Version 1.0 — May 1, 2026
Effective date: April 26, 2026 · Last updated: May 1, 2026
Privacy Policy
Vocab Quest (“we,” “us,” or “our”) provides a vocabulary-learning service for children, used by their parent or legal guardian. This Privacy Policy explains what information we collect, how we use it, who we share it with, and the choices you have. We have written this policy to comply with the EU/UK General Data Protection Regulation (GDPR), the California Consumer Privacy Act (CCPA/CPRA), and the U.S. Children's Online Privacy Protection Act (COPPA).
1. Who we are
Vocab Quest is operated as a sole-proprietor service, contactable at hello@vocabquest.app. We act as the “data controller” for the personal information described below. Our service is hosted in the United States.
2. Information we collect
2.1 Information you give us directly
- Pre-launch waitlist: the email address you submit on our website, plus the page you submitted from and any UTM parameters in the URL you arrived through.
- Account registration (post-launch): your email address, a password (stored only as a salted hash — never in plaintext), and an optional display name.
- Child profiles (post-launch): first name (or pseudonym — your choice), age or grade level, and reading level. You decide what to enter.
- Books you upload: EPUB or text files of books your child is reading. We store these to extract vocabulary candidates and to display reading excerpts in exercises.
- Quiz performance: which words your child has been shown, which they got right or wrong, response times, and which words are scheduled for review.
- Payment information (paid subscribers): when you convert to a paid subscription, our payment processor Stripe collects your full card number and processes the transaction directly. We never see your full card number. We receive only a payment token, the last four digits of the card, the card brand (e.g., Visa), the country of issue, and the transaction history needed to manage your subscription, issue refunds, and comply with tax law.
- Support correspondence: if you email us, we keep that thread.
2.2 Information we collect automatically
- Log data: IP address, browser type and version, operating system, request timestamps, and the pages or API endpoints you accessed. We retain this for security and abuse-prevention purposes.
- Session cookies: a single HTTP-only, SameSite=Strict cookie (vq_session) is set when you log in. It contains a signed reference to your account, never your password.
- Hashed identifiers: for the waitlist signup, we store a salted hash of your IP address (not the raw IP) so we can rate-limit abuse without retaining identifying data.
2.3 Information we do not collect
- We do not run Google Analytics, Facebook Pixel, or any third-party advertising or behavioral-tracking pixels.
- We do not collect precise geolocation, device microphone, or camera data.
- We do not buy data about you or your child from data brokers.
3. How we use information
We use the information described above only to:
- Provide and operate the Vocab Quest service, including scheduling spaced-repetition reviews tailored to each child.
- Authenticate you when you log in and keep your account secure.
- Generate quiz content (word definitions, example sentences, illustrative images, audio pronunciations).
- Send transactional emails (signup confirmation, password reset, billing receipt, important security notices).
- Process payments and manage paid subscriptions, including the $0.50 charge-and-refund step that establishes verifiable parental consent at trial-to-paid conversion.
- Send up to a small number of pre-launch updates and a launch announcement to people on our waitlist. You can unsubscribe at any time.
- Detect, investigate, and prevent fraudulent or abusive activity.
- Comply with legal obligations and enforce our Terms of Service.
- Diagnose and fix bugs and outages.
We do not use children's data to train third-party AI or machine-learning models, to target advertising, or for any purpose unrelated to operating the service.
4. Legal bases for processing (GDPR / UK GDPR)
If you are in the European Economic Area or the United Kingdom, we rely on the following legal bases under Article 6 of the GDPR:
- Contract: to provide the service you have asked us to provide.
- Consent: to send you waitlist and marketing emails. You may withdraw consent at any time.
- Legitimate interest: to keep the service secure, prevent abuse, and improve quality. We assess that these interests are not overridden by your privacy rights.
- Legal obligation: to comply with tax, accounting, child-protection, and other applicable laws.
- Parental consent: for personal information collected from a child under 13 (or 16 in some EEA jurisdictions), as required by COPPA and Article 8 of the GDPR.
5. When we share information
We share personal information only in the following circumstances:
- With service providers who help us operate the service, listed in section 6. These providers are bound by contract to use the information only on our instructions.
- To comply with legal obligations — for example, in response to a valid court order, subpoena, or other lawful request from a government authority. We will challenge requests we believe to be overbroad and notify you when we are legally permitted to do so.
