Hanlexon (“we,” “us,” or “our”) operates the website located at www.hanlexon.com and related services (collectively, the “Service”). This Privacy Policy describes how we collect, use, disclose, and safeguard your information when you use our Service. By accessing or using the Service, you agree to the terms of this Privacy Policy.
1. Information We Collect
1.1 Information You Provide
- Account Registration. When you create an account, we collect your email address and a password. Passwords are stored in hashed form and are never accessible in plaintext.
- Profile Information. You may voluntarily provide information such as your learning goals, HSK level, preferred language, and role (student, teacher, parent, or administrator).
- User-Generated Content. Content you create on the Service, including worksheets, vocabulary lists, reading materials, study notes, and feedback submissions. Study materials you create (such as vocabulary lists and reading materials) are shared with the Hanlexon learning community as described in Section 3.
- Payment Information. If you purchase a subscription, payment is processed by our third-party payment processor, Stripe, Inc. We do not store your full payment card number. We retain your Stripe customer identifier, subscription status, and transaction history.
- Communications. If you contact us via email or in-app feedback, we retain the content of your messages to respond to your request and improve the Service.
1.2 Information Collected Automatically
- Learning Activity Data. We collect data about your study activity, including characters studied, mastery levels, review schedules, session duration, and assessment results. This data is essential for our spaced repetition and adaptive learning algorithms.
- Usage Data. We collect information about how you interact with the Service, including pages visited, features used, and performance metrics, for the purpose of improving the Service.
- Device Information. We may collect information about the device you use to access the Service, including browser type, operating system, and screen resolution.
1.3 Information from Third Parties
If you sign in using a third-party service (such as Google or Apple), we receive your name, email address, and profile picture from that service, as authorized by you during the sign-in process. We do not receive or store your third-party password.
2. How We Use Your Information
We use the information we collect for the following purposes:
- To provide, maintain, and improve the Service;
- To personalize your learning experience through adaptive algorithms and content recommendations;
- To enable classroom features, including teacher-student interaction, assignment tracking, and progress reports;
- To enable parent monitoring features for linked student accounts;
- To process payments and manage subscriptions;
- To communicate with you about your account, including password resets, subscription changes, and service announcements;
- To respond to your inquiries and feedback;
- To detect, prevent, and address technical issues and security threats;
- To comply with legal obligations.
3. How We Share Your Information
We do not sell, rent, or trade your personal information. We share your information only in the following limited circumstances:
- Service Providers. We use third-party service providers to process payments (Stripe), host infrastructure (Amazon Web Services), and deliver content. These providers are contractually obligated to protect your data and use it only for the purposes we specify. A current list of sub-processors is available at /v2/schools/privacy.
- Language Processing Services. When you use features such as the tutor, voice conversation, or pronunciation coaching, your input text and audio may be transmitted to third-party service providers for processing. We do not transmit your personal identity information to these providers, and the data transmitted is limited to the content necessary to perform the requested function. Where these providers offer commercial API settings that prohibit the use of submitted content for model training, we configure our integrations to use those settings. We do not authorize providers to use your input to train artificial-intelligence models.
- Shared Study Materials. Vocabulary lists and reading materials you create on the Service are visible to other Hanlexon users. Other users may search for, view, and study from your materials, but they cannot edit or delete them. Your personal information (name, email address, account details) is not attached to or displayed with shared materials. Only the educational content itself is visible.
- Educational Context. If you join a classroom, your teacher may view your learning progress, activity, and assessment results within that class. Linked parent accounts may view their child’s learning progress.
- Legal Requirements. We may disclose your information if required to do so by law, regulation, legal process, or governmental request.
- Business Transfers. In the event of a merger, acquisition, or sale of assets, your information may be transferred as part of that transaction. We will notify you of any such change.
4. Data Security
We implement industry-standard technical and organizational measures to protect your personal information against unauthorized access, alteration, disclosure, or destruction. These measures include encryption of data in transit and at rest, access controls, regular security assessments, and secure software development practices. However, no method of transmission over the Internet or method of electronic storage is completely secure, and we cannot guarantee absolute security.
In the event of a confirmed unauthorized disclosure of personal information that materially affects users, we will notify affected users by email or by prominent in-Service notice without unreasonable delay and no later than seven (7) days after confirmation, unless a stricter timeline is required by an applicable Data Privacy Agreement or law.
Student-to-student interaction features are restricted to within authorized classroom contexts. We do not provide public messaging or open-network social features.
5. Data Retention
We retain your personal information for as long as your account is active or as needed to provide the Service. If you request deletion of your account, we will permanently delete or anonymize your personal data within thirty (30) days, except where retention is required by law or for legitimate business purposes (such as resolving disputes or enforcing our agreements).
6. Children’s Privacy
The Service may be used by children under the age of 13 in educational settings. In such cases, the child’s school or teacher acts as the agent of the parent or guardian for purposes of consent under the Children’s Online Privacy Protection Act (COPPA). We collect only the minimum information necessary to provide the educational service. Parents and guardians may review their child’s information, request deletion, or withdraw consent by contacting us at admin@hanlexon.com.
For users under the age of 18 in the United Kingdom, we follow the principles of the Information Commissioner’s Office (ICO) Age-Appropriate Design Code (Children’s Code).
7. Cookies and Local Storage
We use essential cookies for authentication and security purposes (session management and cross-site request forgery protection). We use browser local storage to save your preferences (such as display theme and study state). We do not use third-party advertising or tracking cookies.
You may control display settings, study preferences, and the visibility of AI-powered features through your Account Settings.
8. Your Rights
Depending on your jurisdiction, you may have the following rights regarding your personal information:
- Access. You may request a copy of the personal information we hold about you.
