Privacy Policy

Cardluent (“we,” “us,” or “our”) operates the Cardluent mobile application (the “App”). This Privacy Policy explains how we collect, use, disclose, and protect your information when you use the App.

By using the App, you agree to the collection and use of information as described in this Privacy Policy. If you do not agree, please do not use the App.

1. Information We Collect

1.1 Information You Provide

• Account Information. When you create an account, we collect your email address, display name, and password. Passwords are hashed and stored securely by our authentication provider.
• User Content. Photos and videos you capture or import to create flashcards, along with any text you add or edit on cards (vocabulary words, translations, example sentences, notes).
• Language Preferences. Your target learning language, native language, and proficiency level (CEFR level where applicable).
• Feedback and Support. Messages, bug reports, feature requests, and survey responses you submit through the App.

1.2 Information Collected Automatically

• Usage Data. We collect information about how you use the App, including cards created and reviewed, review results (pass/fail), streak counts, session activity, daily goals, and cumulative card creation counts (used to manage your starter bonus and daily limits).
• Device Information. We may collect device identifiers, operating system version, app version, and crash data for error tracking and performance monitoring.
• Analytics Events. We track events such as app launches, card creation, review sessions, and feature usage to improve the App. These events are associated with your user ID.

1.3 Information Collected with Your Permission

The following data is collected only if you grant the corresponding permission:

• Camera and Photo Library. Required to capture photos and videos for flashcard creation. Images and videos are processed locally on your device and may be sent to our servers for AI analysis.
• Location Data. If you enable the geotag feature, we collect your approximate latitude and longitude when you create a card. This is disabled by default and entirely optional.
• Push Notifications. If you enable notifications, we collect your device push token to send review reminders and other notifications.
• Device Motion. If you enable motion effects, we access your device's accelerometer for visual effects. This data is not stored or transmitted.
• App Tracking Transparency (iOS). We may request permission to track your activity across other apps and websites via Apple's App Tracking Transparency framework. You can decline without affecting App functionality.

1.4 Information from Third-Party Services

• Apple App Store / Google Play. When you make a purchase, your transaction is processed through the relevant app store. We receive subscription status and entitlement information but do not receive or store your payment card details.

2. How We Use Your Information

We use your information for the following purposes:

• Provide the Service. To create, store, and sync your flashcards; to run spaced repetition reviews; and to manage your account.
• AI-Powered Card Generation. Your photos and videos are sent to our AI service provider to generate vocabulary flashcards. See Section 4.2 for details.
• Cloud Synchronization. If you subscribe to Cardluent Pro, your flashcard data and media are synced across devices via our cloud infrastructure.
• Improve the App. We use anonymized and aggregated usage data to analyze trends, fix bugs, improve features, and develop new functionality.
• Communicate with You. To send push notifications (review reminders, streak alerts), respond to feedback, and provide support.
• Enforce Policies. To enforce our Terms of Service, including starter bonus allocation, daily rate limits, and acceptable use restrictions.
• Error Tracking. To identify, diagnose, and fix crashes and errors using our error monitoring service.
• Security and Fraud Prevention. To detect unusual activity, prevent abuse, and protect the integrity of the Service.

3. How We Store Your Information

3.1 Local Storage

Your flashcards, review history, and preferences are stored locally on your device in an encrypted SQLite database protected by your device's file encryption. Media files (photos and videos) are stored in the App's sandboxed storage on your device.

3.2 Cloud Storage

If you use Cardluent Pro, your flashcard data and compressed media are synced to our cloud infrastructure hosted by Supabase (see Section 4.1). Cloud-stored data is protected by row-level security policies that ensure you can only access your own data.

3.3 Data Retention

• We retain your account and flashcard data for as long as your account is active.
• If you delete your account, all associated data is permanently deleted from our servers, including your profile, flashcards, media files, usage records, and subscription data.
• Local data on your device remains until you uninstall the App.
• Anonymized, aggregated analytics data may be retained indefinitely as it cannot be linked back to you.

4. Third-Party Services

We use the following third-party services to operate the App. Each service receives only the data necessary for its function.

4.1 Supabase (Backend Infrastructure)

• Purpose: Authentication, database, cloud storage, and serverless functions.
• Data Shared: Account information, flashcard data, media files, analytics events, feedback responses, push notification tokens.
• Privacy Policy: supabase.com/privacy

4.2 OpenAI (AI Card Generation)

• Purpose: Analyzing your photos and videos to generate vocabulary flashcards.
• Data Shared: Base64-encoded images or video frames, your target and native language codes, and CEFR proficiency level. No personally identifiable information is sent.
• Processing: Images are sent to OpenAI's API via our secure server-side functions. We do not store the images after processing. OpenAI's data usage policies apply to their processing.
• Privacy Policy: openai.com/privacy

4.3 RevenueCat (Subscription Management)

• Purpose: Managing in-app purchases and subscription status.
• Data Shared: Your anonymous user ID, purchase transactions, subscription status, and entitlement information.
• Privacy Policy: revenuecat.com/privacy

