Privacy Policy

Last updated: July 2026

This Privacy Policy explains how Matthew Fabling, a sole trader trading as "Smooth English" ("we", "us", "ActuallySpeak"), collects, uses, shares and protects personal data when you use the ActuallySpeak web app and related pages. We comply with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.

The short version.

We collect the minimum data needed to (1) sign you in by email, (2) score your speaking with AI, (3) process your subscription, and (4) keep in touch about your progress. We do not sell your data. You can delete your account and all associated data at any time by emailing actuallyspeak.help@gmail.com.

1. Who we are

The data controller is Matthew Fabling, a sole trader trading as "Smooth English", United Kingdom, in connection with [Smooth English Company — VERIFY legal entity name and registered address].

Contact: actuallyspeak.help@gmail.com
Postal address for data requests: 4 Earlsburn Road, Lenzie, Glasgow, East Dunbartonshire, Scotland, G66 5PF, United Kingdom

We are not required to appoint a Data Protection Officer; the contact above handles all data protection queries.

2. What we collect

CategoryExamplesWhy
AccountEmail address, sign-in timestampsMagic-link authentication, support
Speaking practiceAudio recording (transcribed then discarded), transcript text, target words attemptedTo score your answer and give feedback
Diagnostic resultsBand score estimate, sub-scores, CEFR level, your written/spoken answersTo show your results page and improve scoring
Onboarding answersYour responses to the goals/pain-points questionsTo personalise the trainer and email guidance
SubscriptionStripe customer ID, subscription status, trial end date, plan tierTo grant/revoke premium access
Usage analyticsPage views, button clicks, A/B variant, country (from IP, not stored)To improve the product (Google Analytics 4)
Community contentPosts, comments, likes, display name and avatarTo show your contributions to other learners in the Academy community
Direct messagesMessage text, sender/recipient, timestampsTo deliver your messages; also for safety moderation (see section 9 on children)
Live class bookingsClass booked, date/time, payment status (via Stripe), attendanceTo reserve your place and email you the class link
Points & gamificationPoints earned, level, leaderboard position, prize/coupon awardsTo run the points, levels, leaderboard and monthly prize features
Minor status & parental consentWhether the learner is under 18, parent/guardian email, date consent was givenTo meet our child-safety and parental-consent obligations

We do not collect: payment card numbers (Stripe handles payment directly), passwords (we use magic-link only), or your real-time location.

Audio recordings: Depending on your browser and the feature you use, your speech is transcribed in one of two ways: (1) in your browser via the built-in Web Speech API, which may send audio to your browser provider (for example Google or Apple) under their own terms; or (2) by sending a short audio clip to our speech-to-text processor (Groq) which converts it to text. In both cases we do not store the raw audio — only the resulting transcript, which is used to score your answer.

3. Legal bases for processing

4. Who we share your data with (sub-processors)

We use the following third-party services to deliver ActuallySpeak. Each is bound by their own privacy and security obligations.

ProcessorWhat they handleWhere
SupabaseDatabase (account, profile, diagnostic, community, messaging, booking, points and subscription data), magic-link email deliveryHosted in Seoul, South Korea (see section 5 on international transfers); some Supabase services EU / US
StripePayment processing, card details (we never see your card number)EU / US
GroqSpeech-to-text transcription (audio → text). Audio is not retained.US
AnthropicAI scoring of your speaking answers (Claude API). Inputs are not used to train models.US
NetlifyWeb hosting and serverless function executionUS
Mailery (self-hosted)Email marketing list management and nurture sequences (our own email system)Our infrastructure
ResendTransactional email delivery (e.g. class links, booking confirmations) — used only when enabledUS
VooV Meeting / Tencent MeetingLive class video delivery. If you attend a live class you join their service directly under their own terms and privacy policy; we share no data with them beyond your attendance via the class linkVaries (Tencent)
PexelsStock images and videos used as practice scenes (no personal data sent)US / DE
Google Analytics 4Anonymised usage analytics (only if you accept cookies)US

5. International transfers

South Korea: our main database (Supabase) is hosted in Seoul, South Korea, which means your account, profile, practice, community, messaging, booking and points data is stored there. The Republic of Korea benefits from UK adequacy regulations, so this transfer is recognised as providing adequate protection under UK GDPR.

Several of our other processors are based in the United States (Stripe, Anthropic, Netlify, Groq, Resend and Google) and in the EU/EEA. The EU/EEA benefits from a UK adequacy decision. The United States does not have full UK adequacy, so where we transfer personal data there we rely on an appropriate safeguard: the UK Extension to the EU–US Data Privacy Framework (the "UK–US Data Bridge") where the processor is certified under it, or the UK International Data Transfer Agreement (IDTA) / the UK Addendum to the EU Standard Contractual Clauses, supported by a transfer risk assessment. You can ask us which safeguard applies to a particular processor by emailing actuallyspeak.help@gmail.com.

Note for users in China: if you use ActuallySpeak from mainland China, please be aware that your personal data is stored and processed outside mainland China (primarily in South Korea, the UK, the EU/EEA and the US, as described above). By using the service you acknowledge this cross-border processing. Live classes are delivered via VooV Meeting / Tencent Meeting, which operates under its own privacy policy.

6. How long we keep your data

Deletion: you can request deletion of your account and all associated data at any time by emailing actuallyspeak.help@gmail.com from the email address on your account. We action deletion requests within 30 days, except where the law requires us to keep specific records (for example billing records for tax purposes).

7. Your rights under UK GDPR

You have the right to: access your data, correct inaccurate data, request deletion, restrict processing, port your data to another service, object to processing based on legitimate interests, and withdraw consent at any time. You also have the right to lodge a complaint with the UK Information Commissioner's Office (ico.org.uk).

To exercise any of these rights, email actuallyspeak.help@gmail.com. We respond within 30 days.

8. Cookies

We use a small number of cookies and similar storage technologies:

You can change your cookie preferences at any time using the banner on first visit or by clearing your browser storage.

9. Children

Learners of any age may use ActuallySpeak, but accounts must be created, owned and paid for by an adult (18 or over). Where a child uses the service, the parent or guardian who holds the account is responsible for supervising that use and consents, on the child's behalf, to our processing of the child's practice data for the purpose of providing feedback.

For children under 13, we require verifiable parental consent before processing their personal data, in line with the UK GDPR and the Data Protection Act 2018. We design any child-facing features in line with the ICO's Age Appropriate Design Code (the "Children's Code"): we minimise the data we collect from children, do not use it for profiling or targeted marketing, and do not sell it. If you believe a child has provided us with personal data without the account-holding adult's consent, contact actuallyspeak.help@gmail.com and we will delete it.

How we record parental consent. Where a learner under 18 has their own profile in the Academy, we record their minor status, the parent or guardian's email address, and the date and time consent was given. We use this information only to demonstrate that consent exists and to contact the parent or guardian about the learner's account where needed.

Messaging safety for minors. Direct messages sent to or from accounts marked as belonging to a minor may be subject to additional oversight and moderation, and messaging may be restricted or disabled for such accounts, to keep younger learners safe.

10. Security

We use HTTPS everywhere, row-level security on our database, signed webhook verification from Stripe, and never expose secret keys to the browser. No system is perfectly secure; if we discover a personal data breach we will notify the ICO within 72 hours where required by law and, where high risk to your rights, notify you directly.

11. Changes to this policy

If we make material changes we will email subscribed users and update the "Last updated" date at the top of this page. Continued use of the service after changes constitutes acceptance.

12. Contact

Matthew Fabling, sole trader trading as "Smooth English"
United Kingdom
actuallyspeak.help@gmail.com