Legal

Privacy Policy

How StartDutch collects, uses, and protects your personal data.

Last updated: 1 January 2026  ยท  Governed by Dutch law (GDPR)

Contents

1. Who We Are
2. What We Collect
3. How We Use Your Data
4. Payments & PayPal
5. Analytics & Cookies
6. How We Keep You Safe
7. Your GDPR Rights
8. Data Retention
9. Third-Party Partners
10. Children's Privacy
11. Policy Updates
12. Contact Us

Who We Are

StartDutch is an online Dutch vocabulary learning application operated by Pinuno, a software and education products company. In this policy, "StartDutch", "we", "us", or "our" refers to Pinuno as the data controller for all personal information collected through startdutch.app.

We respect your privacy and are committed to protecting your personal data in accordance with the General Data Protection Regulation (GDPR) and Dutch privacy law. We process personal data only when we have a lawful basis to do so.

What We Collect

Account Information
  • Username and email address
  • Password (stored as a one-way hash โ€” never readable)
  • Language preference
  • Registration date
Learning Data
  • Words practiced and accuracy per word
  • Dictation answers (correct and incorrect)
  • Practice streak and daily goal progress
  • Resume position in the word list
Subscription Data
  • Active plan (free / monthly / yearly)
  • Subscription start and expiry dates
  • PayPal order reference number (no card details)
Technical Data (when you accept analytics)
  • IP address (used only for security)
  • Browser type and device information
  • Pages visited and time on page
  • reCAPTCHA bot-detection score
We do not collect: payment card details (handled entirely by PayPal), your real name, phone number, or any data unrelated to Dutch language learning.

How We Use Your Data

We only use your information for the following purposes:

Delivering the Learning App
  • Show your personalised vocabulary list
  • Track your progress and resume dictation
  • Prioritise words you find difficult
  • Calculate accuracy, streak, and XP
Security & Account Management
  • Authenticate you on login
  • Send password reset emails
  • Prevent automated abuse (reCAPTCHA)
  • Keep your account and data secure
Subscription & Billing
  • Activate and manage your Premium plan
  • Verify PayPal payment confirmation
  • Handle cancellations and renewals
Service Improvement (with your consent)
  • Understand how learners use the app
  • Fix bugs and improve performance
  • Develop new vocabulary and features

We never use your data for advertising, and we never sell or rent it to third parties.

Payments & PayPal

Premium subscriptions are processed through PayPal (Europe) S.ร  r.l. et Cie, S.C.A.. When you click "Subscribe", you are redirected to PayPal's secure payment page. StartDutch never sees or stores your card number, bank details, or full billing address.

After a successful payment, PayPal sends us a transaction reference number and confirmation of payment. We store only this reference alongside your plan type and expiry date โ€” the minimum needed to activate and manage your subscription.

PayPal's own privacy policy applies to the checkout experience. See paypal.com/privacy.

Analytics & Cookies

We use Google Analytics 4 (GA4) to understand how learners use StartDutch. GA4 only loads if you click Accept on the cookie banner. If you decline (or never respond), no analytics data is sent. This choice is stored in your browser's local storage and you can change it at any time by clearing your browser data.

We use Google reCAPTCHA Enterprise on registration, login, and contact forms to distinguish human visitors from bots. reCAPTCHA collects hardware and software information and sends it to Google for analysis. This operates under Google's Privacy Policy.

Strictly Necessary Cookies

Session cookie (keeps you logged in), CSRF token (security). These cannot be disabled โ€” without them the app does not function.

Analytics Cookies (optional)

GA4 cookies set only after you accept the banner. They collect anonymised usage data. You can decline these with no loss of functionality.

How We Keep You Safe

Your security matters to us. Here is what we do to protect your data:

Technical Measures
  • HTTPS / TLS encryption on all connections
  • Passwords hashed with bcrypt (never stored in plain text)
  • Password reset tokens expire after 1 hour
  • CSRF protection on all forms
  • HTTP security headers (HSTS, X-Frame-Options, CSP)
Organisational Measures
  • Access to production data is strictly limited
  • Regular security reviews
  • No marketing or advertising third parties with access to your data

Despite these measures, no system is perfectly secure. If you suspect unauthorised access to your account, please contact us immediately at privacy@pinuno.nl.

Your GDPR Rights

Under GDPR you have the following rights. To exercise any of them, email privacy@pinuno.nl with the subject "Data Rights Request". We will respond within 30 days.

Access

Request a copy of all data we hold about you.

Correction

Ask us to correct inaccurate or incomplete data.

Deletion

Request that we delete your account and all associated learning data.

Portability

Receive your data in a machine-readable format.

Objection

Object to processing based on legitimate interest.

Withdraw Consent

Withdraw consent for optional analytics at any time by clearing your browser data.

You also have the right to lodge a complaint with the Dutch Data Protection Authority (Autoriteit Persoonsgegevens).

Data Retention

Data typeKept for
Account information (email, username)While your account is active + 12 months after deletion
Learning data (word progress, mistakes, streak)While your account is active; deleted on account deletion
Subscription records7 years (Dutch statutory accounting obligation)
Password reset tokens1 hour (automatically expired)
Analytics data (GA4)14 months (Google's default, if consent given)
Server logs30 days (rolling)

Third-Party Partners

We work with a small number of trusted third parties. Each processes your data only as necessary for the stated purpose.

PartnerPurposeData shared
PayPal (Europe) Payment processing for Premium subscriptions Email address, subscription plan chosen
Google (reCAPTCHA Enterprise) Bot detection on auth forms Browser/hardware fingerprint, interaction patterns
Google Analytics 4 Anonymised usage analytics (consent-gated) Pages visited, session duration, device type (anonymised IP)
SMTP provider Transactional emails (password reset) Email address, reset link

We do not share your data with any advertising networks, data brokers, or marketing platforms.

Children's Privacy

StartDutch is intended for users aged 16 and above. We do not knowingly collect personal data from children under 16. If you believe a child under 16 has registered an account, please contact us at privacy@pinuno.nl and we will delete the account promptly.

Policy Updates

We may update this policy from time to time to reflect legal changes or improvements to our practices. The "Last updated" date at the top of this page will change when we do. For material changes we will notify registered users by email or by a notice on the site. Continued use of StartDutch after a change constitutes acceptance of the revised policy.

Contact Us

Pinuno โ€” Data Controller for StartDutch

privacy@pinuno.nl โ€” for all privacy and data rights requests

pinuno.nl

Netherlands ยท GDPR applies