Vocua

Privacy Policy

Version 1.2 — Last updated: March 6, 2026

1. Data Controller

The data controller for Vocua is Mago Negrón, Vienna, Austria. You can reach us at contact@vocua.com.

2. Data We Collect

We collect the following categories of personal data:

  • Account data: Name, email address, and hashed password when you register.
  • User content: Note types, notes, flashcard data, decks, and uploaded files (images, audio) that you create within the Service.
  • Study data: Card review history, spaced repetition progress, and study session statistics.
  • API keys: If you use the Bring Your Own Key (BYOK) feature, we store your third-party API keys (e.g., Google Gemini, OpenAI). These keys are encrypted at rest using AES-256-GCM and are never exposed in API responses — only a boolean indicator of whether a key is saved is returned to the client.
  • Technical data: IP address, browser user agent, and session tokens for authentication and security purposes.
  • Consent records: When you acknowledge the cookie disclosure banner, we record your consent (timestamp and type) for compliance purposes.

3. Legal Basis for Processing (GDPR Art. 6)

We process your personal data based on the following legal grounds:

  • Contract performance (Art. 6(1)(b)): Processing necessary to provide the Service to you, including account management, data storage, and study features.
  • Legitimate interest (Art. 6(1)(f)): Security measures, abuse prevention, platform administration, error monitoring, and service improvement.
  • Consent (Art. 6(1)(a)): For optional features like AI-powered autofill via BYOK. You can withdraw consent at any time by removing your API key in Settings.

4. How We Use Your Data

We use your data to:

  • Provide and maintain the Service
  • Authenticate your identity and secure your account
  • Store and display your flashcard content
  • Calculate spaced repetition schedules
  • Process AI requests when you use BYOK (your data is sent to your chosen AI provider)
  • Send transactional emails (password reset, email verification)
  • Monitor errors and crashes to improve service reliability
  • Monitor platform usage and manage user accounts for service administration purposes
  • Prevent abuse through rate limiting

5. Third-Party Services

We use the following third-party services (sub-processors) to operate Vocua. We do not share your data with third parties for advertising or marketing purposes.

  • Maileroo — Transactional email delivery (password reset, email verification). Receives your email address only when triggered by account actions.
  • S3-compatible object storage (MinIO) — File storage for uploaded images and audio files. Files are stored on European infrastructure.
  • Sentry — Error monitoring and crash reporting. May receive IP addresses, browser information, and error context to help us diagnose and fix issues.
  • Polar — Payment processing (future). Polar acts as Merchant of Record and handles EU VAT compliance. Will receive your email and payment details when you subscribe to a paid plan.
  • Google Gemini / OpenAI — AI content generation, only when you provide your own API key via the BYOK feature. Your flashcard content is sent to your chosen provider to generate suggestions. This transfer is initiated by you and governed by the respective provider's privacy policy.

6. Data Storage and Security

Your data is stored in a PostgreSQL database hosted on a European VPS. We use industry-standard security measures including:

  • Encrypted connections (HTTPS/TLS) for all data in transit
  • Hashed passwords using secure algorithms
  • Secure session management via Better Auth
  • AES-256-GCM encryption for BYOK API keys stored in the database
  • Uploaded files stored in S3-compatible object storage on European infrastructure
  • Rate limiting on sensitive endpoints for abuse prevention

Authorized administrators may access user accounts for debugging and support purposes. Such access is logged, time-limited, and conducted solely to diagnose issues or provide user assistance.

7. Data Retention

We retain your data for as long as your account is active. When you delete your account (via Settings > Account > Delete Account), all your data is permanently deleted, including:

  • Note types, notes, decks, and study progress
  • All uploaded files (images, audio) are purged from S3 storage
  • API keys and user settings
  • Consent records and session data

Soft-deleted records (e.g., items you delete during normal use) are permanently purged when you delete your account. Session data is automatically cleaned up upon expiration.

8. Your Rights (GDPR)

Under the General Data Protection Regulation (GDPR), you have the following rights:

  • Right of access (Art. 15): Request a copy of your personal data. You can export all your data in JSON format via Settings > Account > Export Data.
  • Right to rectification (Art. 16): Correct inaccurate data via your account settings.
  • Right to erasure (Art. 17): Delete your account and all associated data at any time via Settings > Account > Delete Account. This permanently removes all data including uploaded files from S3 storage.
  • Right to data portability (Art. 20): Export your data in a machine-readable JSON format via Settings > Account > Export Data.
  • Right to restrict processing (Art. 18): Request that we limit how we use your data.
  • Right to object (Art. 21): Object to processing based on legitimate interest.
  • Right to withdraw consent (Art. 7(3)): Withdraw consent for optional features (e.g., BYOK) at any time without affecting the lawfulness of prior processing.

To exercise any of these rights, contact us at contact@vocua.com. You also have the right to lodge a complaint with the Austrian Data Protection Authority (Datenschutzbehörde) at www.dsb.gv.at.

9. Cookies and Local Storage

We use only essential cookies and local storage required for the Service to function:

  • Session cookie: Maintains your authenticated session.
  • Theme preference: Stores your light/dark mode choice in localStorage.
  • Sidebar state: Stores sidebar open/closed preference in localStorage.
  • Cookie consent acknowledgment: Stores your cookie disclosure acknowledgment in localStorage (vocua-cookie-consent).

We do not use analytics cookies, tracking cookies, or any third-party cookies. A cookie disclosure banner is displayed on your first visit to inform you about our use of essential cookies. When you acknowledge the banner, your consent is recorded for compliance purposes.

10. International Data Transfers

Your core data (account, content, study progress) is stored on European infrastructure. International data transfers may occur in the following cases:

  • BYOK AI providers: If you use the BYOK feature with a US-based AI provider (e.g., OpenAI), your flashcard content may be transferred to servers outside the EU/EEA. This transfer is based on your explicit consent when you configure and use the BYOK feature. You can stop this transfer at any time by removing your API key.
  • Sentry: Error reports may be processed on Sentry's infrastructure, which may include servers outside the EU/EEA. This is based on our legitimate interest in maintaining service reliability.

11. Children's Privacy

The Service is not intended for children under 16 years of age. We do not knowingly collect personal data from children under 16. If you believe a child has provided us with personal data, please contact us and we will delete it.

12. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of material changes by posting the updated policy on this page and updating the version number and "Last updated" date. Your continued use of the Service after changes constitutes acceptance of the updated policy.

13. Contact

For any privacy-related questions or to exercise your rights, contact us at contact@vocua.com.