Privacy Policy

Effective Date: April 26, 2026 · Last Updated: April 26, 2026

WordEdge ("we," "us," "our") is a vocabulary learning application operated by Amandeep Singh. This privacy policy explains what personal data we collect, why we collect it, how we store it, and your rights regarding that data.

By using WordEdge, you agree to the collection and use of information in accordance with this policy.

1. Information We Collect

1.1 Information You Provide

Data	When Collected	Purpose
Email address	Account creation / login	Authentication (OTP delivery), account identification
Display name	When you set it in your profile (optional)	Shown on your profile and used for greetings inside the app

1.2 Information Generated Through Use

Data	Description	Purpose
Quiz responses	Which words you answered correctly or incorrectly	Tracking learning progress and selecting which words to surface next
Learning statistics	Words learned and accuracy aggregates	Personal progress tracking shown on your dashboard and profile
Daily challenge data	Which daily challenges you completed and your scores	Daily challenge feature functionality

1.3 Information Collected Automatically

Data	Description	Purpose
IP address	Your device's IP address when making API requests	Rate limiting, abuse prevention, security logging
Request metadata	Timestamp, user agent, request path	Security monitoring, debugging

We do not collect:

Location data
Device identifiers (IDFA, AAID)
Contact lists or phone numbers
Photos, camera, or microphone data
Browsing history outside of WordEdge
Financial or payment information

2. How We Use Your Information

We use the collected information for these purposes only:

Authentication: Your email address is used to send one-time login codes (OTP). We do not use passwords.
App functionality: Quiz data and learning statistics power the core learning features of the app.
Security: IP addresses and request metadata are used for rate limiting, brute force prevention, and detecting unauthorized access.
Debugging: Request logs help us diagnose and fix technical issues.

We do not:

Sell your personal data to third parties
Use your data for advertising or ad targeting
Share your data with data brokers
Use your data to build profiles for purposes outside of WordEdge
Send marketing emails (the only emails are OTP login codes)

3. How We Store Your Information

3.1 Storage Infrastructure

All WordEdge data is stored in Cloudflare D1 databases, which are SQLite-based serverless databases operated by Cloudflare, Inc.

Encryption at rest: All data in D1 is encrypted at rest automatically.
Encryption in transit: All data transmitted between the app and our servers is encrypted using TLS 1.2 or later.
Data region: Our databases are located in the ENAM (East North America) region.
Access control: Only the WordEdge application server can access the database. There is no public database endpoint.

3.2 Token and Session Security

Login sessions use JSON Web Tokens (JWT) with limited validity periods.
Session tokens can be revoked at any time.
OTP codes expire after 5 minutes and are single-use.

4. Who Has Access to Your Data

Who	What Access	Why
You	Your own profile, quiz history, and statistics	Normal app usage
WordEdge administrator	All user data via admin dashboard	Technical support, system maintenance, abuse investigation
Cloudflare, Inc.	Infrastructure-level access to encrypted data	Hosting provider (see Section 6)
Mailgun (Sinch)	Your email address and OTP code	Email delivery service (see Section 6)

No other parties have access to your data. We do not share data with analytics providers, advertising networks, or other third parties.

5. Data Retention

Data Type	Retention Period	Deletion Method
User account (email, display name)	Until you delete your account	User-initiated account deletion
Quiz and learning data	Until you delete your account	Cascade-deleted with account
Learning statistics	Until you delete your account	Cascade-deleted with account
OTP codes (used or expired)	24 hours after use/expiry	Automatic cleanup
Session tokens (expired or revoked)	30 days after expiry/revocation	Automatic cleanup
Rate limit records	24 hours	Automatic cleanup
API request logs	90 days	Automatic cleanup

6. Third-Party Services

WordEdge uses the following third-party services:

6.1 Cloudflare, Inc.

Purpose: Application hosting (Cloudflare Workers), database hosting (Cloudflare D1), CDN, DDoS protection, TLS certificates.
Data shared: All application data passes through Cloudflare infrastructure.
Privacy policy: cloudflare.com/privacypolicy

6.2 Mailgun (Sinch Email)

Purpose: Sending OTP login codes via email.
Data shared: Recipient email address and email content (which contains the OTP code).
Privacy policy: mailgun.com/legal/privacy-policy

We do not use any analytics, tracking, advertising, or social media integration services.