- To protect rights and safety — to investigate violations of our Terms of Service, prevent fraud, or address actual or suspected illegal activity.
- In a business transfer — if Vocab Quest is acquired or its assets are transferred, your information may be one of the transferred assets, subject to the terms of this policy. We will notify you in advance of any such transfer.
We do not and will not sell your personal information or your child's personal information to anyone, for any purpose, ever.
6. Third-party services we rely on
We use the following service providers (sub-processors) to operate Vocab Quest. Each receives only the data necessary for the function described. The privacy policy of each sub-processor is linked below; collectively those policies — together with the API and data-processing agreements we have entered into with each provider — describe how each provider handles the data we route through them.
| Provider | Purpose | Data location | Privacy policy |
|---|---|---|---|
| Railway (US) | Application hosting and database storage. | USA (us-west region) | railway.com/legal/privacy |
| Backblaze B2 (US) | Encrypted offsite backups of account data. | USA (primarily US-East bucket region) | backblaze.com/privacy |
| Stripe (US) | Payment processing for paid subscriptions, including the $0.50 charge-and-refund used for verifiable parental consent at trial-to-paid conversion. Card numbers and full payment details are handled by Stripe; we receive only a payment token, the last four digits of the card, and the card brand. | USA + EU (depending on customer location; see Stripe's Privacy Center for specifics) | stripe.com/privacy |
| Resend (US) | Transactional and notification email delivery (signup confirmation, password reset, billing receipt, security notices). | USA (AWS us-east-1) | resend.com/legal/privacy-policy |
| Kit (formerly ConvertKit, US) | Waitlist email list management. | USA | kit.com/privacy |
| Anthropic (US) | Generation of quiz content (definitions, example sentences, novel quiz items, sense-extension cards) via the Claude API. Per Anthropic's API terms, content submitted to the API is not used to train Anthropic's models. | USA (Amazon AWS us-west-2 + us-east-1) | anthropic.com/legal/privacy |
| OpenAI (US) | Generation of selected quiz content via the OpenAI API. Per OpenAI's API terms, content submitted to the API is not used to train OpenAI's models. | USA (Microsoft Azure US regions) | openai.com/policies/row-privacy-policy |
| Google (Gemini API) (US) | Generation of vocabulary illustration images. Per Google's API terms, content submitted to the Gemini API is not used to train Google's models. | USA (with global edge) | policies.google.com/privacy |
| Free Dictionary API | Pronunciation audio lookup. We proxy these requests through our own server so your browser never contacts the third party directly. | n/a (no PII transmitted) | (no PII transmitted) |
| Sentry (US) | Error and performance monitoring. We have configured Sentry to scrub IP addresses and to receive only a hashed user identifier, never email addresses or child names. | USA (EU hosting available; we use US) | sentry.io/privacy |
Sub-processors may also use redundant or supporting infrastructure in additional regions; the location listed is the primary processing region for your account's data.
A current list of sub-processors is maintained on this page. We will update it before adding any new sub-processor.
7. Children's privacy (COPPA)
Vocab Quest is designed for children, used under the supervision of a parent or legal guardian. We comply with the Children's Online Privacy Protection Act (COPPA) and the FTC's COPPA Rule, 16 CFR Part 312.
7.1 Verifiable parental consent — our two-step method
Before we collect any personal information from a child under 13, we obtain verifiable consent from that child's parent or legal guardian. We use a two-step method that follows the methods explicitly approved by the FTC under COPPA Rule 16 CFR § 312.5(b):
- Step 1 — Affirmative consent at signup. When the parent creates the account, they must check a clearly-labeled consent box affirming that (a) they are the parent or legal guardian of the child being added, (b) they have read and agree to this Privacy Policy and our Terms of Service, and (c) they consent to our collection and use of their child's information as described here. The IP address and timestamp of this consent are logged in our records.
- Step 2 — Card-based confirmation at trial-to-paid conversion. When the parent converts from the 14-day free trial to a paid subscription, we run a $0.50 USD authorization on the parent's credit or debit card and immediately refund it. The parent will see both the charge and the refund on their card statement; the net is zero. The use of a credit-card transaction is one of the methods the FTC has explicitly approved for obtaining verifiable parental consent under 16 CFR § 312.5(b)(2)(ii). We retain the Stripe authorization record (token, last four digits of the card, and timestamp) as evidence of consent.
