Privacy Policy
Last updated June 24, 2026 · Version 1.0 · Data controller: Eric Torii (sole proprietor)
This policy explains what rikai collects, how we use it, and the choices you have. We do not sell your personal data. Questions: privacy@rikai.ai.
1. What we collect
- Account data: your email address and a display handle (via Google sign-in or email magic link). We never receive your Google password.
- Age confirmation: a date of birth or 16+ confirmation collected at sign-up to meet age requirements.
- Study data: the decks, vocabulary, and study progress you create or upload — stored so we can sync them across your devices (cloud-primary for Max).
- AI request data: the words and sentences you submit to AI features.
- Subscription data: your plan, trial status, and a Stripe customer/subscription ID. We do not store your full card number.
- Technical data: minimal logs (e.g., access and error logs) needed to run and secure the Service.
We do not sell your personal data.
2. How we use it (and legal bases for EU/UK users)
- Provide and sync the Service — performance of our contract with you.
- Generate AI study aids you request — performance of our contract.
- Process subscriptions and billing — contract / legal obligation.
- Prevent abuse and secure the Service — legitimate interests.
- Communicate about your account (e.g., trial-ending and billing emails) — contract / legitimate interests.
- Comply with legal obligations (e.g., tax, accounting) — legal obligation.
3. Sub-processors (third parties that process data for us)
We use the following providers. We rely on their Data Processing Agreements (DPAs) and, for transfers out of the EU/UK, on their Standard Contractual Clauses (SCCs) and/or Data Privacy Framework participation.
| Sub-processor | Purpose | Data involved |
|---|---|---|
| Supabase | Authentication, database, hosting of your account and study data | Email, handle, study data, age confirmation |
| Google (Gemini API) | Generates the AI sentences / definitions / meanings you request | The vocabulary / sentences you send to AI features |
| Stripe | Payment processing and subscription billing | Email, payment method (held by Stripe), subscription IDs |
| Vercel | Hosting of the app and marketing site | Technical / log data |
Important note on the AI provider (Google Gemini). On the free AI tier, content sent to the API may be used by Google to improve its models. We send only the vocabulary content you choose to process — never your password and never deliberately your identity or other personal data. To reduce this, we plan to move to a paid AI tier, where such content is not used for model training; we will update this policy when we do. Please do not submit personal, sensitive, or confidential information to AI features.
4. Storage, location, and security
Your data is stored with the providers above. We protect it with per-user access controls (Row-Level Security) so other users cannot read your data, plus reasonable technical and organizational safeguards. No system is perfectly secure.
5. International data transfers
Your data may be processed in countries other than where you live, including the United States. Where we transfer personal data from the EEA or UK, we rely on appropriate safeguards such as our providers’ Standard Contractual Clauses and/or Data Privacy Framework certifications.
6. Data retention
We keep your data while your account is active. When you delete your account, we delete or anonymize your personal data within 30 days, except records we must keep for legal, tax, or billing reasons (typically up to 7 years for financial records). Backups containing your data are purged on our regular rotation within 90 days.
7. Your rights and choices
You can edit or delete your decks at any time, and you can delete your account and associated data from Settings → Account or by contacting privacy@rikai.ai.
Depending on where you live, you may have rights to:
- Access the personal data we hold about you;
- Correct inaccurate data;
- Delete your data (“right to erasure”);
- Port / export your data;
- Object to or restrict certain processing; and
- Withdraw consent where processing is based on consent.
EU/UK (GDPR / UK GDPR): you may also lodge a complaint with your local supervisory authority. California (CCPA/CPRA): you have rights to know, delete, correct, and to opt out of “sale”/“sharing” of personal information — we do not sell or share your personal information for cross-context behavioral advertising. We will not discriminate against you for exercising your rights.
We respond to verified requests within the timeframes required by law (e.g., about 30 days under GDPR; 45 days under CCPA, extendable).
8. Breach notification
If a data breach affects your personal data, we will notify the relevant authorities and affected users as required by law (for example, within 72 hours of becoming aware, to the relevant EU/UK supervisory authority, and to affected users where required).
9. Children
rikai is not directed to children under 16 (or the local minimum digital-consent age, if higher). We do not knowingly collect personal data from children under that age. We use an age confirmation at sign-up; if we learn we have collected a child’s data without proper consent, we will delete it. If you believe a child has provided us data, contact privacy@rikai.ai.
10. Cookies and analytics
We use only the cookies/storage needed to keep you signed in and run the Service.
11. Changes to this policy
We will post updates here and update the Version and Last updated date. For material changes we will notify you in-app or by email.
12. Contact
Privacy questions or requests: privacy@rikai.ai.