Privacy Policy

1. Introduction and Scope

This Privacy Policy governs the collection, use, storage, disclosure, and protection of personal information by Surge Flashcards LLC ("we," "our," "us," or "Company") in connection with our mobile application, web application, and related services (collectively, the "Service" or "Platform").

Legal Entity: This Privacy Policy is issued by Surge Flashcards LLC, operating under applicable laws and regulations.

Jurisdiction: This Privacy Policy is designed to comply with applicable privacy and data protection laws including, but not limited to, the General Data Protection Regulation (GDPR), California Consumer Privacy Act (CCPA), Children's Online Privacy Protection Act (COPPA), and other applicable federal, state, and international data protection laws.

2. Information We Collect

2.1 Information You Provide Directly

When you create an account and use our Service, we collect:

• Account Information: Email address (required), display name (optional), password (stored encrypted)
• Profile Information: User preferences, settings, and configuration choices
• Communication Data: Messages, support requests, feedback, and correspondence with our team
• User-Generated Content: Flashcards, decks, quiz responses, study notes, and educational content you create or upload
• Team Collaboration Data: Team invitations, shared decks, and collaboration settings (Premium tier only)

2.2 Information Collected Automatically

When you access or use our Service, we automatically collect:

• Device Information: Device type, operating system, app version, device identifiers, screen resolution
• Usage Data: Pages viewed, features used, time spent, interactions with content, study sessions, quiz attempts
• Performance Data: App crashes, errors, load times, performance metrics
• Log Data: IP address, browser type, access times, referring URLs
• Location Data: General geographic location derived from IP address (not precise GPS location)
• Cookies and Similar Technologies: See Section 11 for detailed cookie information

2.3 Information from Third-Party Services

• Authentication Providers: If you sign in using third-party services (Google, Apple), we receive basic profile information as permitted by those services
• Payment Information: See Section 4 for detailed payment processing information
• AI Service Providers: Content generated through AI services (see Section 5)

3. How We Use Your Information

We use your information for the following lawful purposes:

3.1 Service Provision and Operation

• Creating and managing your account
• Providing core flashcard and study features
• Processing and fulfilling your requests
• Personalizing your learning experience
• Tracking study progress and generating analytics
• Enabling team collaboration features (Premium tier)

3.2 Communication

• Sending transactional emails (account verification, password reset, receipts)
• Providing customer support and responding to inquiries
• Sending service updates, security alerts, and important notices
• Sending promotional communications (only if you opt-in, with ability to unsubscribe)

3.3 Service Improvement and Development

• Analyzing usage patterns to improve features
• Conducting research and development
• Testing new features and functionality
• Generating anonymized, aggregated analytics

3.4 Security and Fraud Prevention

• Detecting and preventing fraud, abuse, and unauthorized access
• Monitoring for security threats and suspicious activity
• Enforcing our Terms of Service and other policies
• Protecting our rights, property, and safety

3.5 Legal Compliance

• Complying with applicable laws, regulations, and legal processes
• Responding to lawful requests from government authorities
• Protecting against legal liability

4. Payment Processing

4.1 Stripe Payment Processing

All payment transactions are processed exclusively through Stripe, Inc., a third-party Payment Card Industry Data Security Standard (PCI DSS) Level 1 certified payment processor.

Information Handled by Stripe:

• Credit card numbers, expiration dates, and CVV codes
• Billing addresses and payment method details
• Transaction history and payment records

Information We Receive from Stripe:

• Transaction confirmation and receipt information
• Last 4 digits of card number (for display purposes only)
• Payment success/failure status
• Stripe customer ID (tokenized reference)

We explicitly DO NOT:

• Store full credit card numbers
• Have access to CVV codes
• Process payment card data on our servers
• Retain payment card information after transaction completion

Stripe's privacy policy governs their collection and use of your payment information. We encourage you to review Stripe's Privacy Policy at https://stripe.com/privacy.

4.2 Purchase Information We Store

We store the following purchase-related information in our secure database:

• Subscription tier and status
• Credit purchase history (amounts and dates)
• Transaction IDs and timestamps
• Invoice and receipt information

5. Third-Party Services and Data Sharing

5.1 Service Providers We Use

Service Provider	Purpose	Data Shared
Supabase	Database hosting, authentication, backend infrastructure	Account info, user content, usage data
Stripe	Payment processing	Transaction details (NOT card data)
Anthropic (Claude)	AI content generation	User prompts, generated content (anonymized)
Grok AI (xAI)	AI content generation	User prompts, generated content (anonymized)
Firebase (Google)	Web hosting, analytics	Usage data, performance metrics
InfoLinks	Web advertising (free tier users only)	Ad impressions, clicks, device info
Unity Ads	Mobile advertising (free tier users only)	Ad impressions, clicks, device info

Data Processing Agreements: We maintain data processing agreements with all service providers that handle personal information on our behalf, ensuring they comply with applicable data protection laws.

