This Privacy Policy explains how Matthew Fabling, a sole trader trading as "Smooth English" ("we", "us", "ActuallySpeak"), collects, uses, shares and protects personal data when you use the ActuallySpeak web app and related pages. We comply with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.
We collect the minimum data needed to (1) sign you in by email, (2) score your speaking with AI, (3) process your subscription, and (4) keep in touch about your progress. We do not sell your data. You can delete your account and all associated data at any time by emailing actuallyspeak.help@gmail.com.
The data controller is Matthew Fabling, a sole trader trading as "Smooth English", United Kingdom, in connection with [Smooth English Company — VERIFY legal entity name and registered address].
Contact: actuallyspeak.help@gmail.com
Postal address for data requests: 4 Earlsburn Road, Lenzie, Glasgow, East Dunbartonshire, Scotland, G66 5PF, United Kingdom
We are not required to appoint a Data Protection Officer; the contact above handles all data protection queries.
| Category | Examples | Why |
|---|---|---|
| Account | Email address, sign-in timestamps | Magic-link authentication, support |
| Speaking practice | Audio recording (transcribed then discarded), transcript text, target words attempted | To score your answer and give feedback |
| Diagnostic results | Band score estimate, sub-scores, CEFR level, your written/spoken answers | To show your results page and improve scoring |
| Onboarding answers | Your responses to the goals/pain-points questions | To personalise the trainer and email guidance |
| Subscription | Stripe customer ID, subscription status, trial end date, plan tier | To grant/revoke premium access |
| Usage analytics | Page views, button clicks, A/B variant, country (from IP, not stored) | To improve the product (Google Analytics 4) |
| Community content | Posts, comments, likes, display name and avatar | To show your contributions to other learners in the Academy community |
| Direct messages | Message text, sender/recipient, timestamps | To deliver your messages; also for safety moderation (see section 9 on children) |
| Live class bookings | Class booked, date/time, payment status (via Stripe), attendance | To reserve your place and email you the class link |
| Points & gamification | Points earned, level, leaderboard position, prize/coupon awards | To run the points, levels, leaderboard and monthly prize features |
| Minor status & parental consent | Whether the learner is under 18, parent/guardian email, date consent was given | To meet our child-safety and parental-consent obligations |
We do not collect: payment card numbers (Stripe handles payment directly), passwords (we use magic-link only), or your real-time location.
Audio recordings: Depending on your browser and the feature you use, your speech is transcribed in one of two ways: (1) in your browser via the built-in Web Speech API, which may send audio to your browser provider (for example Google or Apple) under their own terms; or (2) by sending a short audio clip to our speech-to-text processor (Groq) which converts it to text. In both cases we do not store the raw audio — only the resulting transcript, which is used to score your answer.
We use the following third-party services to deliver ActuallySpeak. Each is bound by their own privacy and security obligations.
| Processor | What they handle | Where |
|---|---|---|
| Supabase | Database (account, profile, diagnostic, community, messaging, booking, points and subscription data), magic-link email delivery | Hosted in Seoul, South Korea (see section 5 on international transfers); some Supabase services EU / US |
| Stripe | Payment processing, card details (we never see your card number) | EU / US |
| Groq | Speech-to-text transcription (audio → text). Audio is not retained. | US |
| Anthropic | AI scoring of your speaking answers (Claude API). Inputs are not used to train models. | US |
| Netlify | Web hosting and serverless function execution | US |
| Mailery (self-hosted) | Email marketing list management and nurture sequences (our own email system) | Our infrastructure |
| Resend | Transactional email delivery (e.g. class links, booking confirmations) — used only when enabled | US |
| VooV Meeting / Tencent Meeting | Live class video delivery. If you attend a live class you join their service directly under their own terms and privacy policy; we share no data with them beyond your attendance via the class link | Varies (Tencent) |
| Pexels | Stock images and videos used as practice scenes (no personal data sent) | US / DE |
| Google Analytics 4 | Anonymised usage analytics (only if you accept cookies) | US |
South Korea: our main database (Supabase) is hosted in Seoul, South Korea, which means your account, profile, practice, community, messaging, booking and points data is stored there. The Republic of Korea benefits from UK adequacy regulations, so this transfer is recognised as providing adequate protection under UK GDPR.
Several of our other processors are based in the United States (Stripe, Anthropic, Netlify, Groq, Resend and Google) and in the EU/EEA. The EU/EEA benefits from a UK adequacy decision. The United States does not have full UK adequacy, so where we transfer personal data there we rely on an appropriate safeguard: the UK Extension to the EU–US Data Privacy Framework (the "UK–US Data Bridge") where the processor is certified under it, or the UK International Data Transfer Agreement (IDTA) / the UK Addendum to the EU Standard Contractual Clauses, supported by a transfer risk assessment. You can ask us which safeguard applies to a particular processor by emailing actuallyspeak.help@gmail.com.
Note for users in China: if you use ActuallySpeak from mainland China, please be aware that your personal data is stored and processed outside mainland China (primarily in South Korea, the UK, the EU/EEA and the US, as described above). By using the service you acknowledge this cross-border processing. Live classes are delivered via VooV Meeting / Tencent Meeting, which operates under its own privacy policy.
Deletion: you can request deletion of your account and all associated data at any time by emailing actuallyspeak.help@gmail.com from the email address on your account. We action deletion requests within 30 days, except where the law requires us to keep specific records (for example billing records for tax purposes).
You have the right to: access your data, correct inaccurate data, request deletion, restrict processing, port your data to another service, object to processing based on legitimate interests, and withdraw consent at any time. You also have the right to lodge a complaint with the UK Information Commissioner's Office (ico.org.uk).
To exercise any of these rights, email actuallyspeak.help@gmail.com. We respond within 30 days.
We use a small number of cookies and similar storage technologies:
You can change your cookie preferences at any time using the banner on first visit or by clearing your browser storage.
Learners of any age may use ActuallySpeak, but accounts must be created, owned and paid for by an adult (18 or over). Where a child uses the service, the parent or guardian who holds the account is responsible for supervising that use and consents, on the child's behalf, to our processing of the child's practice data for the purpose of providing feedback.
For children under 13, we require verifiable parental consent before processing their personal data, in line with the UK GDPR and the Data Protection Act 2018. We design any child-facing features in line with the ICO's Age Appropriate Design Code (the "Children's Code"): we minimise the data we collect from children, do not use it for profiling or targeted marketing, and do not sell it. If you believe a child has provided us with personal data without the account-holding adult's consent, contact actuallyspeak.help@gmail.com and we will delete it.
How we record parental consent. Where a learner under 18 has their own profile in the Academy, we record their minor status, the parent or guardian's email address, and the date and time consent was given. We use this information only to demonstrate that consent exists and to contact the parent or guardian about the learner's account where needed.
Messaging safety for minors. Direct messages sent to or from accounts marked as belonging to a minor may be subject to additional oversight and moderation, and messaging may be restricted or disabled for such accounts, to keep younger learners safe.
We use HTTPS everywhere, row-level security on our database, signed webhook verification from Stripe, and never expose secret keys to the browser. No system is perfectly secure; if we discover a personal data breach we will notify the ICO within 72 hours where required by law and, where high risk to your rights, notify you directly.
If we make material changes we will email subscribed users and update the "Last updated" date at the top of this page. Continued use of the service after changes constitutes acceptance.
Matthew Fabling, sole trader trading as "Smooth English"
United Kingdom
actuallyspeak.help@gmail.com