Vocabul

Last updated: May 3, 2026

Vocabul Privacy Policy

Vocabul is a vocabulary-learning app operated by FOP Kostiantyn Zghara, a sole proprietor registered in Ukraine (“Vocabul”, “we”, “us”, or “our”). This Privacy Policy explains what personal data we collect, how we use it, who we share it with, and the choices and rights you have when you use our website at https://vocabul.app, our iOS and Android apps, and any related services (together, the “Services”).

By creating an account, installing the app, or using the Services, you agree to the practices described here. If you do not agree, please stop using the Services. Where required by law, we will ask for your consent separately for specific processing activities.

1. Who is responsible for your data

The data controller for personal data processed through the Services is:

  • FOP Kostiantyn Zghara (Фізична особа-підприємець Костянтин Згара), Ukraine.
  • Privacy contact: hello@vocabul.app.

2. The data we collect

We collect only the data we need to run the Services. The categories below describe what we collect, in plain language.

Account data

When you sign in, our identity provider Auth0 (operated by Okta, Inc.) handles authentication on our behalf. We receive a persistent user identifier together with your email address, your display name, and, if you provide one, an avatar image. Your authentication credentials (passwords, social-login tokens) are held by Auth0 and never reach us.

Subscription and billing data

Paid subscriptions are sold through the Apple App Store and Google Play and managed for us by RevenueCat, Inc. We receive transaction identifiers, plan names, entitlement status, renewal and expiry dates, and an internal credit balance for AI features. We do not receive or store payment-card numbers, bank-account details, or billing addresses — those stay with Apple, Google, and their payment processors.

Content you create

The Services let you create vocabulary content — Sets, Cards, terms, pronunciations, definitions, examples, collocations, and cover images. We store this content so we can show it back to you across devices and so the AI features can operate on it. This content belongs to you (see Section 6 of our Terms of Service).

AI inputs, outputs, and embeddings

When you use AI features such as Card Completion, Term Suggestion, or duplicate detection, we send the term you submitted (and, where relevant, the conversation messages) to AI model providers so they can return a result. We also generate numerical vector representations (“embeddings”) of the terms in your library so we can detect duplicates and power semantic search. We store the AI output, the embedding, and a record of the request.

Usage and inference records

Each AI request is logged as a usage record containing the model used, token counts, the credit cost, and a timestamp. We use these records for billing, abuse prevention, and product analytics in aggregate.

Device and log data

When you use the Services, our infrastructure receives technical data such as IP address, device type, operating system version, app version, locale, request timestamps, and error traces. We use this data to operate, secure, and debug the Services.

On-device storage

The mobile app stores small amounts of state on your device (such as whether you have completed onboarding) using the operating system's local storage. This data does not leave your device unless we explicitly say so.

Communications you send us

If you email us, post in our public feedback portal, or reply to a transactional message, we keep a record of that exchange so we can respond and improve the product.

3. Why we use your data and the legal basis

Where the EU/UK General Data Protection Regulation applies, we rely on the legal bases below. Where Ukrainian or other local law applies, we rely on the equivalent grounds permitted there.

  • Performing our contract with you. Creating and maintaining your account, syncing your library across devices, generating AI cards, suggesting root forms, detecting duplicates, running search, granting and accounting for AI credits.
  • Legitimate interests. Keeping the Services secure and abuse-free, debugging errors, and improving the product based on aggregated usage. We balance these interests against your rights and you can object at any time.
  • Legal obligations. Tax and accounting records, responding to lawful requests from authorities, and complying with consumer-protection rules.
  • Consent. Where we ask for it explicitly — for example, before sending non-essential communications. You can withdraw consent at any time without affecting prior processing.

4. AI features and what happens to your inputs

The AI features in Vocabul are delivered by sending your request to third-party model providers. Today this includes OpenAI for embeddings and an inference provider integrated through the Vercel AI SDK for streamed completions. The providers we use may change as we improve the product; we will keep this list current.

We do not use your private Sets and Cards to train our own models, and we instruct our providers to operate in a mode that does not use your data to train their general-purpose models. Providers may still process your inputs and outputs to deliver the service, monitor for abuse, and meet their own legal obligations under their privacy policies.

AI output can be wrong, biased, or out of date. Treat it as a starting point and verify anything that matters before relying on it.

