Privacy Policy
Last updated: 11 June 2026
This Privacy Policy explains what data the bleam browser extension and the bleam dashboard (together, “bleam”, “we”, “us”) collect, why we collect it, and the choices and rights you have. bleam translates the web pages you choose into the language you are learning, lets you look words up, and remembers the vocabulary you meet so it can schedule reviews.
1. Who is responsible
The controller responsible for your data under the GDPR is:
David Anderlohr — 8null
c/o Online-Impressum.de #3049
Europaring 90
53757 Sankt Augustin, Germany
Email: hello@8null.com
Full contact details are in our Impressum / legal notice.
2. What we collect
We only collect what bleam needs to do its single job — helping you read and learn a language:
- Account & authentication data. When you sign in we use Auth0 to authenticate you. We receive and store your email address, and any name/profile information your login provides. Sign-in tokens are stored locally in your browser (chrome.storage.local) so you stay logged in.
- Your settings. The language you are learning, your native language, your CEFR level, the sites you have enabled translation on, and display preferences.
- Page content you choose to translate. On sites you enable, the text of the page is sent to our backend and to our translation provider to produce the translation and word tooltips. The page’s URL, domain, and title are recorded as a site visit so your reading history and statistics appear on your dashboard.
- Learning activity. The words you encounter, hover, or look up; how long you dwell on them; phrases you save; and your spaced-repetition review results. This is what powers your vocabulary, progress, and flashcards.
- Usage metering. Counts of translation/lookup requests and the associated token usage, used to apply trial and subscription limits.
- Product analytics (pseudonymous). We use PostHog to understand how bleam is used so we can improve it. This captures events such as “translation requested”, “word looked up”, or “flashcard reviewed”. We intentionally do not log the actual text you translate, the words you looked up, or the content of your flashcards in PostHog. Events are linked with a pseudonymous identifier (your Auth0 user ID) so we can measure aggregate behaviour, not individual reading habits. See section 9 for full details.
- Technical data. Your IP address is processed transiently by our servers to deliver responses and to rate-limit and protect the service. We do not use it to determine your location.
We do not collect health data, and the extension never accesses pages you have not enabled. Payment card details, if you subscribe, are entered directly with our payment processor (Stripe) and are never seen or stored by bleam.
3. How we use your data
- To translate the pages you enable and provide dictionary tooltips and pronunciation.
- To record the vocabulary you meet and schedule reviews (spaced repetition).
- To show your history, statistics, and progress on the dashboard, and sync your settings across the devices you sign in on.
- To meter usage and enforce trial and subscription limits, and to process subscriptions.
- To keep the service secure, reliable, and free of abuse.
4. Legal bases (GDPR)
- Performance of a contract (Art. 6(1)(b)) — to provide the translation, dictionary, learning, and sync features you ask for.
- Legitimate interests (Art. 6(1)(f)) — to secure, maintain, and improve the service and prevent abuse.
- Legitimate interests (Art. 6(1)(f)) — for pseudonymous product analytics (PostHog). The data is minimized, pseudonymised (no names, emails, or page content in events), and used only to improve the service. You can object at any time; see section 9 for how to opt out.
- Consent (Art. 6(1)(a)) — where required; you give it by enabling translation on a site, and can withdraw it at any time by disabling the site or signing out.
5. Service providers we share data with
We do not sell your data and we do not share it for advertising. We use a small number of processors strictly to run bleam, each only receiving what they need:
- Auth0 / Okta — authentication and login.
- Mistral AI — translation and dictionary generation (receives the page text to be translated and words to be looked up).
- Voxtral — text-to-speech for pronunciation.
- MongoDB Atlas — database storage of your account, vocabulary, and history.
- Redis — short-lived translation/cache storage.
- Cloud hosting providers (e.g. Vercel, Railway) — running the application.
- Stripe — subscription payments (only if you upgrade).
- PostHog — pseudonymous product analytics (see section 9).
Some providers are located outside the EU/EEA (e.g. in the United States). Where that is the case, transfers are protected by appropriate safeguards such as the EU Standard Contractual Clauses.
6. Data stored on your device
The extension keeps your sign-in tokens, settings, and a local cache of recent translations in your browser’s extension storage. You can clear all of it at any time by removing the extension. Removing the extension does not delete your account-side data — for that, contact us (below).
The dashboard and landing pages store a small PostHog identifier in your browser’s localStorage (with cookie fallback) so that analytics events from the same browser session can be linked together. PostHog does not use this data for cross-site tracking or advertising.
7. Retention
We keep your account and learning data for as long as your account exists, because it is what makes your vocabulary and progress meaningful over time. Cached translations expire automatically. You can ask us to delete your account and associated data at any time.
8. Your rights
Under the GDPR you have the right to:
- access the data we hold about you;
- have inaccurate data corrected;
- have your data deleted (“right to be forgotten”);
- restrict or object to processing;
- receive your data in a portable format;
- withdraw consent at any time; and
- lodge a complaint with a supervisory authority.
To exercise any of these rights, email hello@8null.com.
9. Product analytics with PostHog
We use PostHog, a product-analytics platform, to understand which features people use, where the app breaks, and how we can improve it. PostHog is a processor under the GDPR, and this section explains how we use it in a privacy-respecting way.
What is captured
Typical events include:
- Feature usage: “translation requested”, “word looked up”, “checkout started”, “flashcard reviewed”
- Onboarding steps: language chosen, level picked, extension install clicked
- Conversion events: trial banner dismissed, subscription upgraded
- Errors: JavaScript exceptions and API failures
Each event carries a small, anonymous property payload such as the target language, CEFR level, or the number of translation fragments requested.
What is NOT captured in PostHog
- The actual text of pages you translate
- The specific words you looked up or saved
- The content of your flashcard reviews or their answers
- Your name, email, or payment card
- Any health, biometric, or special-category data
How you are identified in PostHog
When you sign in, we call posthog.identify() with your Auth0 user ID (a pseudonymous identifier like auth0|abc123). Before sign-in, PostHog assigns a random anonymous ID. This lets us understand whether a visitor returns, but the ID itself is meaningless outside bleam. We never send personal data to PostHog as person properties.
Data residency
We use PostHog’s European (EU/EEA) infrastructure. Events are sent to PostHog’s servers located in the European Union.
How to opt out
You have the right to object to this analytics processing under Art. 21 GDPR. The easiest way is to block PostHog locally:
- Disable JavaScript (this is a blunt instrument but effective).
- Use a content blocker that blocks eu-assets.i.posthog.com and eu.i.posthog.com on bleam domains.
- If you are not signed in, browsing in a private/incognito window also resets the anonymous tracking ID.
- Contact us and we can suppress your pseudonymous identifier from our PostHog instance manually.
Please note: opting out of PostHog analytics does not stop bleam from collecting the functional learning data (vocabulary, reviews, settings) described in section 2, because those are necessary to run the service.
PostHog as processor
Name: PostHog Inc.
Role: Processor under GDPR
Purpose: Product analytics, error tracking, and feature-usage measurement
Data residency: EU (eu.posthog.com / eu.i.posthog.com)
Further information: PostHog Privacy Policy
10. Children
bleam is not directed at children under 16, and we do not knowingly collect their data.
11. Security
We use encryption in transit, authenticated access, and access controls to protect your data. No method of transmission or storage is perfectly secure, but we take reasonable measures to safeguard it.
12. Changes to this policy
We may update this policy from time to time. We will revise the “last updated” date above and, for material changes, provide additional notice where appropriate.
13. Contact
Questions about this policy or your data? Email hello@8null.com.