Privacy Policy
Last updated April 16, 2026
1. Who we are and what this covers
This policy describes how VerbaLearn ("we", "us") processes personal data when you use our iOS app, iPadOS app, and web application at app.verbalearn.app (collectively, the "Service"). It is binding everywhere the Service is available.
2. Sign-in
We offer two sign-in methods: Sign in with Apple and Sign in with Google. We do not store passwords. If you lose access to your Apple ID or Google Account, recover it through Apple or Google — we cannot reset your password on their behalf.
From the identity provider we receive: a stable unique identifier, your email address (or an Apple relay address), and optionally your given/family name. We persist an internal user ID, your email for receipts and support correspondence, and the linkage between your provider identity and our user account. Apple relay emails are never used to match accounts or for marketing.
3. What we collect
- Your content. Notes, ink strokes, pages, flashcards, audio recordings, photos, and files you upload. This is the content you create inside the app.
- Account metadata. User ID, email, sign-in provider subject, session tokens, device identifier, plan and entitlement status, billing customer IDs.
- Product usage. Aggregated feature usage, route navigation, error and performance traces. We use PostHog for product analytics and Sentry for error reporting.
- Attribution. We use AppsFlyer to attribute installs and key conversion events (sign-up, trial start, paid subscribe) to the marketing source. AppsFlyer events never include your name, email, phone number, address, IP, device name, or any user-generated content.
- Billing. Payment is processed by Apple In-App Purchase, Google Play Billing, or Stripe. We never receive your card number. We receive and store Stripe/Apple/Google subscription identifiers, status, and renewal dates so we can grant or revoke access.
4. How we use it
- To operate the Service: sync your notes, render handwriting, generate flashcards, and transcribe audio.
- To provide AI features (Paaru). Your prompt and, when you select it, the associated note or file content are sent to our model provider. Transcripts of these requests are not used to train third-party models.
- To secure your account (session validation, abuse detection, cryptographic verification of billing webhooks).
- To measure product quality and marketing attribution.
- To comply with legal obligations and respond to lawful requests.
5. Who we share it with
We do not sell your personal data. We share it only with the following processors:
- AWS (hosting, database, storage, Kafka, CDN).
- Apple and Google (sign-in, App Store / Google Play In-App Purchase, APNs/FCM push).
- Stripe (web billing).
- Anthropic (Paaru AI generation).
- PostHog (product analytics), Sentry (error reporting), AppsFlyer (attribution).
6. Your rights
You can access, export, correct, or delete your data. Account deletion is available from Settings → Account → Delete account. Deletion:
- Revokes all sessions immediately.
- Disables your Apple / Google sign-in link at our Cognito user pool.
- Emits an account.deletion_requested event to our internal bus. Downstream services (notes, files, media, notifications, analytics, search indexer, realtime collaboration, paaru, entitlements) purge your data within thirty (30) days.
- Does not touch your Apple ID or Google Account. Those remain with Apple / Google.
To exercise other GDPR / CCPA rights — including a DSAR, opt-out-of-sale, or correction request — email privacy@epresciencedev.io.
7. Retention
We retain your content and account data for the life of your account. After deletion we complete the purge within 30 days. Operational backups roll off within 35 days. Billing records are retained for the period required by tax and accounting law in the relevant jurisdiction (typically 7 years for financial records).
8. Security
Data is encrypted in transit (TLS 1.2+) and at rest (AES-256). Database, object storage, and cache all use managed AWS services inside a private VPC with no public network path to the data plane. We apply least-privilege IAM and rotate keys on a schedule.
9. Children
VerbaLearn is not directed to children under 13 (or 16 in the EU / UK). If you believe a child has created an account, contact us and we will delete it.
10. Changes
We will notify you of material changes by email and in-app notice at least 30 days before they take effect. Continued use of the Service after the effective date constitutes acceptance of the updated policy.
11. Contact
Privacy questions: privacy@epresciencedev.io. General support: support@epresciencedev.io.