Privacy Policy

Version 2026-05-28 · Effective 2026-05-28

Privacy Policy

SUFX (“we”, “us”) respects your privacy. This policy explains what personal data we collect when you use our mobile application, how we use it, and what rights you have.

At a glance

We collect your email, the learning content you create, and basic device information.
We do not sell or share your data for advertising; we do not track you across other apps.
AI features process your submitted text only to give you the answer — we do not use it for training.
You can export or delete your data at any time from the in-app settings.
Primary user data is stored in the European Union (Germany), under GDPR.

Operator

SUFX is operated by Ilia Gavrichenko, a private individual based in Hungary.

Postal address: 1024 Budapest, Kapas utca 21, Hungary
Contact: [email protected]

Data we collect

Account data — email address, display name, profile picture (when you sign in with Google or Apple). If you sign in with Apple and choose Apple’s private email relay, we receive only a per-app relay address.
Subscription data — your subscription status and product identifier, received from the App Store or Google Play via RevenueCat. We do not receive your payment card details.
Learning data — vocabulary you save, review history, essay drafts, and other progress you choose to record in the app.
Device data — device platform (iOS or Android), application version, language preference, and time zone, used to operate the service.
Push-notification tokens — Expo push tokens (format ExponentPushToken[...]) issued to your device by the Expo SDK at install time, used to send the reminders you enable in app settings. Expo internally maps these to APNs (iOS) or FCM (Android) device tokens when delivering each notification.
Diagnostic data — crash reports and performance traces, processed by Sentry to keep the service reliable.

How we use your data and legal basis

Purpose	Legal basis (GDPR Art. 6)
Operating the SUFX learning platform and personalising your experience	Contract performance (Art. 6(1)(b))
Sending transactional messages (email verification, password reset, deletion confirmation, security notices)	Contract performance (Art. 6(1)(b))
Sending marketing communications (feature announcements, learning tips, promotional offers)	Consent (Art. 6(1)(a)) — opt-in only, withdrawable at any time
Monitoring service health, preventing abuse, securing the service	Legitimate interest (Art. 6(1)(f))
Optional AI-assisted features (Ask AI, essay feedback, automatic translation)	Contract performance (Art. 6(1)(b))

We do not sell or share your personal data for advertising. We do not perform automated decision-making with legal or similarly significant effects on you (e.g., we do not deny services, set prices, or make hiring decisions through automated profiling). SUFX itself does not use your submitted text (Ask AI prompts, essay drafts, vocabulary notes) to train any machine-learning or AI models.

Data residency

Primary user data (account information, learning content, subscription status, push-notification tokens) is stored on servers physically located in the European Union, operated by Hetzner Online GmbH (Germany). We deliberately choose EU-based hosting to minimise international transfers of personal data and to keep your data under GDPR jurisdiction.

Third-party processors

We share the minimum necessary data with the following processors, each bound by a data-processing agreement (or equivalent contractual safeguards) that restricts use to operating SUFX on our behalf:

Hetzner Online GmbH (Germany) — hosting and storage. Primary user data resides here.
Sendinblue / Brevo (France) — transactional email delivery. Receives recipient email address, message subject, and body for the specific transactional message being sent.
RevenueCat, Inc. (USA) — subscription management. Receives the store purchase token from the App Store or Google Play, a pseudonymous app-user identifier mapped to your SUFX account, and standard subscription metadata (product ID, expiration date, renewal status, country). We never receive or process your payment-card details — these stay with Apple or Google.
Sentry (Functional Software, Inc.) (USA) — error monitoring and performance traces. Receives stack traces of unhandled errors, Prisma database-query spans (parametrised SQL with no parameter values), GraphQL operation names, and pseudonymous user context: your internal SUFX user ID, role (USER/ADMIN), and emailVerified flag. We do not transmit email addresses, request bodies, cookies, IP addresses (Sentry’s sendDefaultPii is disabled), or any learning content to Sentry. Business-level errors are filtered out before transmission.
OpenAI, L.L.C. (USA) — AI-assisted features (Ask AI, essay feedback). Only the text fragments you submit to those features are processed. OpenAI does not use this data to train its models, per the OpenAI API Data Usage Policy.
DeepL SE (Germany) — automatic translation. When you use translation features, the text fragment you submit is sent to DeepL. DeepL does not retain submitted text after translation per its Pro API data-processing terms.
PostHog, Inc. (EU instance, hosted in Frankfurt, Germany) — pseudonymous product analytics, used to understand which features are used and to improve the service. We use the EU cloud of PostHog so that analytics events remain within the EU/EEA.
650 Industries, Inc. (Expo / Expo Application Services) (USA) — push-notification relay. Our backend sends push notifications through the Expo push service, which acts as a relay that converts our messages into the format required by Apple Push Notification service (APNs) for iOS and Firebase Cloud Messaging (FCM) for Android, then forwards them downstream. Expo receives the Expo push token (an opaque identifier issued by Expo to your device) and the notification payload (title, body, and any custom data we attach for in-app navigation). We deliberately do not include sensitive learning content (such as full lemma definitions, essay text, or personal notes) in push payloads — payloads contain only short reminder text such as “You have cards to review today”.
Apple Inc. (USA) — (a) Sign in with Apple identity provider. When you sign in with Apple, we receive your name (only on the first sign-in, if you choose to share it) and either your email address or a per-app Apple private email relay (if you choose to hide your email). (b) Downstream push transport (APNs), reached via Expo, for delivery to iOS devices.
Google LLC (USA) — (a) Sign in with Google identity provider. When you sign in with Google, we receive your email address, display name, and profile picture URL from your Google account. (b) Downstream push transport (Firebase Cloud Messaging / FCM), reached via Expo, for delivery to Android devices.