- Correction. You may request that we correct inaccurate or incomplete personal information.
- Deletion. You may request that we delete your personal information, subject to certain legal exceptions. See Account Deletion below for the standard self-service flow.
- Data Portability. You may request a copy of your data in a structured, machine-readable format.
- Opt-Out. You may opt out of non-essential communications at any time through your account settings.
- Withdraw Consent. Where processing is based on your consent, you may withdraw consent at any time without affecting the lawfulness of prior processing.
To exercise any of these rights, please contact us at admin@hanlexon.com. We will respond to your request within thirty (30) days.
Account Deletion. You can delete your account at any time from Account Settings. After you submit a deletion request, your account enters a 7-day grace period during which you can cancel the request from any sign-in or by clicking the link in the confirmation email. After the grace period, your personal data (profile, learning history, mastery records, recordings, AI conversations, session activity) is permanently deleted from our databases and storage; financial records (payment history, subscription records) are anonymized and retained for legal/tax purposes per applicable law. Educational content you created (vocabulary lists, reading materials, worksheets, classroom materials) may be retained as anonymous, system-owned content for the benefit of other learners, with all attribution to you removed. An administrator reviews retained content and may keep it in the public library or delete it. If you would prefer immediate erasure of all personal data without the 7-day grace period, you may request GDPR Right-to-Erasure mode on the deletion page, and your request will be processed within 24 hours.
9. International Data Transfers
Your information may be processed and stored in the United States or other countries where our service providers operate. By using the Service, you consent to the transfer of your information to countries outside your country of residence, which may have different data protection laws.
Where personal data is transferred outside the United Kingdom or European Economic Area, we rely on Standard Contractual Clauses (SCCs) approved by the European Commission and the UK International Data Transfer Agreement (IDTA), supplemented by transfer impact assessments where required. Personal data of Australian users may be transferred to and stored in the United States; consistent with Australian Privacy Principle 8, we take reasonable steps to ensure overseas recipients comply with the APPs.
10. Changes to This Policy
We may update this Privacy Policy from time to time. If we make material changes, we will notify registered users by email or by posting a prominent notice on the Service. Your continued use of the Service after such changes constitutes your acceptance of the updated Privacy Policy.
11. Educational Institutions and Student Data
When the Service is used by a school, school district, or other educational institution (“Institution”) under a written agreement, the following terms apply to personal information collected from students enrolled through that Institution (“Student Data”):
- Ownership. Student Data remains the property of the Institution and the parents or guardians as applicable. We act as a service provider and “school official” with a legitimate educational interest under the Family Educational Rights and Privacy Act (FERPA), 20 U.S.C. § 1232g.
- Permitted Use. We use Student Data solely to provide the Service to the Institution and its students. We do not use Student Data for advertising, behavioral profiling for non-educational purposes, or sale to any third party.
- AI Processing. Student Data sent to third-party AI providers is limited to the content needed for the requested feature. Where AI providers offer commercial API terms or settings that prohibit the use of submitted content to train models, we configure our integrations accordingly. Specifically: student-submitted text, voice recordings, and generated work product are not used to train AI models. Aggregated, de-identified usage telemetry (counts, latencies, error rates) may be used to improve the Service.
- Sub-processors. We engage carefully selected third-party processors for hosting, payment processing, and AI processing under contractual data-protection terms. A current list of sub-processors is published at /v2/schools/privacy. Material changes (new sub-processor or significant scope change) are subject to thirty (30) days’ notice.
- Breach Notification. In the event of a confirmed unauthorized disclosure of Student Data, we will notify the Institution in writing without unreasonable delay and no later than seven (7) days after confirmation, describing the nature of the incident and the remediation steps taken, unless a stricter timeline is required by an applicable Data Privacy Agreement or law.
- Data Return or Deletion. Upon termination of an Institution agreement, we will, at the Institution’s election, return or permanently delete Student Data within sixty (60) days, except where retention is required by law.
- Compliance with Law. We comply with applicable federal and state student-data laws, including FERPA, the Children’s Online Privacy Protection Act (COPPA), and state laws such as the Illinois Student Online Personal Protection Act (SOPPA, 105 ILCS 85). On request and subject to mutually acceptable terms, we will execute commonly used data privacy addenda, such as the Student Data Privacy Consortium National Data Privacy Agreement (NDPA).
- Data Controller / Processor (UK / EU). For Institution accounts subject to UK GDPR or EU GDPR, the Institution is the Data Controller and Hanlexon is the Data Processor under Article 28. Our data processing terms are available in our pre-signed Data Processing Agreement at /v2/schools/privacy.
- Australia. For Australian Institution accounts, we comply with the Australian Privacy Principles (APPs) under the Privacy Act 1988 (Cth) and applicable state-level privacy laws (NSW Privacy and Personal Information Protection Act 1998; Victorian Privacy and Data Protection Act 2014; Queensland Information Privacy Act 2009).
For institutional inquiries, sub-processor lists, or data privacy addenda, please use our Schools & Institutions inquiry form or email admin@hanlexon.com.
12. Contact Us
If you have questions or concerns about this Privacy Policy or our data practices, please contact us:
Hanlexon LLC
Email: admin@hanlexon.com
UK / EU Representative (GDPR Article 27). Hanlexon LLC is established in the United States and does not maintain a physical establishment in the United Kingdom or the European Economic Area. We will appoint a UK / EU Representative under UK GDPR Article 27 / EU GDPR Article 27 upon request from any UK or EU institutional customer or data subject, and we will update this section with the Representative’s contact details. In the meantime, UK and EU data subjects and institutional buyers may contact us at admin@hanlexon.com for any privacy-related inquiry.