Privacy Policy

1. Who we are

The data controller is the operator of the Practice app. For privacy-related questions, contact us at privacy@practiceapp.io. For users in the EEA / UK, the same address serves as the contact point for our Data Protection Officer.

EU representative (GDPR Article 27). The Practice operator is established outside the European Union. An EU representative is being appointed; in the meantime, EU residents may direct GDPR-related requests to privacy@practiceapp.io, which is monitored and treated as the equivalent contact point. We will update this section with the representative's name and address once appointed.

2. Data we collect

We collect four categories of data:

• Account data — email address, name, profile picture, authentication credentials (password hash or passkeys).
• Learning content — flashcards, decks, study schedules, quiz answers, learning progress, voice recordings (only when you actively record), images you upload, and content you publish to the creator marketplace.
• Technical data — device model, operating system, app version, IP address, anonymous device identifier, crash logs, performance metrics, and a small sample (~1%) of session recordings for debugging purposes (you can opt out in Settings → Privacy).
• Creator-attribution fingerprint (short-lived) — if you visit a Creator's page on our website before installing the app, we record a server-side fingerprint with a 30-day TTL so we can attribute your install to the introducing Creator after you sign in. The fingerprint stores a truncated IP prefix (/24 for IPv4 or /48 for IPv6 — never the full IP), a normalized user-agent string, your device class, screen dimensions, timezone, and locale. See §3 for how this is used.

3. How we use your data

We use your data to (a) operate the Service, (b) personalize learning, (c) process purchases and creator payouts, (d) detect fraud, (e) comply with legal obligations, and (f) improve the Service.

We do not use your data for advertising. We do not sell your personal data. We do not use your voice recordings or learning content to train AI models.

No personalized pricing. We do not personalize prices based on your personal data — all users see the same prices for the same products.

How discovery decisions are made. Our discovery surfaces (search results, recommended creators, suggested decks) use a small set of transparent signals: which creators you have explicitly opened, how long you have been on the Platform (see Creator Agreement §13 for the 12-month subscriber-isolation grace period), the popularity and recency of content, and the language of your active workspace. We do not build behavioural advertising profiles. We do not use AI to predict personal traits, sexual orientation, political views, health status, or any other special category of personal data about you.

Pre-install Creator attribution. If you visited a Creator's page on our website before installing the app, the anonymized fingerprint described in §2 is compared with the device that installs the app, and the closest match (if any) is recorded as that Creator introducing you to the Platform. After you sign in, this attribution record is linked to your account. We use it only to (a) apply the Creator Agreement §13 subscriber-isolation grace period so that the introducing Creator's content shows in your feed first and (b) calculate the introducing Creator's payout share when you make a purchase. We never use it for advertising, never share it with ad networks, and never join it with third-party data. The pre-install fingerprint itself is purged after 30 days; only the resolved Creator-to-user link is retained on your account. You can avoid attribution by visiting Creator pages from a different browser, in private/incognito mode, or with tracking-protection enabled.

4. Legal basis for processing

We process your personal data on the legal bases set out in GDPR Article 6 and equivalent provisions in the UK GDPR, the Ukrainian Law on Personal Data Protection No. 2297-VI, and other applicable laws:

• Performance of a contract — for creating and operating your account, providing the learning service, processing your purchases, delivering published content you buy from creators, and processing creator payouts. Without this processing we cannot provide the Service.
• Consent — for optional anonymous diagnostics (sampled session recording at ~1%, your IP address, and your user-agent string sent to our third-party crash-reporting provider) and any marketing communications you opt into. We disclose IP collection in advance because EU/UK case law treats IP addresses as personal data (CJEU Breyer, 2016). We ask for your explicit choice via a one-time in-app prompt after sign-in; you may also change it at any time via Settings → Legal → Share anonymous diagnostics, or by emailing privacy@practiceapp.io. Withdrawal does not affect processing that took place before the withdrawal.
• Legitimate interests — for security, fraud prevention, debugging crash reports, protecting the rights of other users, and improving the Service. We have assessed in each case that our interest does not override your fundamental rights and freedoms.
• Legal obligation — for retaining tax-relevant payout records (creator marketplace), responding to lawful government and law-enforcement requests, and complying with consumer-protection law.