Until both steps are complete, we collect only the minimum data necessary to operate the free trial — first name or pseudonym, age or grade level, reading level, quiz performance, and uploaded books. We never share or disclose a child's personal information except to the sub-processors listed in section 6, all of whom are bound by contract to use the information only on our instructions. The parent creates the account, the parent adds the child profile, and the child interacts with Vocab Quest only through that parent's account.
7.2 What we collect from children
- The first name (or pseudonym) the parent enters for the child profile.
- Age or grade level entered by the parent.
- Reading level entered by the parent or estimated from quiz performance.
- Quiz interactions — which words the child has seen, accuracy, response timing, and review schedule.
- Books the parent uploads to the account.
7.3 What we do not collect from children
- Child's last name, home address, phone number, or precise geolocation.
- Child's email address or any other direct contact information.
- Photographs, audio recordings, or video of the child.
- Persistent identifiers used for behavioral advertising.
7.4 Parental rights
A parent may, at any time, by emailing hello@vocabquest.app:
- Review the personal information we have collected from their child.
- Direct us to delete the child's personal information.
- Refuse further collection or use of the child's personal information.
- Receive an export of the child's data in machine-readable JSON format.
- Revoke verifiable parental consent. You may revoke your verifiable parental consent at any time by deleting your account from the parent dashboard or by emailing hello@vocabquest.app. Within the 7-day soft-delete grace window we will permanently remove your child's data from our production systems; backups age out within 90 days. Revocation does not affect data we are legally required to retain (e.g., tax records of paid subscriptions).
We will respond to verifiable parental requests within 30 days.
8. Data retention
- Waitlist email addresses: retained until 90 days after public launch, until you unsubscribe, or until you ask us to delete the record — whichever comes first.
- Account data (post-launch): retained for as long as the account is active. When you delete your account (or we delete it under section 15 of the Terms of Service), we apply a 7-day soft-delete grace window:
  - Your data is locked immediately at the moment of deletion. You and your child can no longer access the Service.
  - For 7 days, you can restore the account by clicking the recovery link we email to you at the moment of deletion.
  - After 7 days, the data is permanently removed from our primary systems.
  - Encrypted offsite backups age out and are destroyed within 90 days.
- Quiz performance data: retained for the life of the account; deleted under the schedule above when the account is deleted.
- Server logs: retained for 30 days, then automatically deleted.
- Support correspondence: retained for 24 months after the last contact, unless you ask us to delete it sooner.
- Payment records: Stripe retains transaction records under its own retention schedule and applicable U.S. and international financial-services rules. We retain the minimum metadata (Stripe customer ID, subscription history, last four digits of the card, country) required to honor refunds, comply with tax law, and detect fraud.
- Information we are legally required to retain (such as tax records of paid subscriptions) is kept for the period required by applicable law.
9. Your rights
Subject to applicable law, you have the right to:
- Access a copy of the personal information we hold about you.
- Correct personal information that is inaccurate or incomplete.
- Delete your account and personal information.
- Port your data — receive an export in a machine-readable format and have it transmitted to another service where technically feasible.
- Object to processing based on legitimate interest.
- Restrict processing while we resolve a dispute about accuracy or legitimacy.
- Withdraw consent at any time, where we rely on consent.
- Lodge a complaint with your local data-protection authority. In the EU, find yours at edpb.europa.eu. In the UK, contact the ICO.
To exercise any of these rights, email hello@vocabquest.app. We will respond within 30 days. We do not charge a fee for exercising your rights, and we will not retaliate or discriminate against you for doing so.
9.1 Self-service data export
You can download a complete copy of your account data at any time, without contacting us, in either of two ways:
- From the parent dashboard: click Account → Export Data. We assemble a JSON archive of your parent record, every child profile, every uploaded book, the quiz cache for each book, all session and review history, and your preference settings, and we deliver it as a downloadable file.
- Programmatically: after authenticating with your account, send a GET request to /api/my-data. The endpoint returns the same JSON archive in a single response and is intended for parents who want to script their own backups.