4.4 Sentry (Error Tracking)

• Purpose: Crash reporting and error monitoring to maintain App stability.
• Data Shared: Error stack traces, your anonymous user ID, and diagnostic information. In some cases, your email may be associated with error reports to help resolve user-reported issues.
• Privacy Policy: sentry.io/privacy

4.5 Expo (Notifications and Updates)

• Purpose: Delivering push notifications and over-the-air app updates.
• Data Shared: Your device push token and device information necessary for notification delivery.
• Privacy Policy: expo.dev/privacy

4.6 Apple / Google (App Stores and Payments)

• Purpose: App distribution, in-app purchase processing, and payment handling.
• Data Shared: We do not share your personal data with Apple or Google beyond what they collect through their app stores. Payment processing is handled entirely by the respective app store.

5. How We Share Your Information

We do not sell your personal information to third parties.

We may share your information only in the following circumstances:

• Service Providers. With the third-party services listed in Section 4, solely to provide and improve the App.
• Legal Requirements. If required by law, regulation, legal process, or governmental request.
• Safety. To protect the rights, safety, or property of Cardluent, our users, or the public.
• Business Transfers. In connection with a merger, acquisition, or sale of assets, in which case your information would remain subject to this Privacy Policy.
• With Your Consent. In any other circumstance where you have given explicit consent.

6. Your Rights and Choices

6.1 All Users

• Access and Review. You can view all your flashcard data, review history, and account information within the App.
• Edit and Delete Content. You can edit or delete individual flashcards at any time.
• Delete Your Account. You can permanently delete your account and all associated data from the Profile screen in the App. This action is irreversible.
• Manage Permissions. You can grant or revoke camera, location, notification, motion, and tracking permissions through your device settings at any time.
• Opt Out of Geotag. Location tagging is disabled by default and can be toggled in the App settings.
• Opt Out of Notifications. You can disable notifications through App settings or your device settings.

6.2 California Residents (CCPA/CPRA)

If you are a California resident, you have the following additional rights under the California Consumer Privacy Act:

• Right to Know. You can request information about what personal data we collect, use, and disclose.
• Right to Delete. You can request deletion of your personal data.
• Right to Opt Out of Sale. We do not sell your personal information.
• Right to Non-Discrimination. We will not discriminate against you for exercising your privacy rights.

To exercise these rights, contact us at support@cardluent.com.

6.3 European Economic Area, United Kingdom, and Switzerland (GDPR)

If you are located in the EEA, UK, or Switzerland, you have the following additional rights under the General Data Protection Regulation:

• Legal Basis for Processing. We process your data based on: (a) your consent (e.g., location data, notifications), (b) performance of a contract (providing the Service), and (c) legitimate interests (improving the App, error tracking, security).
• Right of Access. You can request a copy of the personal data we hold about you.
• Right to Rectification. You can request correction of inaccurate data.
• Right to Erasure. You can request deletion of your data.
• Right to Restrict Processing. You can request that we limit how we use your data.
• Right to Data Portability. You can request your data in a structured, machine-readable format.
• Right to Object. You can object to processing based on legitimate interests.
• Right to Withdraw Consent. Where processing is based on consent, you can withdraw it at any time.

To exercise these rights, contact us at support@cardluent.com. We will respond within 30 days.

International Data Transfers. Your data may be transferred to and processed in the United States and other countries where our service providers operate. We rely on standard contractual clauses and other appropriate safeguards for international data transfers.

7. Children's Privacy

The App is not intended for children under the age of 13. We do not knowingly collect personal information from children under 13. If we become aware that we have collected personal information from a child under 13, we will take steps to delete that information promptly.

If you are a parent or guardian and believe your child has provided us with personal information, please contact us at support@cardluent.com.

8. Data Security

We implement appropriate technical and organizational measures to protect your personal information, including:

• Encryption in Transit. All data transmitted between the App and our servers uses HTTPS/TLS encryption.
• Encryption at Rest. Local data on your device is protected by your device's file encryption. Cloud data is encrypted at rest by our infrastructure provider.
• Access Controls. Cloud data is protected by row-level security policies that restrict access to your own data.
• Secure API Keys. Sensitive API keys (such as our AI service key) are stored server-side and never exposed to the client application.
• Signed URLs. Media files in cloud storage are accessed via time-limited signed URLs that expire after one hour.

No method of electronic storage or transmission is 100% secure. While we strive to protect your information, we cannot guarantee absolute security.

9. Changes to This Privacy Policy

We may update this Privacy Policy from time to time. If we make material changes, we will notify you through the App or by other appropriate means. Your continued use of the App after the effective date of any changes constitutes your acceptance of the updated Privacy Policy.

We encourage you to review this Privacy Policy periodically.

10. Contact Us

If you have questions, concerns, or requests regarding this Privacy Policy or your personal data, please contact us at:

Email: support@cardluent.com