Privacy Policy

1. What data we collect

When you use Word Cards, we collect the data needed to provide the service, keep it secure, improve the product, and operate subscriptions, analytics, notifications, and ads. The categories include:

• Account data: your account may be created with Sign in with Apple, Sign in with Google, email, or another supported sign-in method. We may receive or collect your display name and email address. With Apple, you may use private email relay (Hide My Email).
• Preferences: interface language, selected language pair and CEFR level, daily goal, theme, audio settings, notification settings, and time zone.
• Learning data: words you have learned or struggle with, word/expression view counts, quiz results and review boxes, favorite expressions, custom lists you create, daily activity and streak.
• Device and technical data: app-generated device identifier, platform (iOS/Android), device model, operating system, app version, app instance/installation identifiers, last backup time, security/debug logs, and IP address.
• Notification data: reminders are currently scheduled locally. When remote push notifications are enabled, Expo / APNs / FCM notification tokens and related device information may be collected to deliver notifications.
• Usage, analytics, and performance data: in-app events, screen views, feature usage, crash/error, and performance signals may be processed through Google Firebase Analytics and related Firebase services.
• Advertising data (when AdMob is enabled): Google AdMob and the Google Mobile Ads SDK may process advertising identifiers (IDFA/AAID), device information, approximate location derived from IP/country-region, ad interactions, cookies or similar local storage technologies, and consent preferences for ad delivery and measurement.
• Subscription data (once premium launches): subscription status, entitlement information, purchase history/receipt data, and store transaction references may be processed by RevenueCat, Apple, and Google. Your payment card/bank details are not shared with us; they are handled by Apple and Google.

2. Why we process data

• Create your account, authenticate you, and keep your session secure
• Save learning progress, provide cloud backup, and sync your account
• Operate the app, fix bugs, measure performance, secure the service, and prevent abuse
• Send study reminders, account/security messages, and service notifications if enabled
• When AdMob is enabled, show ads, measure ad performance, apply frequency capping, prevent ad fraud, and respect your consent choices
• Manage premium subscriptions, verify purchases, restore entitlement, and comply with store/platform rules
• Comply with legal obligations and defend our rights

3. Notifications

Currently reminder notifications are scheduled locally on your device. When remote push notifications are added, a notification token is used to send study reminders, account/security messages, and service notifications. If marketing notifications are introduced, we will provide the required consent and preference controls. You can turn notifications off at any time from the app or your device settings.

4. Ads, analytics, and consent choices

Word Cards may use Firebase Analytics for usage and performance analytics. When AdMob is added, the Google Mobile Ads SDK may be used to serve and measure ads.

In regions that require consent, including the European Economic Area, the United Kingdom, and Switzerland, we use a Google-certified consent management platform or Google UMP SDK to collect advertising and personalization preferences. Depending on your choices, personalized ads, non-personalized ads, or limited ad features may be used.

You can reset your advertising identifier or limit ad personalization in your device settings. On Apple devices, tracking permission is managed through iOS settings and App Tracking Transparency.

On our website (wordcards.app), we use cookieless, anonymous Cloudflare Web Analytics; because it collects no personal data, it does not require cookie consent.

5. Third parties we share data with

We do not sell your personal data. We share personal data only with infrastructure and service providers needed to provide the service, secure it, verify subscriptions, perform analytics, serve ads, or comply with legal obligations:

• Supabase — authentication, data storage, cloud backup, and security logs. Servers are hosted in the European Union region (Frankfurt).
• Apple and Google — Sign in with Apple/Google, app stores, in-app purchases, and subscription payments.
• RevenueCat — subscription verification, purchase/receipt processing, and premium entitlement management. Payment card details are not shared with RevenueCat or Word Cards.
• Google Firebase (Analytics, Messaging/related services) — usage, error, performance analytics, and future remote notification infrastructure.
• Google AdMob / Google Mobile Ads — ad delivery, ad measurement, frequency capping, fraud prevention, and consent enforcement.
• Public authorities, courts, law enforcement, or legal advisers — only when required by applicable law, to protect our rights, or to investigate abuse.
• Cloudflare — website visit statistics (cookieless and anonymous; page views, country, device type).

6. International transfer and retention

Because Supabase infrastructure is located in the European Union region, your main app data is stored in the EU region. Apple, Google, Firebase, AdMob, and RevenueCat may process data in other countries through their own infrastructure and subprocessors. These transfers are handled under applicable privacy laws and provider data processing terms.

We retain account, profile, learning, list, preference, backup, and subscription entitlement data while your account is active. After an account deletion request, personal data that must be deleted is deleted or anonymized within 30 days at the latest. Limited records required for security, fraud prevention, disputes, accounting, tax, payment, store/platform audit, or legal obligations are retained only as long as necessary and then deleted, destroyed, or anonymized. Apple, Google, RevenueCat, and advertising/analytics providers may apply their own retention policies.

7. Data security

Session tokens are stored in secure device storage (iOS Keychain / Android Keystore). Communication with the server uses TLS, and database row-level security (RLS) is used to restrict access to your own data. We apply reasonable administrative, technical, and organizational safeguards; however, no method is 100% secure, so absolute security cannot be guaranteed.

8. Deleting your account and data

You can delete your account in the app through Settings > Delete Account, or by emailing support@wordcards.app. Deletion covers your account, profile, cloud backups, learning progress, custom lists, and personal data that Word Cards is not legally required to retain. When complete, your app account is closed; limited records legally required to be retained may be kept only for the required period.

9. Children’s privacy

Word Cards is a general-audience education app; it is not specifically directed to children under 13. The age 13 reference is used because of COPPA and similar children’s privacy rules. Children under 13 should use the app only with permission and supervision from a parent or legal guardian. If you believe we collected personal data from a child under 13 without appropriate parental consent, contact us and we will take appropriate steps to delete it.

10. Changes to this policy

We may update this policy from time to time. For significant changes, we may notify you in the app, on the website, or by email. The “Last updated” date at the top shows the current version.

11. Contact

For privacy questions and data requests: support@wordcards.app