Privacy Policy

1. INTRODUCTION AND SCOPE

1.1 Limeslime Ltd (“we”, “us”, “our”) is committed to protecting the privacy and personal data of users of the Endlessly mobile application (“App”). This Privacy Policy describes how we collect, use, disclose, and protect your personal data, and explains the rights you have in relation to that data.

1.2 This Privacy Policy applies to all users of the App, including visitors to our website at endlessly.io and users of any related services. It should be read together with our Terms of Service and Cookie Policy, which are incorporated herein by reference.

1.3 We are registered with the Information Commissioner’s Office (ICO) under the Data Protection Act 2018. ICO Registration Number: 00013253909

1.4 If you have any questions about this Privacy Policy or how we handle your personal data, please contact us at legal@endlessly.io.

1.5 The App is intended for users who are at least 13 years old (or the applicable minimum age in your jurisdiction). If you are under the applicable minimum age, you may only use the App with verified parental or guardian consent.

2. DATA CONTROLLER

2.1 For the purposes of the UK General Data Protection Regulation (“UK GDPR”), the Data Protection Act 2018, and the Data (Use and Access) Act 2025 (“DUAA 2025”), the data controller is:

2.2 The DUAA 2025 updates and supplements the UK GDPR framework, including by reinforcing data protection requirements for services accessible to children (as reflected in Section 6 of this Policy). Our processing activities comply with all three instruments.

2.3 Our Data Protection Officer (DPO) can be contacted at legal@endlessly.io for all data protection queries, Subject Access Requests, and data rights exercises.

3. PERSONAL DATA WE COLLECT

3.1 Data You Provide Directly

When you create an account and use the App, we collect the following data that you provide to us:

3.2 Data Collected Automatically

When you use the App, we automatically collect certain technical and usage data:

3.3 Data from Third Parties

We may receive personal data from third parties in the following circumstances:

• Social Login: If you sign in via Apple, Google, or Facebook, we receive your name and email address from that provider, subject to your settings with that provider.
• App Stores: Apple App Store and Google Play Store may provide limited purchase and subscription data in connection with your in-app purchases.
• Analytics Providers: We may receive aggregated or pseudonymised analytics data from providers such as Firebase and Mixpanel.
• AI Service Providers: When you use AI features, our AI providers may return data about your interaction for processing and feedback purposes.

3.4 Mandatory and Optional Data

3.4.1 Some personal data is required to provide the App and our contractual obligations to you. Other data is optional. The table below summarises which data is mandatory for core service delivery and what happens if you choose not to provide it:

4. HOW WE USE YOUR PERSONAL DATA

4.1 We use your personal data for the following purposes, on the corresponding legal bases:

4.2 We will not use your personal data for any purpose incompatible with the purposes described above without first notifying you and, where required by law, obtaining your consent.

4.3 Where we rely on legitimate interests as our legal basis, we have balanced our interests against your rights and freedoms. Our legitimate interests in analytics and product improvement, fraud prevention, and security monitoring do not override your interests because: (a) the processing is limited to pseudonymised or aggregated data where possible; (b) you have meaningful controls via App Settings > Privacy; (c) the processing is reasonably expected in the context of a digital service; and (d) you have the right to object at any time by contacting legal@endlessly.io.

5. AI FEATURES AND DATA PROCESSING

5.1 The App incorporates artificial intelligence and machine learning features including AI conversation partners, speech recognition, pronunciation analysis, and adaptive learning algorithms.

5.2 When you interact with AI features, your text inputs and audio recordings are transmitted to and processed by our third-party AI service providers. These may include providers such as Microsoft Azure, OpenAI, Google Cloud, and Amazon Web Services. These providers:

• Process your inputs in real time to generate responses and feedback
• May retain copies of your inputs for purposes such as quality assurance, safety monitoring, and AI model improvement, subject to the maximum retention periods set out in our data processing agreements with them
• Are bound by data processing agreements that require them to protect your personal data, process data only on our instructions, and comply with applicable data protection law

5.3 Please do not submit sensitive personal information (such as financial data, passwords, or sensitive health information) when using AI conversation features.

5.4 Audio recordings made for pronunciation practice are processed by speech recognition providers. Where audio is stored, it is retained for the period described in Section 9 and you have the right to request deletion at any time.

