Summary: Repetra is a vocabulary learning app. We collect what we need to run the service (your account info, learning data, and device info). We use trusted third-party providers for specific features. We never sell your personal data. You can delete your account and all data at any time.
Table of Contents
- Introduction
- Information We Collect
- How We Use Your Information
- Legal Basis for Processing (GDPR)
- How We Share Your Information
- Data Storage & Security
- Data Retention
- Your Rights & Choices
- Children's Privacy
- Device Permissions
- International Data Transfers
- Cookies & Tracking
- Changes to This Policy
- Contact Us
1. Introduction
This Privacy Policy explains how Repetra ("we," "us," or "our") collects, uses, shares, and protects your personal information when you use our mobile application (available on iOS and Android) and our website at repetra.app (collectively, the "Service").
By using Repetra, you agree to the collection and use of your information as described in this policy. If you do not agree, please do not use the Service.
If you have questions about this policy or your data, you can reach us at [email protected].
2. Information We Collect
Information You Provide
- Account information: Email address, username, password (hashed using Argon2 — we never store or have access to your plaintext password), display name, bio, avatar image, and timezone.
- Learning preferences: Your chosen languages, study goals, notification preferences, and app settings.
- Content you create: Vocabulary cards, decks, definitions, notes, and any media (such as photos) you upload to your flashcards.
Information from Third-Party Authentication
- Google OAuth: If you sign in with Google, we receive your name, email address, and profile picture from Google.
- Apple Sign-In: If you sign in with Apple, we receive your name and email address (or a relay email if you choose to hide it) from Apple.
We only receive the information these providers share during sign-in. We do not access your contacts, calendar, or other account data.
Information Collected Automatically
- Device information: Device identifier, device name, operating system and version, and push notification tokens.
- Usage data: Review history, streaks, study statistics, session duration, and feature usage patterns.
- Error reports: If you opt in, we collect crash reports and error logs through a third-party error tracking service to help us fix bugs.
- Analytics: If you opt in, we collect anonymized usage analytics through a third-party analytics provider to understand how people use Repetra and improve the experience.
Payment Information
All payments are processed through the Apple App Store or Google Play Store via a third-party subscription management provider. We never directly collect or store your payment card details, bank account numbers, or other financial information. Payment processing is handled entirely by Apple, Google, and our payment partners under their respective privacy policies.
3. How We Use Your Information
We use the information we collect to:
- Operate and improve the Service: Provide vocabulary learning features, manage your account, and continuously improve the app.
- Power the spaced repetition algorithm: Our FSRS-6 algorithm uses your review history, response times, and difficulty ratings to schedule reviews at optimal intervals for long-term retention.
- Generate AI flashcards: When you use AI card generation, your text prompts are sent to a third-party AI provider for processing. Only the text you submit is shared — no other personal data.
- Send transactional communications: Account confirmations, password resets, and important service updates via a third-party email delivery service.
- Deliver push notifications: Study reminders, streak alerts, and other notifications you have enabled, delivered through a third-party push notification service.
- Show advertisements: Free-tier users may see rewarded video ads served by a third-party advertising network. Upgrading to a paid plan removes all ads.
- Manage subscriptions: Process and manage your subscription status through a third-party subscription management provider.
- Operate referral and partner programs: Track referrals and reward participants when applicable.
4. Legal Basis for Processing (GDPR)
If you are located in the European Union or European Economic Area, we process your personal data under the following legal bases:
- Contract performance: Processing necessary to provide the Service to you — including account management, spaced repetition scheduling, content storage, and subscription management.
- Legitimate interest: Analytics to improve the Service, security measures to protect our users and infrastructure, and bug fixing through error reports.
- Consent: Marketing communications, optional analytics tracking, and optional error reporting. You can withdraw consent at any time through the app settings.
5. How We Share Your Information
We share your information only with the following categories of third-party service providers, and only to the extent necessary for them to perform their function:
- AI service provider: Processes text prompts for AI-powered flashcard generation. Only the text you submit is shared.
- Subscription management provider: Manages subscription status and in-app purchases across App Store and Google Play.
- Advertising network: Serves rewarded video ads to free-tier users. The ad provider may collect device identifiers and usage data for ad personalization.
- Email delivery service: Delivers transactional emails such as password resets and account confirmations.
- Push notification service: Delivers push notifications to your device.
- Error tracking service: Receives crash reports and error logs if you opt in to error reporting.
- Analytics provider: Receives anonymized usage analytics if you opt in to analytics.
- Hosting and CDN provider: Provides hosting, content delivery, and DDoS protection for our website and API.
We do not sell your personal data. We have never sold personal data and have no plans to do so.
We may also disclose your information if required by law, court order, or governmental regulation, or if necessary to protect our rights, safety, or property.
6. Data Storage & Security
Server-Side Storage
Your data is stored in secure databases on our servers, including a primary relational database for account data, vocabulary content, and learning history, and an in-memory data store for sessions, rate limiting, and temporary data.
