Effective Date: [DATE]
This Privacy Policy explains how Thaively ("Thaively," "we," "us," or "our") collects, uses, and protects your information when you use thaively.com (the "Service").
Account Information. When you create an account, we collect your email address, a username, and any other information you provide (such as a display name), stored and managed through our authentication provider, Supabase.
Payment Information. If you subscribe to a paid tier, payment is processed by Stripe. We do not directly collect or store your full credit card number; Stripe handles this in accordance with its own security standards and privacy policy. We retain limited billing metadata (such as subscription status, a Stripe customer identifier, and billing history) needed to manage your account.
Learning and Usage Data. We collect information about how you use the Service in order to operate spaced-repetition scheduling and improve the product. This includes which levels and items you learn and review, your review answers and accuracy, review timestamps, streaks, daily goals, and achievements. We also keep a log of individual review events (item, correctness, and time) to power your progress statistics.
Content You Provide. If you save personal content within the Service (such as custom notes or memory aids attached to vocabulary items) or send us feedback or support messages, we store that content.
Analytics Data. We use PostHog, a product analytics service, to understand how the Service is used. PostHog collects events such as page views, sign-ups, lesson and review completions, paywall views, and subscription starts and cancellations, along with technical information like browser type and device information. When you are logged in, these events are associated with your account identifier so we can understand usage across sessions. We do not use analytics data for third-party advertising.
Device and Log Information. Like most web services, our hosting provider (Vercel) and other infrastructure may automatically log technical information such as IP address, browser type, and access times for security and operational purposes. We also log failed login attempts (including the identifier used and IP address) for a short period to protect accounts against brute-force attacks.
Cookies and Similar Technologies. We use cookies or similar technologies that are necessary for the Service to function, such as keeping you logged in, and cookies or local storage used by PostHog for analytics as described above. You can control cookies through your browser settings, though disabling essential cookies may prevent you from logging in.
We use the information we collect to:
Where laws such as the GDPR apply, we rely on the following legal bases: performance of our contract with you (providing the Service and processing payments), our legitimate interests (improving and securing the Service), your consent where required (for example, for non-essential cookies where applicable), and compliance with legal obligations.
We do not sell your personal information, and we do not share your personal information for cross-context behavioral advertising.
We share information with the following third parties as necessary to operate the Service:
Each of these providers has its own privacy practices governing data they process on our behalf. We only share the minimum information necessary for these providers to perform their function.
We retain your account information for as long as your account is active. If you delete your account, we will delete or anonymize your personal information within a reasonable period, except where we are required to retain certain records (such as billing and tax records) for legal or accounting purposes. Security logs, such as failed login attempts, are retained only briefly.
Depending on your location, you may have rights to access, correct, delete, or export your personal information, or to object to or restrict certain processing. You can delete your account and associated data through your account settings. To exercise your other rights, or if you need help with deletion, contact us at contact@thaively.com. We will respond within a reasonable timeframe and, where a specific legal deadline applies, within that deadline.
If you are located in the European Economic Area, United Kingdom, or a jurisdiction with similar data protection laws (e.g., GDPR, UK GDPR), you also have the right to lodge a complaint with your local data protection authority. If you are a California resident, you may have additional rights under the California Consumer Privacy Act (CCPA/CPRA), including the right to know what personal information is collected, the right to request deletion, and the right not to be discriminated against for exercising these rights.
Thaively is not directed at children under 13, and we do not knowingly collect personal information from children under 13. If you believe a child under 13 has provided us with personal information, contact us at contact@thaively.com and we will take steps to delete it.
We use commercially reasonable measures to protect your information, including access controls, row-level security on our database, login rate limiting, and the security infrastructure of our providers (Supabase, Stripe, Azure, Vercel, PostHog). No method of transmission or storage is 100% secure, and we cannot guarantee absolute security.
Our service providers may process and store data in countries other than your own, including the United States. Where required by applicable law, we rely on appropriate safeguards for such transfers, such as our providers' standard contractual clauses or equivalent mechanisms.
We may update this Privacy Policy from time to time. If we make material changes, we will provide notice (such as posting an update on the Service or emailing registered users). The "Effective Date" above reflects the most recent revision.
Questions about this Privacy Policy or your personal information can be sent to contact@thaively.com.