Privacy Policy

Brevlex ("we," "us," or "our") is an AI-powered vocabulary learning application available at brevlex.com. This Privacy Policy explains what data we collect, why we collect it, and how we handle it. We believe in being specific and honest rather than hiding behind vague legal language.

The short version: we collect what we need to make your learning experience work. We do not run ads. We do not sell your data.

What We Collect

Account information

• Email address — required for account creation, used for authentication and transactional emails (verification, password resets).
• Name — optional. Displayed in your profile if provided.
• Authentication credentials — if you sign up with email and password, your password is securely hashed and never stored in plain text. If you use Google OAuth, we receive your name and email from Google but never your Google password.

Learning data

• Interests — topics you select during onboarding (e.g., technology, cooking, sports). Used to personalize AI-generated sentences.
• Learning goals — why you are building vocabulary (e.g., test prep, career growth). Used to tailor word selection and difficulty.
• Study progress — which words you have studied, your correct and incorrect answers, mastery levels, and spaced repetition scheduling data.
• Flashcard data — cards you have created or reviewed, including any custom mnemonics.
• Daily activity — study sessions, words studied per day, streaks, and achievements earned.

Analytics events

• We track anonymized usage events (e.g., session starts, feature usage) to understand how people use Brevlex and where we can improve. These events are stored in our own database, not sent to third-party analytics services.

Guest sessions

• If you try Brevlex without creating an account, we use a browser fingerprint to maintain your guest session. Guest sessions do not collect any personally identifiable information. They track only the number of study attempts and words seen, and they expire automatically.

How We Use Your Data

• Personalization — your interests and goals drive the AI-generated sentences and word recommendations you see.
• Spaced repetition — your study history powers the scheduling algorithm that determines when to show you each word again.
• Progress tracking — we display your stats, streaks, and achievements so you can see how you are improving.
• Authentication — your email and credentials are used to sign you in and keep your account secure.
• Transactional emails — we send emails only for account verification, password resets, and critical account security notifications. We do not send marketing emails.
• Product improvement — aggregated, anonymized usage data helps us understand which features are useful and where users struggle.

AI and Data Processing

Brevlex uses Amazon Web Services (AWS) Bedrock to generate personalized example sentences and mnemonics. When you study a word, we send the word, your selected interests, and your learning context to the AI model. We do not send your email, name, or any other personally identifiable information to the AI service.

Generated sentences are cached so that the same request does not need to be processed repeatedly. AWS Bedrock processes data in accordance with AWS's privacy policy. AWS does not use your inputs or outputs to train its models.

Cookies

We use cookies strictly for authentication. When you sign in, a JSON Web Token (JWT) is stored in a secure, HTTP-only cookie. This cookie is required for the application to recognize you across page loads.

We do not use tracking cookies, advertising cookies, or any third-party cookie-based analytics. If you use guest mode, a session cookie identifies your guest session.

Third-Party Services

We use a limited number of third-party services, each for a specific purpose:

• Google OAuth — if you choose to sign in with Google, Google provides us with your name and email. Google's use of your data is governed by Google's Privacy Policy.
• AWS Bedrock — powers AI sentence and mnemonic generation. Only vocabulary context is sent; no personal information.
• Brevo — handles transactional email delivery (account verification, password resets). Brevo receives your email address solely for the purpose of delivering these messages.

We do not use any third-party advertising networks, social media trackers, or analytics platforms.

Data Retention

• Account data — retained as long as your account is active. If you delete your account, your personal data is permanently removed from our database.
• Study progress — retained with your account. Deleted when your account is deleted.
• Guest sessions — expire automatically and are periodically cleaned up from our database.
• Analytics events — anonymized event data may be retained in aggregate form after account deletion for product improvement purposes.
• Audit logs — security-related logs (sign-ins, password changes) are retained for a limited period and automatically purged.

Data Security

We take reasonable measures to protect your data:

• Passwords are hashed using industry-standard algorithms and never stored in plain text.
• Two-factor authentication (TOTP) is available for additional account security.
• Authentication tokens are stored in secure, HTTP-only cookies to prevent cross-site scripting access.
• All traffic is encrypted in transit via HTTPS.
• Database access is restricted and not publicly exposed.

No system is perfectly secure. If you discover a security vulnerability, please report it to support@brevlex.com.

Your Rights

You have the right to:

• Access your data — view the personal information we hold about you through your account settings.
• Correct your data — update your name, email, interests, and learning goals at any time in settings.
• Delete your data — delete your account and all associated data. This action is permanent and cannot be undone.
• Export your data — request a copy of your data by contacting us.

To exercise any of these rights, visit your account settings or contact us at support@brevlex.com.

Children's Privacy

Brevlex is not directed at children under 13. We do not knowingly collect personal information from children under 13. If you believe a child under 13 has provided us with personal data, please contact us at support@brevlex.com and we will promptly delete it.

Changes to This Policy

We may update this Privacy Policy from time to time. When we make significant changes, we will update the "Last updated" date at the top of this page. We encourage you to review this policy periodically. Continued use of Brevlex after changes constitutes acceptance of the updated policy.

Contact

If you have questions about this Privacy Policy or how we handle your data, contact us at:

support@brevlex.com