Privacy Policy
Mastery — Adaptive Vocabulary Mastery System
Effective Date: February 23, 2026
1. Introduction
Valentin Seehausen, operating as a sole proprietor under the laws of Germany ("we," "us," "our"), operates the Mastery mobile application, web application, Chrome browser extension, and related services (collectively, the "Service"). This Privacy Policy explains how we collect, use, disclose, and protect your personal data when you use our Service.
We process your personal data in compliance with the General Data Protection Regulation (EU) 2016/679 ("GDPR"), the UK General Data Protection Regulation ("UK GDPR"), the California Consumer Privacy Act as amended by the California Privacy Rights Act ("CCPA/CPRA"), the Brazilian Lei Geral de Proteção de Dados ("LGPD"), and other applicable data protection laws.
Data Controller: Valentin Seehausen, Germany
Contact: privacy@mastery-app.com
2. Personal Data We Collect
2.1 Account Data
When you create an account, we collect:
- Email address
- Display name (if provided via your sign-in provider)
- Authentication provider identifiers (Google, Apple, or email credentials)
- Native language selection
- Device locale (for language detection and regional pricing)
2.2 Learning Data
As you use the Service, we collect data to power the adaptive learning system:
- Words you look up or translate, including the source sentence and URL or source identifier
- Kindle vocabulary data (words and reading context imported via Kindle sync)
- Review history: responses, timestamps, response times, and card types for each practice session
- Spaced repetition scheduling data (FSRS parameters: stability, difficulty, interval, state, repetitions, and lapses per word per competency cluster)
- Word stage progression (Captured, Practicing, Stabilizing, Known, Mastered)
- Session metadata (start time, duration, cards reviewed, session type)
2.3 Usage and Technical Data
- Device type, operating system, and version
- App version
- Crash reports and error logs
- General usage analytics (screens visited, feature usage, session frequency)
- IP address (processed transiently for security and geolocation; not stored long-term)
2.4 Payment Data
We do not directly collect or store credit card numbers or bank account details. Payments are processed by Stripe (web) and Apple App Store / Google Play Store via RevenueCat (mobile). These processors share with us subscription status, transaction identifiers, regional pricing tier, and subscription start/renewal/cancellation dates.
2.5 Chrome Extension Data
When you use the Mastery Chrome extension, we collect words you select for translation and the surrounding sentence context. We do not collect your general browsing history. The extension only activates when you explicitly interact with it.
3. Legal Bases for Processing (GDPR Article 6)
| Legal Basis | Processing Activity | Details |
|---|---|---|
| Contract (Art. 6(1)(b)) | Account creation, learning system operation, subscription management | Necessary to provide the Service you signed up for |
| Legitimate Interest (Art. 6(1)(f)) | Analytics, crash reporting, fraud prevention, service improvement | Our legitimate interest in maintaining and improving the Service, balanced against your rights |
| Consent (Art. 6(1)(a)) | Optional marketing communications, optional analytics cookies | You may withdraw consent at any time without affecting prior processing |
| Legal Obligation (Art. 6(1)(c)) | Tax records, responding to lawful requests | Required by applicable law |
4. How We Use Your Data
- Provide and operate the Service: powering the Memory Mirror vocabulary model, spaced repetition scheduling, adaptive card selection, word enrichment, and progress tracking.
- Personalize your experience: adjusting practice sessions, recommending vocabulary, and calibrating difficulty based on your learning data.
- Process payments: managing subscriptions, applying regional pricing, and verifying entitlements.
- Communicate with you: sending transactional emails (account verification, password reset, subscription changes) and, with your consent, product updates.
- Improve the Service: analyzing aggregated usage patterns, diagnosing technical issues via crash reports, and developing new features.
- Ensure security: detecting fraud, preventing abuse, and protecting the integrity of the Service.
5. Third-Party Service Providers
We share personal data with the following categories of service providers, each acting as a data processor on our behalf under appropriate data processing agreements:
| Provider | Purpose | Data Shared | Location |
|---|---|---|---|
| Supabase | Backend infrastructure, database, authentication | Account data, learning data, word enrichment data | EU (Frankfurt) / US |
| Stripe | Web payment processing | Email, subscription data, payment metadata | US (EU SCCs in place) |
| RevenueCat | Mobile subscription management | User ID, subscription status, transaction data | US (EU SCCs in place) |
| Apple / Google | App Store payments, push notifications | Transaction data, device tokens | US (Adequacy / SCCs) |
| Analytics provider | Usage analytics | Anonymized/pseudonymized usage events, device info | TBD (DPA required) |
| Crash reporting provider | Error monitoring | Crash logs, device info, app state at time of crash | TBD (DPA required) |
We do not sell your personal data to any third party. We do not share your personal data for third-party advertising purposes.
