Privacy Policy
Last updated: March 22, 2026
1. Introduction
memcard ("we", "us", "our") operates the memcard.dev website and application. This Privacy Policy explains what personal data we collect, how we use it, and your rights regarding that data.
The data controller for your personal data is memcard. If you have any questions, you can contact us at support@memcard.dev.
2. Data We Collect
We collect and process the following categories of personal data:
Account data: your name, email address, email verification status, and profile image URL (if provided via an OAuth provider).
Authentication data: hashed password (for email/password accounts), OAuth provider identifiers and tokens (for GitHub or Google sign-in), and session tokens.
Session metadata: your IP address and browser User-Agent string, stored with each session for security purposes.
Learning data: decks (title, description), cards (front and back content, tags, card type), review history (pass/fail results, box transitions, timestamps), and Leitner box state.
Course data: courses, course sections, and any source material you provide for AI-powered course generation.
AI generation data: when you use our AI features, the text or PDF content you submit, the generated output, the model used, prompt version, duration, and any rating you provide. This is stored in a generation log.
Notification preferences: your email and push notification settings, preferred reminder time, timezone, and quiet days.
Push subscription data: Web Push endpoint URL, encryption keys, and browser User-Agent (required for delivering push notifications).
Subscription data: your subscription status and trial end date, managed via our payment provider Polar.
Onboarding responses: your stated learning goals and card creation preferences.
3. How We Use Your Data
We use your personal data to:
- Provide and operate the Service — store your flashcards, schedule reviews, and track your learning progress.
- Authenticate you and maintain session security.
- Process AI generation requests by sending your submitted text or PDF content to Google Gemini.
- Send transactional emails (verification, password reset, review reminders) via our email provider, Resend.
- Deliver push notifications for review reminders, if you have opted in.
- Process payments and manage subscriptions via Polar.
- Collect aggregated, anonymised product analytics using Cloudflare Analytics Engine (e.g., number of reviews completed, decks created).
- Monitor AI output quality using generation logs, to improve the Service.
4. Third-Party Services
We share data with the following third-party services, solely to provide and operate the Service:
| Service | Purpose | Data Shared |
|---|---|---|
| Google Gemini | AI card and course generation | Text or PDF content you submit for generation |
| Resend | Transactional email delivery | Email address, name |
| Polar | Payment and subscription processing | Email address, subscription status |
| Cloudflare | Hosting, database, analytics | All data (as infrastructure provider); analytics are aggregated and non-personally-identifiable |
| GitHub / Google | OAuth authentication | OAuth tokens, profile information (name, email, avatar) |
5. AI Data Processing
When you use our AI-powered generation features, the text or PDF content you provide is sent to Google Gemini for processing. Both your input and the generated output are logged in our database to monitor quality and debug issues. These logs are retained for as long as your account exists and are permanently deleted when you delete your account.
AI generation is limited to 3 requests per 24-hour period per user.
6. Cookies and Local Storage
We use only essential cookies (session token, access token, theme preference). We do not use any third-party tracking or advertising cookies. We also use your browser's local storage for UI preferences and offline caching.
For full details, see our Cookie Policy.
7. Data Retention
We retain your personal data for as long as your account is active. Session data expires according to its lifecycle. AI generation logs are retained while your account exists. When you delete your account, all associated data is permanently removed after the grace period described below.
8. Account Deletion
You can request account deletion from within the app. Once requested, there is a 30-day grace period during which you can cancel the deletion. After 30 days, all data associated with your account — including decks, cards, review history, generation logs, notification settings, and subscription data — is permanently and irreversibly deleted.
9. Your Rights
Under the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018, you have the right to:
- Access your personal data.
- Rectification — request correction of inaccurate data.
- Erasure ("right to be forgotten") — available via account deletion.
- Restriction of processing.
- Data portability — we do not currently offer automated data export. Contact us at support@memcard.dev to request a manual export.
- Object to processing.
- Withdraw consent at any time, where processing is based on consent.
- Lodge a complaint with the Information Commissioner's Office (ICO) at ico.org.uk.
To exercise any of these rights, contact us at support@memcard.dev.
10. Children's Privacy
memcard is not intended for children under the age of 13. We do not knowingly collect personal data from anyone under 13. If we become aware that we have collected data from a child under 13, we will delete it promptly. Users aged 13 to 17 should have parental or guardian consent before using the Service.
11. International Transfers
Your data is processed on Cloudflare's global network. Cloudflare provides appropriate safeguards for international data transfers in accordance with applicable data protection law.
12. Changes to This Policy
We may update this Privacy Policy from time to time. The "Last updated" date at the top of this page will reflect the most recent revision. We encourage you to review this page periodically.
13. Governing Law
This Privacy Policy is governed by and construed in accordance with the laws of England and Wales.
14. Contact
For any privacy-related questions or to exercise your rights, please contact us at support@memcard.dev.