Privacy Policy

• Personal Data: Name, email address, username, date of birth, profile photo, encrypted password, language preferences, and educational progress.
• Voice and Audio Data: Voice and audio recordings you create when using speaking, pronunciation, dictation, or other voice-enabled features.
• Social and Video Content: Posts and short-form videos in the cultural/social feed, plus pictures, audio, comments, likes, follows, private messages, and mentions.
• Advertising & Device Identifiers: Advertising IDs (Apple IDFA, Google GAID), approximate (IP-derived) location, ad-interaction events, and device telemetry used to serve, cap, and measure ads via third-party ad networks and SDKs (such as Google AdMob and Unity Ads).
• Technical Data: IP address, operating system, device model, time zone, app version, crash logs, and feature usage statistics.
• Payment Data: We do not store full card details. Payments are processed via PCI DSS-compliant providers (e.g., Stripe).

• Provide and personalise your language-learning experience.
• Enable social, community, and Instagram-style cultural video-feed features.
• Track progress, generate reports, and display leaderboards.
• Deliver client support, technical troubleshooting, and helpdesk ticketing.
• Enhance platform security, detect fraud, and maintain application stability.
• Serve, measure, and limit advertising, including immersive and rewarded video streams.
• Develop, train, evaluate, and improve our artificial intelligence and machine learning models.
• Send automated system alerts, operational reminders, and promotions (where consent is given).

We process your data based on contractual necessity, explicit consent (e.g., personalised ads, marketing, or model training), legitimate interests (e.g., security, fraud prevention, contextual advertising, and app optimization), and legal obligations (such as content-moderation and statutory compliance logs). In strict accordance with UAE Federal Decree-Law No. 45 of 2021 on the Protection of Personal Data (UAE PDPL), all local data storage and automated processing operated via Core Alpha Services FZ-LLC establishes specific legal bases for processing user metrics, voice profiles, and user telemetry under approved statutory frameworks.

Malegado's underlying intellectual property, including its artificial-intelligence and machine-learning models, is owned by our affiliate holding entity, Core Alpha Investments (Cyprus) Ltd, located in Paphos, Cyprus. The Service is operated globally with the administrative and compliance support of our corporate affiliates, including our UK-based entity. The day-to-day operations, technical management, server administration, content moderation, and platform maintenance of the Service are executed by vetted third-party sub-contractors and technical partners based internationally, including in Africa, acting under strict corporate instruction. All corporate group members and sub-contracting partners are bound by robust Data Processing Agreements (DPAs), absolute confidentiality mandates, and rigorous cross-border data transfer safeguards (such as Standard Contractual Clauses), fully protecting your privacy rights and supporting your right to opt out at any time.

Malegado offers free access supported by banner, interstitial, immersive, and rewarded video ads via programmatic networks like Google AdMob and Unity Ads. Contextual ads are delivered without tracking across other apps. Personalised/targeted ads rely on identifiers (IDFA/GAID) and cross-context behavioural tracking, which requires explicit user opt-in consent within the EU/UK/EEA via our IAB TCF v2.2 compliant banner, or provides an opt-out mechanism for United States residents via our 'Do Not Sell or Share My Personal Information' link and Global Privacy Control (GPC) integrations. We do not sell or share your voice recordings, images, or learning metrics with third-party advertisers.

• Malegado's baseline age for unsupervised use is 16. We apply a neutral age gate at sign-up. For users accessing the Service globally who are under 13 (US/COPPA) or under 16 (EU/GDPR-K), third-party behavioural tracking and advertising SDKs are completely disabled, and voice/video features are processed on-device where feasible.

UAE Child Digital Safety Compliance: In alignment with Federal Decree-Law No. 26/2025 on Child Digital Safety (CDS Law) in the United Arab Emirates, for users identified as minors under the age of 13, Malegado enforces a zero-profiling protocol. We completely disable behavioral ad tracking, cross-app data sharing, and precise telemetry extraction. In accordance with local CDS mandates, the platform provides an adult-managed 'Custodian Mode / Parental Dashboard' allowing UAE parents or legal guardians to track active screen-time metrics, completely toggle off or restrict exposure to the public cultural video feed, and manage account-level privacy configurations.

We use content you provide—including voice recordings, images, text, and short-form videos—to develop, train, fine-tune, evaluate, and improve our proprietary artificial-intelligence and machine-learning models (such as speech-recognition, text-to-speech, pronunciation assessment, translation, and multimodal loops). Wherever feasible, we anonymise, pseudonymise, or aggregate content before model integration. You have an absolute right to opt out of having your content used for model training at any time via in-app settings or by contacting privacy@malegado.com. Opting out does not affect datasets or weights that were already fully trained prior to the request.

Users maintain statutory rights to access, rectify, erase, restrict, or object to processing, as well as data portability and consent withdrawal. Data is kept only as long as needed to support active profiles or satisfy legal retention obligations. If an EU, UK, or UAE data subject exercises their right to erasure ('Right to Be Forgotten'), our operations team executes full technical deletions across production systems within the legally mandated 30-day Service Level Agreement (SLA).

Because our operations leverage a distributed global model (UAE corporate anchor, Cyprus asset holding, UK administration, and African support loops), cross-border data transfers are safeguarded via Standard Contractual Clauses (SCCs), Transfer Impact Assessments (TIAs), and direct compliance frameworks approved by the UAE Data Office under the UAE PDPL. Data in transit and at rest is secured via HTTPS/TLS encryption, role-based access tokens, and routine firewalls.

For compliance matters or to exercise your privacy rights, please contact our designated representatives below:

• Operating Entity (UAE OpCo): Core Alpha Services FZ-LLC — FDRK8541 Compass Building, Al Shohada Road, Al Hamra Industrial Zone-FZ, Ras Al Khaimah, United Arab Emirates. Email: privacy@malegado.com
• EU Representative (GDPR Art. 27): Core Alpha Investments (Cyprus) Ltd — Apt./ Office 101 - 102, Gladstonos 12 - 14, Paphos, 8046, Cyprus. Email: privacy@malegado.com
• UK Representative (UK GDPR Art. 27): Core Alpha Investments Ltd — Suite 2a, 6th Floor Cobalt Square, 83-85 Hagley Road, Birmingham, B16 8QG, United Kingdom. Email: privacy@malegado.com
• Data Protection Officer (DPO): Central Compliance Department. Email: privacy@malegado.com