6. International Data Transfers
Your personal data may be transferred to and processed in countries outside the European Economic Area (EEA), including the United States. When we transfer personal data outside the EEA, we ensure appropriate safeguards are in place:
- European Commission adequacy decisions (where applicable)
- Standard Contractual Clauses (SCCs) approved by the European Commission (June 2021 version)
- Supplementary technical and organizational measures where required by transfer impact assessments
You may request a copy of the applicable transfer safeguards by contacting privacy@mastery-app.com.
7. Data Retention
| Data Category | Retention Period | Basis |
|---|---|---|
| Account data | Duration of account + 30 days after deletion request | Contract performance; deletion grace period |
| Learning data | Duration of account (deleted with account) | Contract performance |
| Payment/transaction records | 7 years after transaction | Legal obligation (German tax law, §147 AO) |
| Crash reports | 90 days | Legitimate interest |
| Analytics data | 26 months (aggregated/anonymized) | Legitimate interest |
| Server logs (IP addresses) | 14 days | Legitimate interest (security) |
8. Your Rights
8.1 Under the GDPR / UK GDPR
If you are located in the EEA or UK, you have the following rights:
- Right of access (Art. 15): Obtain a copy of your personal data and information about how it is processed.
- Right to rectification (Art. 16): Request correction of inaccurate or incomplete personal data.
- Right to erasure (Art. 17): Request deletion of your personal data, subject to legal retention obligations.
- Right to restriction (Art. 18): Request that we limit the processing of your personal data in certain circumstances.
- Right to data portability (Art. 20): Receive your personal data in a structured, commonly used, machine-readable format.
- Right to object (Art. 21): Object to processing based on legitimate interests, including for direct marketing.
- Right to withdraw consent (Art. 7): Withdraw consent at any time, without affecting the lawfulness of processing prior to withdrawal.
- Right to lodge a complaint: File a complaint with your local supervisory authority. In Germany, this may be your state data protection authority (Landesdatenschutzbeauftragter).
8.2 Under the CCPA / CPRA
If you are a California resident, you have the right to know what personal information we collect and how it is used, request deletion of your personal information, opt out of the sale or sharing of personal information (we do not sell or share your data), request correction of inaccurate personal information, and not be discriminated against for exercising your rights.
8.3 How to Exercise Your Rights
To exercise any of these rights, contact us at privacy@mastery-app.com. We will respond within 30 days (GDPR) or 45 days (CCPA). We may ask you to verify your identity before processing your request. You may also delete your account and data directly from within the app under Settings > Account > Delete Account.
9. Data Security
We implement appropriate technical and organizational measures to protect your personal data, including:
- Encryption of data in transit (TLS 1.2+) and at rest
- Row-level security policies ensuring users can only access their own data
- Authentication via industry-standard providers (Google, Apple, secure email/password with hashing)
- Regular security reviews of our infrastructure and third-party providers
- Principle of least privilege for internal access to personal data
10. Children's Privacy
The Service is not directed at children under 16 years of age. We do not knowingly collect personal data from children under 16. If we become aware that we have collected personal data from a child under 16, we will take steps to delete that data promptly. If you believe a child has provided us with personal data, please contact privacy@mastery-app.com.
11. Cookies and Similar Technologies
The Mastery web application and Chrome extension may use cookies and similar technologies for authentication, session management, and analytics:
- Essential cookies: Required for authentication and core functionality. These cannot be disabled.
- Analytics cookies: Used to understand how the Service is used. You may opt out via your browser settings or our cookie preference controls.
The mobile app does not use cookies but may use device identifiers for analytics and crash reporting, subject to your device permissions.
12. Changes to This Privacy Policy
We may update this Privacy Policy from time to time. We will notify you of material changes by posting the updated policy within the app and, where required by law, by email. The "Effective Date" at the top of this document indicates when it was last revised. Continued use of the Service after a change constitutes acceptance of the updated policy.
13. Contact Us
If you have questions about this Privacy Policy or wish to exercise your data protection rights, contact us at:
Valentin Seehausen
Email: privacy@mastery-app.com
You also have the right to lodge a complaint with your local data protection supervisory authority.