Privacy Policy for Final Phase

Effective Date: 09.04.2025

1. Introduction

Welcome to Final Phase ("Final Phase," "we," "us," or "our"). We are committed to protecting your privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our Progressive Web Application (PWA) and related services (collectively, the "Service").

Please read this Privacy Policy carefully. By using the Service, you agree to the terms of this Privacy Policy. If you do not agree with the terms, please do not access or use the Service.

We reserve the right to make changes to this Privacy Policy at any time. We will alert you about any changes by updating the "Effective Date" of this Privacy Policy.

2. Information We Collect

We may collect information about you in a variety of ways. The information we may collect via the Service includes:

• Personal Data: Personally identifiable information received from third-party authentication providers if you register/log in via them. This may include your name, email address, and public profile information associated with your GitHub account or Google account, depending on the permissions you grant during the authentication process.
• User Content: Information and content you create, upload, or generate within the Service, such as the text on your flashcards, set details, study plans, reminders, review logs, focus session data, and any notes or information submitted for processing by our AI features. For logged-out users, this content is stored locally on your device using IndexedDB (via Dexie.js). For logged-in users, this content is stored both locally and synchronized with our secure, self-hosted database (using Supabase software on Hetzner infrastructure) for backup and cross-device access.
• Usage Data: Information automatically collected when you access and use the Service, such as your IP address (potentially anonymized depending on configuration), browser type, operating system, access times, pages viewed, features used, study session duration, spaced repetition progress, referral sources, screen size, language, country, and other interaction data. We utilize Umami Analytics, a privacy-focused analytics service, to gather this information to understand usage patterns and improve the Service. Umami is designed to anonymize data where possible and may not use cookies depending on its configuration.
• Device Data: Information about the computer or mobile device you use to access the Service, such as device model, operating system version, and browser type.
• Push Notification Subscription Data: If you grant permission, we collect and store your web push notification subscription object (provided by your browser) in our secure, self-hosted database (using Supabase software on Hetzner infrastructure). This object contains an endpoint URL and keys necessary to send you push notifications but does not directly identify you personally beyond this subscription context.
• Data Collected by Cookies and Similar Technologies: We may use cookies, web beacons, local storage, and other similar technologies to help customize the Service and improve your experience. This helps us understand usage patterns and maintain your session.
• Payment Data: If you subscribe to our Premium plan, we use a third-party payment processor (Stripe) to handle payments. We do not directly collect or store your full payment card details. Stripe provides us with confirmation of payment and potentially limited information like the last four digits of your card number and expiration date for verification and account management purposes. You should review Stripe's Privacy Policy to understand how they handle your payment information.
• Data Processed by AI: When you use AI features (like generating flashcards, set descriptions, study plans, or review summaries), the relevant User Content (such as topics, existing card summaries, set details, learning preferences, and user prompts) is sent to Google's AI API (such as Google Gemini or Vertex AI) for processing to generate the requested output.

3. How We Use Your Information

Having accurate information permits us to provide you with a smooth, efficient, and customized experience. Specifically, we may use information collected about you via the Service to:

• Create and manage your account.
• Provide, operate, and maintain the Service, including core features like flashcards, spaced repetition, and study plans.
• Synchronize your User Content between your local device storage (IndexedDB) and our cloud database (using Supabase software on Hetzner infrastructure) if you are logged in, enabling backup and cross-device access.
• Process your content using our AI features to generate flashcards, study plans, or other requested outputs.
• Provide and display user statistics and study progress.
• Send you push notifications (e.g., study reminders) if you have opted-in.
• Process payments for Premium subscriptions via our third-party payment processor.
• Respond to your comments, questions, and provide customer support.
• Monitor and analyze usage and trends to improve the Service and user experience using tools like Umami Analytics.
• Maintain the security and integrity of our Service.
• Notify you about updates to the Service or changes to our policies.
• Comply with legal obligations.

