Memicorn ("we," "our," "us," or the "Service") is a language learning application that helps users create, manage, and practice vocabulary through flashcards and AI-powered features. We are committed to protecting your privacy and ensuring transparency about how we collect, use, and protect your personal information.
This Privacy Policy applies to our mobile applications (iOS and Android), web services, and API (collectively, the "Service"). By using Memicorn, you agree to the collection and use of information in accordance with this policy.
Table of Contents
- 1. Information We Collect
- 2. How We Use Your Information
- 3. Legal Basis for Processing
- 4. Information Sharing and Disclosure
- 5. Third-Party Services
- 6. AI Services and Automated Processing
- 7. Data Retention and Deletion
- 8. Data Security
- 9. International Data Transfers
- 10. Your Privacy Rights
- 11. Regional Privacy Rights
- 12. Children's Privacy
- 13. Cookies and Tracking Technologies
- 14. Push Notifications
- 15. Data Breach Notification
- 16. Changes to This Policy
- 17. Contact Information
1. Information We Collect
1.1 Information You Provide Directly
- Account Information: Email address, full name, display name, and birth date (optional)
- Authentication Data: Hashed password (for email registration), OAuth tokens (for Google/Apple Sign-In)
- Profile Information: Avatar image (optional), language preferences (primary and learning languages)
- User-Generated Content:
- Flashcard categories (name, description, language settings, public/private status)
- Flashcards (questions and answers)
- Review data and learning progress (scores, review dates, spaced repetition data)
- Imported content from CSV, text files, or other formats
- Communication Preferences: Email notification settings, push notification tokens
1.2 Information Collected Automatically
- Usage Data:
- App interaction events and feature usage
- Session duration and frequency
- Learning statistics and progress metrics
- API request logs (method, endpoint, response time)
- Device Information:
- Device type and model
- Operating system and version
- App version
- Device identifiers (for push notifications only)
- IP address (for security and regional compliance)
- User-Agent string
- Time zone settings
- Authentication Logs: Login timestamps, authentication methods used, last login date
1.3 Information from Third-Party Services
- OAuth Providers: When you sign in with Google or Apple, we receive your email address, name, and unique identifier from these services
- Firebase Analytics: Anonymous usage analytics including app events, crashes, and performance metrics
2. How We Use Your Information
We use the collected information for the following purposes:
2.1 Service Provision and Improvement
- Create and maintain your account
- Store, sync, and display your flashcards across devices
- Track your learning progress and implement spaced repetition algorithms
- Enable sharing of public categories with other users
- Provide customer support and respond to inquiries
- Improve and optimize our Service based on usage patterns
2.2 AI-Powered Features
- Generate language learning content using OpenAI's API
- Create quiz options and multiple-choice questions
- Provide translations and explanations
- Enhance flashcard content with AI-generated suggestions
2.3 Communication
- Send welcome emails and account-related notifications
- Notify you of privacy policy updates or terms changes
- Send push notifications for learning reminders (with your consent)
- Communicate about new features or service updates (with your consent)
2.4 Legal and Security
- Comply with legal obligations and regulatory requirements
- Detect, prevent, and address fraud, abuse, or security issues
- Enforce our terms of service and protect rights and safety
- Maintain audit logs for security and compliance purposes
3. Legal Basis for Processing
We process your personal data under the following legal grounds:
- Contract Performance: To provide the core functionality of Memicorn as described in our terms of service
- Consent: For optional features like push notifications, promotional emails, public category sharing, and analytics
- Legitimate Interests: For service improvement, fraud prevention, security measures, and anonymous analytics
- Legal Obligations: To comply with applicable laws, regulations, and legal processes
- Vital Interests: To protect the vital interests of you or another person (rare circumstances)
4. Information Sharing and Disclosure
We do not sell, rent, or trade your personal information. We share information only in the following circumstances:
- With Your Consent: When you explicitly agree to share information, such as making categories public
- Service Providers: With trusted third-party services that help us operate Memicorn (see Section 5)
- Legal Requirements: When required by law, court order, or government request
- Safety and Rights Protection: To protect the rights, property, or safety of Memicorn, our users, or the public
- Business Transfers: In connection with a merger, acquisition, or sale of assets (with notice to users)
- Aggregated Data: We may share anonymized, aggregated data that cannot identify individuals
5. Third-Party Services
We use the following third-party services to operate Memicorn. Each service has its own privacy policy and data protection measures:
| Service Provider | Purpose | Data Shared | Privacy Policy |
|---|---|---|---|
| Supabase | Database hosting (PostgreSQL) | All user data, flashcards, categories, reviews | Privacy Policy |
| Amazon Web Services (S3) | File storage | Avatar images, imported files, exports | Privacy Policy |
| OpenAI | AI content generation | Flashcard content for AI processing, prompts | Privacy Policy |
| Firebase (Google) | Push notifications, analytics | Device tokens, usage analytics, crash reports | Privacy Policy |
| Google OAuth | Authentication | Email, name, unique identifier | Privacy Policy |
| Apple Sign In | Authentication | Email (optional), name, unique identifier | Privacy Policy |
We have Data Processing Agreements (DPAs) in place with all service providers that process personal data on our behalf.
