Last updated: 10 March 2026
Effective date: 10 April 2026
Vocab Magnet is committed to protecting your privacy. This policy explains what data we collect, how we use it, and what rights you have over it.
We only collect the minimum amount of personal data necessary to operate the service (data minimization principle).
You can use Vocab Magnet without providing any personal data by signing up as a Guest. No email address, name, or any other identifying information is collected.
To preserve your progress, you can link your Guest account to Google or Facebook at any time from your profile page. Once linked, your data is retained under the rules for registered accounts.
This data is collected for both permanent and guest accounts, but for Guests it is tied only to an anonymous ID.
This data is only collected when you use the feedback form, which is accessible from most pages. We don't attach any information about your current session.
Provision of data: For registered accounts, your email address, timezone, and learning data are necessary to create an account and provide the core service. Without this information, we cannot offer you a linked Vocab Magnet account. Guest accounts require no directly identifying personal data - only anonymous session data is stored.
Under the General Data Protection Regulation (GDPR), we must have a valid legal basis for each processing activity. Below we explain the purposes and the corresponding legal bases.
Your learning data powers Vocab Magnet's core functionality - spaced repetition, streak tracking, and personalised study sessions. This applies to both Guest and registered accounts.
Legal basis: Performance of a contract (Art. 6(1)(b) GDPR) - necessary to deliver the service you have requested.
Paddle handles subscription billing. We only see your subscription status and a Paddle customer reference ID to manage your subscription - not your payment details or address.
Legal basis: Performance of a contract (Art. 6(1)(b) GDPR) - necessary to fulfil your paid subscription.
When you use our contact form, we use your email and message to help resolve your issue and reply to you. No account or session information is collected when you use the contact form.
Legal basis: Legitimate interest (Art. 6(1)(f) GDPR) - responding to user inquiries and providing support.
Privacy-friendly, pseudonymized analytics that do not directly identify users (via Umami) help us understand which features are used and where to focus development.
Legal basis: Legitimate interest (Art. 6(1)(f) GDPR) - improving our service based on aggregated, non‑personal usage data.
We do not use automated decision‑making, including profiling, that produces legal or similarly significant effects concerning you.
We do not:
We do not sell your data to anyone. We work with the following trusted third-party providers to operate Vocab Magnet. Each has been selected for GDPR compliance.
Vercel hosts the Vocab Magnet application and provides built‑in analytics tools. All data is encrypted in transit and at rest.
Stores your account, learning progress, and custom words. All data is encrypted at rest and in transit. Also handles anonymous Guest sessions.
Handles all subscription billing as our Merchant of Record. Paddle is PCI DSS compliant. We never see or store your payment details.
Provides secure login. Facebook does not share your password with Vocab Magnet.
Provides secure login. Google does not share your password with Vocab Magnet.
Protects anonymous Guest account creation from bot signups and abuse. hCaptcha processes certain technical data (such as IP address and browser information) to determine whether a request is made by a human user. We never store this data.
Transmits contact form messages securely to our support team. Formcarry stores form submissions temporarily on servers located in Frankfurt, Germany, before forwarding them to our email.
We use Umami Cloud, a privacy-focused analytics service, to understand how visitors use our site. Umami is cookieless, does not track individuals across websites, and is designed with strong privacy protections and GDPR considerations. Analytics data is pseudonymized and designed to avoid identifying individual users.
Vocab Magnet does not use tracking cookies or advertising cookies.
Some infrastructure providers may use essential cookies that are required for security, authentication, and basic service functionality. These cookies are strictly necessary for the operation of the website and cannot be disabled.
Our analytics tools (Vercel Web Analytics and Umami) operate without tracking cookies and are designed to avoid identifying individual users.
If required by law (e.g., via court order or subpoena), we may be required to disclose your data to government agencies or courts. We will notify you of such requests unless legally prohibited from doing so.
Vocab Magnet is based in Germany. Some of our service providers operate outside the European Union:
All such transfers are protected by appropriate safeguards, including the EU Standard Contractual Clauses (2021/914) approved by the European Commission, ensuring your data receives equivalent protection regardless of where it is processed.
When you sign out of a Guest account, your session is immediately invalidated and you can no longer access it. Any associated data records (learning progress, custom words) are permanently purged from our database within 30 days of your last activity, as part of our routine anonymous account cleanup process. This data cannot be recovered after sign-out. If you wish to export your learning data, you must do so before signing out (see Section 6). If you wish to make your learning data permanent, you must link your account to Google or Facebook, which can be done from your profile settings page.
