Effective April 8, 2026 · Version 1.2
Privacy Policy
How Wisot LLC handles personal data on the wisot.app website and inside the Wisot Android app. Aligned with Russian Federal Law № 152-FZ on Personal Data and the GDPR principles where applicable. Reflects the actual architecture of v0.8.1.
TL;DR
Speech recognition runs on your device — we never receive the raw audio of your lectures, podcasts, or audiobooks. The APK is downloaded directly from the site with no sign-up and no email. We only store a hashed IP per download (for abuse protection) and your in-app learning progress — for cross-device sync via your Google account. We don't sell data. We don't use it for ads. You can delete your account in one click.
§01 Who we are
Data controller: Wisot LLC (ООО «ВИЗОТ»), a Russian limited liability company.
TIN 9707053050, registered office: Moscow, Russia, 117218.
Data Protection Officer: Mikhail Orlov, CEO. Reach us at hello@wisot.app.
§02 What we collect
We collect the minimum data needed for each function. Each category is listed with its purpose — without a stated purpose there's no legal basis.
1. Hashed IP address on APK download. When you hit /api/download/apk your IP is hashed (SHA-256 with a salt) and written into the download_events table. Used solely for abuse protection: no more than 5 downloads per IP per hour. The original IP cannot be reconstructed from the hash. Records older than 7 days are deleted automatically.
2. User-Agent string and HTTP Referer on APK download. Stored alongside the IP hash in the same download_events table. Used to detect abuse patterns and to localize the /paused page.
3. UTM parameters from the URL. Stored with the download event for traffic-source attribution.
4. Session technical data: browser type, interface language, visit timestamp. Collected via Google Analytics and Yandex Metrica — ONLY after you have explicitly accepted cookies via the banner on your first visit. Before consent, analytics are not loaded at all.
5. Inside the Wisot app (after Google sign-in):
- Your Google account email
- Text transcripts of the lectures you listened to (NOT the raw audio)
- Your answers to Wisot's questions and the AI's grading of those answers
- Learning progress: which concepts you've mastered, FSRS-5 scheduling state, session statistics
- App settings: interface language, learning language, theme
Important: the wisot.app site does NOT collect email for APK access. APK downloads are direct, with no sign-up and no email form. We only receive your email inside the app after you sign in with your Google account (for cross-device progress sync).
§03 What we do NOT collect
We do NOT upload the raw audio of your lectures, podcasts, or audiobooks to our servers. Speech recognition (ASR) runs locally on your device via the sherpa-onnx library. Only the resulting text transcript is sent to our servers — and only if you've signed in with Google for cross-device sync.
We do NOT collect biometric data, location data, contacts, or photos.
We do NOT sell your data to third parties or share it with ad networks.
§04 Legal basis for processing
We process personal data on the following legal bases under Article 6 of 152-FZ (and GDPR Article 6 where applicable):
- Consent of the data subject (cookie acceptance, app account creation)
- Performance of a contract (delivering paid subscription functionality)
- Legitimate interest of the controller (anti-spam protection, anonymized traffic analytics)
§05 Who we share data with
We use third-party infrastructure for specific tasks. Each processor is listed with its jurisdiction and what data it touches.
Supabase (US/EU) — hosts the download_events table (hashed IP, User-Agent, Referer, download timestamp) used for abuse protection. No email and no personal identifiers.
Google Cloud Platform — Google account authentication inside the Wisot app. Receives: Google account identifier.
Google Analytics (Google Ireland Ltd.), Yandex Metrica (Yandex LLC, Russia) — aggregated website behaviour analytics. Loaded ONLY after you accept cookies via the banner. Without consent, analytics are never loaded.
We do not share data with any other third party without your explicit consent. Unisender and any other email providers are no longer used for APK delivery.
§06 How long we keep data
download_events table (hashed IP, User-Agent, Referer, timestamp) — 7 days. Enough for the 1-hour rate-limit window and incident audit.
waitlist_archive table — contains the handful of records left over from the old email form before 2026-04-08. Retained until July 8, 2026, then automatically deleted. No new records are added.
App data — until you delete your account or stop using the service (after 12 months of inactivity, data is automatically deleted).
Google Analytics and Yandex Metrica analytics data — 26 months per the services' default settings. Only collected with explicit cookie-banner consent.
§07 Your rights
Under Chapter 3 of 152-FZ (and GDPR Articles 15-22 where applicable), you have the following rights regarding your personal data:
- Confirm whether we process your data and request a copy of what we hold
- Request correction, restriction, or deletion of inaccurate or outdated data
- Withdraw consent to processing at any time
- Delete your account and all associated data with one click in the app settings, or by emailing hello@wisot.app
- Lodge a complaint with Roskomnadzor (Russian DPA) if you believe we're violating the law
We respond to requests within 30 days. To submit a request, email hello@wisot.app with the subject "Personal data request".
§08 Security measures
All connections to the website and API are protected by TLS 1.3 (HTTPS).
The download_events table is stored in Supabase with at-rest encryption enabled (AES-256).
IP addresses are hashed with a salt before being stored — they cannot be reverted.
Production database access is limited to Mikhail Orlov (CEO) and Yulia Galkina (CTO).
Every APK release is scanned by Kaspersky OpenTIP and VirusTotal, and the SHA-256 hash is published on the website.
§09 Cookies and similar technologies
wisot.app uses only functional cookies for the language switcher and i18n routing. We don't use advertising cookies or third-party retargeting trackers.
Google Analytics and Yandex Metrica set their own cookies for anonymous analytics. You can disable them in your browser settings.
§10 Changes to this policy
We may update this policy. All changes are published on this page with an updated date in the header. Material changes affecting your rights will also be announced via the Telegram channel @wisot_app and inside the Wisot app.
If you disagree with the changes, you can unsubscribe or delete your account at any time.