6. AI Services and Automated Processing
6.1 OpenAI Integration
When you use AI-powered features:
- Your flashcard content may be sent to OpenAI's API for processing
- OpenAI processes this data according to their privacy policy and data usage policies
- We have configured our OpenAI integration to opt-out of training on your data
- OpenAI may temporarily retain data (up to 30 days) for security and abuse monitoring
- Generated content is stored in your account and treated as your user-generated content
6.2 Automated Decision-Making
We use automated processing for:
- Spaced Repetition Algorithm (SM-2): Automatically calculates optimal review intervals based on your performance
- Learning Analytics: Generates statistics and progress reports based on your review history
- Content Suggestions: AI-generated quiz options and explanations
You have the right to request human review of automated decisions that significantly affect you.
7. Data Retention and Deletion
7.1 Retention Periods
- Active Account Data: Retained while your account is active and you use the Service
- Deleted Account Data: Removed within 30 days of account deletion request
- Backup Data: May be retained in backups for up to 90 days
- Legal Hold Data: Retained as required by law or legal proceedings
- Anonymized Analytics: May be retained indefinitely in aggregated form
7.2 Account Deletion
You can delete your account at any time through:
- The app settings menu: Settings → Account → Delete Account
- Contacting us at info@memicorn.com
Upon deletion, we will:
- Remove your personal data from active systems within 30 days
- Delete or anonymize your content and learning data
- Retain only data required for legal compliance or legitimate business purposes
8. Data Security
We implement industry-standard security measures to protect your data:
- Encryption in Transit: All data transmitted between your device and our servers uses HTTPS/TLS encryption
- Encryption at Rest: Sensitive data is encrypted using AES-256 encryption in our databases and storage systems
- Access Controls: Limited access to production systems with multi-factor authentication (MFA) required
- Password Security: Passwords are hashed using secure cryptographic functions (never stored in plain text)
- Regular Security Audits: Periodic review of security practices and vulnerability assessments
- Secure Development: Following OWASP guidelines and security best practices in our development process
- Incident Response: Established procedures for detecting and responding to security incidents
While we strive to protect your personal information, no method of transmission or storage is 100% secure. We cannot guarantee absolute security but commit to using commercially reasonable efforts to protect your data.
9. International Data Transfers
Your information may be transferred to and maintained on servers located outside your country of residence:
- Data Centers: Our primary data is hosted in the United States through our service providers
- Safeguards: We ensure appropriate safeguards are in place for international transfers, including:
- Standard Contractual Clauses (SCCs) approved by the European Commission
- Data Processing Agreements with all service providers
- Adherence to Privacy Shield principles where applicable
- Your Consent: By using Memicorn, you consent to the transfer of your information to countries that may have different data protection laws than your jurisdiction
10. Your Privacy Rights
Depending on your location, you may have the following rights regarding your personal data:
- Access: Request a copy of the personal data we hold about you
- Correction: Request correction of inaccurate or incomplete personal data
- Deletion: Request deletion of your personal data (subject to legal requirements)
- Portability: Receive your data in a structured, machine-readable format
- Restriction: Request restriction of processing of your personal data
- Objection: Object to processing based on legitimate interests or direct marketing
- Withdraw Consent: Withdraw consent for processing where consent is the legal basis
- Non-Discrimination: Not be discriminated against for exercising your privacy rights
To exercise these rights, contact us at info@memicorn.com. We will respond to your request within 30 days (or as required by applicable law).
