Privacy Policy

Effective Date: May 9, 2026

1. Introduction

Island Cookie Shop LLC ("we", "us") respects your privacy. This Privacy Policy outlines what data we collect, why we collect it, and how we handle it. We operate on a principle of "Data Minimization"—we only collect what is strictly necessary to provide the Service.

2. Information We Collect

  • Email Address: Required to deliver your audit results and provide customer support.
  • User Content (Flashcards): The .apkg files you upload. These contain your flashcard text, images, audio, and scheduling data.
  • Payment Information: Processed entirely by Stripe. We do not store or see your full credit card number.
  • Technical Data: IP addresses and browser headers (required for security and fraud prevention via Cloudflare).

3. Analytics

We use Vercel Web Analytics to understand website traffic and performance. This tool is cookie-free and designed to respect user privacy.

  • No Personal Profiling: It does not track your browsing history across other websites.
  • Data Minimization: It collects anonymized metrics (e.g., browser type, geography, page load speeds). Visitor IPs are anonymized and not stored permanently.
  • No "Consent Banner" Needed: Because this data is anonymized and strictly necessary for benchmarking our site's performance, it typically does not require a "Cookie Consent" opt-in.

4. How We Use Data

  • To Provide the Service: We process your flashcards to generate "QualityScores" and audit reports.
  • Communication: We use your email to send: (a) your audit results (Transactional); and (b) occasional updates or newsletters about the Service (Marketing). You may unsubscribe from Marketing emails at any time.

5. Data Retention

  • Raw Uploads: We automatically interpret and delete your raw .apkg files from our processing servers within 30 days of upload.
  • Anonymized Data: We may retain indefinitely (a) aggregated, anonymized statistics derived from your User Content (e.g., "Average score for Anatomy cards"); and (b) de-identified text excerpts, structural transformations, and underlying factual concepts derived from your User Content. This anonymized data is essential for maintaining our global card registry, improving the "QualityScore" algorithm, conducting internal research, and powering related educational tools, features, and services across our platform. It cannot be linked back to you and is not used to train third-party generative AI models.
  • Email Records: We retain email addresses indefinitely to maintain a record of your audit history, unless you request deletion.

6. Third-Party "Sub-Processors"

We share specific data with the following trusted third-party vendors to operate the Service:

  • Google Cloud (GCP/Vertex AI): AI Model Inference & Compute (Iowa, US).
  • Supabase: Database hosting (Ohio, US).
  • Cloudflare & Vercel: Security (DDoS protection), DNS, and Hosting (Global Edge Network).
  • Vercel Analytics: Website traffic measurement and performance monitoring (Data is anonymized).
  • Stripe: Payment processing.
  • Upstash: Rate limiting and caching.
  • Resend: Sending transactional and marketing emails.

7. International Transfers

The Service is hosted in the United States. If you access the Service from the European Union (EU) or other regions, you acknowledge and consent to your data being transferred to and processed in the United States, which may have different data protection laws than your jurisdiction.

8. Children's Privacy

The Service is not intended for children under 13. We do not knowingly collect data from children under 13. Given that we do not require accounts or verify IDs, we rely on our Terms of Service Age Restriction (18+). If a parent discovers their child has provided us with personal information, please contact us to have it deleted.

9. Your Privacy Rights (GDPR, CCPA, & Other Privacy Laws)

We operate under the principle of data minimization and strive to extend core privacy rights to all our users, regardless of their geographic location.

  • For European Economic Area (EEA) and UK Users (GDPR): We process your personal data under specific "Lawful Bases." Processing your email and uploaded files is necessary for the performance of a contract (delivering the audit Service you requested). We rely on our legitimate business interests to cache anonymized data to improve site performance, maintain security, and prevent fraud. Under the GDPR, you have the right to access, rectify, erase, restrict, or object to our processing of your personal data, as well as the right to data portability.
  • For California Residents (CCPA/CPRA): While Island Cookie Shop LLC may not currently meet the statutory revenue or data-volume thresholds that strictly mandate CCPA compliance, we voluntarily grant you the right to know what personal information we collect, the right to request its deletion, and the right to non-discrimination for exercising these rights. We explicitly do not sell or "share" (for cross-context behavioral advertising) your personal information to third parties.
  • Exercising Your Rights: To request the deletion of your email, raw uploaded files, or cached data, or to exercise any of the rights listed above, please contact us via our Contact Page.