Privacy Policy

Last updated: December 2024

1. Introduction

Welcome to Deckloop. We respect your privacy and are committed to protecting your personal data. This privacy policy explains how we collect, use, and safeguard your information when you use our service.

2. Information We Collect

2.1 Account Information

When you create an account, we collect:

  • Email address
  • Name (if provided)
  • Password (hashed)

2.2 Usage Data

We automatically collect certain information when you use our service:

  • Study sessions and review history
  • Deck creation and management activities
  • Device information and browser type
  • IP address and approximate location data (for example, based on IP)

2.3 Cookies and Analytics

We use cookies and similar technologies to improve your experience. With your consent, we use Google Analytics to understand how users interact with our service. You can change your cookie preferences at any time via Cookie Settings in the footer.

2.4 Uploaded Content

When you use features that involve uploading or importing content, we may collect and store:

  • Documents you upload for deck creation (such as PDFs or text)
  • Images and media attached to your cards
  • Import files (such as Anki decks) and any related media
  • Audio generated by text-to-speech features

2.5 AI-Generated Content

When you use AI features (such as deck generation or explanations), we may store the AI-generated results so you can access them again without reprocessing. This helps avoid repeated processing (and, where applicable, repeated AI credit usage) and improves loading times.

2.6 Sync and Device Data

To support offline use and synchronisation across your devices, we collect information such as device identifiers and activity events. We use this information only to keep your content and progress in sync across devices and support offline use.

3. How We Use Your Information

We use your information for the purposes described below. Where required, we rely on your consent (for example, for analytics cookies). For other processing, we rely on performing our contract with you, our legitimate interests, or legal obligations.

3.1 Processing details

The table below explains the main purposes for which we process personal data, the categories of data involved, our lawful basis, how long we keep it, and who we share it with.

| Purpose | Data | Lawful basis | Retention | Sharing |
|---|---|---|---|---|
| Provide the Service | Account details (email, name if provided), authentication data, decks and study content you create, study sessions and review history | Contract (provide the Service) | While your account is active; then deleted or anonymised within a reasonable period unless we need to keep it for legal reasons | Hosting and infrastructure providers (e.g., Supabase) as needed to operate the Service |
| Analytics and improvements | Device and browser info, IP address (used for approximate location), usage events (pages visited, interactions) | Consent (analytics cookies) | Until you withdraw consent, then we stop collecting; existing analytics cookies can be removed by clearing browser cookies | Google Analytics (only enabled if you consent) |
| Support and communications | Email address, messages you send us, and related account context needed to resolve your request | Legitimate interests (provide support) and/or Contract | As long as needed to handle your request, then retained for a reasonable period for audit/troubleshooting | Service providers used for customer support (if any) |
| Security and abuse prevention | Login and security events, IP address, device/browser info, activity logs | Legitimate interests (keep the Service secure) and/or Legal obligation | Retained for a limited period appropriate for security monitoring and incident investigation | Hosting/infrastructure providers; legal/authorities where required |
| AI-assisted features (if used) | Content you submit for AI processing (for example, prompts, text you paste, or study material you upload) and generated outputs | Contract (provide requested feature) and/or Legitimate interests (improve learning experience) | Stored with your account content unless you delete it; provider-side retention depends on the AI provider’s terms and settings | AI providers used to deliver AI-assisted features |

3.2 AI Features

When you use AI-powered features (such as generating decks from documents, URLs, or prompts, or requesting explanations for cards), we send relevant content to our AI provider (Google Gemini) for processing. This may include:

  • Card content (such as questions and answers)
  • Deck context (such as subject or level)
  • Prompts you enter
  • Text extracted from documents you upload, and content from URLs you provide (for example, webpage text or video transcripts where available)

AI-generated results may be stored in your account so you can access them again without additional processing or credit usage.

4. Data Sharing and Disclosure

We do not sell your personal data. We may share your information only in the following circumstances:

  • Service Providers: Third-party services that help us operate (e.g., hosting, analytics, customer support)
  • Legal Requirements: When required by law or to protect our rights, users, or the public
  • Business Transfers: In connection with a merger, acquisition, or sale of assets

4.1 Third-Party Processors

We use the following third-party service providers to operate Deckloop:

  • Vercel (Hosting): Our website and application are hosted on Vercel's infrastructure. Privacy Policy
  • Google Gemini (AI): When you use AI features, relevant content you provide (such as card text, prompts, or text extracted from documents) is sent to Google Gemini to generate results. We may store the generated results in your account. Privacy Policy | API Terms
  • Resend (Email): We use Resend for transactional emails such as account verification and notifications. Privacy Policy
  • Wikimedia Commons (Images): Some educational images are sourced from Wikimedia Commons. Depending on how assets are delivered, Wikimedia may receive request metadata such as IP address and user agent.

5. International Data Transfers

Some of our service providers may process personal data outside the UK or European Economic Area (EEA). For example, Google Analytics and certain AI providers may involve processing in other countries (including the United States).

Where we transfer personal data internationally, we take steps designed to ensure an adequate level of protection, such as relying on recognised transfer mechanisms (for example, Standard Contractual Clauses) and implementing appropriate safeguards where required.

6. Your Rights Under GDPR and UK GDPR

If you are in the European Economic Area or the United Kingdom, you have the following rights (subject to certain legal limitations):

  • Access: Request a copy of your personal data
  • Rectification: Correct inaccurate or incomplete data
  • Erasure: Request deletion of your personal data
  • Restriction: Limit how we process your data
  • Portability: Receive your data in a structured format
  • Objection: Object to certain processing (including processing based on legitimate interests)
  • Withdraw Consent: Withdraw consent at any time (where processing is based on consent)

To exercise these rights, please contact us at privacy@deckloop.io.

Your data rights & requests

You can request a copy of your personal data, ask us to correct it, or request deletion by emailing privacy@deckloop.io.

To help us verify your identity, please email us from the address associated with your Deckloop account.

What we can provide as part of a "copy of your data" request typically includes: your account/profile details, a CSV export of your decks (front/back), and a summary of your learning activity (aggregated statistics similar to what you see in the app). If we have support correspondence or emails we've sent to you on record, we can include those as well.

We respond within 30 days (one month). If your request is complex or involves a large amount of data, we may need more time, but we'll let you know within 30 days and explain why.

You also have the right to lodge a complaint with your local data protection authority. In the UK, this is the Information Commissioner’s Office (ICO). In the EEA, you can contact your local supervisory authority.

7. Cookie Management

You can manage your cookie preferences at any time. See our Cookie Policy for details. You can also use the Cookie Settings link in the footer to change your preferences.

8. Data Security

We implement appropriate technical and organizational measures to protect your personal data against unauthorized access, alteration, disclosure, or destruction. However, no method of transmission over the internet is 100% secure.

9. Data Retention

We keep your content and learning data, including AI-generated results you've saved, until you delete your account or request deletion, unless we are required to keep it longer for legal reasons. You can request deletion of your account at any time by contacting us.

10. Children's Privacy

Our service is not intended for children under 14. We do not knowingly collect personal data from children under 14. If you believe we have collected information from a child under 14, please contact us immediately. See our Age Policy for more details.

11. Changes to This Policy

We may update this privacy policy from time to time. We will notify you of any material changes by posting the new policy on this page and updating the "Last updated" date.

12. Contact Us

If you have any questions about this privacy policy or our data practices, please contact us: