Privacy Policy

Last updated: April 3, 2026

VocaDeck ("we", "us", or "our") is operated by Felix Martinsson. This policy explains what data we collect, why, and how we protect it. We built this app to help learners — not to monetize their data.

1. Data We Collect

Email address. You provide your email to sign in. We use it to send you a magic link (one-time login link) via our email provider, Resend. We do not use your email for marketing unless you explicitly opt in.

Flashcards, vocabulary, and review history. The vocabulary you generate, the cards you create, and your review session data (ratings, scheduling state) are stored on our servers so you can sync across devices and keep your progress over time. This data is tied to your account and is only accessible to you.

Prompts you type for generation. When you ask VocaDeck to generate flashcards or reading texts, the text you type is sent to OpenAI's API to produce the output. OpenAI processes this request on our behalf. We do not store your prompts separately beyond what is saved as part of your flashcard deck.

Word lookups. When you tap a word in a reading text to get a translation, that word and its context may be sent to Amazon Translate or OpenAI's API for translation. We do not store individual lookup requests.

Settings and profile data. Your app preferences (target language, native language, known languages, proficiency levels, learning profile settings) are stored on our servers as part of your account.

2. Data We Do NOT Collect

• We do not use advertising SDKs or sell your data to advertisers.
• We do not use third-party analytics platforms (no Google Analytics, Mixpanel, etc.).
• We do not collect location data.
• We do not collect device identifiers for tracking purposes.
• We do not read your contacts, camera, microphone, or any data outside the app.

3. How We Use Your Data

• To provide the service: syncing your cards, scheduling reviews, personalizing vocabulary difficulty to your level.
• To send authentication emails: magic login links via Resend.
• To generate content: your prompts are forwarded to OpenAI's API to produce flashcards and reading texts.
• To improve the service: we may analyze aggregate, anonymized usage patterns (e.g., which languages are most used) to improve the app. We do not analyze individual user content for this purpose.

4. Third-Party Services

We use third-party services to operate VocaDeck. These fall into the following categories:

• AI content generation — prompts you submit for flashcard and reading text generation are processed by OpenAI on our behalf.
• Subscription management — in-app purchases are handled by RevenueCat and Apple.
• Email delivery — we use a transactional email provider to send magic login links. Your email address is shared with this provider solely for authentication.
• Machine translation — word lookups may be processed by a cloud translation service. Only the word and its surrounding context are sent.
• Cloud hosting — our backend and database are hosted on servers in the United States by a managed cloud provider.

5. Data Retention

Your account data (email, flashcards, review history, settings) is retained for as long as your account is active. If you delete your account, we delete all associated data within 30 days. Anonymized, aggregated data may be retained beyond that period.

Magic link tokens expire after 15 minutes and are not retained beyond that.

6. Your Rights (GDPR)

If you are in the European Economic Area (EEA) or UK, you have rights under the GDPR:

• Access: you may request a copy of the data we hold about you.
• Rectification: you may correct inaccurate data.
• Erasure: you may delete your account and all associated data at any time via Settings → Account → Delete Account.
• Data portability: you may request an export of your data in a machine-readable format.
• Objection: you may object to processing in certain circumstances.

To exercise any of these rights, contact us at [email protected].

The legal basis for processing your data is:

• Contract performance — processing your email to authenticate you and your prompts to generate content you requested.
• Legitimate interests — maintaining the security and integrity of the service, improving it based on aggregated usage patterns.

7. Children's Privacy

VocaDeck is intended for users aged 13 and older. We do not knowingly collect personal data from children under 13. If you believe a child under 13 has created an account, please contact us at [email protected] and we will delete the account promptly.

8. Security

We use industry-standard security practices:

• All data in transit is encrypted via HTTPS/TLS.
• Passwords are not used — authentication is entirely via single-use email magic links.
• JWT tokens used for session authentication are short-lived and stored client-side.
• Our database is hosted on Render's managed PostgreSQL with encrypted storage.

No system is perfectly secure. If you discover a security vulnerability, please report it to [email protected].

9. International Transfers

VocaDeck's backend infrastructure is hosted in the United States (Render). If you are located in the EEA, your data is transferred to the US. We rely on Standard Contractual Clauses (SCCs) where applicable, and use service providers who maintain their own transfer mechanisms.

10. Changes to This Policy

We may update this privacy policy from time to time. When we do, we will update the "Last updated" date at the top. If changes are material, we will notify you via email. Continued use of VocaDeck after changes are published constitutes acceptance of the updated policy.

11. Contact

For privacy-related questions, data requests, or GDPR inquiries:

Email: [email protected]
Controller: Felix Martinsson, VocaDeck