Privacy Policy

Last updated: February 12, 2026

Introduction

Welcome to Palabra ("we", "our", or "us"). We are committed to protecting your privacy and ensuring you have a positive experience while using our Spanish vocabulary learning application (the "App").

This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our App. Please read this privacy policy carefully. If you do not agree with the terms of this privacy policy, please do not access the App.

We reserve the right to make changes to this Privacy Policy at any time. We will notify you of any changes by updating the "Last updated" date of this Privacy Policy. You are encouraged to periodically review this Privacy Policy to stay informed of updates.

Information We Collect

Personal Information You Provide to Us

We collect the following personal information that you voluntarily provide when you register for an account:

  • Email Address: Used for account creation, authentication, and communication
  • Password: Stored securely using industry-standard bcrypt hashing (we never store plain-text passwords)
  • Display Name: Optional, used to personalize your experience

Learning Data

To provide our core vocabulary learning service, we collect and store:

  • Vocabulary Words: Spanish words you add to your vocabulary list
  • Translations and Examples: English translations and example sentences
  • Review History: Your review attempts, ratings, and performance data
  • Study Statistics: Cards reviewed, accuracy rates, study time, streaks
  • Proficiency Level: Your self-selected CEFR level (A1-C2)
  • Preferences: App settings, notification preferences, and learning preferences

Automatically Collected Information

When you use the App, we automatically collect certain information:

  • Device Information: Browser type, operating system, device type
  • Usage Data: Pages visited, features used, time spent in app
  • Performance Data: App performance metrics, error logs
  • Log Data: IP address (anonymized), timestamps, referrer URL

Payment Information

If you subscribe to Premium features:

  • Payment Processing: Handled entirely by Stripe (we never see or store your credit card information)
  • Subscription Data: We store your subscription tier, status, and dates
  • Stripe Customer ID: Used to manage your subscription and billing

How We Use Your Information

We use the information we collect for the following purposes:

  • Provide Core Functionality: Enable vocabulary learning, spaced repetition, and progress tracking
  • Personalization: Adapt content to your proficiency level and learning patterns
  • AI-Generated Content: Generate contextual examples tailored to your level
  • Cloud Synchronization: Sync your data across devices (optional)
  • Account Management: Create and manage your account
  • Subscription Management: Process payments and manage premium features
  • Analytics & Improvement: Understand usage patterns and improve the App
  • A/B Testing: Test new features to improve learning effectiveness
  • Customer Support: Respond to your inquiries and provide assistance
  • Security: Protect against fraud, abuse, and unauthorized access
  • Legal Compliance: Comply with legal obligations and enforce our Terms of Service

Data Storage & Security

Local Storage (Your Device)

Palabra is an offline-first application. Your vocabulary data is primarily stored locally on your device using:

  • IndexedDB: Stores vocabulary, review history, and progress data
  • LocalStorage: Stores preferences and app settings
  • Service Worker Cache: Enables offline functionality

Important: This local data is not automatically backed up. If you delete the app or clear browser data, your local vocabulary will be lost unless you have enabled cloud sync.

Cloud Storage (Optional)

If you create an account, your data is synchronized to our cloud database:

  • Database: Neon PostgreSQL (hosted in the US)
  • Encryption: Data encrypted in transit (TLS 1.3) and at rest (AES-256)
  • Backups: Automated daily backups with 30-day retention
  • Access Control: Strict access controls and authentication

Security Measures

We implement industry-standard security measures:

  • Password Hashing: Bcrypt with salt (industry standard)
  • JWT Authentication: The token is kept in an HTTP-only cookie that page scripts cannot read, which protects it from theft through XSS attacks
  • HTTPS: All data transmission encrypted with TLS 1.3
  • Rate Limiting: Prevents brute-force and abuse
  • Regular Updates: Dependencies updated to patch security vulnerabilities

However, no method of transmission over the Internet or electronic storage is 100% secure. While we strive to use commercially acceptable means to protect your information, we cannot guarantee absolute security.

Third-Party Services

We use the following third-party services to provide and improve the App:

Stripe (Payment Processing)

Purpose: Process subscription payments and manage billing

Data Shared: Email address, subscription tier

Privacy Policy: https://stripe.com/privacy

OpenAI (AI-Generated Examples)

Purpose: Generate contextual example sentences

Data Shared: Spanish words, proficiency level (no personal information)

Privacy Policy: https://openai.com/privacy

Vercel (Hosting & CDN)

Purpose: Host the App and deliver content globally

Data Shared: Request logs, IP addresses (anonymized)

Privacy Policy: https://vercel.com/legal/privacy-policy

Neon (Database Hosting)

Purpose: Host PostgreSQL database for cloud sync

Data Shared: All cloud-synced user data

Privacy Policy: https://neon.tech/privacy-policy

Important: We do not use third-party analytics (Google Analytics, Facebook Pixel, etc.) or advertising networks. Your data is never sold to third parties.