7. Your Rights

7.1 Right to Access

You can view all your personal data within the app: your profile information, learning statistics, and quiz history.

7.2 Right to Correction

You can update your display name at any time via the profile screen. Your email address can be changed by contacting us directly.

7.3 Right to Deletion (GDPR Article 17)

You can request complete deletion of your account and all associated data. Upon deletion:

Your user account, email, and display name are permanently deleted.
All quiz data, learning progress, statistics, and daily challenge data are permanently deleted.
All active sessions are revoked.
This action is irreversible.

To delete your account, use the account deletion option in the app's profile screen, or contact us at the email address below.

7.4 Right to Data Portability

You may request an export of your personal data in a machine-readable format (JSON). Contact us at the email address below.

7.5 Right to Restrict Processing

If you believe we are processing your data unlawfully, you may request that we restrict processing while we investigate.

7.6 Right to Object

You may object to any processing of your personal data. Since we only process data for the app's core functionality, the practical outcome of an objection would be account deletion.

8. Cookies

8.1 Web Application

The WordEdge web application uses a single authentication cookie:

Cookie Name	Purpose	Type	Duration
__Host-wordedge_refresh	Authentication session (refresh token)	Strictly necessary	30 days

This cookie is HttpOnly (cannot be accessed by JavaScript), Secure (only transmitted over HTTPS), and SameSite=Strict (not sent on cross-site requests).

We do not use tracking cookies, analytics cookies, or advertising cookies. There is no cookie consent banner because we only use strictly necessary cookies for authentication.

8.2 Mobile Application

The mobile application does not use cookies. Authentication tokens are stored in the device's secure storage (iOS Keychain / Android Keystore).

9. Children's Privacy

WordEdge is a general-audience vocabulary learning app. We do not knowingly collect personal information from children under the age of 13 (or under 16 in jurisdictions where GDPR applies a higher age threshold).

If you are a parent or guardian and believe your child has provided us with personal data, please contact us at the email address below and we will take steps to delete that data promptly.

10. International Data Transfers

WordEdge data is stored in Cloudflare D1 databases in the ENAM (East North America) region. If you access the app from outside North America, your data will be transferred to and processed in the United States. Cloudflare, Inc. participates in the EU-U.S. Data Privacy Framework and maintains Standard Contractual Clauses for international transfers.

11. Security

We implement the following security measures to protect your data:

Encryption at rest for all stored data
Encryption in transit (TLS 1.2+) for all data transmission
OTP-based authentication with brute force protection
Rate limiting on all API endpoints
Short-lived access tokens with automatic rotation
HttpOnly, Secure cookies for session management
Input validation and sanitization on all endpoints
Regular security reviews and dependency auditing

12. Changes to This Policy

We may update this privacy policy from time to time. When we make material changes:

We will update the "Last Updated" date at the top of this document.
We will notify users via an in-app notice on their next login.
Continued use of WordEdge after the update constitutes acceptance of the revised policy.

We will not retroactively change how we use data already collected without obtaining your consent.

13. Contact

For any privacy-related questions, data requests, or concerns:

Email: privacy@amandeep.pro

Name: Amandeep Singh

Response time: We will respond to privacy requests within 30 days.

If you are not satisfied with our response, you have the right to lodge a complaint with your local data protection authority.

Summary

Question	Answer
What data do you collect?	Email, optional display name, quiz/learning data, learning statistics
Do you sell my data?	No, never
Do you use analytics/tracking?	No
Where is my data stored?	Cloudflare D1 (ENAM region, encrypted at rest)
Can I delete my account?	Yes, completely and permanently
Do you send marketing emails?	No, only OTP login codes
Do you use advertising cookies?	No, only a single authentication cookie (web)
Is my data shared with third parties?	Only Cloudflare (hosting) and Mailgun (email delivery)