Privacy Policy
Last updated: May 4, 2026
1. Data Controller
The data controller for voxara.cards is Бабич Даниил Дмитриевич (Babich Daniil Dmitrievich), self-employed individual (самозанятый, НПД), Russian Federation.
Contact for privacy matters: hello@voxara.cards
2. What Data We Collect
We collect only the data necessary to provide the Service:
- Account data — email address. Passwords are hashed and managed by Supabase Auth; we never see your plaintext password.
- Profile data — display name, native language, target language. You provide this during onboarding.
- Study content — flashcard decks and cards you create; writing essays you submit for evaluation; speaking recordings you submit for feedback; reading practice results. This content is yours and is used solely to provide the Service.
- Usage data — which features you use, when, and how often, for example the number of writing checks this month. Used to enforce plan limits and show your statistics.
- Payment data — transaction identifiers and subscription status. We do not store card numbers, CVV, or full payment credentials; these are handled exclusively by our payment processors.
- Technical data — IP addresses and request metadata processed by Vercel and Supabase infrastructure. We do not run independent analytics or tracking scripts.
- Push notification subscription — browser push endpoint and encryption keys, only if you explicitly enable reminders.
3. How We Use Your Data
- To create and manage your account;
- To provide AI-powered feedback on your writing, speaking, and reading submissions for Pro users;
- To enforce Pro access controls and manage subscriptions;
- To send push notification reminders, only with your explicit opt-in;
- To display your IELTS progress statistics;
- To process payments and fulfil subscription entitlements;
- To comply with applicable legal obligations.
We do not sell your personal data. We do not use your submitted content (essays, recordings) to train AI models. We do not display advertising.
4. Legal Basis for Processing (GDPR)
For users in the EU / EEA, we process your data on the following legal bases:
- Performance of a contract (Article 6(1)(b) GDPR) — processing your account, delivering requested features, and managing your subscription.
- Legitimate interests (Article 6(1)(f) GDPR) — preventing abuse, improving the Service, ensuring platform security.
- Legal obligation (Article 6(1)(c) GDPR) — retaining payment records as required by tax law.
- Consent (Article 6(1)(a) GDPR) — push notifications. You may withdraw consent at any time in your device or browser settings.
5. Third-Party Processors
We share your data only with trusted processors who help us operate the Service. Each is bound by data processing agreements:
| Processor | Purpose | Location |
|---|---|---|
| Supabase | Database, authentication, file storage | USA (SCCs apply) |
| Vercel | Application hosting and CDN | USA / EU |
| Anthropic / ProxyAPI | AI processing for Writing, Speaking, Reading, translation, roadmap, and daily plans | USA |
| OpenAI / ProxyAPI | AI vocabulary extraction and deck analysis | USA |
| lava.top | Card payment processing | Cyprus (EU) |
| NOWPayments | Cryptocurrency payment processing | EU |
When submitting writing essays or speaking recordings for AI evaluation, the content is transmitted to the AI processor and immediately discarded after a response is returned; it is not retained by the AI provider.
6. International Data Transfers
Some processors (Supabase, Vercel, Anthropic) are located in the United States. Transfers to these processors are governed by Standard Contractual Clauses (SCCs) as approved by the European Commission. By using the Service, you acknowledge that your data may be transferred to and processed in the USA and other countries.
For users in Russia: your personal data is processed in accordance with Federal Law No. 152-ФЗ “On Personal Data”. Storage of personal data of Russian citizens on servers in the Russian Federation is handled by Supabase, which provides regional data residency options.
7. Data Retention
- Account, profile, and study data — retained for the lifetime of your account. Upon account deletion, all personal data is deleted within 30 days, except where retention is required by law.
- Payment records — retained for 5 years as required by applicable tax legislation.
- Server and request logs — retained for up to 30 days by our hosting providers (Vercel, Supabase) for security and debugging purposes.
8. Your Rights
Under GDPR (EU/EEA users) and Federal Law No. 152-ФЗ (Russian users), you have the following rights:
- Access — request a copy of your personal data;
- Rectification — correct inaccurate or incomplete data;
- Erasure — request deletion of your data (“right to be forgotten”);
- Portability — receive your data in a structured, machine-readable format;
- Restriction — request that we restrict processing in certain circumstances;
- Objection — object to processing based on legitimate interests;
- Withdrawal of consent — withdraw consent, for example for push notifications, at any time.
To exercise any of these rights, email us at hello@voxara.cards. We will respond within 30 days. We may ask you to verify your identity before fulfilling a request.
You can delete your account and associated data at any time from Settings → Delete account.
9. Cookies and Local Storage
We use browser cookies and localStorage solely for authentication session management (keeping you logged in) and user preferences (theme, language settings). These are essential for the Service to function.
We do not use advertising cookies, third-party tracking pixels, or analytics platforms such as Google Analytics.
10. Security
We implement industry-standard security measures including TLS encryption for all data in transit, encryption at rest for database storage, and row-level security policies ensuring users can only access their own data. Access to production systems is restricted to authorised personnel only.
No method of transmission or storage is 100% secure. If you discover a security vulnerability, please report it responsibly to hello@voxara.cards.
11. Children
The Service is not directed to persons under 16 years of age. We do not knowingly collect personal data from children under 16. If you believe a child has provided us with personal data, please contact us and we will delete it promptly.
12. Changes to This Policy
We may update this Privacy Policy periodically. For significant changes, we will notify you by email or via an in-app notice before the changes take effect. The “Last updated” date at the top of this page reflects the most recent revision.
13. Supervisory Authorities
EU / EEA: You have the right to lodge a complaint with the data protection authority in your country of residence. A list of EU DPAs is available at edpb.europa.eu.
Russia: You may submit a complaint to Роскомнадзор (Federal Service for Supervision of Communications, Information Technology and Mass Media) at rkn.gov.ru.
14. Contact
For any privacy-related questions or to exercise your rights: hello@voxara.cards