Privacy Policy

Last updated: April 2026

This Privacy Policy explains how FlashcardAI ("we", "us", or "our"), operated by Mohammad M. Movahedi Najafabadi, collects, uses, and protects your personal data when you use flashcardai.app. It applies to users in the European Union, Germany, the United Kingdom, Canada, and the United States.

1. Data Controller

The data controller responsible for your personal data is:

Mohammad M. Movahedi Najafabadi
[ADDRESS PLACEHOLDER — to be updated]
Email: privacy@flashcardai.app

2. Data We Collect

Account data

When you register, we collect your email address, display name, and a hashed (bcrypt) password. We also store your subject preference (e.g. Medicine, Pharmacy, Chemistry) chosen during onboarding.

IP addresses

We record your IP address at the time of account registration (registration IP) and update it on each successful login (last known IP). These are stored as part of your account record for security, fraud prevention, and compliance with legal obligations under EU DSA and German NetzDG. They are not stored only in server logs — they are retained as account data until your account is deleted or as required by law.

Phone number (optional)

You may voluntarily provide a phone number in your account settings. This is used solely for identity verification if required by law enforcement or regulatory authorities. It is never used for marketing.

User-generated content

Flashcard decks and individual cards you create, including any text content used to generate AI flashcards. Public decks are visible to all users and may be subject to content moderation.

Study and usage data

Spaced repetition (SRS) progress, study session history, and daily/weekly/monthly activity statistics.

Content reports and moderation data

When a user submits a report about a public deck, we store: the reporter's user ID, the reported deck ID, the reason category, and any details provided. We also store moderation actions taken against accounts (warnings, bans, and ban history), including reasons and the IP address at the time of action. This data is retained for platform integrity and legal compliance purposes.

Technical data

Browser type and device information sent as part of standard HTTP requests.

Communications

Email address used to send account verification codes and transactional notifications (e.g. password reset, 2FA codes).

3. Legal Basis for Processing (GDPR / UK GDPR)

  • Contract performance (Art. 6(1)(b) GDPR): Account registration, authentication, flashcard storage, and study features are necessary to provide the service.
  • Legitimate interest (Art. 6(1)(f) GDPR): IP logging for fraud prevention, abuse detection, and platform security.
  • Legal obligation (Art. 6(1)(c) GDPR): Retaining moderation records, IP addresses, and user identity data as required by EU DSA (Regulation (EU) 2022/2065), German NetzDG (Netzwerkdurchsetzungsgesetz), and other applicable law, including cooperation with law enforcement authorities.
  • Consent (Art. 6(1)(a) GDPR): Phone number collection — provided voluntarily and removable at any time.

4. Third-Party Processors

We share data with the following processors solely to operate the service:

Processor | Purpose | Location
Groq Inc. | AI flashcard generation from text | USA
OpenRouter / Google | AI flashcard generation from PDF | USA
Resend Inc. | Transactional email delivery | USA
VPS Provider | Server hosting and database | EU

Transfers to US-based processors are carried out under Standard Contractual Clauses (SCCs) or equivalent safeguards as required by GDPR Chapter V.

5. Data Retention

  • Account data (name, email, username, bio): retained until you delete your account.
  • Flashcard content and study data: retained until account deletion.
  • IP addresses (registration IP and last known IP): retained as part of your account record until account deletion, or longer if required by law.
  • Phone number: retained until you remove it in settings or delete your account.
  • Content reports: retained for 2 years from submission for audit and legal compliance purposes.
  • Moderation records (warnings, bans, ban history): retained for 3 years from the date of action, in accordance with EU DSA Art. 17 record-keeping obligations.
  • Email verification and 2FA codes: expire after 10 minutes and are deleted after use.

5a. Content Moderation & EU DSA Compliance

FlashcardAI operates a content moderation system for public decks in compliance with the EU Digital Services Act (DSA, Regulation (EU) 2022/2065) and German NetzDG.

  • Reporting: Any registered user may report a public deck for illegal content, copyright violation, hate speech, misinformation, spam, violence, or other policy violations.
  • Review: Reports are reviewed by our moderation team within 24 hours.
  • Actions: We may issue warnings, remove content (set decks to private), or suspend/ban accounts. Account bans are logged permanently for legal compliance.
  • Auto-escalation: Accounts that receive 3 or more warnings within a rolling 90-day period are automatically suspended pending review, in line with EU DSA Art. 23 obligations regarding repeat infringers.
  • Appeals: You may appeal any moderation decision by contacting privacy@flashcardai.app. We respond within 14 days.

5b. Law Enforcement & Disclosure

We may be required by law to disclose personal data to law enforcement, courts, or regulatory authorities. Data that may be disclosed includes: account information, IP addresses (registration and last known), phone number (if provided), flashcard content, and moderation history.

We will notify you of such a request unless we are legally prohibited from doing so (e.g. by a court order or gag order). Disclosures under German NetzDG are made without prior user notification where the law requires.

6. Your Rights

Depending on your location, you have the following rights regarding your personal data:

  • Access: Request a copy of the personal data we hold about you.
  • Rectification: Correct inaccurate or incomplete data.
  • Erasure ("Right to be Forgotten"): Request deletion of your account and all associated data.
  • Portability: Receive your data in a structured, machine-readable format.
  • Restriction: Request that we limit processing of your data.
  • Objection: Object to processing based on legitimate interest.
  • Withdraw consent: Where processing is based on consent, withdraw it at any time.
  • California (CCPA): Right to know, delete, and opt out of sale of personal information. We do not sell personal data.
  • Canada (PIPEDA): Right to access and challenge accuracy of your personal information.

To exercise any right, email privacy@flashcardai.app. We respond within 30 days.

You also have the right to lodge a complaint with your local data protection authority. In Germany: Bundesbeauftragte für den Datenschutz (BfDI).

7. Cookies

We use only essential cookies required to operate the service (authentication tokens). We do not use tracking, analytics, or advertising cookies. See our Cookie Policy for details.

8. Children's Privacy

FlashcardAI is not directed at children under 16. We do not knowingly collect personal data from children under 16. If you believe a child has provided us with personal data, please contact privacy@flashcardai.app.

9. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify registered users of material changes by email. Continued use of the service after changes constitutes acceptance.

10. Contact

For any privacy-related questions or data requests:
privacy@flashcardai.app