5.5 Links to the privacy policies of our key AI providers:

• Microsoft Azure: https://privacy.microsoft.com
• OpenAI: https://openai.com/privacy
• Google Cloud: https://cloud.google.com/terms/cloud-privacy-notice
• Amazon Web Services: https://aws.amazon.com/privacy

5.6 AI Features and Child Accounts

5.6.1 For users identified as children, AI feature data processing is subject to the following additional restrictions, consistent with the ICO Children’s Code and COPPA:

• AI interaction data from child accounts is used solely to provide the requested in-app language feedback and is not used for profiling, behavioural advertising, or any commercial purpose
• We configure our AI service provider integrations to disable persistent model training on data from child accounts where such configuration is technically available
• Audio recordings from children’s pronunciation practice are processed in real time and are not retained beyond the 90-day maximum period set out in Section 10
• AI conversation data from child accounts is not shared with third parties except as strictly necessary to deliver the in-app service

5.6.2 The App’s AI conversation features do not enable users to share AI-generated content with other users or to encounter content generated by other users. The AI Features therefore do not constitute a ‘user-to-user service’ within the meaning of the Online Safety Act 2023, section 3.

6. CHILDREN’S PRIVACY

6.1 Enhanced Protections for Child Users

6.1.1 We take the privacy of children very seriously. Where a user is identified as a child (under the applicable minimum age in their jurisdiction), the following enhanced protections apply:

• High privacy settings are applied by default and cannot be reduced by the child
• No behavioural profiling, targeted advertising, or data-driven personalisation based on personal characteristics
• Geolocation (beyond country-level IP detection) is disabled
• No social features that could expose child users to unknown adults
• Minimum data collection necessary to provide the core educational service
• No sharing of children’s personal data with third parties for commercial purposes
• No use of children’s User Content for marketing or promotional purposes, regardless of parental consent
• Child-friendly privacy notices provided separately within the App

6.2 Age Assurance

6.2.1 We use a risk-based age assurance approach to identify child users. This goes beyond simple self-declaration of age and includes:

• Date-of-birth declaration at registration, with automatic flagging of accounts where the declared age indicates the user may be a child
• Contextual signals including device type and app store age restriction settings, which provide additional indicators of user age
• Automatic application of child-appropriate defaults where age-related risk indicators are present, pending verification

6.2.2 We do not rely solely on self-declaration of age. Where contextual signals indicate a user may be a child, child-appropriate protections are applied automatically regardless of the declared age.

6.3 Children’s Data Protection Impact Assessments

6.3.1 In accordance with ICO Children’s Code Standard 15 and UK GDPR Article 35, we conduct Data Protection Impact Assessments (DPIAs) before launching new features or making significant changes to existing features that involve the processing of children’s personal data. Summaries of completed DPIAs are available upon request at legal@endlessly.io.

6.4 Age Requirements and Parental Consent

6.5 Parental Rights

6.5.1 Parents and guardians of child users may at any time: review personal data collected from their child; request correction or deletion; revoke consent; and refuse further data collection. Contact legal@endlessly.io. Upon receiving a verified parental deletion request, we will respond and action the request in accordance with the timeframes set out in Section 12.1 (without undue delay and in any event within one calendar month), subject to legal retention obligations.

7. COOKIES AND TRACKING TECHNOLOGIES

7.1 We use cookies, SDKs, and similar tracking technologies in the App and on our website. These fall into the following categories:

7.2 You can manage your cookie and tracking preferences at any time via App Settings > Privacy. You may withdraw consent for non-essential cookies without affecting your use of core App features.

7.3 Our full Cookie Policy, listing all SDKs, trackers, and third-party tools used in the App, is available at https://endlessly.io/cookie-policy.

7.4 Do-Not-Track (DNT): Some browsers and devices offer a Do-Not-Track (“DNT”) signal. We currently do not alter our data collection practices in response to DNT signals. This is because no uniform technical standard for interpreting DNT has been established, and DNT does not carry legal recognition under any applicable law. You can manage your privacy preferences directly through our in-app privacy settings.

7.5 Global Privacy Control (GPC) — California Residents: Unlike DNT, the Global Privacy Control (“GPC”) signal has legal recognition under the California Privacy Rights Act (CPRA), Cal. Civ. Code §1798.135(d). We honour the GPC signal as a valid opt-out request from California residents. If your browser or device transmits a GPC signal, we will treat it as a request to opt out of the sharing of your personal information for cross-context behavioural advertising. Note: DNT and GPC are technically distinct signals with different legal statuses. Our different treatment of each reflects this legal distinction and is not inconsistent.

8. HOW WE SHARE YOUR PERSONAL DATA

8.1 We do not sell your personal data. We share personal data only in the following circumstances:

8.2 All third-party processors with whom we share personal data are bound by Data Processing Agreements (DPAs) requiring them to process data only on our instructions, implement appropriate security measures, and comply with applicable data protection law.

8.3 A full list of our sub-processors is available upon request at legal@endlessly.io.

9. INTERNATIONAL DATA TRANSFERS

9.1 Our primary operations are based in the United Kingdom. However, our infrastructure, third-party service providers, and AI partners are located in multiple countries including the United Kingdom, United States, Canada, Netherlands, Germany, and other countries.

