
Privacy Policy

Last updated: March 21, 2026

This Privacy Policy explains how studycards.io collects, processes and protects personal data when you use our website and services. We operate globally and follow the requirements of the European General Data Protection Regulation (GDPR).

By using studycards.io you agree to the practices described in this Privacy Policy.

1. Data Controller

The controller responsible for the processing of personal data within the meaning of Art. 4(7) GDPR is:

Persolab GbR

Enes Kayali

Friedrich-Heene-Straße 7

67061 Ludwigshafen am Rhein, Germany

Email: studycardsio@outlook.de

2. Personal Data We Collect

2.1 Account and Login Information

When you create an account or sign in using a third-party authentication provider, the following data may be transmitted to us:

  • Email address
  • Name or display name
  • Profile picture (if available)
  • Provider-specific identifier
  • Authentication metadata (such as creation date)

We do not receive or store passwords from any authentication provider.

Currently supported authentication provider:

  • Google (via Supabase Auth)

Additional providers may be added in the future. This policy will be updated accordingly.

2.2 Technical and Usage Data

When you access our service, we automatically collect:

  • IP address
  • Browser type and version
  • Device information
  • Time and date of access
  • Pages visited and interactions
  • Referring and exit URLs

This information is required to maintain the functionality, stability and security of the service. Legal basis: Art. 6(1)(f) GDPR (legitimate interest).

2.3 User-Generated Content

To provide our flashcard creation features we store:

  • Flashcard set titles and descriptions
  • Flashcard content (questions and answers)
  • Images uploaded to flashcards

This content is private and only visible to you unless you choose to share it in the future.

2.4 Uploaded Files

When you upload documents (PDF files or images) for AI-assisted flashcard generation, these files are temporarily processed to extract text content. The extracted text is sent to third-party AI services (see Section 6) for flashcard generation. Uploaded files are not stored permanently beyond the processing period unless they are attached to flashcard sets.

2.5 Payment Data

When you subscribe to a paid plan, the following data is processed by our payment provider Stripe:

  • Name and email address
  • Payment method details (credit card, SEPA, etc.)
  • Billing address
  • Transaction history and subscription status

We do not store full payment card numbers on our servers. Payment data is processed exclusively by Stripe, Inc. (USA) under PCI-DSS Level 1 certification. We only store your Stripe customer ID and subscription status in our database. For details see Stripe's Privacy Policy.

2.6 Cookies

We use strictly necessary cookies to maintain sessions and provide secure login. These cookies do not require consent under Art. 5(3) of the ePrivacy Directive as they are essential for the service to function. We do not use advertising or tracking cookies.

3. How We Use Your Data

We process personal data only for the following purposes:

  • To create and manage user accounts
  • To authenticate users via third-party providers
  • To store and synchronise flashcard sets
  • To generate flashcards from uploaded documents using AI
  • To process payments and manage subscriptions
  • To enable PDF export of flashcards
  • To send transactional emails (e.g. feedback confirmations)
  • To detect and prevent abuse (bot protection)
  • To monitor errors and maintain service stability
  • To operate, improve and secure our service
  • To fulfil legal obligations

We never sell personal data.

4. Legal Basis for Processing

Under the GDPR we rely on:

  • Art. 6(1)(b) GDPR — Performance of a contract: Account creation, flashcard storage, AI-based flashcard generation, payment processing, PDF export
  • Art. 6(1)(f) GDPR — Legitimate interest: Error tracking, server logging, bot protection, security measures, service stability
  • Art. 6(1)(a) GDPR — Consent: Optional analytics (if implemented in the future)

5. Third-Party Service Providers (Data Processors)

We use the following third-party providers to operate our service. Where required, data processing agreements (Art. 28 GDPR) are in place.

Supabase, Inc. (USA)

Database storage, user authentication, file storage. Processes: account data, flashcard content, uploaded images. Data location: EU (Frankfurt) or US depending on project configuration.

Cloudflare, Inc. (USA)

Website hosting (Cloudflare Pages), CDN, DDoS protection, DNS. Additionally: Cloudflare Workers AI for server-side PDF text extraction, and Cloudflare Turnstile for bot protection on forms. Processes: IP addresses, request metadata, uploaded document content (for AI extraction), Turnstile interaction data.

OpenAI, Inc. (USA)

AI-powered flashcard generation from user-provided text. When you use the flashcard generation feature, the text extracted from your uploaded documents or manually entered content is sent to OpenAI's API. OpenAI processes this data as a data processor under their API data usage policy and does not use API inputs for model training.

LlamaIndex, Inc. (LlamaParse, USA)

Fallback PDF-to-text extraction service. When Cloudflare Workers AI is unavailable, uploaded PDF documents may be sent to the LlamaParse API for text extraction. Processes: uploaded PDF document content.

Stripe, Inc. (USA)

Payment processing and subscription management. Processes: name, email, payment method, billing address, transaction data. Stripe is PCI-DSS Level 1 certified. See Stripe's Privacy Policy.

Mailgun Technologies, Inc. (USA)

Transactional email delivery (e.g. feedback confirmations). Uses EU endpoint (api.eu.mailgun.net). Processes: recipient email address, email content.

Functional Software, Inc. — Sentry (USA)

Client-side error tracking and performance monitoring. Processes: IP address (anonymised), browser information, error stack traces, page URLs. No personal content data is intentionally transmitted.

