Privacy Policy

Last updated: April 27, 2026

This Privacy Notice, issued by Pavel Evtushenko ("we", "us", or "our"), explains how and why we access, collect, store, use, and/or share ("process") your personal information when you interact with our services ("Services"), including when you:

Download and use our mobile application 3000 English Words Flashcards (the "App") or any other application that links to this Privacy Notice;
Engage with us in any other related ways, such as customer support, marketing, or feedback.

If you have questions or concerns, reading this Privacy Notice will help you understand your privacy rights and options. We are responsible for deciding how your personal information is handled (we are the "controller" under the UK GDPR and EU GDPR). If you do not agree with our practices, please do not use our Services. For any questions, you can contact us at pashaevtushenko@gmail.com.

SUMMARY OF KEY POINTS

What personal information do we process?

When you use the App, we process: (a) account identifiers from Apple or Google (your provider user ID, email, display name where provided), (b) your private study progress (per-card spaced-repetition state) which is stored in your own user document and is not visible to other users, (c) purchase / subscription state from Apple via RevenueCat, and (d) standard mobile-app diagnostic data (device model, OS version, IP, crash logs, anonymous usage events).

Do we process any sensitive personal information?

No. We do not process special-category data such as racial or ethnic origins, sexual orientation, religious beliefs, biometrics, or precise geolocation.

Do we collect any information from third parties?

We receive limited account-profile data (user ID, email, display name) from Apple and Google when you choose to sign in with one of those providers, and subscription / receipt status from RevenueCat (which validates your Apple receipt on our behalf). We do not buy data from data brokers.

How do we process your information?

To create and run your account, sync your study progress across your devices, manage your subscription entitlement, diagnose crashes, improve the App, and comply with law.

With whom do we share personal information?

With our processors: Google (Firebase), Apple, and RevenueCat. We do not sell your personal information and we do not share it for cross-context behavioural advertising.

How do we keep your information safe?

Apple device authentication, OAuth via Apple/Google (no passwords stored by us), encrypted transport (TLS), encryption at rest by Firebase, App Check / App Attest to limit backend access to genuine instances of the App, and strict per-user Firestore security rules.

What are your rights?

Depending on your location, you have rights to access, correct, delete, port, or restrict processing of your data, to object, and to withdraw consent. You can exercise the most common of these in-app via Settings → Delete Account, or by emailing pashaevtushenko@gmail.com.

WHAT INFORMATION DO WE COLLECT?
HOW DO WE PROCESS YOUR INFORMATION?
WHAT LEGAL BASES DO WE RELY ON TO PROCESS YOUR PERSONAL INFORMATION?
WHEN AND WITH WHOM DO WE SHARE YOUR PERSONAL INFORMATION?
WHERE DO WE STORE AND TRANSFER YOUR INFORMATION?
DO WE USE COOKIES OR OTHER TRACKING TECHNOLOGIES?
HOW DO WE HANDLE SOCIAL / OAUTH LOGINS?
HOW LONG DO WE KEEP YOUR INFORMATION?
HOW DO WE KEEP YOUR INFORMATION SAFE?
DO WE COLLECT INFORMATION FROM CHILDREN?
WHAT ARE YOUR PRIVACY RIGHTS?
CONTROLS FOR DO-NOT-TRACK FEATURES
DO UNITED STATES RESIDENTS HAVE SPECIFIC PRIVACY RIGHTS?
DO OTHER REGIONS HAVE SPECIFIC PRIVACY RIGHTS?
APPLE APP STORE PRIVACY DISCLOSURES
DO WE MAKE UPDATES TO THIS NOTICE?
HOW CAN YOU CONTACT US ABOUT THIS NOTICE?
HOW CAN YOU REVIEW, UPDATE, OR DELETE THE DATA WE COLLECT FROM YOU?

1. WHAT INFORMATION DO WE COLLECT?

1.1 Personal information you disclose to us

In short: we collect the minimum information needed to authenticate you and to sync your study progress across your devices.

Account identifiers from Apple or Google. To use the App you must sign in with Sign in with Apple or Google Sign-In. From the chosen provider we receive:

a stable user identifier (Firebase Auth UID);
your email address (which may be a relay address, e.g. an @privaterelay.appleid.com alias if you choose to hide your email with Apple);
your display name and profile photo URL where you have made them available to the provider.

We do not collect or store any password — authentication is delegated to Apple or Google.

Study data. Your per-card spaced-repetition state (which words you've seen, in which mode and CEFR level, current FSRS difficulty/stability, due date, last reviewed date, repetitions, lapses, learning step). This is written to your own document tree in Firebase Cloud Firestore (users/{your_uid}/cards/*). It is not visible to other users and is protected by per-user security rules.

Feedback. Any content you voluntarily send us by email (e.g. bug reports, support requests).