International data transfers

While primary user data is stored in the EU (Hetzner, Germany), some sub-processors are based in the United States (RevenueCat, Sentry, OpenAI, Apple, Google, Expo). Transfers of personal data outside the EU/EEA rely on the EU-US Data Privacy Framework (where the processor is self-certified) or on Standard Contractual Clauses approved by the European Commission, in line with GDPR Chapter V. Where additional safeguards are required (e.g., supplementary technical measures under Schrems II case-law), we implement them.

Data retention

We retain your account data while your account exists. When you delete your account, the data is removed on the schedule described in the Account Deletion Policy. Diagnostic data is retained for up to 90 days; transactional-email logs for up to 12 months. Anonymised aggregate metrics, which contain no personal identifiers, may be retained indefinitely for service-quality analysis.

Children’s privacy

SUFX is not directed to children under the minimum age of digital consent in your country (13 in the United States under COPPA; 16 in Hungary and most of the EU under GDPR Article 8, unless your country has set a lower age between 13 and 16). We do not knowingly collect personal data from such children. If you believe a child has provided us data, contact [email protected] and we will delete it.

Sensitive data

SUFX does not knowingly collect or process special categories of personal data under GDPR Article 9, including data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade-union membership, genetic or biometric data, health data, or data concerning sex life or sexual orientation.

Please do not submit such information through the Ask AI feature, essay drafts, or vocabulary notes. If you do, we will treat it as ordinary personal data and process it only to provide the requested feature.

App Tracking Transparency (Apple)

SUFX does not track you across other apps or websites owned by other companies. We do not request access to your device’s IDFA (Identifier for Advertisers) through Apple’s App Tracking Transparency framework because we have no need to. Our analytics is limited to product-improvement metrics gathered within the SUFX app only.

Your rights

Under GDPR you can:

Access the data we hold about you.
Rectify inaccurate data.
Erase your data (“right to be forgotten”).
Restrict processing in certain cases.
Port your data to another service in a machine-readable format.
Object to processing based on legitimate interest.
Withdraw consent at any time, where processing is based on consent.
Opt out of marketing. You can unsubscribe from marketing emails using the link in each marketing message, or by emailing [email protected]. Transactional messages (email verification, password reset, security and deletion notices) cannot be opted out of while your account exists, as they are necessary to operate your account.

To exercise any right, contact [email protected] from your registered email. You can also access, export, or delete your data from the in-app settings.

Data breach notification

If we become aware of a personal-data breach that is likely to result in a risk to your rights and freedoms, we will:

notify the Hungarian Data Protection Authority (NAIH) without undue delay and, where feasible, within 72 hours, per GDPR Article 33;
notify affected users without undue delay if the breach is likely to result in a high risk to your rights and freedoms, per GDPR Article 34;
document the facts, effects, and remedial actions taken.

Supervisory authority

You have the right to lodge a complaint with a data-protection authority. In Hungary this is the Nemzeti Adatvédelmi és Információszabadság Hatóság (NAIH) — naih.hu. Residents of other EU/EEA countries may complain to their local DPA.

California residents (CCPA / CPRA)

If you are a California resident, you additionally have the right to know, delete, and correct your personal information, and to opt out of the sale or sharing of personal information. We do not sell or share personal information as those terms are defined under the CCPA/CPRA.

Changes

We may update this policy. The current version is always available at /legal/privacy-policy. When changes are material, we will notify you through the app before they take effect.

Contact

Questions about this policy go to [email protected].