Privacy Policy

1. Information We Collect

We collect the following information to operate the Service:

• Account: email address, display name, hashed password (hashing handled by Supabase)
• Learning data: user-created decks and cards, review history, FSRS scheduler state, study session statistics, streak counts
• Uploaded content: CSV, PDF, image, and APKG import files (retained for a limited period after processing)
• Payment: subscription status and payment verification identifiers (handled by RevenueCat/PortOne; card numbers are never stored)
• Service usage: AI grading/generation request counts, anonymized ad impression history

2. How We Collect It

• Entered directly by the user at sign-up or login
• Generated automatically during study and review activity
• Received from payment partners (RevenueCat, PortOne, Apple, Google) for purchase verification

3. How We Use It

• Service delivery: authentication, learning data storage and sync, AI grading/generation features
• FSRS-based review scheduling and personalized notifications
• Verifying paid subscriptions, showing ads to free-tier users, and processing refunds
• Improving service quality, preventing abuse, and meeting legal obligations

4. Third-Party Processors

We rely on the following processors for specific tasks. Each has its own privacy policy that governs the data it handles:

• Supabase Inc. — authentication, database, and file storage
• Google LLC — Gemini API (AI grading, card generation, image generation), AdMob (mobile ads), AdSense (web ads)
• RevenueCat Inc. — mobile subscription management and payment verification
• PortOne — web payment processing
• Apple Inc. / Google LLC — in-app purchases and social sign-in (when applicable)

5. Sharing With Third Parties

We do not sell or share personal data externally, except where required by law or with the user's explicit consent. The processors in Section 4 operate on our behalf and may not use the data for any purpose outside the contracted scope.

6. Retention Period

• While the account is active: retained for the life of the account
• Upon account deletion: permanently erased after a 30-day grace period (to allow accidental-deletion recovery)
• Payment records: retained for 5 years in accordance with applicable commerce laws
• Access logs: retained for 3 months, then deleted

7. Your Rights

You may exercise the following rights at any time:

• Access and correct your personal data
• Request deletion (account deletion triggers immediate removal)
• Restrict processing of your data
• Data portability: download your study data as JSON via Settings > Full Export
• Withdraw consent

8. Security Measures

• Encryption in transit (HTTPS/TLS)
• Encryption at rest through Supabase infrastructure
• Passwords are hashed; the raw value is never stored
• Row Level Security (RLS) isolates each user's data in Supabase
• Least-privilege access controls and log monitoring

9. Children Under 14

The Service is not intended for children under the age of 14 and does not knowingly allow them to register. If we become aware that such data has been collected, we delete it immediately.

10. International Transfers

Some processors (Supabase in the US, Google across multiple regions) operate servers outside your home country. These transfers are necessary to deliver the Service, and the processors comply with GDPR and other major privacy regulations.

11. Cookies and Similar Technologies

We use cookies and local storage to maintain login sessions, remember language preferences, and manage ad frequency. You may block non-essential cookies via your browser settings, though some features may stop working.

12. Policy Changes

We may update this Policy to reflect legal or service changes. We will notify you in-app or by email at least 7 days before material changes take effect.