Privacy Policy
This Privacy Policy explains how Mehmet Ugur Kebir collects, uses, and protects your personal data when you use devocab.com. We comply with the EU General Data Protection Regulation (GDPR) and the German Bundesdatenschutzgesetz (BDSG).
1. Data Controller
Mehmet Ugur Kebir
Peter-Dörfler-Str. 24
88161 Lindenberg im Allgäu, Germany
support@devocab.com
We are a small operation and not legally required to appoint a Data Protection Officer (DPO). Direct all privacy enquiries to the email above.
2. What We Collect
At signup
- Email address
- Display name (optional, derived from your provided first/last name)
- Authentication session tokens (managed by Supabase)
During use
- Study progress: which words you have learned, review history, Leitner box state
- User-added synonyms (translations you have explicitly accepted)
- App settings: language, theme, current level
- Aggregate statistics (counts, streaks) and adaptive-learning metrics (e.g. a rolling recent-accuracy and review-load signal used to size your personalised daily plan) derived from your study activity
- A daily counter of premium-vocabulary fetches per account (used solely for abuse detection and rate limiting; see §10).
- Vocabulary watermark seed (premium users only). When a premium user first downloads the gated vocabulary set, we generate a small random seed (a number, not derived from any personal data) and store it on the account. The seed is used to select a per-account subset of marker words that are merged into the premium copy. This lets us trace an unauthorised public copy back to the originating account (see Terms §6). The seed is never shared with third parties and cannot be read by any other user.
At purchase
Payment is processed entirely by Paddle. We do not see, store, or have any access to your payment card data. From Paddle's webhooks we receive only:
- Paddle customer ID and subscription ID
- Subscription status (trial, active, cancelled, expired)
- Subscription end date
We do NOT collect
- IP addresses for tracking, profiling, or advertising. (Our hosting/CDN providers, Cloudflare and Supabase, necessarily process your IP address transiently to deliver and secure the Service, but we do not use it to track or profile you and do not store it for analytics.)
- Browsing history outside the app
- Precise location, contacts, biometric data
- Marketing analytics; we do not use tracking cookies
3. Legal Basis (GDPR Art. 6)
- Contract (Art. 6(1)(b)): account creation, study features, subscription management.
- Legitimate interest (Art. 6(1)(f)): fraud prevention, service improvement, security logging.
- Consent (Art. 6(1)(a)): only where explicitly requested in-app.
4. Third-Party Processors
To deliver the Service we use the following sub-processors, each handling your data under their own privacy terms and EU-compliant data protection agreements:
- Supabase — Authentication and database hosting. Privacy Policy
- Paddle — Payment processing as Merchant of Record. Privacy Policy
- Google LLC — OAuth sign-in (only if you choose "Sign in with Google"). Google may set its own cookies and process data on its domain under its policy. Privacy Policy
- Meta Platforms Ireland Limited (Facebook) — OAuth sign-in (only if you choose "Sign in with Facebook"). Meta may set its own cookies and process data on its domain under its policy. We receive only your email address and the OAuth identifier; no friend list, profile picture, or social-graph data is requested. Privacy Policy
- Cloudflare, Inc. — Web application hosting and CDN. Privacy Policy
- Anthropic PBC — Used offline by us to generate or refine vocabulary synonyms and example sentences before publication. No personal data, study progress, or user-generated content is ever sent to Anthropic. Only impersonal German vocabulary terms are processed. Privacy Policy
Our infrastructure processors provide GDPR Article 28 Data Processing Agreements (DPAs) as part of their service terms, governing their processing of personal data on our behalf: Cloudflare's DPA is incorporated by reference into its Self-Serve Subscription Agreement, and Supabase's DPA is accepted through its self-service legal flow. Paddle acts as our Merchant of Record; for the payment transaction it is largely an independent controller, and its DPA applies to any data processed on our behalf. Google and Meta are independent controllers for the OAuth sign-in step.