1.2 Subscription and purchase information

When you purchase a subscription (Oxford Pro), payment is processed by Apple through the App Store. We do not see your payment-card data. Receipt validation and entitlement state are handled on our behalf by RevenueCat, Inc., which receives your Firebase Auth UID and the App Store transaction identifier in order to track your subscription state.

1.3 Information automatically collected

When you use the App, we and our processors automatically collect standard diagnostic and usage information so that the App can run reliably:

Device information: device model, manufacturer, iOS version, App version, language and region, time zone.
Identifiers: Firebase installation ID, Firebase App Check / App Attest attestation, Firebase Auth UID, RevenueCat customer ID. We do not use the IDFA (Apple's advertising identifier) and we do not ask for App Tracking Transparency permission.
Network data: IP address (used by Firebase to serve requests and to detect abuse), approximate region derived from IP.
Crash and performance data (Firebase Crashlytics): stack traces, last log breadcrumbs, device state at crash, non-fatal error reports.
Anonymous usage analytics (Firebase Analytics): session start/stop, screens viewed, key product events (e.g. card reviewed, paywall shown, subscription started). Where possible these events are linked only to a Firebase pseudonymous ID, not to your account.

We do not collect:

precise geolocation (GPS);
contacts, photos, microphone, camera, calendar, health, motion;
browsing history outside the App;
biometric data.

The only audio used by the App is the pre-recorded vocabulary pronunciation that ships with the App; we do not record or transmit audio from your microphone.

2. HOW DO WE PROCESS YOUR INFORMATION?

We process your information for the following purposes:

Account creation and authentication (via Apple / Google) — to allow you to sign in and to associate your study progress with you.
Cloud sync of your study progress across your devices using Firebase Cloud Firestore.
Subscription management — verifying that your Oxford Pro entitlement is active via RevenueCat.
Crash diagnostics and stability — using Firebase Crashlytics to identify and fix bugs.
Aggregated analytics and product improvement — using Firebase Analytics to understand how the App is used in aggregate (e.g. which CEFR levels are most popular, where users drop off).
Abuse prevention and security — App Check / App Attest to ensure traffic to our backend originates from the genuine App, plus IP-based rate-limiting at the Firebase level.
Customer support — responding to emails you send us.
Legal compliance — responding to lawful requests from public authorities.

We do not use your personal information to make automated decisions that produce legal or similarly significant effects on you, and we do not profile you for behavioural advertising.

3. WHAT LEGAL BASES DO WE RELY ON TO PROCESS YOUR INFORMATION?

If you are located in the UK, EU, or EEA, this section applies to you.

The UK GDPR and EU GDPR require us to identify a legal basis for each processing activity. We rely on the following:

Performance of a contract (Art. 6(1)(b)): to authenticate you, sync your study progress, and provide subscription features once you have agreed to our Legal Terms.
Legitimate interests (Art. 6(1)(f)): to keep the App secure (App Check, App Attest, abuse prevention), to diagnose crashes, and to run aggregated, non-targeted product analytics. We have balanced these interests against your privacy rights.
Consent (Art. 6(1)(a)): where required by local law (for example, certain non-essential analytics or push notifications). You can withdraw consent at any time.
Legal obligations (Art. 6(1)(c)): to comply with applicable laws and lawful requests from authorities.
Vital interests (Art. 6(1)(d)): in the unlikely event that processing is necessary to protect someone's life.

If you are located in Canada, we may process your information based on your express or implied consent, or in the limited statutory exceptions permitted by PIPEDA (e.g. fraud detection, legal investigations, compliance with subpoenas).

4. WHEN AND WITH WHOM DO WE SHARE YOUR PERSONAL INFORMATION?

We share your information only with the processors and parties listed below, and only to the extent necessary to operate the Services.

We may also disclose your information:

In a business transfer — if we are involved in a merger, acquisition, or sale of all or part of our business, your information may be transferred as part of that transaction, subject to standard confidentiality protections.
For legal reasons — to comply with applicable law, lawful requests, court orders, or to protect our rights, property, or safety, or that of our users or the public.

We do not:

sell your personal information for money or other valuable consideration;
share your personal information for cross-context behavioural advertising;
display third-party "offer walls" or in-app advertising;
transfer your data to data brokers.

5. WHERE DO WE STORE AND TRANSFER YOUR INFORMATION?

We are based in the United Kingdom. Our processors (Google/Firebase, RevenueCat, Apple) operate global infrastructure, which means your personal information may be processed outside your country of residence, including in the United States and in the European Union.

Where data is transferred from the UK or EEA to a country that has not been deemed adequate by the UK government or the European Commission, we and our processors rely on appropriate safeguards, including the EU Standard Contractual Clauses and the UK International Data Transfer Addendum, supplemented where appropriate by the EU–US Data Privacy Framework (to which Google LLC and Apple Inc. are certified) and by additional technical and organisational measures (encryption in transit and at rest).