Privacy Policy
1. Who We Are
VocabFlow ("we", "us", "our") is a vocabulary learning platform developed and operated by Anatolii Krotov.
Data Controller
Anatolii Krotov
Email: anatolii.krotov@gmail.com
For all privacy-related requests, contact us at the email above. We aim to respond within 30 days (the GDPR statutory deadline).
2. Scope of This Policy
This Privacy Policy applies to all personal data we collect when you:
- Download and use the VocabFlow mobile application (iOS or Android).
- Create an account or interact with the Service in any way.
- Contact us by email or through in-app feedback.
It does not apply to third-party websites or services that may be linked from within the app; those are governed by their own privacy policies.
3. Data We Collect
3.1 Data You Provide Directly
| Data | When collected |
|---|---|
| Email address | Account registration (email/password flow) |
| Password (stored as a one-way hash — never in plain text) | Account registration (email/password flow only) |
| Display name (optional) | Profile setup |
| Language pair preferences | Onboarding |
| Custom word lists and personal notes | During use |
| Feedback or support messages | When you contact us |
3.2 Data Received from Social Login Providers
If you choose to sign in with Sign in with Apple or Sign in with Google, we receive a limited set of data from that provider to create or link your account:
| Provider | Data received | Notes |
|---|---|---|
| Apple | Email address (or Apple-relayed private address), full name (first sign-in only), a unique Apple user identifier | Apple may provide a private relay email that forwards to your real address. We store the identifier and the email we receive. |
| Google | Email address, display name, profile picture URL, a unique Google user identifier | Received via OAuth 2.0 / OpenID Connect. |
We do not receive or store your Apple or Google password. The identity token is verified server-side and then discarded — only the user identifier and email are persisted.
You can revoke VocabFlow's access to your Apple or Google account at any time through your Apple ID settings (Settings → [Your name] → Password & Security → Apps Using Apple ID) or Google account settings (myaccount.google.com → Security → Third-party apps with account access). Revoking access does not delete your VocabFlow account; use the in-app deletion flow for that.
3.3 Data Collected Automatically
| Data | Purpose |
|---|---|
| Learning session logs (words reviewed, ratings, timestamps) | Spaced repetition scheduling (FSRS algorithm) |
| Review statistics (streaks, retention rates, session counts) | Progress dashboard |
| Device type and operating system version | Compatibility and bug fixes |
| App version | Compatibility and bug fixes |
| Crash reports and error logs | Service reliability |
| IP address (transient, not stored long-term) | Security, abuse prevention |
3.4 Data We Do NOT Collect
- We do not collect payment card data — all purchases are processed by Apple or Google.
- We do not collect precise geolocation.
- We do not build advertising profiles or sell your data to advertisers.
- We do not use third-party advertising SDKs.
4. How We Use Your Data
| Purpose | Data used |
|---|---|
| Provide and operate the Service | Account data, learning logs |
| Authenticate you via social login (Apple / Google) | Social provider identifier, email |
| Personalise your learning schedule | Review history, FSRS scheduling data |
| Generate AI-powered word content | The word or phrase you are studying (sent to our AI provider — see §6) |
| Send progress notifications (if enabled) | Email address or device push token |
| Respond to support requests | Email address, message content |
| Detect and prevent fraud and abuse | IP address, account activity |
| Improve the Service | Aggregated, anonymised usage statistics |
| Comply with legal obligations | As required by applicable law |
5. Legal Bases for Processing (GDPR)
We process your personal data under the following legal bases as defined in Article 6 GDPR:
| Processing activity | Legal basis |
|---|---|
| Creating and managing your account | Contract (Art. 6(1)(b)) — necessary to provide the Service |
| Social login (Apple / Google) — verifying identity and creating/linking your account | Contract (Art. 6(1)(b)) |
| Delivering spaced repetition scheduling | Contract (Art. 6(1)(b)) |
| Sending push notifications | Consent (Art. 6(1)(a)) — you may withdraw at any time |
| Sending service emails (password reset, account notices) | Legitimate interest (Art. 6(1)(f)) — necessary for account security |
| Crash reporting and error logging | Legitimate interest (Art. 6(1)(f)) — maintaining service reliability |
| Complying with legal obligations | Legal obligation (Art. 6(1)(c)) |
Where we rely on legitimate interest, you may object at any time (see §11).
6. AI-Powered Features
VocabFlow uses Google Gemini (operated by Google LLC) to generate word definitions, example sentences, pronunciation hints, and other educational content.
What we send to Google Gemini: Only the word or phrase being studied — no email addresses, user IDs, or other personal identifiers are included in AI requests. We take reasonable technical measures to minimise the personal data in prompts.
Google's data handling: Requests are processed subject to Google's Privacy Policy and their Gemini API terms. Google may process data outside the EEA; where this occurs, Google relies on Standard Contractual Clauses (SCCs) as an appropriate transfer mechanism.
7. Data Sharing and Third Parties
We do not sell your personal data. We share data only in the following limited circumstances:
7.1 Infrastructure Providers
| Provider | Role | Location |
|---|---|---|
| Google Cloud Run / Cloud SQL | Hosting and database | EU (europe-west1) |
| Google Gemini API | AI content generation | See §6 |
All infrastructure providers act as data processors under a Data Processing Agreement (DPA) with us.
