
Privacy Policy

Last updated: June 2026

This Privacy Policy explains how notes2cards ("we", "us", "our") collects, uses, and protects your personal information when you use our Service. By using notes2cards, you agree to the practices described here.

1. Information We Collect

Information you provide directly:

  • Email address (required for account creation)
  • Full name (optional, for personalisation)
  • Password (stored as a one-way hash — we never see your plaintext password)
  • Marketing preference (whether you opted in to product updates at signup)

Information generated by the Service:

  • Usage data: pages processed per month, plan type, cycle reset date
  • Generation logs: file name, file type, page count, AI token counts (used to calibrate pricing — no file content is stored)
  • Session tokens (for authentication, stored in secure cookies)

Payment information:

All payment processing is handled entirely by Lemon Squeezy. We never receive, store, or have access to your credit card or payment details. We only receive a customer ID and subscription status confirmation.

2. What We Do NOT Collect

  • The content of files you upload — they are processed transiently and deleted immediately after flashcard generation
  • The content of generated flashcards — these exist only in your browser/Anki
  • Precise location data (we use country-level only, if applicable)
  • Tracking pixels, ad network cookies, or cross-site behavioural data
  • Your uploaded files for AI model training — ever

3. How We Use Your Information

  • To authenticate you and maintain your account session
  • To enforce your plan's monthly page quota and reset it correctly
  • To send transactional emails (e.g., receipts, password resets) — these are always sent regardless of marketing preference
  • To send product updates, tips, and offers — only if you explicitly opted in at signup
  • To monitor aggregate token usage (anonymised) to ensure the service remains financially sustainable
  • To investigate abuse, fraud, or violations of our Terms of Service

4. How We Share Your Information

We do not sell your personal data. We share data only with the following third-party service providers, solely to operate the Service:

  • Supabase (database & authentication) — stores your account data, usage counts, and generation logs. Data is hosted on servers in the region you signed up from.
  • Google Gemini API — receives your uploaded files temporarily for flashcard generation. Files are deleted from Google's servers within seconds of processing via the Gemini File API delete endpoint. Google's data use is governed by their API terms.
  • Lemon Squeezy (payments) — handles all payment processing. We receive only your subscription status; no card data ever reaches our servers.
  • Vercel (hosting & CDN) — hosts the web application. Request logs (IP address, URL, timestamp) may be stored for up to 30 days for security purposes.

5. Data Retention

  • Uploaded files: deleted from Gemini servers immediately after processing (within seconds)
  • Generation logs: retained indefinitely for quota calibration; contain no file content — only token counts and metadata
  • Account data: retained until you delete your account
  • Marketing subscriber list: retained until you unsubscribe; you can opt out at any time by emailing us
  • Payment records: retained as required by applicable financial regulations (typically 7 years)

6. Cookies & Tracking

We use only the following types of cookies:

  • Authentication cookies: Supabase session tokens required to keep you logged in. These are strictly necessary and cannot be disabled.
  • Preference cookies: We store your UI preferences (dark/light theme, font size, default settings) in browser localStorage. This data never leaves your device.

We do not use advertising cookies, analytics pixels, or any third-party tracking scripts.

7. Your Rights

Depending on your location, you may have the following rights:

  • Access: Request a copy of the personal data we hold about you
  • Correction: Request correction of inaccurate personal data
  • Deletion: Delete your account and all associated data via Account Settings → Danger Zone, or by emailing us
  • Opt-out of marketing: Unsubscribe from marketing emails at any time using the unsubscribe link in any email, or by emailing us
  • Data portability: Request an export of your data in a machine-readable format

To exercise any of these rights, contact us at support@notes2cards.com. We respond to all requests within 30 days.

8. Data Security

We implement the following security measures:

  • All data in transit is encrypted via TLS 1.2+
  • Passwords are hashed using bcrypt (managed by Supabase Auth)
  • Database access requires authenticated API calls; the database is not publicly exposed
  • Row Level Security (RLS) is enabled on all Supabase tables — users can only access their own data
  • API routes enforce authentication before any data operation

Despite these measures, no method of internet transmission is 100% secure. In the event of a data breach affecting your personal information, we will notify you within 72 hours of becoming aware of it.

9. Children's Privacy

The Service is not directed to children under 13. We do not knowingly collect personal information from children under 13. If we become aware that a child under 13 has provided us with personal information, we will delete it promptly. If you believe a child under 13 has created an account, please contact us at support@notes2cards.com.

10. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of material changes via email or a prominent notice on the Service. The "Last updated" date at the top of this page reflects the most recent revision. Continued use after changes take effect constitutes acceptance of the updated Policy.

11. Contact Us

For privacy-related questions, data requests, or to report a concern, contact us at:

notes2cards

Email: support@notes2cards.com

Response time: within 30 days