Privacy Policy
Effective July 8, 2026
This policy explains what Impressionary (“we”, “us”) collects when you use the Impressionary app, website, and API (the “Service”), why we collect it, and the choices you have. The short version: we collect what is needed to run an AI dictionary tied to your account — your sign-in details, your language settings, the words you look up and the cards generated from them, and how you study them. We do not sell your data and we do not show ads.
1. What we collect
Account and sign-in
- Your email address and the identifiers provided by your chosen sign-in method: Sign in with Apple, Google, a one-time email code, or a passkey. Authentication is handled by Supabase on our behalf.
- If you use Sign in with Apple’s “Hide My Email”, we only see the relay address Apple gives us.
Profile and settings
- Your language settings (the language you speak and the language you are learning), timezone (used to reset daily limits at your local midnight), appearance and display preferences, and your subscription tier.
Learning content
- The words and text you look up, and the cards generated from them: definitions, example sentences, grammar explanations, facts, mnemonic images, and synthesized audio.
- Word lists you create and cards shared with you.
Study activity
- How you interact with your cards: views, time spent on a card, and swipe choices (keep / dismiss). We use this to sequence your daily review and to recommend new words.
- Study-session records and daily usage counters (how many lookups and image generations you have used today), which enforce free-tier limits.
Purchases
- Subscriptions are purchased through Apple. We receive purchase and subscription-status events (not your payment details) via RevenueCat, our subscription-management provider. We never see your payment card information.
Technical data
- Standard request metadata — IP address, user agent, timestamps — processed by Cloudflare, which sits in front of our servers for security, rate limiting, and bot protection (Cloudflare Turnstile). Short-lived operational logs may include this metadata.
- The app stores working data (your cards, settings, session state) on your device so it works quickly and offline-tolerantly.
We do not collect your contacts, location, photos, browsing history, or advertising identifiers, and we do not use third-party advertising or cross-app tracking SDKs.
2. How we use your data
- To provide the Service: generate your cards, store your library, sync it across your devices, sequence your daily review, and recommend new words based on what you are learning.
- To operate fairly: meter free-tier usage, resolve your subscription tier, and apply rate limits and anti-abuse protections.
- To keep the Service working: debug problems using logs and diagnostics.
- To communicate: send sign-in codes and important service or account messages. We do not send marketing email unless you opt in.
We do not sell or rent your personal data, and we do not use your personal content to train AI models.
3. AI processing
When you look up a word, the text you submit (plus your language settings) is sent to AI providers to generate your card:
- OpenAI generates text content (definitions, sentences, grammar explanations), routed through Cloudflare AI Gateway.
- Cloudflare Workers AI generates mnemonic images.
- Microsoft Azure synthesizes pronunciation audio.
These providers process your lookup text as our service providers under their API terms, which do not permit them to use it to train their models. Lookups are not sent with your name or email attached. To keep the Service fast and affordable, generated results for a given word and language pair may be cached and reused, including for other users who look up the same word.
These AI, cloud, and speech providers are independent third parties. Their outages, model changes, rate limits, content filters, regional availability, or discontinuation are outside our control and can affect whether and how content is generated. See our Terms of Service for how provider changes may affect the Service.
4. Where your data lives
| Provider | What it handles |
|---|---|
| Supabase | Authentication and the database holding your profile, cards, lists, study activity, and usage counters |
| Cloudflare | API hosting, security (WAF, rate limiting, Turnstile), AI Gateway, image generation, and media storage (R2) for generated images and audio |
| OpenAI | Text generation for your lookups |
| Microsoft Azure | Speech synthesis for pronunciation audio |
| RevenueCat / Apple | Purchases and subscription status |
These providers operate globally, so your data may be processed in the United States and other countries. Where required, transfers rely on appropriate safeguards such as standard contractual clauses. We share personal data with no one else, except if required by law or to protect the rights, safety, or integrity of the Service and its users.
5. Retention and deletion
- Your account data is kept while your account is active.
- You can delete individual cards and lists in the app at any time.
- You can delete your entire account in the app or by emailing support@impressionary.org. Account deletion removes your profile, cards, lists, study activity, and usage records within 30 days from our live systems, except the minimal records described below.
- Backups. Deleted data may persist in encrypted, rolling backups for a limited period until those backups expire and are overwritten on their normal cycle. Backups are not used to restore deleted accounts and are not accessed except for disaster recovery.
- Cached and CDN media. Cached generated media (images, audio) is stored keyed by content, not by user, and may persist in our storage and in content-delivery caches after account deletion; it contains no personal information about you.
- Security and operational logs. Short-lived logs and security records (including at Cloudflare, which sits in front of our servers) are retained briefly for security, abuse prevention, and debugging, then rotate and are deleted automatically. Some provider-side logs are controlled by those providers under their own retention terms.
- Purchase and legal records. We retain the minimal records we are required to keep for legal, tax, accounting, fraud- prevention, and security reasons — including subscription and purchase history (App Store receipts and RevenueCat subscription status) — for as long as the law requires, even after account deletion.
- De-identified data. We may retain and use aggregated or de-identified data (which cannot reasonably be used to identify you) — for example, counts and quality metrics — without time limit to operate and improve the Service.
6. Your rights
Wherever you live, we extend the same rights: you can ask us to access, correct, export, restrict, or delete your personal data, and you can object to a use of it. Email support@impressionary.org and we will respond within 30 days. If you are in the EEA, UK, or a jurisdiction with a supervisory authority, you also have the right to lodge a complaint with your local data-protection authority. We do not discriminate against you for exercising any privacy right.
7. Children
The Service is not directed to children under 13 (or the higher minimum age your country sets), and we do not knowingly collect data from them. If you believe a child has created an account, contact us and we will delete it.
8. Security
Data is encrypted in transit, database access is restricted per-user via row-level security, and API access requires authentication. No system is perfectly secure; if a breach affects your personal data, we will notify you as required by law.
9. Changes to this policy
We may update this policy as the Service evolves. For material changes we will give notice in the app or by email before they take effect. The “Effective” date above always shows the current version.
10. Contact
Privacy questions and requests: support@impressionary.org.