7.2 Social Login Providers
When you sign in using a third-party identity provider, that provider acts as an independent data controller for your account with them. We receive only the data described in §3.2.
| Provider | Their privacy policy |
|---|---|
| Apple (Sign in with Apple) | apple.com/legal/privacy |
| Google (Sign in with Google) | policies.google.com/privacy |
7.3 App Distribution Platforms
Apple (App Store) and Google (Play Store) have access to data associated with your purchases and device, governed by their own privacy policies.
7.4 Legal Requirements
We may disclose your data if required to do so by law, court order, or a competent regulatory authority, or where necessary to protect the rights, property, or safety of VocabFlow, its users, or the public.
7.5 Business Transfers
In the event of a merger, acquisition, or sale of all or substantially all of our assets, your data may be transferred to the successor entity. We will notify you before your data is subject to a different privacy policy.
8. International Data Transfers
Our primary infrastructure is hosted in the European Union (europe-west1). Where data is transferred outside the EEA, the transfer is subject to appropriate safeguards under Art. 46 GDPR:
| Transfer | Mechanism |
|---|---|
| Google Gemini API (AI content generation) | Google's Standard Contractual Clauses (SCCs) |
| Sign in with Apple — token verification | Apple's SCCs / adequacy-equivalent safeguards |
| Sign in with Google — OAuth token verification | Google's SCCs |
You can obtain copies of the relevant SCCs by contacting us or through the respective provider's data transfer documentation.
9. Data Retention
| Data category | Retention period |
|---|---|
| Account data (email, hashed password or social provider identifier, display name) | For the life of your account, then deleted within 30 days of account deletion |
| Learning history and progress data | For the life of your account, then deleted within 30 days of account deletion |
| Crash logs and error logs | 90 days, then automatically purged |
| Support correspondence | 2 years from last contact |
| Aggregated, anonymised analytics | Indefinitely (no personal data retained) |
When you delete your account (see §11), we delete your personal data within 30 days, except where a longer retention period is required by applicable law (e.g., financial records for tax purposes).
10. Security
We implement appropriate technical and organisational measures to protect your personal data, including:
- Encryption in transit: All communication between the app and our backend uses HTTPS/TLS.
- Encryption at rest: Data stored on Google Cloud is encrypted at rest by default.
- Hashed passwords: Passwords are stored as irreversible hashes using a strong hashing algorithm (bcrypt). We never store plain-text passwords. Social login users have no password stored with us at all — authentication is delegated entirely to Apple or Google.
- Access controls: Only authorised personnel can access production systems; access is logged and audited.
- JWT authentication: Session tokens are short-lived and invalidated on password change.
No system is 100% secure. If you believe your account has been compromised, contact us immediately at anatolii.krotov@gmail.com.
Data breach notification: In the event of a personal data breach that is likely to result in high risk to your rights and freedoms, we will notify you without undue delay as required by Art. 34 GDPR.
11. Your Rights Under GDPR
As a data subject in the European Union (or where equivalent rights apply), you have the following rights:
| Right | What it means |
|---|---|
| Access (Art. 15) | Request a copy of the personal data we hold about you |
| Rectification (Art. 16) | Ask us to correct inaccurate or incomplete data |
| Erasure (Art. 17) | Ask us to delete your data ("right to be forgotten") |
| Restriction (Art. 18) | Ask us to limit how we process your data |
| Portability (Art. 20) | Receive your data in a structured, machine-readable format |
| Objection (Art. 21) | Object to processing based on legitimate interest |
| Withdraw consent (Art. 7(3)) | Withdraw consent at any time where processing relies on consent |
How to exercise your rights:
- In-app account deletion: Go to Settings → Account → Delete Account to permanently erase your account and all associated data.
- Email requests: Send your request to anatolii.krotov@gmail.com. We will respond within 30 days. We may ask you to verify your identity before fulfilling the request.
We will not discriminate against you for exercising any of these rights.
12. Children's Privacy
The Service is not directed at children under the age of 16. We do not knowingly collect personal data from children under 16. If you become aware that a child under 16 has provided us with personal data without appropriate parental consent, please contact us at anatolii.krotov@gmail.com and we will delete the data promptly.
13. Push Notifications
With your permission, we may send push notifications to your device (e.g., daily review reminders). You can withdraw this permission at any time in your device's operating system settings (iOS: Settings → Notifications → VocabFlow; Android: Settings → Apps → VocabFlow → Notifications).
We do not use push notification tokens for advertising purposes.
14. Analytics and Crash Reporting
We collect aggregated, anonymised usage statistics and crash reports solely to improve the reliability and performance of the Service. We do not use third-party advertising analytics or cross-app tracking SDKs. Any analytics data is either processed on our own infrastructure or through Google Cloud's built-in logging, which is subject to our DPA with Google.
We do not participate in Apple's App Tracking Transparency framework for advertising purposes. No advertising identifier (IDFA/GAID) is collected.
15. Changes to This Policy
We may update this Privacy Policy from time to time. When we make material changes, we will:
- Update the "Last updated" date at the top of this document.
- Notify you via in-app notification or email.
- Where required by law, seek your renewed consent.
Continued use of the Service after the updated policy takes effect constitutes acceptance of the changes.
16. Contact and Supervisory Authority
For privacy-related questions or to exercise your rights:
Email: anatolii.krotov@gmail.com
Response time: within 30 days
Supervisory authority:
If you are not satisfied with our response, you have the right to lodge a complaint with your local EU data protection supervisory authority. A list of EU supervisory authorities is available at: edpb.europa.eu