Privacy Policy
Last updated: May 26, 2026
Brevlex ("we," "us," or "our") is an AI-powered vocabulary learning application available at brevlex.com. This Privacy Policy explains what data we collect, why we collect it, and how we handle it. We believe in being specific and honest rather than hiding behind vague legal language.
The short version: we collect what we need to make your learning experience work. We do not run ads. We do not sell your data.
What We Collect
Account information
- Email address — required for account creation, used for authentication and transactional emails (verification, password resets).
- Name — optional. Displayed in your profile if provided.
- Authentication credentials — if you sign up with email and password, your password is securely hashed and never stored in plain text. If you use Google OAuth, we receive your name and email from Google but never your Google password.
Learning data
- Interests — topics you select during onboarding (e.g., technology, cooking, sports). Used to personalize AI-generated sentences.
- Learning goals — why you are building vocabulary (e.g., test prep, career growth). Used to tailor word selection and difficulty.
- Study progress — which words you have studied, your correct and incorrect answers, mastery levels, and spaced repetition scheduling data.
- Flashcard data — cards you have created or reviewed, including any custom mnemonics.
- Daily activity — study sessions, words studied per day, streaks, and achievements earned.
Analytics and error monitoring
- We forward anonymized product-usage events to PostHog (no ad pixels, no session replay) so we can see which features people use. When the application crashes, we forward the stack trace and request metadata to Sentry so we can diagnose the failure. See the sub-processor list for the full set.
Guest sessions
- If you try Brevlex without creating an account, we use a browser fingerprint to maintain your guest session. Guest sessions do not collect directly identifying information such as your name or email address. They track only the number of study attempts and words seen, and they expire automatically.
How We Use Your Data
- Personalization — your interests and goals drive the AI-generated sentences and word recommendations you see.
- Spaced repetition — your study history powers the scheduling algorithm that determines when to show you each word again.
- Progress tracking — we display your stats, streaks, and achievements so you can see how you are improving.
- Authentication — your email and credentials are used to sign you in and keep your account secure.
- Transactional emails — we send emails only for account verification, password resets, and critical account security notifications. We do not send marketing emails.
- Product improvement — aggregated, anonymized usage data helps us understand which features are useful and where users struggle.
AI and Data Processing
Brevlex uses Amazon Web Services (AWS) Bedrock to generate personalized example sentences and mnemonics. When you study a word, we send the word, your selected interests, and your learning context to the AI model. We do not send your email, name, or any other personally identifiable information to the AI service.
Generated sentences are cached so that the same request does not need to be processed repeatedly. AWS Bedrock processes data in accordance with AWS's privacy policy. AWS does not use your inputs or outputs to train its models.
Cookies
We use cookies strictly for authentication. When you sign in, a JSON Web Token (JWT) is stored in a secure, HTTP-only cookie. This cookie is required for the application to recognize you across page loads.
We do not use tracking cookies, advertising cookies, or any third-party cookie-based analytics. If you use guest mode, a session cookie identifies your guest session.
Sub-processors
We use a limited number of third-party sub-processors, each for a specific purpose. The current list:
- Amazon Web Services (AWS) — Bedrock for AI sentence and mnemonic generation. Only vocabulary context is sent to Bedrock; no personal information. AWS does not use inputs or outputs to train its models.
- DigitalOcean — VPS hosting for application + Postgres database. DigitalOcean Block Storage Volumes are AES-256-encrypted at rest, but the Postgres data volume runs on droplet local disk and is not encrypted at rest by default. See /legal/subprocessors for full hosting details and our encryption attestation.
- Google — OAuth sign-in. If you choose Google sign-in, Google provides us with your name and email. Google's use of your data is governed by Google's Privacy Policy.
- Brevo — transactional email delivery (account verification, password resets, critical security notifications). Brevo receives your email address solely for the purpose of delivering these messages.
- PostHog — product analytics. Anonymized usage events are forwarded to PostHog to help us understand which features people use. No ad pixels, no session replay.
- Sentry — client- and server-side error monitoring. Stack traces and request metadata are forwarded to Sentry when the application crashes so we can diagnose and fix the failure.
The canonical, versioned list lives at /legal/subprocessors. We do not use any third-party advertising networks, social media trackers, or ad-targeting analytics platforms.
For schools and districts
When Brevlex processes student personal information on behalf of a school or district, we act as a service provider / school official under FERPA and as a processor of school-authorized data under COPPA Path C. The terms that govern that relationship — including our data-handling commitments, sub-processor approvals, breach-notification timelines, and deletion obligations — are in our Data Processing Addendum.
- Data Processing Addendum (DPA) — the contract we sign with school and district customers.
- Sub-processor list — the canonical list of third parties that may process customer data on our behalf.
Data Retention
- Account data — retained as long as your account is active. If you delete your account, your personal data is permanently removed from our database.
- Study progress — retained with your account. Deleted when your account is deleted.
- Guest sessions — expire automatically and are periodically cleaned up from our database.
- Analytics events — anonymized event data may be retained in aggregate form after account deletion for product improvement purposes.
- Security-event audit log — scoped to authentication events (sign-ins, password resets, 2FA changes) and admin actions. Retained for a limited period and then purged. Per-classroom audit of educator reads on student records is on the roadmap, not yet shipped.
Data Security
The specific controls we have in place today:
- In transit — all traffic is served over TLS 1.2 or higher.
- Passwords — hashed with bcrypt. Plain-text passwords are never stored and never logged.
- TOTP secrets — application-encrypted with AES-256-GCM before they are written to the database. Two-factor authentication (TOTP) is available for any account.
- At rest — the Postgres data volume runs on droplet local disk and is not encrypted at rest by default. Beyond bcrypt hashing of passwords and AES-256-GCM encryption of TOTP secrets, we do not currently apply additional application-layer encryption to other user fields. See /legal/subprocessors for our full encryption attestation.
- Session tokens — stored in secure, HTTP-only cookies so that scripts injected through cross-site scripting cannot read them.
- Database access — restricted to the application; not publicly exposed.
No system is perfectly secure. If you discover a security vulnerability, please report it to support@brevlex.com.
Your Rights
You have the right to:
- Access your data — view the personal information we hold about you through your account settings.
- Correct your data — update your name, email, interests, and learning goals at any time in settings.
- Delete your data — delete your account and all associated data. This action is permanent and cannot be undone.
- Export your data — request a copy of your data by contacting us.
To exercise any of these rights, visit your account settings or contact us at support@brevlex.com.
Children's Privacy
Under-13 use is not supported. Brevlex is for users 13 and older. Educators who create classes attest that every enrolled student is 13+; grade 3-6 classes are blocked at creation and legacy under-13 classes have been retired (read-only). We do not knowingly collect personal information from children under 13. If you believe a child under 13 has provided us with personal data, please contact us at support@brevlex.com and we will promptly delete it.
Changes to This Policy
We may update this Privacy Policy from time to time. When we make significant changes, we will update the "Last updated" date at the top of this page. We encourage you to review this policy periodically. Continued use of Brevlex after changes constitutes acceptance of the updated policy.
Contact
If you have questions about this Privacy Policy or how we handle your data, contact us at: