Privacy Policy
Last updated · 2026-06-29
Galdero Technologies Ltd ("we", "us", "our") is the data controller for personal data processed by Vocabay under UK GDPR and the Data Protection Act 2018.
1. Who we are
| Controller | Galdero Technologies Ltd |
|---|---|
| Company number | 17103268 |
| Registered office | 128 City Road, London, United Kingdom, EC1V 2NX |
| Privacy contact | hello@vocabay.com |
2. What we collect
- Account data: name, email, profile picture (from Google OAuth).
- Learning data: words you save, articles you read, review history, language preferences.
- Usage data: anonymous device identifier for users not signed in, used to meter daily quotas.
- Smart-explanation context: when you tap a word, we send the word and its surrounding sentence to our AI provider.
- Technical data: IP address, browser type, request timestamps held briefly in server logs for security and debugging.
3. Lawful bases (UK GDPR Art. 6)
- Contract: to provide the Service.
- Legitimate interests: to operate, secure, and improve the Service; to meter free-tier usage; to prevent abuse.
- Legal obligation: to comply with tax, accounting, and law-enforcement requirements.
4. Subprocessors
We share data with these subprocessors. Transfers outside the UK use Standard Contractual Clauses where required.
| Subprocessor | Role | Location |
|---|---|---|
| Supabase Inc. | Authentication + database | United States |
| OpenRouter | AI inference (word + sentence context only) | United States |
| Vercel Inc. | Hosting + content delivery | United States |
| Polar Software Inc. | Billing + subscription management; merchant of record (uses Stripe for card processing) | United States |
| Google Ireland Ltd | OAuth identity (EU/UK users) | Ireland |
| Spaceship, Inc. | Domain registrar, authoritative DNS, and Spacemail inbound routing for hello@vocabay.com | United States |
| PostHog, Inc. (EU Cloud) | Product analytics — pseudonymous usage events only (no name, no email, no content); data hosted in the EU | European Union |
| Resend, Inc. | Email delivery — sign-in links, account and billing notices, and occasional service emails (each of which carries a one-click unsubscribe) | United States |
Analytics are first-party and cookieless: we record pseudonymous product events (for example "an article was opened") keyed to the same random device identifier that meters free-tier usage. No advertising trackers, no cross-site cookies, no session recordings.
5. How long we keep your data
- Account + learning data: until you delete your account.
- Server logs: 30 days, then automatically purged.
- Quota counters: 7 days for anonymous, until account deletion for signed-in users.
- Backups: rotated within 30 days.
6. Your rights
Under UK GDPR you have the right to:
- Access: see what data we hold about you.
- Rectification: correct inaccurate data.
- Erasure: delete your account and data via Account → Delete account.
- Portability: download your saved words, progress, and review history via Account → Download my data.
- Objection: object to processing based on legitimate interests.
- Complaint to the regulator: complain to the UK Information Commissioner's Office (ico.org.uk).
Email hello@vocabay.com to exercise any of these rights. We respond within 30 days.
7. Cookies
We use cookies and localStorage to keep you signed in. No analytics, advertising, or tracking cookies.
8. Security
All traffic is encrypted in transit (TLS 1.2+). Data at rest is encrypted by our subprocessors (Supabase, Vercel). Access to production data is restricted to authorised personnel and audited.
9. Children
The Service is not directed to children under 13 (or 16 in the EEA / UK without parental consent). If you believe a child has provided us with personal data, contact hello@vocabay.com and we will delete it.
10. Changes
Material changes are announced by email or in-app notice.