Client-Side Storage
- Secure device storage: Authentication tokens are stored in your device's secure keychain/keystore.
- Local preferences: App preferences and non-sensitive settings are stored locally on your device.
- Offline database: Learning data is stored locally so you can study without an internet connection.
Security Measures
- Password hashing: All passwords are hashed using Argon2, a memory-hard algorithm resistant to brute-force attacks.
- Token-based authentication: Short-lived JWT access tokens (60-minute expiry) paired with 90-day refresh tokens.
- Encryption in transit: All data transmitted between your device and our servers is encrypted with HTTPS/TLS.
- Rate limiting: Protection against brute-force and abuse attempts.
- CORS and CSRF protection: Standard web security protections on all API endpoints.
- Webhook signature verification: All incoming webhooks from third-party providers are cryptographically verified.
While we implement industry-standard security measures, no system is 100% secure. If you become aware of any security issues, please contact us immediately at [email protected].
7. Data Retention
- Active accounts: Your data is retained for as long as your account is active.
- Review and learning data: Retained while your account is active because it is essential for the FSRS-6 spaced repetition algorithm to function correctly. Deleting this data would reset all your learning progress.
- Account deletion: When you delete your account, we initiate a 30-day soft-delete grace period during which you can recover your account and data. After 30 days, all your data is permanently and irreversibly deleted, including all associated vocabulary cards, decks, review history, and media.
- Automated cleanup: Expired authentication tokens, old server logs, temporary files, and orphaned media are regularly purged through automated processes.
8. Your Rights & Choices
All Users
- Update your profile: Edit your display name, bio, avatar, email, and learning preferences at any time through the app.
- Notification preferences: Control which push notifications you receive in the app settings.
- Analytics opt-out: Disable optional analytics and error reporting in the app settings.
- Delete your account: Request account deletion through the app settings. Your data enters a 30-day recovery window before permanent deletion.
Additional Rights for EU/EEA Residents (GDPR)
- Right of access: Request a copy of the personal data we hold about you.
- Right to rectification: Request correction of inaccurate or incomplete data.
- Right to erasure: Request deletion of your personal data.
- Right to data portability: Request your data in a structured, machine-readable format.
- Right to restriction: Request that we limit the processing of your data in certain circumstances.
- Right to object: Object to processing based on legitimate interest.
- Right to withdraw consent: Withdraw consent for optional data processing at any time without affecting the lawfulness of prior processing.
To exercise any of these rights, contact us at [email protected]. We will respond within 30 days.
Additional Rights for California Residents (CCPA)
- Right to know: Request disclosure of the categories and specific pieces of personal information we have collected.
- Right to delete: Request deletion of your personal information.
- Right to opt out of sale: We do not sell personal information, so this right is already satisfied.
- Right to non-discrimination: We will not discriminate against you for exercising any of your privacy rights.
9. Children's Privacy
Repetra is not directed at children under the age of 16 (as defined by GDPR) or 13 (as defined by COPPA in the United States). We do not knowingly collect personal information from children under these ages. If you believe a child has provided us with personal data, please contact us at [email protected] and we will promptly delete the information.
10. Device Permissions
Repetra may request the following device permissions:
- Camera: To take photos directly for your flashcards. Only accessed when you choose to capture a photo.
- Photo library: To select existing images from your device for your flashcards. Only accessed when you choose to upload a photo.
- Microphone: To record audio for pronunciation practice. Only accessed when you use the pronunciation feature.
- Notifications: To send study reminders and streak alerts. Requested only when you enable notifications.
- Storage (Android): To save and access flashcard media on your device.
All permissions are requested at the time of use (not on first launch) and can be revoked at any time through your device's settings.
11. International Data Transfers
Your data may be processed in countries outside your country of residence, including countries that may not provide the same level of data protection. When we transfer data internationally, we ensure appropriate safeguards are in place, including standard contractual clauses where applicable, to protect your information in accordance with this Privacy Policy.
12. Cookies & Tracking
Website (repetra.app)
Our website uses minimal cookies and tracking. Our hosting provider may set functional cookies for security and performance purposes (such as DDoS protection). We do not use third-party advertising cookies on our website.
Mobile App
The Repetra app does not use cookies. Optional analytics can be controlled through the app settings. If you opt in, our analytics provider collects anonymized usage data to help us understand how the app is used and improve the experience.
13. Changes to This Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, technologies, or legal requirements. When we make material changes, we will notify you by email and/or through an in-app notification at least 30 days before the changes take effect.
We encourage you to review this page periodically. The "Last updated" date at the top indicates when the policy was last revised.
14. Contact Us
If you have questions about this Privacy Policy, want to exercise your data rights, or have concerns about how we handle your information, please contact us:
- Email: [email protected]
We aim to respond to all privacy-related inquiries within 30 days.