Better Stack, Inc. (BetterStack / Logtail)

Server-side structured logging and monitoring. Processes: server log entries which may contain IP addresses, request paths and error messages.

Google Ireland Limited (Ireland/USA)

OAuth authentication provider. When you sign in with Google, Google transmits your profile data (name, email, profile picture) to us via Supabase Auth. See Google's Privacy Policy.

6. AI-Based Data Processing

Our service uses artificial intelligence to generate flashcards from content you provide. This involves the following processing:

  • Document extraction: Uploaded PDF files and images are converted to text using Cloudflare Workers AI or LlamaParse (fallback)
  • Flashcard generation: The extracted or manually entered text is sent to OpenAI's API (currently GPT-4.1-mini) to generate structured flashcard content

Important information about AI processing:

  • Data is sent to servers in the United States. Transfer safeguards are described in Section 8
  • OpenAI does not use data submitted via its API for training its models
  • Uploaded documents are processed transiently and are not stored permanently by the AI providers
  • You should not upload documents containing sensitive personal data of third parties (e.g. medical records, financial data of others)

Legal basis: Art. 6(1)(b) GDPR (performance of a contract — the AI-based flashcard generation is a core feature of the service you use).

7. Bot Protection (Cloudflare Turnstile)

We use Cloudflare Turnstile to protect certain forms from automated abuse. Turnstile is a privacy-preserving alternative to traditional CAPTCHAs. It may process:

  • IP address
  • Browser and device characteristics
  • Interaction patterns on the page

No personal tracking cookies are set by Turnstile. Legal basis: Art. 6(1)(f) GDPR (legitimate interest in preventing abuse and protecting the service).

8. International Data Transfers

Several of our service providers are based in the United States (OpenAI, Stripe, Cloudflare, Sentry, BetterStack, LlamaParse). When personal data is transferred outside the European Economic Area, we ensure appropriate safeguards are in place:

  • EU-US Data Privacy Framework (where the provider is certified under the DPF)
  • Standard Contractual Clauses (SCCs) approved by the European Commission
  • Adequacy decisions by the European Commission
  • Additional technical and organisational measures

Where possible, we use EU-based endpoints (e.g. Mailgun EU, Supabase EU regions).

9. Data Retention

We retain personal data only as long as necessary for the purposes described in this policy:

  • Account data: Stored for the duration of your account. Deleted upon account deletion request, subject to legal retention obligations
  • Flashcard content: Stored for the duration of your account. Deleted when you delete sets or your account
  • Uploaded files: Processed transiently for text extraction. Images attached to flashcards are stored for the duration of your account
  • Payment data: Transaction records are retained for the legally required period (up to 10 years under German commercial and tax law, §§ 147 AO, 257 HGB)
  • Server logs: Retained for up to 90 days for security and debugging purposes, then automatically deleted
  • Error tracking data (Sentry): Automatically deleted after 90 days

10. Your Rights under the GDPR

You have the following rights regarding your personal data:

  • Right of access (Art. 15 GDPR) — obtain information about your stored data
  • Right to rectification (Art. 16 GDPR) — correct inaccurate data
  • Right to erasure (Art. 17 GDPR) — request deletion of your data
  • Right to restriction (Art. 18 GDPR) — restrict processing in certain cases
  • Right to data portability (Art. 20 GDPR) — receive your data in a structured, machine-readable format
  • Right to object (Art. 21 GDPR) — object to processing based on legitimate interest
  • Right to withdraw consent (Art. 7(3) GDPR) — withdraw consent at any time without affecting the lawfulness of prior processing
  • Right to lodge a complaint — with a supervisory authority, in particular in the Member State of your habitual residence. The competent authority for us is: Der Landesbeauftragte für den Datenschutz und die Informationsfreiheit Rheinland-Pfalz (www.datenschutz.rlp.de)

To exercise your rights please contact us at studycardsio@outlook.de. We will respond within one month of receiving your request.

11. Security Measures

We apply appropriate technical and organisational measures to protect personal data including:

  • TLS encryption for all data in transit
  • Encryption at rest for database and file storage
  • Row-Level Security (RLS) policies on all database tables
  • JWT-based authentication with secure token handling
  • Input validation and sanitisation (Zod schemas, XSS protection)
  • Continuous error monitoring and structured logging

Although no online service can guarantee complete security, we continuously improve our processes.

12. Accounts Created through Third-Party Providers

When you use Google (or another third-party provider) to sign in:

  • The provider remains responsible for the authentication process
  • We only store basic profile information required to operate the service
  • You may manage or revoke access permissions directly within the provider account (e.g. Google Account Permissions)
  • Deleting your studycards.io account does not delete your provider account

13. Children's Privacy

The service is not intended for children under the age of sixteen. We do not knowingly collect personal data from users under this age. If we become aware of such processing, we will promptly delete the data and the associated account.

14. Changes to this Policy

We may update this Privacy Policy periodically. The latest version is always available on this page with the updated date shown at the top. Significant changes will be announced through the website. We recommend reviewing this page regularly.

15. Contact

For questions or privacy-related requests please contact:

Email: studycardsio@outlook.de

Persolab GbR

Enes Kayali

Friedrich-Heene-Straße 7

67061 Ludwigshafen am Rhein, Germany