This Privacy Policy explains how independent developer Serhii Chertkov (hereinafter the "Developer", "we") collects, uses, and protects your personal information when using the mobile application "English Notes" (EduScar) (hereinafter the "Application"). Please also review our Terms and Conditions, which govern your use of the Application.
We respect your privacy. We do not sell your personal data to data brokers or third-party advertising agencies.
0. DEFINITIONS
For the purposes of this Privacy Policy, the following terms shall have the meanings set forth below:
- "Personal Data" means any information relating to an identified or identifiable natural person (“User”).
- "Processing" means any operation or set of operations performed on Personal Data, whether or not by automated means.
- "Controller" means the Developer, who determines the purposes and means of the Processing of Personal Data.
- "Processor" means third-party service providers (Firebase, Cloudflare, Resend, etc.) that process Personal Data on behalf of the Controller.
- "Profiling" means any form of automated processing of Personal Data consisting of the use of Personal Data to evaluate certain personal aspects relating to a natural person.
1. INFORMATION WE COLLECT
We collect the minimum necessary amount of data to ensure the operation of the Application:
1.1. Data provided by you:
- Registration Data: Name, email address, and unique user identifier (UID) obtained during registration via Apple, Google, or Email (using Firebase Authentication).
- Profile Data: Nickname, selected English level, learning goals, pace, and native language.
1.2. Data collected automatically:
- Analytics and Usage: Information about completed tests, number of added words, statistics on spaced repetition (FSRS), and session times.
- Technical Data: OS version, Application version, time zone, device language, anonymized Device ID, and IP address.
- Push Notifications: Firebase Cloud Messaging (FCM) and Apple Push Notification service (APNs) tokens to send you study reminders.
- Cookies and Similar Technologies: The Application uses minimal technical cookies and SDKs (Firebase, Cloudflare) solely for authentication, security, and basic functionality. We do not use advertising cookies or cross-site tracking. You can manage preferences through your device settings.
- Biometric and Health Data: We do not request access to, collect, or process any biometric data. Specifically, the Application does not use Apple's TrueDepth API, HealthKit, or any facial recognition technologies.
1.3. Local and Synchronized Data:
Your personal text notes and added words are stored locally on your device.
To ensure the safety of your information and allow access from different devices, the Application may perform automatic backups and synchronization of this data with our secure cloud servers.
2. HOW WE USE YOUR INFORMATION
2.0. Legal Bases for Processing
We process your Personal Data only when we have a valid legal basis under applicable data protection laws, including Article 6 of the GDPR:
- Performance of a contract (Art. 6(1)(b) GDPR) – to provide the core functionality of the Application, including account creation, data synchronization, and spaced repetition algorithms.
- Your consent (Art. 6(1)(a) GDPR) – for marketing emails, push notifications, and certain non-essential analytics. You may withdraw consent at any time.
- Legitimate interests (Art. 6(1)(f) GDPR) – for fraud prevention, security, product improvement, and crash analytics. We have conducted a Legitimate Interest Assessment (LIA) to ensure our interests do not override your rights.
- Compliance with legal obligations – when required by law or lawful government requests.
2.1. Purposes of Processing
We use the collected data solely for the following purposes:
- Ensuring the operation of algorithms and personalization of tests.
- Synchronizing your data, profile, and progress between devices.
- Sending transactional emails (e.g., password resets), as well as informational and marketing email newsletters (e.g., weekly statistics or Application news), if you have given explicit consent in the profile settings. You may opt-out of marketing mailings at any time via Application settings or the "Unsubscribe" link in the email itself.
- Sending push notifications (study reminders, achievements), if you have given consent.
- Analyzing crashes (Crashlytics) and improving user experience using our own analytical system.
2.2. Processing of Personal Notes and Words
The texts of your personal notes and added words are processed by the Application automatically and solely for the purpose of cloud synchronization and backup.
The Developer's policies and technical measures (role-based access control, logging, and the absence of a manual interface) exclude manual access to the content of your notes, except in strictly necessary cases: (i) automated server maintenance, (ii) compliance with lawful requests from law enforcement authorities, or (iii) protection of the Developer's rights in legal proceedings. The Developer does not manually review, edit, or moderate the content of your personal notes.
2.3. Automated Decision-Making and Profiling
The Application uses algorithms, including the FSRS spaced repetition system, to personalize tests and learning recommendations. This constitutes profiling within the meaning of Article 4(4) GDPR. However, it does not result in decisions that produce legal effects or similarly significantly affect you (Art. 22 GDPR).
3. THIRD-PARTY SERVICES
3.1. Service Providers
As the Application is maintained by an independent developer, we use reliable third-party cloud services (BaaS) for data processing:
- Google (Firebase): For user authentication (Firebase Auth), sending notifications (FCM), and collecting basic crash analytics.
- Apple: For authorization (Sign in with Apple).
- Cloudflare: For secure routing of analytical data and profile synchronization.
- Resend: For secure sending of transactional emails (password reset, account confirmation), as well as informational and marketing newsletters (subject to your consent).
These providers comply with strict international security standards (GDPR, CCPA) and process data only according to our instructions.
3.2. International Data Transfers
Since our processors (Google, Cloudflare, Resend) are located in the United States and other countries outside your jurisdiction, your data may be transferred outside the EEA, Ukraine, or your country of residence.
To ensure an adequate level of protection, we rely on the European Commission's Standard Contractual Clauses (SCCs) – Module 2 (Controller-to-Processor), adopted by Decision 2021/914. We also implement additional technical safeguards (encryption in transit and at rest) and have conducted a Transfer Impact Assessment.
By using the Application, you consent to such international transfers.
