Privacy Policy

The controller of your personal data is Vocadino ("we", "us"). You can reach us at yosumitsu587@gmail.com.

• Account data: email address, name (provided at registration), password as a hash. If you sign in with Google — the name and email Google shares with us.
• Learning progress: completed lessons, exercise scores, flashcard review history (FSRS), card state, time spent in the app.
• User content: flashcards, decks and sessions you create or import from the marketplace.
• Technical data: IP address, browser type, session time, error logs — only to keep the app working and to diagnose outages.
• Payment data (if you buy a subscription): handled by Stripe — we do not store card numbers.

• Providing the service (account, learning, spaced-repetition, AI grading) — Art. 6(1)(b) GDPR (contract performance).
• Security and abuse prevention (Cloudflare Turnstile, rate limits, error logs) — Art. 6(1)(f) GDPR (legitimate interest).
• Billing — Art. 6(1)(b) and (c) GDPR (contract + tax law).
• Service communication (email verification, password reset, important changes) — Art. 6(1)(b) GDPR.
• Marketing / newsletter — only after your explicit consent, Art. 6(1)(a) GDPR. You can withdraw consent at any time.

We share data with trusted providers who process it on our behalf under data-processing agreements:

• Supabase — database hosting and authentication (Ireland / EU).
• Vercel — application and serverless function hosting.
• OpenAI — open-ended exercise grading and example hints (transfer outside the EEA under EU standard contractual clauses).
• DeepL — translations, if you use them.
• Stripe — payment processing (transfer outside the EEA, EU SCCs).
• Cloudflare Turnstile — bot protection at sign-in.
• Google — only if you sign in via OAuth.

We use cookies and similar technologies (localStorage). They fall into two categories:

• Essential — keep the login session, interface preferences (language, theme, selected course). The app does not work without them. They do not require consent.
• Analytics / marketing — we don’t currently use them. If that changes, we will ask for your consent before storing any such cookies.

You can manage cookies in your browser settings — but turning off essential cookies will block sign-in.

• Account data and learning progress — for as long as the account exists and 90 days after deletion (for recovery).
• Technical logs — 30 days.
• Billing data — 5 years from the end of the tax year, under accounting law.

Under GDPR you have the right to:

• access your data and obtain a copy,
• rectify inaccurate data,
• erase data ("right to be forgotten"),
• restrict processing,
• data portability (export of learning progress),
• object to processing based on legitimate interest,
• withdraw consent where consent is the basis — without affecting lawful processing before withdrawal,
• lodge a complaint with the supervisory authority (in Poland: Prezes UODO, uodo.gov.pl).

To exercise these rights, email yosumitsu587@gmail.com.

If we significantly change the scope of processing, we will notify you by email or in-app message at least 14 days before the changes take effect.