Privacy Policy

1. Information We Collect

To provide a core AI-powered language learning experience, we collect the following information:

• Account Information: When signing in via Google OAuth, we obtain your email address, name, and avatar for identification and personalization.
• User-Generated Content: Including generated reading materials, saved translation notes, learning progress, and custom prompts.
• Service Configuration: Third-party API keys (e.g., Gemini Key) and service account files you voluntarily provide to drive the core AI features.

2. Google API Data Policy

Over Hill strictly complies with the Google API Services User Data Policy.

Our use of information received from Google APIs will adhere to the Google API Services User Data Policy, including the Limited Use requirements. We will never use this data for advertising, sell it to third parties, or transfer it to unrelated services without your explicit authorization.

3. How Information is Used

Your information is processed only for the following purposes:

• Authentication: Ensuring your learning records and private keys are securely accessible only by you.
• AI Services: Sending requests to LLMs (like Gemini) to generate content, translate, or perform text-to-speech tasks.
• Localization: Adjusting the interface language based on your preferences.
• Optimization: Analyzing system crashes and improving the performance of generation and playback services.

4. Data Security & Protection

We take data security seriously and have implemented multiple layers of protection:

• Encrypted API key hosting: In the default hosted mode, third-party credentials are stored in Supabase Vault while the database keeps only previews and non-sensitive metadata. Decryption happens only when you trigger the related AI feature and is used on the server-to-provider path.
• Transport and proxy protection: Browsers, MiniApps, and public APIs receive only short-lived proxy tokens, not raw keys. All communication with servers and third-party AI interfaces is encrypted via HTTPS/TLS.
• Minimization: We only store data necessary for application functionality and do not record biometric or other highly sensitive personal data.

5. Cookies & Local Storage

We use necessary cookies and local storage to save your login session, cached voice settings, and interface preferences to improve response times.

6. Your Rights & Data Withdrawal

You have full control over your data:

• Access & Correction: You can view and update your API configurations at any time in the Settings Center.
• Deletion: You can delete saved API keys at any time, which stops future calls. Data already included in historical platform backups expires according to the hosting provider's retention period. If you wish to delete your account and all associated data permanently, please contact our support.