Back to home

Privacy Policy

Last Updated: May 2026
Version: 1.0

This Privacy Policy explains how Eyal Lapid (“we”, “us”, or “our”) collects, uses, and protects your personal information when you use TypingPlace.

Note on current state: TypingPlace is currently a static practice site with no user accounts. Sections of this policy describing account features (registration and learning progress) apply only if account-based features are introduced or enabled. Today, the personal data we process from your visit is limited to visitor analytics, security logs, and observability/error monitoring described in the “Information We Collect” section below.

Who We Are

Eyal Lapid is the data controller responsible for your personal information.

We are committed to protecting your privacy in accordance with applicable data protection laws, including the EU General Data Protection Regulation (GDPR).

Information We Collect

Information You Provide

The current public TypingPlace practice site does not collect account information or
store practice progress. You may provide personal information if you contact us
directly, for example by email.

If account features are introduced or enabled, we may collect:

  • Account information: Email address, name, and password (stored securely hashed)
  • Practice data: Your typing exercise responses, performance metrics (WPM, accuracy), and progress
  • Communications: Messages you send to our support team

Information Collected Automatically

  • Usage data: Pages visited and features used
  • Device information: Browser type, operating system, device type, and screen size
  • Log data: IP address, access times, and referring URLs
  • Observability data: Error reports, performance telemetry, request metadata, and
    stack traces used to operate and secure the service. These reports may include limited
    request context needed to diagnose failures. We do not use observability tools to
    intentionally collect lesson or practice content.
  • Cookies: Essential cookies for authentication and session management if account
    features are enabled (see Cookies section)

Visitor Analytics

We use Umami — an open-source, privacy-focused analytics tool — to understand how
visitors use TypingPlace. Umami runs on our own EU infrastructure (analytics.joinwith.com);
no third-party analytics provider processes this data. Our infrastructure sub-processors
may process hosting and network traffic as described in our sub-processor list.

What we collect:

  • Page URL (hostname and path; query parameters are discarded)
  • Referrer URL (the page that linked you here)
  • Browser type and version
  • Operating system
  • Device type and screen size
  • Language preference
  • Country, region, and city — derived from IP address; the raw IP address is not stored

How we count returning visitors without tracking you: Umami uses a server-side
hash salt to derive visitor identifiers from request data such as IP address and
user-agent. Raw IP addresses and user-agent strings are not stored in the analytics
database. These identifiers are used only for first-party aggregate analytics and do not
track you across other websites.

No cookies, no cross-site tracking, no advertising profiles. Umami does not set
cookies or persistent identifiers in your browser. We do not share visitor analytics
data with advertising networks or any third party.

Lawful basis:

  • GDPR (EU users): Article 6(1)(f) — legitimate interest in operating, securing, and
    improving our service. We have considered your rights and freedoms in a balancing
    assessment and concluded that this minimized, pseudonymous analytics processing does not
    override them. You have the right to object to this processing at any time (see “Your
    privacy choices” below).
  • Israeli PPL (Israeli users): processing is necessary for the operational provision and improvement of the service. You may opt out at any time (see “Your Privacy Choices” below).
  • CCPA (California users): we honor the Global Privacy Control signal as an opt-out
    request.

Retention: Aggregated visitor analytics data is retained for 24 months, after which it is deleted. This period allows year-over-year comparison of seasonal traffic patterns; aggregated data older than 24 months is deleted because it no longer serves a documented operational purpose.

How We Use Your Information

We use your information to:

  • Provide our service: Operate the platform and deliver typing practice pages
  • Account features, if enabled: Track typing practice progress and personalize your experience
  • Communicate with you: Respond to support requests and notify you of important updates. If account features are enabled, we may send login links.
  • Improve and protect: Analyze usage to improve our service, fix bugs, and ensure security

We process current visitor analytics, security, and observability data based on our
legitimate interests in operating, securing, and improving the service. If account
features are enabled, we may also process account and practice data based on our
contract with you. We may process data when necessary to comply with legal obligations.

