Vocua

Privacy Policy

Last updated: February 2, 2026

1. Data Controller

The data controller for Vocua is [Your Name], [Your Address], Vienna, Austria. You can reach us at contact@vocua.com.

2. Data We Collect

We collect the following categories of personal data:

  • Account data: Name, email address, and hashed password when you register.
  • User content: Templates, entries, flashcard data, collections, and uploaded files (images, audio) that you create within the Service.
  • Study data: Card review history, spaced repetition progress, and study session statistics.
  • API keys: If you use the Bring Your Own Key (BYOK) feature, we store your third-party API keys (e.g., Google Gemini, OpenAI) to provide AI features.
  • Technical data: IP address, browser user agent, and session tokens for authentication and security purposes.

3. Legal Basis for Processing (GDPR Art. 6)

We process your personal data based on the following legal grounds:

  • Contract performance (Art. 6(1)(b)): Processing necessary to provide the Service to you, including account management, data storage, and study features.
  • Legitimate interest (Art. 6(1)(f)): Security measures, abuse prevention, and service improvement.
  • Consent (Art. 6(1)(a)): For optional features like AI-powered autofill via BYOK. You can withdraw consent at any time by removing your API key in Settings.

4. How We Use Your Data

We use your data to:

  • Provide and maintain the Service
  • Authenticate your identity and secure your account
  • Store and display your flashcard content
  • Calculate spaced repetition schedules
  • Process AI requests when you use BYOK (your data is sent to your chosen AI provider)
  • Send password reset emails when requested

5. Third-Party Services

When you use the BYOK feature, your flashcard content may be sent to third-party AI providers (Google Gemini, OpenAI) to generate suggestions. This data transfer is initiated by you and governed by the respective provider's privacy policy. We do not share your data with third parties for advertising or marketing purposes.

6. Data Storage and Security

Your data is stored in a PostgreSQL database. We use industry-standard security measures including encrypted connections (HTTPS), hashed passwords, and secure session management via Better Auth. API keys stored via BYOK are kept in the database and are never exposed in API responses — only a boolean indicator of whether a key is saved is returned to the client.

7. Data Retention

We retain your data for as long as your account is active. When you delete your account (via Settings), all your data — including templates, entries, collections, study progress, uploaded files, and API keys — is permanently deleted. Session data is automatically cleaned up upon expiration.

8. Your Rights (GDPR)

Under the General Data Protection Regulation (GDPR), you have the following rights:

  • Right of access (Art. 15): Request a copy of your personal data.
  • Right to rectification (Art. 16): Correct inaccurate data via your account settings.
  • Right to erasure (Art. 17): Delete your account and all associated data at any time.
  • Right to data portability (Art. 20): Request your data in a machine-readable format.
  • Right to restrict processing (Art. 18): Request that we limit how we use your data.
  • Right to object (Art. 21): Object to processing based on legitimate interest.
  • Right to withdraw consent (Art. 7(3)): Withdraw consent for optional features (e.g., BYOK) at any time without affecting the lawfulness of prior processing.

To exercise any of these rights, contact us at contact@vocua.com. You also have the right to lodge a complaint with the Austrian Data Protection Authority (Datenschutzbehörde) at www.dsb.gv.at.

9. Cookies

We use only essential cookies required for the Service to function:

  • Session cookie: Maintains your authenticated session.
  • Theme preference: Stores your light/dark mode choice in localStorage (not a cookie).
  • Sidebar state: Stores sidebar open/closed preference.

We do not use analytics cookies, tracking cookies, or any third-party cookies. No cookie consent banner is required as we only use strictly necessary cookies (per GDPR and the Austrian TKG 2021).

10. International Data Transfers

If you use the BYOK feature with a US-based AI provider (e.g., OpenAI), your flashcard content may be transferred to servers outside the EU/EEA. This transfer is based on your explicit consent when you configure and use the BYOK feature. You can stop this transfer at any time by removing your API key.

11. Children's Privacy

The Service is not intended for children under 16 years of age. We do not knowingly collect personal data from children under 16. If you believe a child has provided us with personal data, please contact us and we will delete it.

12. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of material changes by posting the updated policy on this page and updating the "Last updated" date. Your continued use of the Service after changes constitutes acceptance of the updated policy.

13. Contact

For any privacy-related questions or to exercise your rights, contact us at contact@vocua.com.