5.2 AI Content Generation

We Do Not Share with AI Providers:

• Your name, email address, or account information
• Your payment information
• Your study progress or analytics

We May Share with AI Providers:

• Content generation prompts you submit
• Topic and subject matter requests
• Generated flashcard content

5.3 Advertising (Free Tier Users Only)

If you use the free tier of our Service, we display advertisements through InfoLinks on web and Unity Ads on mobile platforms (iOS and Android). These ad networks may:

• Collect device information and usage data
• Use cookies and similar tracking technologies
• Serve personalized advertisements based on your interests
• Track ad impressions, clicks, and interactions

Paid Tier Users: If you subscribe to a paid tier, we do not display advertisements, and ad network tracking does not apply.

Ad Network Privacy Policies:

• InfoLinks: https://www.infolinks.com/privacy-policy/
• Unity Ads: https://unity.com/legal/privacy-policy

5.4 Legal Disclosures

We may disclose your information if required by law or if we believe in good faith that such disclosure is necessary to:

• Comply with legal obligations, court orders, or valid legal processes
• Respond to claims that content violates third-party rights
• Protect the rights, property, or personal safety of Surge Flashcards, our users, or the public
• Detect, prevent, or investigate security incidents, fraud, or illegal activities
• Enforce our Terms of Service or other agreements

5.5 Business Transfers

In the event of a merger, acquisition, reorganization, sale of assets, or bankruptcy, your personal information may be transferred to the successor entity. We will provide notice before your information is transferred and becomes subject to a different privacy policy.

6. Data Storage and Security

6.1 Where Your Data is Stored

Your data is stored on secure servers provided by Supabase, which utilizes Amazon Web Services (AWS) infrastructure. Data may be processed and stored in multiple geographic locations to ensure redundancy and service availability.

6.2 Security Measures

We implement industry-standard security measures to protect your information:

• Encryption: All data is encrypted in transit (TLS/SSL) and at rest (AES-256)
• Authentication: Secure password hashing (bcrypt), multi-factor authentication support
• Access Controls: Role-based access controls, principle of least privilege
• Monitoring: 24/7 security monitoring, intrusion detection systems
• Regular Audits: Periodic security assessments and vulnerability testing
• Backups: Regular automated backups with secure, encrypted storage
• Incident Response: Documented procedures for security incident response

6.3 Data Breach Notification

In the event of a data breach that compromises your personal information, we will:

1. Investigate the breach and assess the impact within 72 hours
2. Notify affected users via email within the timeframe required by applicable law
3. Report the breach to relevant regulatory authorities as required
4. Take immediate remedial action to prevent further unauthorized access
5. Provide information about steps you can take to protect yourself

7. Data Retention and Deletion

7.1 Retention Periods

We retain your information for as long as necessary to fulfill the purposes outlined in this Privacy Policy, unless a longer retention period is required or permitted by law.

Data Type	Retention Period	Reason
Account Information	Duration of account + 90 days after deletion	Service provision, legal compliance
User Content (Flashcards, Decks)	Duration of account + immediate deletion upon request	Service provision
Transaction Records	7 years	Tax and financial compliance
Support Communications	3 years	Customer service, dispute resolution
Analytics Data (Anonymized)	Indefinite	Service improvement (cannot be linked to individuals)
Security Logs	1 year	Security monitoring, fraud prevention

7.2 Account Deletion

You may request deletion of your account at any time by:

• Using the account deletion feature in the app (Profile > Settings > Delete Account)
• Emailing us at legal@surgeflashcards.com with your deletion request

7.3 Data You Can Delete

You can delete the following data directly from the app at any time:

• Individual flashcards and decks
• Quiz history and results
• Study progress data
• Account settings and preferences

8. Your Rights and Choices

8.1 Access and Correction

You have the right to:

• Access: Request a copy of the personal information we hold about you
• Correction: Update or correct inaccurate personal information
• Review: Review and verify the accuracy of your data

To exercise these rights, email us at legal@surgeflashcards.com or use the in-app settings.

8.2 Data Portability

You have the right to receive a copy of your personal information in a structured, commonly used, and machine-readable format.