Your Rights & Choices

You have the following rights regarding your personal information:

Access & Portability

You can access and export your data at any time:

  • Export Vocabulary: Settings → Data Management → Export to CSV
  • View All Data: Contact us at kbrookes2507@gmail.com for a complete data export

Correction & Update

You can update your personal information:

  • Account Settings: Settings → Account → Update email, name, proficiency level
  • Vocabulary Data: Edit or delete any vocabulary word at any time

Deletion (Right to be Forgotten)

You can delete your data:

  • Account Deletion: Settings → Account → Delete Account (permanent, cannot be undone)
  • What Gets Deleted: All personal information, vocabulary, review history, and progress data
  • What Remains: Anonymized analytics (no personal identifiers), cached AI-generated examples (shared across users)
  • Processing Time: Immediate deletion from active database, complete removal from backups within 30 days

Opt-Out of Cloud Sync

You can use Palabra without creating an account:

  • Guest Mode: Use the App with 100% local storage (no cloud sync)
  • Offline-First: All features work offline without an account
  • Limitations: No multi-device sync, data lost if you clear browser data

Marketing Communications

We do not send marketing emails. You will only receive:

  • Transactional Emails: Account creation, password reset, subscription changes (cannot opt out)
  • Push Notifications: Optional daily review reminders (can be disabled in Settings)

Children's Privacy (COPPA Compliance)

Palabra is intended for users aged 13 and older. We do not knowingly collect personal information from children under 13 years of age.

If you are a parent or guardian and believe your child under 13 has provided us with personal information, please contact us at kbrookes2507@gmail.com. We will delete such information from our systems within 48 hours.

Users aged 13-17 may use the App but should do so with parental consent and supervision.

International Users (GDPR & CCPA)

European Users (GDPR)

If you are located in the European Economic Area (EEA), you have additional rights under the General Data Protection Regulation (GDPR):

  • Legal Basis: We process your data based on consent (account creation), contract (subscription), and legitimate interest (app improvement)
  • Data Transfers: Your data may be transferred to the US (where our servers are located). We ensure adequate safeguards through standard contractual clauses.
  • Right to Object: You can object to processing of your data for direct marketing or legitimate interests
  • Right to Restrict: You can request restriction of processing in certain circumstances
  • Right to Lodge Complaint: You can file a complaint with your local data protection authority

California Users (CCPA/CPRA)

If you are a California resident, you have rights under the California Consumer Privacy Act (CCPA):

  • Right to Know: Request information about personal data collected, used, and shared
  • Right to Delete: Request deletion of your personal information
  • Right to Opt-Out: We do not sell personal information, so no opt-out is necessary
  • Right to Non-Discrimination: We will not discriminate against you for exercising your CCPA rights

To exercise your rights, contact us at kbrookes2507@gmail.com with "CCPA Request" in the subject line.

Data Retention

We retain your data for the following periods:

  • Active Accounts: Indefinitely, as long as your account is active
  • Inactive Accounts: After 2 years of inactivity, we send a warning email. After a further 30 days, the account is deleted.
  • Deleted Accounts: Immediately removed from active database, purged from backups within 30 days
  • Anonymized Analytics: Retained indefinitely (no personal identifiers)
  • Payment Records: 7 years (required by law for tax purposes)

Cookies & Tracking Technologies

We use the following technologies:

Essential Cookies

  • Authentication Cookie: HTTP-only cookie storing your JWT (expires in 30 days)
  • Purpose: Keep you logged in between sessions
  • Cannot be disabled: Required for app functionality

Functional Storage

  • LocalStorage: Stores app preferences, theme, notification settings
  • IndexedDB: Stores vocabulary data for offline access
  • Service Worker Cache: Caches app files for offline functionality
  • Purpose: Enable offline-first experience

No Third-Party Tracking

We do not use:

  • Google Analytics or similar analytics platforms
  • Facebook Pixel or social media tracking
  • Advertising cookies or ad networks
  • Cross-site tracking or fingerprinting

Changes to This Privacy Policy

We may update this Privacy Policy from time to time. We will notify you of any material changes by:

  • Updating the "Last updated" date at the top of this policy
  • Sending an email to your registered email address (for material changes)
  • Displaying a prominent notice in the App

Your continued use of the App after changes constitutes acceptance of the updated Privacy Policy.

Contact Us

If you have questions, concerns, or requests regarding this Privacy Policy or your data, please contact us:

Email: kbrookes2507@gmail.com

Subject Line: "Privacy Policy Question" or "Data Request"

Response Time: Within 48 hours for urgent requests, 5 business days for standard requests

This Privacy Policy was last updated on February 12, 2026.
We are committed to transparency and protecting your privacy.