11. Regional Privacy Rights
11.1 European Union (GDPR)
If you are in the European Economic Area (EEA), you have additional rights under the General Data Protection Regulation (GDPR):
- Right to lodge a complaint with your local supervisory authority
- Right to object to automated decision-making and profiling
- Enhanced rights for consent withdrawal and data portability
EU Representative: For GDPR inquiries, contact info@memicorn.com
11.2 California (CCPA/CPRA)
California residents have additional rights under the California Consumer Privacy Act (CCPA) as amended by the California Privacy Rights Act (CPRA):
- Right to Know: Details about personal information collected, used, disclosed, or sold
- Right to Delete: Request deletion of personal information (with exceptions)
- Right to Opt-Out: We do not sell personal information, but you can opt-out of certain sharing
- Right to Non-Discrimination: Equal service regardless of privacy choices
- Right to Correct: Request correction of inaccurate personal information
- Right to Limit Use: Limit use of sensitive personal information
Categories of Personal Information Collected: See Section 1 of this policy
Do Not Sell: We do not sell personal information as defined by CCPA/CPRA
To exercise your rights, email info@memicorn.com or call [toll-free number to be added]
11.3 United Kingdom (UK GDPR/DUAA)
UK residents have rights under the UK GDPR as amended by the Data Use and Access Act 2025:
- Similar rights to EU GDPR with UK-specific provisions
- Right to object to automated decision-making with mandatory safeguards
- Right to lodge complaints with the Information Commissioner's Office (ICO)
11.4 Other US States
Residents of Virginia, Colorado, Connecticut, Utah, Texas, Florida, Oregon, Montana, and other states with privacy laws have similar rights to access, delete, correct, and opt-out of certain processing. Contact us to exercise your rights under applicable state law.
11.5 Canada (PIPEDA)
Canadian residents have rights under the Personal Information Protection and Electronic Documents Act (PIPEDA):
- Right to access personal information
- Right to challenge accuracy and completeness
- Right to withdraw consent (subject to legal requirements)
11.6 Brazil (LGPD)
Brazilian residents have rights under the Lei Geral de Proteção de Dados (LGPD), including rights to access, correction, deletion, portability, and information about data sharing.
12. Children's Privacy
Age Requirement: Memicorn is not intended for children under 13 years of age (or 16 in certain jurisdictions).
We do not knowingly collect personal information from children under the applicable age limit. If you are a parent or guardian and believe your child has provided us with personal information, please contact us immediately at info@memicorn.com.
Upon verification, we will:
- Promptly delete the child's personal information
- Terminate any account associated with the child
- Take reasonable measures to prevent future collection from that child
Age Verification: We may implement age verification measures to prevent underage use of the Service.
13. Cookies and Tracking Technologies
Our mobile applications do not use cookies in the traditional web browser sense. However, we use similar technologies:
- Local Storage: To store user preferences and session data on your device
- Device Identifiers: Anonymous identifiers for analytics and push notifications
- Analytics SDKs: Firebase Analytics collects anonymous usage data (can be disabled in settings)
Managing Tracking: You can limit tracking by:
- Disabling analytics in app settings
- Using your device's privacy settings to limit ad tracking
- Revoking permissions for the app in your device settings
14. Push Notifications
With your consent, we may send push notifications for:
- Learning reminders and review schedules
- Achievement milestones and progress updates
- Important service announcements
- New feature notifications (optional)
Device Tokens: We collect device tokens solely to deliver push notifications. These tokens are:
- Stored securely and encrypted
- Never used for tracking or profiling
- Deleted when you disable notifications or delete your account
Managing Notifications: You can disable push notifications at any time through:
- Your device's notification settings
- The app's settings menu
15. Data Breach Notification
In the event of a data breach that may compromise your personal information:
- Notification Timeline: We will notify affected users within 72 hours of discovery (or as required by applicable law)
- Notification Method: Via email to your registered email address and in-app notification
- Information Provided: Nature of the breach, types of data involved, steps taken, and recommendations for protection
- Regulatory Reporting: We will notify relevant data protection authorities as required by law
- Mitigation: We will take immediate steps to secure the breach and prevent future occurrences
16. Changes to This Privacy Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors.
- Notification: Material changes will be notified via:
- Email to your registered email address
- In-app notification
- Prominent notice on our website
- Review Period: For material changes, we will provide at least 30 days notice before the changes take effect
- Continued Use: Your continued use of Memicorn after changes indicates acceptance of the updated policy
- Previous Versions: We maintain an archive of previous policy versions for transparency
17. Contact Information
For privacy-related questions, concerns, or to exercise your rights, please contact us:
Email: info@memicorn.com
Response Time: Within 30 days (or as required by law)
Data Protection Officer:
For GDPR-related inquiries: info@memicorn.com
Complaints:
If you believe we have not addressed your concerns adequately, you have the right to lodge a complaint with your local data protection authority:
- EU residents: Your local Data Protection Authority
- UK residents: Information Commissioner's Office (ICO)
- California residents: California Privacy Protection Agency (CPPA)
Accessibility
This privacy policy is available in alternative formats upon request. Contact us at info@memicorn.com for assistance.