5. Service providers we share data with

We share the minimum necessary data with the following processors, each bound by a data processing agreement:

A complete list of our current service providers, including company names and the regions in which they process data, is available on request to privacy@practiceapp.io.

• Cloud database provider — stores your account data, learning content, payments, and creator records; powers real-time sync across devices.
• Authentication infrastructure — handles email/passkey login and session tokens.
• Media storage and delivery network — stores and serves audio recordings and images you upload.
• Crash reporting and performance monitoring service — receives error traces, device info, IP address, and approximately 1% session sampling.
• AI text-to-speech provider — generates audio narration from text you submit.
• Mobile app store payment processors — handle iOS and Android in-app purchases.
• Web payment processor — handles web checkout and creator monetization payouts; acts as Merchant of Record. Also holds creator identity verification (KYC) documents on our behalf — we never see these documents.
• Mobile over-the-air update service — delivers app updates without store re-submission.

6. How long we keep your data

We retain active account data for as long as your account exists. Inactive accounts are deleted after three years of no sign-in (with a notice email at 30 months). Payment receipts are retained for 5–10 years for tax compliance. Crash logs are retained for 90 days; session recordings for 30 days.

Creator payout records and tax documentation are retained for at least 10 years to comply with applicable tax law.

When you delete your account, your data is deleted or anonymized within 30 days, except records we are legally required to retain.

7. Your rights

You have the right to access, correct, delete, restrict, port, and object to processing of your data. EU/UK users may lodge a complaint with their local Data Protection Authority. California users have rights under the CCPA/CPRA, including the right to know, delete, and opt out of any sale of personal information (we do not sell data).

To exercise these rights, email privacy@practiceapp.io. We respond within 30 days. For data portability specifically, you can tap here to download your data as JSON immediately from inside the app — no email needed.

Scope of the data export. The in-app export covers data we hold on our servers. Content you have not synced to our cloud — for example, unpublished folders, flashcards, and audio recordings stored only on your device — does not pass through our servers and therefore cannot be included in the export. The Service does not currently offer cloud backup or cross-device sync for unpublished local Content (see Terms of Service §4). If you need this data, recover it through your device's standard backup mechanism (iCloud, Google Drive, etc.) before uninstalling or resetting the device, or publish it through the creator marketplace to bring it into your account's server-side record.

To delete your account, go to Settings → Account → Delete Account in the app.

Right to human review of automated decisions. If an account suspension, content removal, or payout withholding decision affecting you was assisted by automated systems, you can request a review by a human at privacy@practiceapp.io or support@practiceapp.io. We respond within 30 days. This mirrors your rights under GDPR Article 22 and equivalent provisions in the UK GDPR.

8. Security

We protect your data with TLS 1.3+ encryption in transit for new connections (with TLS 1.2 fallback only where legacy clients require it), and encryption at rest. Authentication tokens are stored in your device’s secure keychain (iOS Secure Enclave / Android KeyStore). We use Apple App Attest and Google Play Integrity to validate device authenticity.

If we become aware of a personal data breach affecting you, we will notify you and the relevant Data Protection Authority within 72 hours, as required by GDPR Article 33.

9. International data transfers

Some of our service providers process data outside the EEA/UK. We rely on Standard Contractual Clauses (SCCs) approved by the European Commission and, where applicable, the EU-US Data Privacy Framework.

10. Children

The Service is intended for users aged 13 and over, or the higher minimum age set under the data-protection law of your country of residence (for example, 16 in some EU member states under GDPR Article 8 unless that state has lowered the age). We do not knowingly collect data from children below the applicable minimum age. If you believe we have collected data from a child below the applicable minimum age, please contact privacy@practiceapp.io and we will delete it promptly.

11. Creator marketplace

If you publish content as a creator, other users may purchase access. We share with you only aggregated, anonymized purchase counts and earnings — we do not share individual buyers' identities, email addresses, or personal data.

If you buy content from a creator, the creator does not learn your identity. Only the purchase event is recorded, without your personal data attached, in the creator's dashboard.

If you publish content as a creator, separate terms apply to you under the Creator Agreement, which governs revenue sharing, taxes, content rules, and your responsibilities as a creator. You can read it from Settings → Legal → Creator Agreement in the app.

12. Changes to this policy

We may update this Privacy Policy from time to time. Material changes will be announced in the app or by email at least 30 days before they take effect. Continued use of the Service after the effective date constitutes acceptance.