This Privacy Policy explains what personal data we collect, how we use it, who we share it with, and what rights you have. If anything is unclear, you are welcome to contact us.
The controller of your personal data is:
Łukasz Ciastko Software Development
Łukasz Ciastko, sole proprietorship registered in Poland (CEIDG)
NIP: 9492245030
For privacy-related questions or to exercise your data protection rights, contact us at privacy@vocamemo.com.
We are not required to appoint a Data Protection Officer under Article 37 of the GDPR. For all data protection inquiries, please use the email address above.
A Vocamemo account is required to use the app. You create an account using Sign in with Apple, which provides us with your email address (or an Apple-generated private relay address, if you choose to hide your email). We need this information to create your account, sync your learning progress, and provide the service.
| Category | Examples | Required |
|---|---|---|
| Account data | Email address, sign-in method (Sign in with Apple) and associated account identifier, optional display name, account timestamps. | Yes |
| Authentication and security data | Secure session data used to keep you signed in (session tokens, token hashes, expiry and revocation records). | Yes |
| Learning data | Selected course, study goals and settings, per-item progress, review schedule dates, performance history, course restart timestamp. | Yes |
| Technical and usage diagnostics | Event type and category, IP address, user-agent, session identifier (if present), timestamps. | Needed to run and secure the service |
| Privacy operation records | Export request history and privacy audit events (for example, deletion and export processing logs). | Needed for legal and operational accountability |
| Support communications | Information you send us when contacting support (for example by email). | Optional unless needed to resolve your request |
The table below describes each processing purpose, the data involved, and the legal basis we rely on under Article 6(1) of the GDPR.
| Purpose | Data used | Legal basis (GDPR Art. 6(1)) |
|---|---|---|
| Create and maintain your account | Email, sign-in method, account identifier, display name | Contract (Art. 6(1)(b)) — necessary to provide the service you signed up for |
| Authenticate you and maintain session security | Session tokens, token hashes, expiry and revocation records | Contract (Art. 6(1)(b)) |
| Provide study features, sync progress, and track learning | Selected course, study goals, per-item progress, review schedule, performance history | Contract (Art. 6(1)(b)) |
| Maintain service security, prevent abuse, and troubleshoot reliability | IP address, user-agent, event type, timestamps, session identifier | Legitimate interests (Art. 6(1)(f)) — see Section 7 below |
| Process your privacy requests (export, deletion) and maintain accountability records | Export request history, privacy audit events | Legal obligation (Art. 6(1)(c)) — GDPR accountability requirements under Articles 5(2) and 30 |
| Respond to support inquiries | Information you provide in support communications | Contract (Art. 6(1)(b)) or Legitimate interests (Art. 6(1)(f)), depending on the nature of the inquiry |
We do not sell your personal data. We do not use personal data for advertising or ad-targeting profiles.
We do not currently rely on consent (Art. 6(1)(a)) as a legal basis for any processing activity. If this changes in the future, we will update this policy and provide you with a clear mechanism to give and withdraw consent.
Where we rely on legitimate interests as a legal basis, we have assessed that our interests do not override your fundamental rights and freedoms. Specifically:
You have the right to object to processing based on legitimate interests at any time. See Section 13 below.
We share personal data only when necessary for the purposes described above:
| Category of recipient | Purpose | Data shared |
|---|---|---|
| Cloud infrastructure provider (hosting, database, object storage) | Operating the Vocamemo service | All data categories listed above (processed on our behalf as a data processor) |
| Apple Inc. | Sign in with Apple identity verification | Standard authentication metadata inherent to the Sign in with Apple protocol (e.g., that a sign-in to Vocamemo took place). We do not send your learning data or account content to Apple. |
| Law enforcement or regulatory authorities | Compliance with legal obligations | As required by applicable law or valid legal process |
We do not share your personal data with advertisers or ad networks.
We primarily store and process your personal data on infrastructure located in the European Union.
Some services we use (such as Sign in with Apple) may involve international data transfers. Where transfers occur, we rely on appropriate safeguards under applicable law, including adequacy decisions where available.
| Data type | Retention |
|---|---|
| Account and learning data | Kept while your account is active. Permanently deleted after account deletion and purge (see Section 11). |
| Session and authentication records | Kept until expiry or revocation. Sessions are revoked immediately on sign-out and when deletion is requested. |
| Analytics events linked to your account | Removed when your account is permanently deleted, unless longer retention is required by law. |
| Privacy audit logs | Retained for accountability and legal purposes for up to 730 days. These records may remain in pseudonymised form after your account is permanently deleted. |
When you request deletion of your account:
You can export your data from within the app. The export is delivered as a ZIP file containing CSV files of your account and learning records, in a structured, commonly used, machine-readable format.
Under the General Data Protection Regulation (GDPR), you have the following rights regarding your personal data:
To exercise any of these rights:
We will respond to your request without undue delay and in any event within one month, as required by Article 12(3) of the GDPR. We may need to verify your identity before processing your request.
If you believe that our processing of your personal data violates the GDPR, you have the right to lodge a complaint with a supervisory authority. The supervisory authority for our operations is:
Urząd Ochrony Danych Osobowych (UODO)
ul. Stawki 2, 00-193 Warszawa, Poland
https://uodo.gov.pl
You may also lodge a complaint with the supervisory authority in your EU/EEA Member State of residence or place of work.
We do not make decisions based solely on automated processing, including profiling, that produce legal effects concerning you or similarly significantly affect you (Article 22 of the GDPR).
Vocamemo uses an algorithmic spaced-repetition system to schedule vocabulary review items. This is a core feature of the service and does not constitute automated decision-making under Article 22, as it does not produce legal or similarly significant effects.
Vocamemo is not directed to children under 16 years of age. We do not knowingly collect personal data from children under 16. If you are a parent or guardian and believe your child has provided us with personal data without your consent, please contact us at privacy@vocamemo.com and we will take steps to delete that information.
We use technical and organisational safeguards designed to protect personal data, including access controls, encrypted storage, and session management controls. No system is perfectly secure, but we continuously work to improve our protections.
We may update this Policy when our services or legal requirements change. We will publish the updated version on this page and update the effective and last-updated dates. Where changes are material, we may also provide notice in the app.
For privacy inquiries: privacy@vocamemo.com