3.3. California Privacy Rights (CCPA/CPRA)
We do not sell or share your personal information for monetary consideration as defined under the California Consumer Privacy Act (CCPA/CPRA).
We do not use your data for targeted advertising based on cross-context behavioral advertising without your consent.
California residents have the right to request that we do not sell or share their personal information. Since we do not engage in such activities, a dedicated "Do Not Sell or Share" mechanism is not required. You may withdraw your consent for any processing at any time through the Application settings or by emailing us.
4. DATA SECURITY
4.1. Cloud Infrastructure and Certificates: All data transmitted for synchronization and analytics is processed and stored using Cloudflare's advanced cloud infrastructure.
Network requests are protected by HTTPS encryption protocol and authorization tokens.
Cloudflare's infrastructure regularly undergoes independent audits and possesses leading international security and privacy certificates, ensuring the protection of your data at the highest industry standards. Cloudflare’s certifications include:
- ISO/IEC 27001 (Information Security Management Standard) - Read more
- ISO/IEC 27701 (Privacy Information Management Standard) - Read more
- ISO/IEC 27018 (Protection of Personal Data in the Cloud) - Read more
- SOC 2 Type II - Read more
- Full compliance with GDPR (Read more) and CCPA (Read more)
4.2. Security Limitations: Despite using advanced protection technologies, no method of transmission over the Internet or electronic storage is 100% secure. The Developer makes all reasonable efforts to protect your personal information but cannot guarantee its absolute security against cyberattacks outside of our control.
4.3. Data Breach Notification
In the event of a Personal Data breach that is likely to result in a risk to your rights and freedoms, we will notify the relevant supervisory authority without undue delay and, where feasible, within 72 hours (in accordance with GDPR Article 33). If the breach is likely to result in a high risk to you, we will also notify affected Users without undue delay (GDPR Article 34) and take all reasonable measures to mitigate potential harm.
5. DATA STORAGE AND DELETION
5.1. Retention Periods. The Developer retains your personal data only for as long as your account is active or as necessary to provide the functionality of the Application.
5.2. Deletion of Individual Items (Words, Notes, Tests). When you delete individual records, words, or personal notes within the Application, such items are immediately hidden from your user interface. Final physical deletion from the synchronization servers may take up to thirty (30) days. This period is required solely for technical reasons related to asynchronous data transmission and is necessary to: (i) synchronize database state across your devices that may be offline; (ii) prevent data conflicts from outdated copies upon reconnection; and (iii) complete routine database compaction and log processes on the cloud infrastructure.
During the entire 30-day period, the deleted data remains in a “beyond use” state (inaccessible for any analysis, processing, or access except for automated cleanup processes). The deleted content is not analyzed and is not used for algorithm personalization or any other purpose. Only anonymized technical identifiers — deletion markers (tombstones) that do not contain the original text of notes or words — are stored for synchronization safety. The Developer makes all reasonable efforts to minimize this technical retention period, taking into account the limitations of the cloud infrastructure (Firebase, Cloudflare).
5.3. Account Deletion Procedure. You may initiate full deletion of your account and associated data at any time by:
- Using the in-app function: Profile → Personal Data → Delete Account;
5.4. Consequences of Account Deletion. Upon confirmation of an account deletion request:
- All identification data is immediately and permanently removed from Firebase Auth;
- All associated user data and profile information (including name, nickname, personal notes, word lists, test statistics, FSRS history, and technical analytics such as push tokens) are immediately deleted from the active database servers (however, in case of technical delays, this process may take up to 14 days). Once deleted from the active servers, this data cannot be restored (see backup policy below);
- A full local data wipe is initiated on your mobile device;
- Data in backup systems is automatically removed during the standard backup rotation cycle (up to 30 days). Until full deletion, such data is placed in a protected archive with restricted access. The Developer does not restore or use such data for any purpose.
5.5. Active Subscriptions. Deleting your account within the Application does not automatically cancel any active paid subscription purchased through Apple App Store or Google Play. You must cancel the subscription yourself via your Apple ID or Google account settings prior to account deletion. The Developer has no technical ability to manage subscriptions or billing on the Apple or Google platforms.
5.6. General Data Retention Principles
We retain personal data only for as long as necessary to fulfill the purposes for which it was collected or as required by applicable law. Processing is carried out in accordance with the principles of the GDPR (Article 5) and other applicable data protection regulations.
6. YOUR RIGHTS (GDPR / CCPA)
Depending on your jurisdiction, you have the right to:
- Request access to your personal data.
- Demand correction of inaccurate data.
- Demand full deletion of your data.
- Withdraw consent for push notifications (via your device settings).
To exercise your rights, you can use the built-in functions of the Application or contact us via email.
7. AGE RESTRICTIONS
The Application is intended exclusively for users over 16 years of age.
We do not intentionally collect, store, or process personal data of persons under 16. If you are a parent or guardian and believe your child has provided us with their data, please contact us, and we will immediately delete this information from all our servers and databases.
For users in the United States, we comply with the Children's Online Privacy Protection Act (COPPA). We do not knowingly collect personal information from children under 13 years of age. If we become aware that we have collected such data, we will delete it immediately.
8. CHANGES TO THE POLICY
We may periodically update this Privacy Policy. In the event of significant changes, we will notify you through the Application.
Continued use of the Application after changes are made signifies your agreement with the new edition of the Policy.
9. CONTACTS
If you have questions, suggestions, or requests regarding your privacy, please contact us:
Data controller:
Developer: Serhii Chertkov (Ukraine, Kyiv)
E-mail: [email protected]
Previous versions:
Privacy Policy dated 14 May 2026
Privacy Policy dated 5 February 2026