vocab

Privacy Policy

Last updated: April 2026

1. Data Controller

3z digital GmbH
St.Leonhard-Strasse 45
9001 St. Gallen, Switzerland

2. Data We Collect

  • Account data: Email address, display name
  • Learning data: Texts you upload, words you learn, exercise attempts and results
  • Analytics: Anonymized usage data via PostHog (EU instance)

3. How We Use Your Data

  • To provide and improve the vocabulary learning service
  • To generate personalized exercises from your content
  • To track your learning progress and spaced repetition schedule
  • To analyze usage patterns and improve the product (analytics)

4. Legal Basis

We process your data under the Swiss Federal Act on Data Protection (nFADPG/DSG). The nFADPG is recognized as providing adequate data protection equivalent to the EU GDPR.

  • Contract performance: Account and learning data are processed to provide the service you signed up for
  • Legitimate interest: Analytics data is processed to improve the service. You may opt out at any time via the cookie banner.

5. Data Processors

  • Supabase (EU region) — database, authentication, file storage
  • OpenAI (US) — AI-powered exercise generation. Standard contractual clauses apply.
  • Vercel (EU/US) — website and application hosting
  • PostHog (EU instance) — anonymized product analytics

6. Data Retention

Your account data and learning history are kept for as long as your account is active. You may request deletion at any time. Upon deletion, all personal data is permanently removed within 30 days.

7. Your Rights

Under the nFADPG, you have the right to:

  • Access your personal data
  • Request rectification of inaccurate data
  • Request deletion of your data
  • Request data portability
  • Object to data processing

8. Cookies

We use a PostHog analytics cookie to understand how visitors use the site. This cookie is loaded by default under the Swiss opt-out model. You may opt out at any time using the cookie banner or by contacting us. We also use essential session cookies for authentication in the application.

9. Cross-Border Transfers

All data processors operate in the EU or Switzerland, except OpenAI (US), which processes data under standard contractual clauses ensuring adequate protection.

10. Contact

For privacy inquiries, contact us at the address listed above or email us at privacy@vocab.so.