What We Don’t Do

  • We do not sell your personal information
  • We do not use your data for third-party advertising
  • We do not make automated decisions that significantly affect you without human oversight

Information Sharing

We do not sell your personal information. We share data only with carefully evaluated
sub-processors to operate the service. The current list, including each sub-processor’s
purpose, location, and legal transfer mechanism, is published at
typingplace.com/legal/sub-processors.

We may also disclose information when required by law or to protect our rights.

International Data Transfers

Your data is primarily stored in the European Union (DigitalOcean). Some data is
transferred to the United States for processing by sub-processors listed at
typingplace.com/legal/sub-processors.

These transfers are protected by Standard Contractual Clauses approved by the
European Commission and Data Processing Agreements with each provider.

Data Retention

We keep your data only as long as necessary:

Account data, if account features are enabled: Retained while your account is active. Deleted within 30 days of account closure.

Practice progress, if account features are enabled: Deleted with your account.

Consent records, if collected: Retained for 7 years as required by law, even after account deletion.

Security logs: Retained for 24 months for security and compliance.

Application logs: Retained for 90 days for service improvement.

If account features are enabled and you delete your account, we remove your personal
data within 30 days. Some data may persist in encrypted backups for up to 90 days before
being permanently erased.

Your Rights

You have the right to access, correct, export, or delete your personal data. If account
features are enabled, you may be able to manage some settings directly in your account.

For requests we can’t handle through account settings—or if you have concerns about how we handle your data—contact us at privacy@typingplace.com. We respond within 30 days.

You can also contact your local data protection authority.

Cookies

The current public TypingPlace practice site uses an essential first-party Phoenix
session cookie (_typing_place_hub_key) to support session integrity and CSRF
protection. It does not currently use login or remember-me cookies because account
features are not enabled.

If account features are enabled, we may also use essential cookies required for account
features:

  • Session cookie: Keeps you logged in during your visit
  • Remember-me cookie: Keeps you logged in between visits (if selected)

These cookies are necessary for account features and do not require consent. We do not
use advertising or tracking cookies. We do use cookieless visitor analytics, which does
not set cookies in your browser — see the “Visitor Analytics” section above.

Your Privacy Choices

You can opt out of visitor analytics at any time:

  • Global Privacy Control (GPC): if your browser supports GPC (e.g., Brave, DuckDuckGo, or Firefox with the appropriate extension), we honor the GPC signal as an opt-out request under applicable law (including California’s CCPA).
  • Do Not Track (DNT): if your browser sends the DNT: 1 header, our analytics tracker will not record your visit. Note: DNT support has been removed from current versions of Chrome and Safari; Firefox still exposes the setting.
  • Advanced — per-site browser flag: open the browser console on TypingPlace and run localStorage.setItem('umami.disabled', '1'). Your visits will not be recorded from that browser. Run localStorage.removeItem('umami.disabled') to re-enable.

We are adding a “Privacy preferences” UI toggle so this opt-out can be exercised without the browser console; until that lands, the three mechanisms above are the available paths.

TypingPlace also stores the phx:theme local-storage value when you choose a light,
dark, or system theme preference. This preference stays in your browser until you
change it or clear site data.

Security

We protect your data with:

  • Encrypted connections (HTTPS) for all data in transit
  • Encrypted storage for sensitive data
  • Secure password hashing
  • Regular security updates and monitoring
  • Access controls limiting who can view your data

No system is 100% secure. If you discover a vulnerability, please contact us at security@typingplace.com.

Children

TypingPlace is for users 18 and older. We do not knowingly collect data from anyone under 18. If we become aware that we have collected personal data from a person under 18, we will delete that data promptly.

Changes to This Policy

We may update this policy from time to time. We will notify you of significant changes by email or through the app. Continued use after changes constitutes acceptance.

Contact

For privacy-related questions or to exercise your rights:

Email:privacy@typingplace.com

We aim to respond within 30 days.