9.2 By using the App, you acknowledge and understand that your personal data may be transferred to and processed in these jurisdictions. We take steps to ensure your data is handled securely regardless of where it is processed, including through the use of UK International Data Transfer Agreements (IDTAs) and other appropriate contractual safeguards where required by UK GDPR. The legal basis for international transfers is the use of IDTAs and other appropriate safeguards as described in § 9.3 below, not consent.

9.3 If you are a UK resident and your personal data is transferred outside the UK, we ensure appropriate safeguards are in place in accordance with UK GDPR Chapter 5. You may request details of the applicable transfer safeguards by contacting legal@endlessly.io.

10. DATA RETENTION

10.1 We retain personal data only for as long as necessary for the purposes for which it was collected, or as required by applicable law. Our retention periods are:

10.2 When your data is no longer required, we will securely delete or anonymise it. Where immediate deletion is not technically practicable (e.g., in backup systems), we will isolate the data from further processing until it can be deleted. Backup systems are typically purged within 90 days.

11. DATA SECURITY

11.1 We implement appropriate technical and organisational measures to protect your personal data. These include:

• Encryption of data in transit using TLS 1.2 or higher
• Encryption of data at rest using AES-256 or equivalent standards
• Passwords stored as salted hashes (bcrypt or equivalent) — plaintext passwords are never stored
• Access controls limiting employee access to personal data on a need-to-know basis
• Regular security testing, vulnerability assessments, and penetration testing
• Incident response procedures and a 72-hour breach notification process to the ICO where required by UK GDPR
• Multi-factor authentication for internal systems

11.2 While we take all reasonable steps to protect your data, no system is entirely secure. You are responsible for keeping your account credentials confidential and notifying us immediately if you suspect unauthorised account access.

11.3 In the event of a personal data breach, we will notify the ICO within 72 hours where required by UK GDPR Art. 33. Where a breach is likely to result in a high risk to your rights and freedoms, we will also notify you directly without undue delay, in accordance with UK GDPR Art. 34, describing the nature of the breach, its likely consequences, and the measures we are taking to address it.

12. YOUR DATA RIGHTS

12.1 Subject to applicable law, you have the following rights in relation to your personal data. To exercise any right, submit a request to legal@endlessly.io. We will respond without undue delay and in any event within one calendar month of receipt, in accordance with UK GDPR Art. 12(3). For complex or multiple requests, we may extend this period by up to two further calendar months (three calendar months total from receipt). We will notify you of any extension within the initial calendar month, with reasons for the delay.

12.2 We will not charge a fee for exercising your rights unless a request is manifestly unfounded or excessive. We may need to verify your identity before processing your request.

13. AUTOMATED DECISION-MAKING AND PROFILING

13.1 We use automated systems to personalise your learning experience, including adaptive lesson sequencing, difficulty adjustments based on performance, and personalised review schedules. These processes are designed to improve your learning outcomes and do not produce legal or similarly significant effects on you.

13.2 We do not use automated decision-making that produces significant legal effects without human review. If we introduce any such processing in future, we will update this Policy and provide the required information under UK GDPR Art. 22.

13.3 We do not engage in profiling of child users for advertising or any commercial purpose.

14. REGIONAL ADDENDA

14.1 United Kingdom

14.1.1 Our processing of UK users’ personal data is subject to the UK General Data Protection Regulation (“UK GDPR”), the Data Protection Act 2018, and the Data (Use and Access) Act 2025 (“DUAA 2025”). The DUAA 2025 supplements the UK GDPR framework and reinforces data protection requirements for services accessible to children, as reflected in Section 6 of this Policy. You have the right to lodge a complaint with the Information Commissioner’s Office (ICO) at ico.org.uk/make-a-complaint.

14.2 United States

California (CCPA/CPRA): California residents have the following rights: (a) Right to Know — what personal information we collect, use, and disclose; (b) Right to Delete — request deletion of personal information; (c) Right to Correct — request correction of inaccurate personal information; (d) Right to Opt-Out — we do not sell or share personal information for cross-context behavioural advertising; (e) Right to Non-Discrimination — we will not discriminate against you for exercising your rights. Submit CCPA/CPRA requests to legal@endlessly.io.

14.2.2 Categories of personal information collected in the past 12 months:

Virginia (VCDPA): Virginia residents have the right to access, correct, delete, and obtain a copy of their personal data, and to opt out of targeted advertising and profiling. Submit requests to legal@endlessly.io. If we decline your request, you may appeal by contacting us; if your appeal is denied, you may contact the Virginia Attorney General.

COPPA: We comply fully with the Children’s Online Privacy Protection Act for users under 13. See Section 6 for full details.