We retain all your learning data, custom words, and account information as long as your account exists. This data is essential for the service to function.
When you delete your account, we initiate permanent removal of your data within 30 days. Residual copies may remain in our backups for up to 90 days, after which they are permanently erased. You may delete your account at any time from your account settings. Please note that if you have an active Premium subscription, you must cancel it before deleting your account. You can do this from your profile settings page.
For security and operational integrity, we maintain an internal log of account deletion events (e.g. the date an anonymous account was cleaned up). For anonymous accounts, this log does not contain any personal data — only the timestamp and type of event. For registered accounts, it may contain the account's email address. This log is used solely for debugging and abuse prevention and is not shared with any third party.
We use two privacy-focused analytics tools to understand how the application is used and to improve the service:
When you use our contact form, the data you provide is sent to us via email through Formcarry, which acts as our data processor. Formcarry stores form submissions temporarily on servers located in Frankfurt, Germany, before forwarding them to our email. We do not store the submission data in any database. The email containing your inquiry is kept only as long as needed to respond and resolve your request, and is deleted within 90 days after the matter has been resolved, unless we are legally required to retain it. Formcarry may retain access and security logs for up to 30 days for security and debugging purposes, after which they are deleted. For more information on how Formcarry handles your data, please see their Privacy Policy.
As a user - particularly within the European Union - you have the following rights under the General Data Protection Regulation (GDPR):
You can request a copy of all data we hold about you.
You can correct or update inaccurate personal data at any time.
You can request deletion of your account and all associated data ("Right to be Forgotten"). For Guest accounts, signing out immediately invalidates your session, and all remaining data is purged within 30 days.
You may request a copy of your User Content (learning data, custom words) at any time. We will provide your data in a commonly used, machine‑readable format within 30 days of your request. This right applies to both registered and Guest accounts - for Guests, you must request the export before signing out, as data is purged within 30 days of your last activity. If a self‑service export feature becomes available, we will notify users accordingly.
You can object to processing of your data, including for analytics. Since our analytics are pseudonymized and do not directly identify individuals, no directly identifying personal data is involved in that processing. For essential service data (account, learning progress), the right to object does not apply because processing is necessary for the contract. If you still wish to opt out of analytics, you can use browser extensions that block analytics scripts or contact us for assistance.
You may lodge a complaint with your local supervisory authority. In Germany this is the data protection authority of your federal state.
To exercise any of these rights, contact us at contact@vocabmagnet.com. We will respond within 30 days as required by GDPR.
All data in transit uses HTTPS. Data at rest in Supabase is encrypted with AES-256 and in transit via TLS.
Supabase's Row-Level Security (RLS) policies ensure you can only access your own data, not any other user's. This applies to both registered and Guest accounts.
We use industry-standard OAuth 2.0 via Google and Facebook. Your password is managed by Google and Facebook; we never store it. Guest accounts use anonymous sessions managed entirely by Supabase with no credentials required.
While we implement reasonable security measures, no system is entirely immune to risk. We select reputable providers and require appropriate security measures, but breaches affecting third-party infrastructure are ultimately controlled by those providers. We will never ask for your password or sensitive information.
In the event of a data breach that is likely to result in a risk to your rights and freedoms, we will notify you and the relevant supervisory authority within 72 hours, as required by law.
Vocab Magnet is not intended for children under 16. We do not knowingly collect personal data from children under 16. If we become aware that we have inadvertently collected such data, we will delete it immediately.
Parents or guardians who believe their child has provided personal data to us should contact us at contact@vocabmagnet.com.
If you have questions about this Privacy Policy or wish to exercise your rights, please contact us:
Controller
João Victor Kalva Tavares
Rykestraße 24, 10405 Berlin
Germany
Website
www.vocabmagnet.com
Country
Germany
Response Time
Typically within 5-7 business days. GDPR requests are handled within 30 days.
For payment-related inquiries, you may also contact Paddle directly at paddle.com.
If you are a resident of California, the California Consumer Privacy Act (CCPA) provides you with additional rights regarding your personal information. This section applies only to California residents.
To exercise your CCPA rights, please contact us at contact@vocabmagnet.com. We will verify your request using the information associated with your account, or by other means if necessary. You may also designate an authorized agent to make a request on your behalf.
We may update this Privacy Policy from time to time. If we make material changes, we will notify you by email or through an in‑app notice at least 30 days in advance. The date at the top of this policy will always show when it was last updated.