Home
Privacy Policy

How Tilingu handles your data

Last updated: May 26, 2026

Plain-language summary

  • We collect the minimum we need to run the service — your email, your saved words, your study progress.
  • We do not sell your data. We do not share your email or any personal information with any third-party company.
  • The Chrome extension only activates when you Alt-click, right-click, or press Alt+D. It never reads pages on its own.
  • You can delete your entire account (and everything in it) anytime from Settings → Account.
  • Questions? hello@tilingu.com

1. Who we are

Tilingu ("we", "us") operates the website at tilingu.com and the Tilingu Chrome extension distributed via the Chrome Web Store. This policy explains what data we collect through both surfaces, how we use it, and the choices you have.

2. Data we collect (web app)

When you create an account and use Tilingu on the web, we store:

  • Account basicsemail address, display name, password hash (managed by Supabase Auth; we never see the plaintext password).
  • Learning preferenceschosen CEFR level, exam mode (IELTS/TOEFL/YDS/YÖKDİL/General), daily goal, learning pace, language.
  • Your vocabularythe words you add, their definitions, examples, IPA, audio URLs, and tags.
  • Progress dataspaced-repetition state per word (ease factor, intervals, mastery score), session history, daily streak.
  • AI-generated artifactschat session transcripts, end-of-session reports, fill-in-the-blank attempts, writing submissions you create on the site.
  • Feedback & contact submissionsthe message you send through the Help / Feedback / Contact form (with the page URL if you ticked "include current page URL").
  • Operational logstimestamps of AI calls (for rate limiting and abuse prevention), last-active timestamp, basic browser user-agent string for support purposes.

We do not collect: your browsing history, your location, your contacts, payment information (no payment infra yet), or any biometric data.

3. Chrome extension — what it sees and what it doesn't

The Tilingu browser extension is a thin client that connects your Chrome to your Tilingu account. By design it is passive: it does not run on a page until you explicitly invoke it.

What triggers it

  • You hold Alt and click a word.
  • You select text and choose "Look up in Tilingu" from the right-click menu.
  • You select text and press Alt+D.
  • You open the extension popup from the toolbar (to sign in or open a Tilingu page).

What it sends

  • The single word you tapped — looked up against a public dictionary endpoint that does not receive your account info.
  • If you click "Add Selected": that word plus the meanings you ticked, sent to your Tilingu account.
  • Your authentication token, on every backend request, so we know it's really you.

What it does NOT do

  • It does not read or transmit page contents.
  • It does not track which sites you visit.
  • It does not run on pages where you don't interact with it.
  • It does not inject ads.
  • It does not load remote scripts.

Where the extension stores data locally

The extension uses chrome.storage.sync to remember your Tilingu user ID, email, theme preference, and the day's lookup/add count (for the daily limit). This is synced via your Chrome profile — not via Tilingu's servers — and is deleted when you uninstall the extension or click "Sign Out" inside the popup.

4. How we use your data

  • To run the core features you signed up for (saving words, generating exercises, scheduling spaced repetition, AI conversation practice).
  • To enforce per-account daily limits and prevent abuse of our AI quota.
  • To respond to your help / feedback / contact requests.
  • To notify you about events on your account (e.g. someone subscribed to a word pack you created).
  • To send transactional emails: email confirmation, password reset.
  • To improve the product in aggregate (e.g. which features get used). We do not build per-user behavioural profiles.

5. Sharing & third parties

We do not share your email, name, or any other personal information with any third-party company. We do not sell your data. We do not share it with advertisers. Standard infrastructure providers (hosting, database) process data only to deliver the service — they cannot access your account contents and are bound by their own data-processing agreements with us.

6. Storage & security

  • Data is stored in a managed Postgres database, encrypted at rest with AES-256.
  • All traffic between you and Tilingu runs over TLS.
  • Passwords are hashed using bcrypt. We never see your plaintext password.
  • Database access is gated by Row-Level Security policies so each user can only see their own rows.
  • We keep operational backups for 7 days. Account-deletion requests purge from backups within 30 days.

7. Your rights & deletion

You can:

  • Accessview your words in /vocabulary, your progress in /stats, and your settings in /settings.
  • Correctdisplay name, exam mode, daily goal and all other preferences are editable from /settings.
  • Exportemail us at hello@tilingu.com and we will send you a JSON dump of your account data within 30 days.
  • Deletego to Settings → Account → Delete account. Everything you created (profile, words, progress, feedback, chat history) is removed via cascade. The Chrome extension stops working immediately since it can no longer authenticate.
  • Object / restrict / withdraw consent(EU/EEA/UK users under GDPR) — contact us and we will action your request within the statutory window.

8. Cookies & local storage

  • Auth cookies — keep you signed in across page refreshes.
  • Language cookie (tilingu-lang) — remembers whether you picked English, Turkish or German.
  • Theme + onboarding state (browser localStorage) — light/dark preference and whether you've completed the first-time tour.
  • Goal progress cache (browser localStorage) — speeds up the daily-goal ring in the navbar.

None of these are used for cross-site tracking or advertising.

9. Children's privacy

Tilingu is not directed at children under 13 (under 16 in the EEA/UK). We do not knowingly collect personal data from anyone in that age group. If you believe a child has signed up, email us at hello@tilingu.com and we will delete the account.

10. International transfers

Tilingu is operated from Turkey. Our hosting providers operate globally. Where data crosses borders, we rely on standard contractual clauses or the providers' own certified transfer mechanisms.

11. Changes to this policy

We will update this page when something material changes (new data type, new feature that collects user input). The "Last updated" date at the top reflects the latest revision. For substantial changes we will also email signed-in users at least 30 days in advance.

12. Contact

Questions, complaints, or data requests: write to or use the contact form. We respond within 7 days for general questions, 30 days for formal data-protection requests.hello@tilingu.com / /contact.

© 2026 Tilingu · Privacy Policy