5. International Transfers
Where data is transferred outside the EU/EEA (e.g. via Cloudflare or Paddle global infrastructure), we rely on the EU Standard Contractual Clauses and our processors' adequacy mechanisms.
6. Storage and Retention
- Active account data is retained while your account exists.
- Upon account deletion request, data is removed from the live production database within 30 days, except where retention is legally required (e.g. tax-relevant records: up to 10 years per Abgabenordnung §147; payment records held by Paddle).
- Encrypted backup snapshots. Our database host (Supabase) maintains point-in-time-recovery (PITR) backups so that the database can be restored after an incident. These backups are encrypted at rest and may continue to contain a copy of your data for the rolling backup window (typically 7–30 days) after live deletion, after which they are overwritten in the normal backup rotation. Backups are accessed only for disaster recovery; they are not used for production reads.
- Local browser data (localStorage and IndexedDB) is removed when you sign out or use "Sıfırla" in Settings.
7. Your Rights (GDPR Art. 15–22)
You have the right to:
- Access your personal data (Art. 15)
- Rectify inaccurate data (Art. 16)
- Erase your data ("right to be forgotten", Art. 17)
- Restrict processing (Art. 18)
- Data portability — receive your data in a structured, machine-readable format. The app's built-in JSON export already provides this. (Art. 20)
- Object to processing (Art. 21)
- Withdraw consent at any time
To exercise any of these rights, email support@devocab.com. We respond within 30 days as required by law.
8. Supervisory Authority
You have the right to lodge a complaint with a supervisory authority. The competent authority for us is:
Bayerisches Landesamt für Datenschutzaufsicht (BayLDA)
Promenade 18, 91522 Ansbach, Germany
www.lda.bayern.de
9. Cookies and Local Storage
We use localStorage (a browser API, not cookies) for:
- Authentication session tokens (necessary)
- Application state and user settings (necessary)
- Pending sync queue and study progress cache (necessary)
We do not use marketing or analytics cookies. Supabase Auth may set a session cookie for its own auth flow on its domain (not ours). No third-party cookies are set by our site.
10. Security
We apply technical and organisational measures appropriate to the risk:
- HTTPS / TLS 1.2+ for all data in transit.
- Database access restricted by Postgres Row-Level Security: each user can read and write only their own data.
- Subscription status fields are written exclusively by server-side Edge Functions authenticated against Paddle's HMAC-signed webhooks; clients cannot modify them.
- Authentication uses industry-standard JWT bearer tokens. Passwords (where you use the e-mail/password sign-in option) are never seen or stored by us in plaintext; they are hashed and salted by Supabase Auth using bcrypt before storage. We have no access to your password. OAuth sign-in (Google, Facebook) does not involve a password held by us at all.
- Service-role database credentials and third-party API keys are stored only in server-side environment variables and are never sent to the browser.
- Premium vocabulary delivery is rate-limited per account; abnormal access patterns trigger an internal anomaly alert.
No security measure is perfect; despite our efforts we cannot guarantee that data transmission or storage will be free from unauthorised access.
11. Data Breach Notification
In the event of a personal-data breach that is likely to result in a risk to your rights and freedoms, we will:
- Notify the competent supervisory authority (BayLDA, see §8) within 72 hours of becoming aware of the breach, in accordance with Article 33 GDPR; and
- Notify affected users without undue delay where the breach is likely to result in a high risk to their rights and freedoms, in accordance with Article 34 GDPR — via the e-mail address on the affected account and, where appropriate, an in-app banner.
The notification will describe the nature of the breach, the categories and approximate number of users and records concerned, the likely consequences, and the measures taken or proposed to address it.
12. Children
The Service is not directed to children under 16. We do not knowingly collect data from children. If you become aware that a child has registered, please contact us and the account will be deleted.
13. Changes
Material changes to this Privacy Policy will be communicated by email or in-app banner. Continued use after the effective date constitutes acceptance.