WordForests

Privacy Policy

How account, learning, moderation, analytics, billing, device, and support data are collected, used, protected, and removed.

Expanded for launch review - Effective June 4, 2026

Controller and contact

This Privacy Policy explains how the product team operating the service collects, uses, shares, protects, and removes data for the web app, native apps, support channels, billing flows, and Trust and Safety operations. The public contact channel is the primary way to reach the operator for privacy, safety, support, and account-deletion questions.

Account data

The service collects and uses account identifiers, email address, authentication provider details, email-verification state, session records, profile details, preferences, locale settings, and legal-acceptance records. This information is used to create and secure accounts, keep preferences in sync, show the right product state, and confirm that users have accepted the current Terms and Privacy Policy before protected actions.

Learning, content, and safety data

Course activity, course enrollments, review sessions, review states, review events, submitted answers, progress data, learning preferences, dictionary contributions, course material, examples, public profile details, reports, blocks, moderation decisions, and audit records are used to provide spaced repetition, course discovery, learner history, dictionary workflows, safety review, and account-level controls. Review analytics stay private to the learner unless a future sharing feature asks for explicit consent.

Billing data

Billing and subscription data can include plan status, provider customer identifiers, checkout sessions, billing portal links, invoices, payment events, refunds, failed-payment state, app-store transaction identifiers, entitlement state, and RevenueCat customer records. Stripe processes web purchases. RevenueCat, StoreKit, Apple App Store, Google Play Billing, and Google Play process native subscriptions. The service stores only the subscription state needed to resolve access, support users, reconcile purchases, prevent fraud, and satisfy legal or accounting obligations.

Device, usage, and diagnostics

Device, usage, and diagnostic data can include browser or app platform, app version, request metadata, error reports, performance data, analytics events, and security logs. This data is used to keep the service reliable, investigate abuse, improve launch quality, debug billing or account issues, and monitor for suspicious activity. Sentry or similar diagnostics tooling may process error and performance data when enabled.

How data is used

Data is used to provide the app, personalize review and course workflows, secure accounts, prevent fraud and abuse, process payments, resolve subscriptions, deliver email, provide support, moderate content, enforce the Terms, investigate reports, improve reliability, run aggregate analytics, comply with law, and respond to privacy, safety, billing, or store-review requests.

Processors and providers

The service relies on infrastructure and service providers to operate. These may include hosting and database providers, Vercel, Stripe, RevenueCat, Apple App Store, Google Play Billing, Resend, OAuth providers, Sentry when enabled, email providers, analytics providers, and support or security tooling. Providers are used for app functionality, authentication, billing, email delivery, diagnostics, hosting, analytics, fraud prevention, moderation, support, and legal compliance.

Cookies and analytics

The service uses necessary authentication, security, session, preference, and locale cookies or local storage so users can sign in, stay signed in, keep settings, and use the app. Vercel Web Analytics may provide cookieless aggregate usage analytics when enabled. The service does not use ad tracking, cross-context behavioral advertising cookies, or sell personal information for advertising unless the Privacy Policy is updated and the product changes to support that behavior.

Retention, deletion, and controls

Account deletion is available from account settings, and privacy or deletion support is available through the public contact channel. Deletion is designed to remove or anonymize user-owned settings, sessions, enrollments, review sessions, review states, review events, submitted answers, local billing links, auth provider records, and dictionary proposal or audit references where the service no longer needs them. Some billing, security, legal-acceptance, abuse-prevention, Trust and Safety, tax, accounting, or legal records may be retained for the period needed for that purpose. Backup copies may persist for a limited time before normal rotation removes them.

Privacy rights

Depending on where a user lives, privacy rights may include access, correction, deletion, portability, restriction, objection, withdrawal of consent where processing is based on consent, and the right to complain to a regulator. The service will honor applicable rights requests after reasonable identity verification and will explain when a request cannot be completed because the data is needed for security, billing, legal compliance, or another legitimate purpose.

Security

The service uses technical and organizational safeguards intended to protect account, billing, learning, and safety data, including authentication, authorization, audited admin operations, production env validation, and limited access to operational records. No internet service can promise perfect security. Users should protect their login credentials and contact support promptly if they believe an account has been compromised.

Children and age baseline

The service is intended for a general audience aged 13 and older and is not directed to children under 13 or to a Kids Category/Families audience. If a parent or guardian believes a child under 13 has provided personal information, they should contact support so the account can be reviewed and removed where appropriate.

Policy changes

This Privacy Policy may be updated as the product, providers, analytics, billing flows, safety processes, legal requirements, or store requirements change. Material updates should be communicated through the product, public policy pages, email, or support channel where practical. The effective date shows which version is currently being used for legal acceptance.

Privacy requests and contact

Privacy questions, account-deletion follow-up, data access, portability, correction, deletion, restriction, or objection requests can be sent through the public contact channel using the email address on the account. Requests that affect account data may require identity verification before action is taken. Standard requests are reviewed within 30 days unless a shorter or longer period is required by law.

support@wordforests.com