Privacy Policy
Last updated: 8 July 2026
At Vocardulary, we prioritize the protection of your privacy and personal data. This Privacy Policy describes how we collect, use, store, and protect your personal information when you use our mobile applications and website, in compliance with the General Data Protection Regulation (GDPR) and other applicable privacy frameworks.
1. What we collect
- Account Information: Username, email address (or sign-in identifiers from Apple or Google), age range, and user-uploaded profile photos (solely used as inputs to generate personalized avatars using automated AI processes).
- Usage & Learning Progress: Word mastery levels, scores, themed oaths, duel history, streak statistics, and personal settings.
- Technical Device Data: Operating system version, app version, device language, and anonymized device identifier used for crash and error reporting.
- Notification Tokens: Unique push notification tokens (APNs for iOS / FCM for Android) required to deliver the study reminders, duels, and oath alerts you have consented to receive.
2. How we use it
- Provide, maintain, and personalize the Service, including the generation of custom profile avatars and text-to-speech features for language learning.
- Power the adaptive learning algorithm, the spaced-repetition scheduler, and individual progress tracking.
- Manage and deliver crucial push notifications (themed word oath deadlines, multiplayer duel invites, custom study reminders).
- Detect, prevent, and address fraud, unauthorized cheating, user conduct abuse, and technical security vulnerabilities.
3. Who we share with
We share your data only with the following trusted sub-processors and partners essential for operating the application:
- Hosting & Infrastructure Providers: Google Firebase (for user authentication and real-time database hosting in Belgium europe-west1) and Microsoft Azure France Central (for secure media storage and speech synthesis) operating under strict GDPR-compliant data processing agreements.
- Distribution and Technology Partners: Apple and Google (for transaction processing and secure push routing), xAI / Grok (for automated avatar image generation from your photos, without using your data to train their models), and ElevenLabs (for synthesized card audios).
- Legal Authorities & Regulators: We will only disclose your personal information to authorized law enforcement or judicial bodies in strict response to a valid legal process, judicial mandate, or necessary regulatory compliance.
We do not sell your personal data.
4. How long we keep it
We retain your account details and game progress data for as long as your user account remains active. If you request account deletion, we permanently erase or anonymize all your personal data within a maximum of 30 days, except where further retention of transaction records is required by tax laws.
5. Your rights
In compliance with the GDPR and data protection regulations, you possess rights to access, rectify, port, and delete your personal data, as well as rights to object to or restrict its processing. To exercise these rights at any time, please submit your request to privacy@vocardulary.com.
6. Children's privacy
The Service is not directed to children under 15 (the digital age of consent in France / EU). We do not knowingly collect personal data from minors under 15 without the explicit authorization and consent of their parents or legal guardians. If we discover an inadvertent collection, we will immediately delete that data.
7. Security
We implement robust technical and organizational security measures, including HTTPS encryption in transit, encryption at rest for databases, and restricted access controls to prevent data loss or unauthorized access. While no system is completely immune, we regularly audit our practices to minimize security risks.
8. International transfers
Your data is stored primarily within the European Union (France Central for Microsoft Azure, europe-west1 for Firebase). However, some of our third-party subprocessors (including ElevenLabs and xAI services) may process data in the United States. These transfers outside the EEA are governed by appropriate legal safeguards, such as the European Commission's Standard Contractual Clauses (SCCs).
9. Changes to this policy
We may update this Privacy Policy from time to time to reflect changes in our data operations or legal duties. We will announce significant modifications in the app or via email and refresh the 'Last Updated' date at the top of the page.
10. Contact
For any inquiries regarding this policy or to reach our Data Protection Officer/contact, please email privacy@vocardulary.com. The official Data Controller is Vocardulary.