Privacy Policy

Last updated:

VocabuLens collects only what is necessary to operate your account and deliver the learning features. We do not sell your data, display advertising, or share your information with third parties beyond what is described in this policy.

1. Who we are

VocabuLens is a language-learning platform accessible at app.vocabulens.com. For privacy-related inquiries, contact us at hello@vocabulens.com.

2. Data we collect

Account and identity

• Email address — used to identify your account, send authentication codes, and deliver critical service messages (password resets, security alerts).
• Display name — shown in the app and on your public profile.
• Password hash — if you register with email/password, we store only a one-way bcrypt hash. We cannot retrieve or reverse it.
• Google sign-in identifiers — if you use "Sign in with Google", we store your Google-issued email and profile identifier instead of a password hash.
• Preferences and settings — daily goal, session length, UI language, timezone, and similar in-app options.

Learning data

• Vocabulary and courses — the words, translations, examples, mnemonics, and course structures you create or enroll in.
• Review history and progress — which cards you answered correctly or incorrectly, when each card is scheduled next, and your overall mastery per word. This is what drives spaced-repetition scheduling.
• Daily activity and streak — aggregate counts of words reviewed per day, used to calculate your streak and render the activity heatmap.

Session and security

• Authentication token — a JWT stored in your browser's localStorage. It expires automatically and is removed when you sign out.
• Approximate country — on each successful sign-in, your IP address is passed to a geolocation service (ip-api.com) to obtain a 2-letter ISO country code (e.g. FI, US). We store the country code and the timestamp of the detection on your account; the IP address itself is not stored. This is used for regional statistics and language-option ordering. The lookup is best-effort — if the service is unavailable we proceed without it.

Anonymous visit data

• When you load the public landing page, we set a first-party cookie (vl_visitor_id) containing a random identifier with no personal information, with a maximum lifetime of two years. We record the UTM parameters (e.g. utm_source, utm_medium), the referring host, the landing path, and the country code derived from the IP lookup. This is used to understand which acquisition channels are effective. If you subsequently create an account, the cookie identifier is linked to your account so that channel attribution persists. Deleting your account also removes that link. You can clear the cookie at any time via your browser.

Feedback you submit

• If you report a problem with a card or submit in-app feedback, the content of that report is stored and associated with your account for support purposes.

3. Third-party services

Operating the platform requires sharing limited data with the following external services:

• Anthropic (AI enrichment, USA) — when you add a word, the word text and its target language are sent to Anthropic's Claude API to generate definitions, example sentences, and mnemonics. Your email address, name, country, and review history are not included. Do not enter passwords, health information, or other sensitive personal data as vocabulary material — that content reaches Anthropic's servers and is subject to their privacy policy.
• Audio providers (pronunciation) — individual word terms are sent to one or more speech services (Forvo, Google Cloud Text-to-Speech, or Microsoft Azure Cognitive Services, depending on the language) to obtain pronunciation audio. The resulting audio files are cached on our servers. No account information is included in these requests.
• Google (sign-in) — if you use "Sign in with Google", Google shares your email, display name, and a profile identifier with us. This is governed by Google's privacy policy.
• ip-api.com (country lookup) — your IP address at the moment of sign-in is sent to ip-api.com to resolve a 2-letter country code. Only the resulting country code is stored; the IP is not. The call has a hard 2-second timeout; if it fails we skip it silently.

4. Where your data is stored

Our primary servers are hosted by Hetzner Online GmbH in Frankfurt, Germany (European Union). Your account data, learning progress, audio cache, and review history are all stored there.

5. International data transfers

Some features rely on third-party services that process data outside the EU/EEA — primarily in the United States. Where this occurs, we rely on the European Commission's Standard Contractual Clauses (SCCs), which these providers publish in their data processing agreements, as the transfer safeguard required by the GDPR.

• Anthropic (USA): word text and target language only — no account identifiers.
• Audio providers: the single word being synthesised only — no account information. Azure audio stays in the EU when hosted in an EU region.
• Google sign-in (USA): email, name, and profile identifier — only when you choose to use Google sign-in.
• ip-api.com: your IP address at sign-in — the resulting country code is stored; the IP is not retained by us.

We do not transfer your data to any country for which we do not have an appropriate GDPR safeguard in place.

6. What we do not do

• We do not sell or rent your personal data to any third party.
• We do not display advertising or load third-party advertising or tracking scripts.
• We do not share your learning data with other users, except through content you explicitly make public (public courses).

7. Cookies and local storage

The app stores a JWT authentication token in your browser's localStorage to keep you signed in. The landing page sets a single first-party cookie (vl_visitor_id) for analytics as described above. We do not load third-party cookies or advertising cookies.

8. Your rights under the GDPR

If you are located in the EU, EEA, or UK, you have the following rights:

• Access — request a copy of the personal data we hold about you.
• Rectification — correct inaccurate data via your profile settings.
• Erasure — request deletion of your account and personal data.
• Portability — download an export of your data from the Profile page.
• Restriction — ask us to restrict processing while a dispute is resolved.
• Objection — object to processing based on legitimate interests.
• Complaint — lodge a complaint with your local data protection authority.

The first two are available as self-service actions from the Profile page. To exercise any other right, email hello@vocabulens.com. We will respond within 30 days as required by the GDPR.

9. Data exports

The Profile page includes a "Download export" function that produces a single file containing everything stored against your account: profile and settings, enrolled and authored courses, inbox drafts, daily activity and streak, follows, and optionally your full review history. Exports are limited to one per day to protect server resources.

10. Account deletion and data retention

You can delete your account from the Profile page at any time. Your account is closed immediately upon confirmation and you will be signed out.

We retain your data for a 30-day recovery window in case the deletion was accidental. During this period you may email us to restore your account. After 30 days, deletion is permanent and the following data is removed:

• Email address, display name, photo, and country code.
• Password hash and any linked Google sign-in.
• Inbox drafts, learning progress, review history, daily activity, and follows.
• Push notification subscriptions.
• Private courses you authored.

Public courses you authored are retained so that enrolled learners do not lose their progress. Your name is replaced with "Deleted user" and no personal identifier is retained in the course record.

We may retain a minimal set of de-identified records after deletion — for example, aggregate referral statistics with no link back to your identity, and security audit entries with user identifiers removed. This is the minimum necessary to maintain analytics integrity and is no longer personal data.

11. Use of de-identified data for academic research

We may use de-identified, aggregated data — for example, learning patterns, review outcomes, spaced-repetition performance distributions, capture-source statistics, and anonymised usage metrics — for academic research into language learning, memory, and pedagogy. This includes work conducted in collaboration with universities or shared with the broader research community through publications or open datasets.

Before any such use, data is irreversibly stripped of identifiers (email, name, nickname, country, IP, free-text content you authored, and any other field that could reasonably be linked back to you). We do not share the underlying personal data with researchers, and de-identified records cannot be re-associated with your account. This processing remains lawful even after you delete your account, because the resulting dataset is no longer personal data under the GDPR (Recital 26).

If you would prefer your activity not to contribute to research datasets, contact us at hello@vocabulens.com and we will exclude your account from research exports going forward.

12. Children

VocabuLens is not directed at or intended for use by children under the age of 13. We do not knowingly collect personal data from children. If you believe a child has registered an account, please contact us at hello@vocabulens.com and we will close the account promptly.

13. Changes to this policy

If we make material changes to this policy, we will update the "last updated" date at the top of the page and notify existing users via an in-app notice on their next sign-in. Continued use of the service after the effective date of a change constitutes your acceptance of the updated policy.

14. Contact

For any questions or concerns about your data or this policy, contact us at hello@vocabulens.com.