border transfers of Saudi personal data in line with PDPL requirements and the Saudi Data and AI Authority's executive regulations.

9. Children's privacy

SPEEM is designed for students ages 11 and up (middle-school level and above). If you are under 13 (or under the digital-consent age applicable in your jurisdiction, 16 in some EU member states), you must have a parent or guardian's permission before using SPEEM, and a parent or guardian should complete the initial setup.

In line with the US Children's Online Privacy Protection Act (COPPA), we collect no more information from children than is necessary to operate the app (first name + education level), never share children's data with third parties for advertising, and provide parents with a way to review, delete, or stop further collection of their child's data.

Parents and guardians: to review, export, or delete data associated with your child's use of SPEEM, email contact@speem.app. We respond within 14 days and will verify your parental relationship before taking action.

10. Data retention

App data stays on your device and in your iCloud for as long as you keep SPEEM installed and signed into iCloud. Analytics counters on our backend are retained for at most 365 days and then automatically deleted. Deleted account records are permanently removed within 30 days.

11. Security

All network traffic uses HTTPS (TLS 1.2+). We do not store passwords, authentication is handled by Apple via your device and iCloud. Our backend follows industry-standard practices for access control, secret management, and least-privilege credentials. Cloudflare and Anthropic each maintain independent SOC 2 / ISO 27001 certifications.

12. Data breach notification

If a personal data breach affects you, we will notify you without undue delay and within 72 hours of becoming aware where feasible, by email (if available) and by an in-app notice on next launch, and we will notify the relevant supervisory authority (for EU users, the CNIL; for UK users, the ICO; for Saudi users, SDAIA) as required by law.

13. Cookies and similar technologies

Our website uses cookies. The SPEEM app does not. See our Cookie Policy for full details.

14. Changes to this policy

We update this page and the "Last updated" date whenever the policy changes materially. For substantive changes we also announce it in the app's release notes and, where legally required, by email or an in-app notice. Continued use after a change means you accept the revised policy.

15. Contact us

contact@speem.app, we read every message. French, English, and Arabic are all fine. Written mail: SPEEM, Wassim Ansari, France (full address provided on request).