8.3 Opt-Out Rights

• Marketing Communications: Unsubscribe from promotional emails using the unsubscribe link in any marketing email
• Cookies: Manage cookie preferences through your browser settings (see Section 11)
• Advertising: Upgrade to a paid tier to remove advertisements

8.4 California Residents (CCPA Rights)

If you are a California resident, you have additional rights under the California Consumer Privacy Act (CCPA):

• Right to Know: Request disclosure of personal information collected, used, and shared
• Right to Delete: Request deletion of personal information (subject to exceptions)
• Right to Opt-Out: We do not sell personal information, so this right does not apply
• Right to Non-Discrimination: We will not discriminate against you for exercising your CCPA rights

To exercise CCPA rights, email legal@surgeflashcards.com with "CCPA Request" in the subject line.

8.5 European Residents (GDPR Rights)

If you are located in the European Economic Area (EEA), United Kingdom, or Switzerland, you have rights under the General Data Protection Regulation (GDPR):

• Right of Access: Obtain confirmation of data processing and access to your data
• Right to Rectification: Correct inaccurate or incomplete data
• Right to Erasure: Request deletion of your data (subject to legal exceptions)
• Right to Restrict Processing: Limit how we process your data
• Right to Data Portability: Receive your data in a portable format
• Right to Object: Object to processing based on legitimate interests
• Right to Withdraw Consent: Withdraw consent for processing at any time
• Right to Lodge a Complaint: File a complaint with your local data protection authority

Legal Basis for Processing (GDPR):

• Contract Performance: Processing necessary to provide our Service
• Legitimate Interests: Service improvement, security, fraud prevention
• Legal Obligation: Compliance with applicable laws
• Consent: Marketing communications, cookies (where required)

9. International Data Transfers

Surge Flashcards operates globally. Your information may be transferred to, stored, and processed in the United States and other countries where our service providers operate.

Data Transfer Safeguards:

• We use Standard Contractual Clauses (SCCs) approved by the European Commission
• We ensure service providers implement adequate security measures
• We comply with applicable data protection laws regarding international transfers

10. Children's Privacy (COPPA Compliance)

Our Service is NOT intended for children under the age of 13. We do not knowingly collect personal information from children under 13.

If you are under 13: Do not use our Service, create an account, or provide any personal information.

If you are a parent or guardian: If you believe your child under 13 has provided personal information to us, please contact us immediately at legal@surgeflashcards.com. We will promptly delete such information.

Users aged 13-17: If you are between 13 and 17 years old, you should review this Privacy Policy with your parent or guardian and obtain their permission before using our Service.

11. Cookies and Tracking Technologies

11.1 What Are Cookies?

Cookies are small text files stored on your device that help us provide and improve our Service. We use cookies and similar tracking technologies (web beacons, pixels, local storage) to collect usage information.

11.2 Types of Cookies We Use

Cookie Type	Purpose	Duration
Essential Cookies	Authentication, security, core functionality	Session / Persistent
Analytics Cookies	Usage statistics, performance monitoring	Persistent (up to 2 years)
Advertising Cookies	Ad delivery and tracking (free tier only)	Persistent (up to 1 year)
Preference Cookies	Remembering your settings and preferences	Persistent (up to 1 year)

11.3 Managing Cookies

You can control cookies through your browser settings:

• Block all cookies
• Allow only first-party cookies
• Delete cookies after each session
• Receive notifications before cookies are set

Note: Blocking essential cookies may prevent you from using certain features of our Service.

11.4 Third-Party Cookies

Third-party services we use (InfoLinks, Unity Ads, Google Analytics) may set their own cookies. We do not control these cookies. Please review the privacy policies of these third parties.

12. Do Not Track Signals

Some browsers support "Do Not Track" (DNT) signals. Our Service does not currently respond to DNT signals because there is no industry standard for how to interpret them. If a legal standard for DNT is established, we will update our practices accordingly.

13. Changes to This Privacy Policy

We may update this Privacy Policy periodically to reflect changes in our practices, legal requirements, or Service features.

How We Notify You of Changes:

• Posting the updated Privacy Policy on our website and in the app
• Updating the "Last Updated" date at the top of this document
• Sending email notification for material changes
• Displaying a prominent in-app notice for significant changes

14. Contact Information and Data Protection Officer

15. Dispute Resolution and Governing Law

Any disputes arising from this Privacy Policy or our data practices shall be governed by the laws of the jurisdiction specified in our Terms of Service, without regard to conflict of law principles.

EU/EEA Residents: You have the right to lodge a complaint with your local supervisory authority if you believe we have violated your data protection rights.

16. Limitations of Liability

17. Severability

If any provision of this Privacy Policy is found to be unenforceable or invalid, that provision will be limited or eliminated to the minimum extent necessary, and the remaining provisions will remain in full force and effect.