4. Disclosure of Your Information

We do not sell your personal information. We may share information we have collected about you in certain situations:

• With Service Providers: We may share your information with third-party vendors, consultants, and other service providers who perform services for us or on our behalf. This includes:
  • Authentication Providers: If you register or log in using a third-party service like GitHub or Google, we share information with and receive information from that service as required to authenticate your account. This interaction is governed by GitHub's and Google's policies. You can review Google's Privacy Policy and GitHub's Privacy Statement.
  • Analytics Providers: We use Umami Analytics to understand how our Service is used. Umami collects usage data as described in Section 2. You can learn more about Umami's privacy practices here.
  • Database and Backend Software: We utilize the open-source Supabase platform for backend functionalities like user authentication management and database services (Postgres).
  • AI Processing Partners: (Google Cloud AI / Gemini API) ... (Refined description) To provide AI-powered features, we send the relevant User Content (e.g., topics, card summaries, prompts) to Google's AI services. Google processes this data solely to provide the AI functionality back to you through our Service. Review Google AI/Cloud privacy terms.
  • Notification Service: We use browser-native Web Push technology and our self-hosted backend infrastructure (using Supabase software) to send notifications to users who have subscribed. This involves using the stored subscription endpoints.
  • Hosting Provider: Our Service infrastructure, including the self-hosted database and backend (using Supabase software), is primarily hosted within the European Union by Hetzner. You can review Hetzner's Data Privacy information.
  • Other service providers for functions like website hosting (if different), customer service, and email delivery. These providers will only have access to your information to the extent necessary to perform their functions.
• With Payment Processors: We share necessary transaction information with Stripe to process your payments when you subscribe to Premium. You should review Stripe's Privacy Policy.
• By Law or to Protect Rights: If we believe the release of information about you is necessary to respond to legal process, to investigate or remedy potential violations of our policies, or to protect the rights, property, and safety of others, we may share your information as permitted or required by any applicable law, rule, or regulation.
• Business Transfers: We may share or transfer your information in connection with, or during negotiations of, any merger, sale of company assets, financing, or acquisition of all or a portion of our business to another company.

5. Security of Your Information

We use administrative, technical, and physical security measures to help protect your personal information. While we have taken reasonable steps to secure the personal information you provide to us, please be aware that despite our efforts, no security measures are perfect or impenetrable, and no method of data transmission can be guaranteed against any interception or other type of misuse. Any information disclosed online is vulnerable to interception and misuse by unauthorized parties. Therefore, we cannot guarantee complete security if you provide personal information.

6. Data Retention

We will retain your personal information and user content for as long as your account is active or as needed to provide you the Service, comply with our legal obligations, resolve disputes, and enforce our agreements. You can delete your account and associated data by contacting us.

Local Data: User Content stored locally in your browser's IndexedDB persists until you manually clear your browser data, uninstall the PWA, or use the "Clear Local Data" option within the app's settings. Clearing local data does not affect data stored in the cloud for your account.

Cloud Data: For logged-in users, synchronized data is retained in our self-hosted cloud database (using Supabase software on Hetzner infrastructure) as long as your account is active.

Account Deletion: You can delete your account through the app's settings or by contacting us. Account deletion is permanent and will remove your personal information and associated User Content from our self-hosted cloud database (using Supabase software on Hetzner infrastructure). Locally stored data on your devices will not be automatically removed by this action but will no longer sync.

7. Your Data Rights

Depending on your location (e.g., GDPR, CCPA), you may have certain rights regarding your personal information, such as:

• The right to access the personal information we hold about you.
• The right to request correction of inaccurate personal information.
• The right to request deletion of your personal information.
• The right to object to or restrict processing of your personal information.
• The right to data portability.

To exercise these rights, please contact us using the contact information provided below. We will respond to your request within a reasonable timeframe and in accordance with applicable laws.

Notification Preferences: You can manage push notification permissions through your browser or operating system settings at any time. You can also use the "Unsubscribe" functionality if provided within the app to remove your subscription endpoint from our database.

8. Policy for Children

Our Service is not intended for use by children under the age of 13 (or a higher age threshold if required by applicable law, such as 16 in the EEA). We do not knowingly collect personal information from children under this age. If we learn that we have collected personal information from a child under the relevant age without verification of parental consent, we will take steps to delete that information.

9. Third-Party Websites and Services

The Service uses and may contain links to third-party websites or services that are not affiliated with us. This includes our payment processor (Stripe), our analytics provider (Umami), our AI processing provider (Google Cloud AI / Gemini API), our authentication providers (GitHub, Google), and our infrastructure hosting provider (Hetzner). We utilize the open-source Supabase platform, which we self-host on Hetzner. We are not responsible for the privacy practices of these third parties. We encourage you to review their respective privacy policies.

10. Contact Us

If you have questions or comments about this Privacy Policy, please contact us at:

support@finalphase.app