DMCA: To submit a DMCA takedown notice or counter-notice, contact legal@endlessly.io.

Biometric Data Notice: In states with biometric privacy laws (including Illinois BIPA — 740 ILCS 14/ — and Texas TBIA), voice recordings used for pronunciation feedback may constitute biometric data. We collect voice data solely to provide pronunciation feedback and do not sell or share biometric data for commercial purposes. You may opt out of voice features at any time via App Settings, which will limit certain pronunciation feedback functionality.

Illinois Residents — Written Release (BIPA §15(b)): Before your first use of pronunciation or voice features, US users will be presented with a dedicated written disclosure screen that sets out: (a) the fact that we are collecting biometric data (voice recordings); (b) the specific purpose of collection (pronunciation feedback only); and (c) the retention period (maximum 90 days). You will be asked to provide a written release by tapping a dedicated confirmation button on that screen. This consent is recorded separately from your general account agreement and includes a timestamp, the version of the disclosure text presented, and your device platform. You may not use pronunciation features until this written release has been given. This flow is required by 740 ILCS 14/15(b) and is separate from your acceptance of our Terms of Service.

Biometric Data Retention Schedule and Destruction Policy (BIPA §15(a)): Voice recordings collected for pronunciation practice are retained for a maximum of 90 days from the date of collection (see Section 10). Upon expiry of this retention period, or upon your opt-out or account deletion request, biometric data is permanently and irreversibly destroyed. We do not sell, lease, trade, or profit from biometric data. This retention schedule and destruction policy is made publicly available in accordance with the Illinois Biometric Information Privacy Act. For a copy of our full biometric data policy, contact legal@endlessly.io.

California Complaint Unit: If any complaint with us is not satisfactorily resolved, you can contact the Complaint Assistance Unit of the Division of Consumer Services of the California Department of Consumer Affairs at 1625 North Market Blvd., Suite N112, Sacramento, California 95834, or by telephone at (800) 952-5210.

14.3 Canada

14.3.1 For Canadian users, we comply with the Personal Information Protection and Electronic Documents Act (PIPEDA) and applicable provincial privacy legislation, including Quebec’s Act respecting the protection of personal information in the private sector (Law 25).

14.3.2 You have the right to access and correct your personal information. To exercise these rights, contact our privacy officer at legal@endlessly.io.

14.3.3 We collect, use, and disclose your personal information only with your knowledge and consent, except as permitted or required by law.

14.3.4 Quebec residents: Privacy impact assessments are conducted for new processing activities involving personal information, in accordance with Law 25 requirements.

14.4 Other Jurisdictions

14.4.1 The App is available globally. Users accessing the App from jurisdictions not specifically addressed above do so on their own initiative and are responsible for compliance with applicable local privacy laws. We comply with applicable local laws in the jurisdictions where we operate to the extent required.

14.4.2 EU GDPR — Article 27 Representative: Limeslime Ltd is a UK-based data controller. The App may be accessed by users in European Union member states. If we process personal data of individuals in the EU on a non-occasional basis, or process special categories of data at scale, we may be required to designate a representative in the EU under EU GDPR Article 27. We are currently assessing whether the volume and nature of EU user data we process triggers this obligation, and we will update this Policy once that assessment is complete. We have committed to reviewing this obligation when our active EU user base reaches a material scale (currently set at 1,000 active EU users), or earlier if we become aware that our EU processing is otherwise non-occasional. If you are an EU resident and have questions about the legal basis for processing your data or how to exercise your EU GDPR rights, please contact us at legal@endlessly.io and we will respond in accordance with applicable EU data protection law.

14.4.3 If you have questions about your rights under local law, please contact us at legal@endlessly.io.

15. CHANGES TO THIS PRIVACY POLICY

15.1 We may update this Privacy Policy from time to time. Material changes will be notified via in-app notification and/or email at least 30 days before they take effect. The date of the most recent revision is displayed at the top of this document.

15.2 Your continued use of the App after the effective date of any update constitutes acceptance of the revised Policy. If you do not agree to the revised Policy, you may request deletion of your account.

15.3 Previous versions of this Privacy Policy are available upon request at legal@endlessly.io.

16. CONTACT AND COMPLAINTS

16.1 For questions, concerns, or data rights requests:

16.2 If you are not satisfied with our response, you have the right to lodge a complaint with the Information Commissioner’s Office (ICO) at ico.org.uk/make-a-complaint, or with the relevant supervisory authority in your jurisdiction.

16.3 We are registered with the Information Commissioner’s Office (ICO) under the Data Protection Act 2018. ICO Registration Number: 00013253909.

Limeslime Ltd — Privacy Policy v2.7 — Effective 20 February 2026 | Last Revised 23 February 2026