repeat.cards logorepeat.cards

Privacy Policy

Last updated: 2026-05-01

This page explains what data repeat.cards collects when you use the service, why we collect it, who else sees it, and what you can do about it. We've kept the language plain on purpose — if anything is unclear, write to us at [email protected].

What we collect

Account information

When you create an account, we store:

  • Your email address (required to sign in and to send you essential emails).
  • A hashed version of your password if you signed up with a password — we never store the password itself in readable form.
  • If you signed up with Google Sign-In, we additionally store the first and last name that Google sends us as part of the sign-in. We use it to greet you in the app — nothing else. We don't ask you for your name in the email-and-password sign-up form.

Settings and preferences

Things you choose in your profile and settings — your timezone (used to schedule daily review reminders at a sensible local hour), your daily new-card and review limits, your preferred AI model and voice, your reminder schedule. These are stored alongside your account.

Your flashcards and learning data

Everything you create inside the app:

  • Decks and the cards inside them — words, translations, example sentences, mnemonics.
  • Audio files and images attached to your cards (those you uploaded or that we generated for you using AI).
  • Your training history — when you reviewed each card, how you rated it, what the FSRS spaced-repetition algorithm thinks your next review should be.
  • Statistics derived from the above (cards due today, daily streaks, etc.).

AI keys and AI usage

If you choose to use AI features (generating mnemonics, audio, example sentences, or images), you provide your own OpenAI or Google AI API key. We store that key in your account so the app can call the AI provider on your behalf when you click an AI button. We never share or reuse your key. If you remove it from your settings, it's deleted from our database.

Email verification and reminders

When you register, we send a verification email. If you opt in to daily review reminders, we send a single email per day at the time you choose. Both go through a transactional email provider.

Analytics

We use Google Analytics to understand which pages people use and where the app is slow. It sets cookies and may collect your IP address (anonymized), browser, device type, country-level location, and the pages you visit. We do not use this for ad targeting.

Cookies and session tokens

We use the following types of cookies and stored tokens:

  • Authentication tokens. When you sign in, we store an access token and a refresh token in your browser so you don't have to log in on every page. These are essential for the service.
  • Analytics cookies. Set by Google Analytics, see above.

We do not use advertising cookies, third-party tracking pixels, or social sharing widgets that track you across sites.

Why we collect it

We use your data only to:

  • Provide the flashcard service — store your decks, schedule your reviews, train you.
  • Generate AI content when you request it (using your own API key).
  • Send essential transactional emails (verification, password reset, opt-in reminders).
  • Understand and improve the product (anonymized usage analytics).
  • Detect abuse and keep the service available for everyone.

We do not sell your data to anyone. We do not use your flashcard content to train any AI model. We do not share your account information with advertisers.

Who else sees your data

We use a small number of third-party services to run repeat.cards. The following providers may process some of your data on our behalf:

  • OpenAI and Google AI — when you click an AI button, the relevant card text is sent to whichever provider matches the API key you set. The call is billed to your key. These providers have their own privacy policies.
  • Google Cloud Text-to-Speech — when you generate audio for a card, we send the text to Google Cloud TTS to synthesize the audio file, which we then store in your deck.
  • Google Analytics — usage data, as described above.
  • Email provider — to send transactional emails (verification, reminders, password resets).
  • Hosting provider — our servers and database run on a hosting platform that processes data on our behalf.

We may also disclose data if required by law (court order, legal subpoena, regulatory request). If that happens, we'll push back on overbroad requests where we can.

Where your data lives

Your account, decks, cards, and training history live in a PostgreSQL database. Generated audio and image files live in object storage. Backups are encrypted at rest.

When you use AI features, your card text travels to OpenAI or Google AI servers. The AI provider's own privacy policy and data-processing terms apply to that flow.

How long we keep it

  • Account and learning data — for as long as your account exists. If you delete your account, we delete everything within 30 days, except where law requires us to retain certain records.
  • Email logs — up to 90 days for delivery troubleshooting.
  • Analytics data — retained per Google Analytics defaults (currently 14 months).
  • Backups — rolled over on a 30-day cycle.

Your rights

If you live in the EU, EEA, UK, or another GDPR-aligned jurisdiction, you have:

  • The right to access — ask us what data we hold about you.
  • The right to correction — fix anything that's wrong. Most fields you can correct yourself in your profile.
  • The right to deletion — delete your account and all associated data.
  • The right to data portability — get your data in a machine-readable format.
  • The right to object — opt out of any processing based on our legitimate interests (analytics, for example).
  • The right to withdraw consent — for anything we do based on consent (e.g. opt-in email reminders).
  • The right to lodge a complaint — with your local data protection authority.

To exercise any of these rights, email [email protected] from the address associated with your account. We'll respond within 30 days.

Children

repeat.cards is not directed at children under 16. If you're under 16, please don't create an account without your parent or guardian's permission. If we learn we have collected data from a child without proper consent, we'll delete it.

Changes to this policy

If we change this policy in a material way, we'll update the “Last updated” date at the top and email registered users about the change. Smaller editorial changes (typos, clarifications) may go in without notification.

Questions

Email [email protected]. We read every message.