The export includes everything we have stored that is associated with your account, in a structured, machine-readable format. It does not include data held by sub-processors under their own data-controller relationships (for example, Stripe transaction records — for those, contact Stripe directly through your Customer Portal, or contact us and we will coordinate).
10. California privacy rights (CCPA / CPRA)
If you are a California resident, you have the rights described in section 9 above, plus the following CCPA-specific rights:
- The right to know what categories of personal information we have collected, the sources from which it was collected, the business or commercial purposes for collecting it, and the categories of third parties with whom we share it.
- The right to opt out of the “sale” or “sharing” of personal information, as those terms are defined in the CCPA. We do not sell or share personal information for cross-context behavioral advertising.
- The right to limit the use and disclosure of sensitive personal information. We do not collect sensitive personal information beyond what is necessary to provide the service.
- The right to non-discrimination for exercising your rights.
For purposes of the CCPA disclosures, in the preceding 12 months we have collected the categories of personal information described in section 2 (Identifiers, Customer Records, Internet Activity, and Inferences derived from quiz performance), and we have disclosed those categories only to the service providers listed in section 6, only for the business purposes described in section 3. We have not sold or shared any personal information.
To submit a CCPA request or to designate an authorized agent, email hello@vocabquest.app with “California Privacy Request” in the subject line. We will verify your identity using information you have already provided to us before fulfilling the request.
11. Security
We protect personal information using industry-standard safeguards, including:
- Encryption in transit (HTTPS / TLS 1.2+) for all communication between your browser and our servers.
- Encryption at rest for offsite backups using AES-256-GCM.
- Passwords stored only as scrypt-derived hashes, never in plaintext.
- HTTP-only, SameSite=Strict, signed session cookies.
- Per-user data isolation on the server (each user's data is namespaced to its own directory).
- Strict Content Security Policy headers, CSRF protection, and rate-limiting on authentication endpoints.
- Regular review of dependencies for known vulnerabilities.
No system is perfectly secure. If we discover a data breach affecting your personal information, we will notify you and the appropriate authorities within the timelines required by applicable law (72 hours under the GDPR; the timeline required by your state's breach-notification law if you are in the United States).
12. Cookies and similar technologies
We use only the cookies strictly necessary to operate the service:
- vq_session: a signed authentication token. HTTP-only, SameSite=Strict, expires after 30 days. Without this cookie you cannot log in.
- vq_csrf: a CSRF protection token. Set when you log in; expires with the session.
We do not use any third-party advertising, analytics, or behavioral-tracking cookies. Because we set only strictly-necessary cookies, no consent banner is required under the EU ePrivacy Directive — but you can disable cookies in your browser if you choose, with the consequence that you will not be able to log in.
13. International data transfers
Vocab Quest is hosted in the United States. If you are located outside the United States, your information will be transferred to and processed in the United States. We rely on the European Commission's Standard Contractual Clauses (SCCs), the UK International Data Transfer Addendum, and equivalent safeguards in other jurisdictions to ensure that your data continues to receive an adequate level of protection. A copy of the SCCs is available on request.
14. Changes to this policy
We may update this Privacy Policy from time to time. When we make material changes, we will revise the “Last updated” date at the top of this page and, where required by law, notify you by email or through a prominent notice in the service before the change takes effect. We will not retroactively reduce your privacy rights without your consent. The previous versions of this policy are archived and available on request.
May 1, 2026 update. Added Stripe to the list of sub-processors in section 6 to support paid subscriptions. Documented the two-step verifiable parental consent method, including the $0.50 charge-and-refund step at trial-to-paid conversion (section 7.1). Documented the 7-day soft-delete grace window in section 8. Added the self-service data-export endpoint in section 9.1. Cross-linked to the new Terms of Service and Refund Policy.
15. How to contact us
For any privacy question, request to exercise a right described above, or notice of a data breach, write to:
Vocab Quest — Privacy
Email: hello@vocabquest.app
Subject line: Privacy Request
We aim to respond within seven business days and to fully resolve every request within 30 days, as required by GDPR Article 12 and CCPA §1798.130. If you are not satisfied with our response, you have the right to escalate to your local data-protection authority (see section 9).
This policy was prepared by Vocab Quest. It is not legal advice. If you are using a similar service in another jurisdiction, you should consult a qualified attorney about the applicable rules in your country.