Back

Privacy Policy

Last updated: May 28, 2026

1. Controller

Email:

2. Data we collect

DataSourcePurpose
Email addressSign-in (OTP or GitHub)Authentication, account recovery
NameGitHub profileDisplay purposes
Profile imageGitHub profileDisplay purposes
IP addressAutomaticSecurity, abuse prevention
User agentAutomaticSecurity, session management
Learning dataYour activityProviding the flashcard service (attempts, review queue, settings)

3. Legal basis

  • Contract performance (Art. 6(1)(b) GDPR) — processing your account data and learning data is necessary to provide the flashcard service.
  • Legitimate interest (Art. 6(1)(f) GDPR) — we store IP addresses and user agents for security and abuse prevention.

4. Third-party services

Cloudflare, Inc.

Hosting, CDN, database

All requests pass through Cloudflare infrastructure. The database is hosted on Cloudflare D1. Cloudflare is certified under the EU-US Data Privacy Framework.

Privacy policy

GitHub, Inc.

Social login (OAuth)

If you choose to sign in with GitHub, your name, email, and profile image are received from GitHub. GitHub participates in the EU-US Data Privacy Framework.

Privacy policy

Amazon Web Services EMEA SARL

Email delivery (SES)

Your email address and a one-time verification code are sent when you sign in via email. Processed in the EU (eu-central-1).

Privacy policy

5. Cookies

This app uses only strictly necessary session cookies to maintain your login session. These cookies are essential for the service to function and are exempt from consent requirements under Art. 5(3) of the ePrivacy Directive.

No tracking, analytics, or advertising cookies are used.

6. Data retention

  • Account data and learning data — retained until you delete your account.
  • Sessions — expire automatically after their validity period.
  • Verification codes — expire automatically after use or timeout.

7. International data transfers

Some data is processed outside the EU/EEA (see Section 4). Transfers to the United States are safeguarded by the EU-US Data Privacy Framework and/or Standard Contractual Clauses where applicable.

8. Your rights

Under the GDPR, you have the following rights:

  • Right of access (Art. 15) — request a copy of your data. You can use the data export feature in Settings.
  • Right to rectification (Art. 16) — request correction of inaccurate data.
  • Right to erasure (Art. 17) — delete your account and all data. You can use the account deletion feature in Settings.
  • Right to restriction (Art. 18) — request restriction of processing.
  • Right to data portability (Art. 20) — receive your data in a machine-readable format via the export feature.
  • Right to object (Art. 21) — object to processing based on legitimate interest.

To exercise any of these rights, contact us at the email address listed above.

9. Supervisory authority

You have the right to lodge a complaint with the Austrian Data Protection Authority:

Österreichische Datenschutzbehörde

Barichgasse 40-42, 1030 Vienna, Austria

Email: dsb@dsb.gv.at

Website: www.dsb.gv.at

10. Changes to this policy

We may update this privacy policy from time to time. The date of the last revision is shown at the top of this page.