5. Who we share data with

We share data only with vendors that help us run the Services and only to the extent needed for the purposes described here. Our main service providers are:

  • Auth0 (Okta, Inc.) — authentication and identity management.
  • RevenueCat, Inc. — subscription management, entitlements, and the in-app paywall.
  • Apple App Store and Google Play — distribution of the apps and processing of in-app purchases. Their stores own the payment relationship with you.
  • AI model providers — currently including OpenAI, L.L.C. for embeddings, and the model provider integrated through the Vercel AI SDK for streamed Card and term-suggestion completions.
  • Cloud hosting and infrastructure — providers that host our backend and database (PostgreSQL with the pgvector extension), object storage for Card images, and content-delivery networks for the website and the apps.
  • Featurebase — the public feedback and changelog portal at vocabul.featurebase.app. It only sees what you choose to post there.

We may also disclose data to comply with legal obligations, enforce our terms, defend our rights, or in connection with a corporate transaction such as a merger or asset sale — in which case we will notify you and give you a chance to exercise your rights before your data moves.

We do not sell your personal data, and we do not share it with advertising networks for targeted advertising. The Services currently contain no third-party advertising trackers.

6. International transfers

We are based in Ukraine, and several of our service providers are located in the United States, the European Union, and other countries. When we transfer personal data internationally, we rely on lawful transfer mechanisms such as the European Commission's Standard Contractual Clauses, the UK International Data Transfer Addendum, and adequacy decisions where they are available. Copies of the relevant safeguards are available on request from hello@vocabul.app.

7. How long we keep data

  • Account data, your Sets, Cards, definitions, and embeddings are kept for as long as your account is active.
  • When you delete your account from Settings → Delete account, we permanently delete your account and the content tied to it from production systems within 30 days.
  • Subscription and billing records and AI usage records are kept for the period required by accounting, tax, and consumer-protection laws (typically up to seven years).
  • Server logs and security-event records are retained for up to 12 months, then deleted or anonymised.
  • Encrypted backups roll off on their normal cycle; deletion from production is reflected in backups within 90 days.

8. Your rights

Depending on where you live, you may have some or all of the rights below. We honour these rights regardless of your location to the extent we can do so practically:

  • Access — request a copy of the personal data we hold about you.
  • Correction — ask us to correct inaccurate data; you can also edit your name, avatar, and your Cards directly in the app.
  • Deletion — ask us to delete your account and content. You can do this yourself from Settings → Delete account.
  • Portability — request a machine-readable export of your Sets and Cards.
  • Restriction and objection — ask us to pause or stop processing based on legitimate interests.
  • Withdraw consent — where we rely on consent, you can withdraw it without affecting prior processing.
  • Lodge a complaint — with your local data-protection authority if you believe your rights have been infringed. In Ukraine this is the Verkhovna Rada Commissioner for Human Rights; in the EU, your national supervisory authority.

To exercise any of these rights, email hello@vocabul.app. We may need to verify your identity before we act, and we will respond within the time limits set by applicable law (typically 30 days).

California residents. You have the right to know what personal data we collect, the right to delete it, the right to correct it, and the right to opt out of any “sale” or “sharing” of personal data as those terms are defined under the California Consumer Privacy Act. We do not sell or share personal data, and we do not use or disclose sensitive personal information for purposes that would require an opt-out right under California law. You will not be discriminated against for exercising these rights.

9. Children

The Services are intended for adults and for users at least 13 years old (or the higher age required by your local law — for example, 16 in some EU countries). We do not knowingly collect personal data from children under that age. If you believe a child has provided us with personal data, contact us at hello@vocabul.app and we will delete it.

10. Security

We use technical and organisational measures designed to protect your data — including encryption in transit, access controls, audit logging, and least-privilege access for our team. No system is perfectly secure, and we cannot guarantee the security of data in transit over the public internet. Please use a strong password through Auth0 and notify us immediately if you believe your account has been compromised.

11. Cookies and similar technologies

The vocabul.app marketing website uses only essential browser-side storage required to display the page and remember your theme preference. We do not currently run third-party analytics, advertising, or behavioural-tracking cookies on the marketing site. The mobile apps do not use browser cookies; the limited on-device state we store is described in Section 2.

If we add analytics or similar technologies in future, we will update this Privacy Policy and, where required, ask for your consent before they run.

12. Third-party links and content

The Services link out to third-party platforms — for example, the Apple App Store, Google Play, Auth0's sign-in pages, and our public feedback portal on Featurebase. Those platforms have their own privacy policies. We are not responsible for their practices and recommend you review their policies before interacting with them.

13. Changes to this Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in the Services, in our practices, or in the law. We will post the updated version here and change the “Last updated” date at the top. If the changes are material, we will tell you in the app or by email before they take effect.

14. Contact us

If you have questions or want to exercise your rights, contact us at hello@vocabul.app. We read every message.