Legal
Privacy Policy
Last updated: 28 June 2026
This policy explains how Cucaracha ("we", "us", "our") collects, uses, and protects your personal data when you visit cucaracha.app and when you use the Cucaracha mobile app. We process personal data in accordance with the EU General Data Protection Regulation (GDPR). We do not sell your data.
1. Data Controller
Deniz Can
Gotenstraße 52
10829 Berlin
Germany
Email: [email protected]
We have not appointed a Data Protection Officer, as we are not legally required to do so.
2. What We Collect
On the website (cucaracha.app):
- Contact form: your name (optional), email address, and the message you send us.
- Feature requests: the title and description you submit to the public feature board. Feature requests are displayed publicly; do not include personal information you would not want visible there.
- Waitlist: your email address and the platform you selected (iOS or Android) when you sign up for a launch waitlist.
- Bot protection: an ephemeral verification token generated by Cloudflare Turnstile on each form submission. This token is checked server-side and is not stored after verification.
- Technical server logs (IP address, browser type, pages visited, timestamp).
- Anonymised usage analytics (see Section 8).
In the app, when you create an account:
- Your name and email address, as provided by Sign in with Apple or Sign in with Google. If you use Apple's "Hide My Email", we only receive Apple's private relay address.
- A user identifier
In the app, as you use it:
- Diagnostic data: crash reports and error logs (for example, the type of error,
the screen or action involved, and your device model and OS version) that help
us detect, diagnose, and fix problems. These events are linked only to your
pseudonymous account identifier, never to your name, email address, or any
advertising identifier. - Content you create: decks, flashcards (front/back text), tags, and deck descriptions
- Study data: review history, ratings, scheduling parameters, streaks, daily goals, and aggregate usage counters
- Pseudonymised product analytics events (e.g. which screens and features you use and how far you progress in the onboarding flow — see Section 8)
- Subscription status (whether you have an active Cucaracha Pro subscription)
We do not store the content of your in-app AI tutor conversations on our servers. Those exchanges are processed in real time and are not retained after the session ends.
3. How We Use Your Data and Legal Bases
- To provide the app (store your cards, sync your data across devices, schedule reviews, generate and edit cards with AI, run the AI tutor): performance of our contract with you, Art. 6(1)(b) GDPR.
- To manage your account and authentication: Art. 6(1)(b) GDPR.
- To process and recognise your subscription: Art. 6(1)(b) GDPR.
- To respond to contact-form enquiries: our legitimate interest in supporting users, Art. 6(1)(f) GDPR (or Art. 6(1)(b) where the enquiry relates to an existing contract).
- To display your feature request on the public board: our legitimate interest in gathering product feedback, Art. 6(1)(f) GDPR.
- Waitlist emails (iOS and Android): your consent, Art. 6(1)(a) GDPR. You can withdraw consent at any time by emailing [email protected]; we will delete your entry from the waitlist within a reasonable time.
- To verify that form submissions are made by humans (Cloudflare Turnstile): our legitimate interest in preventing spam and abuse, Art. 6(1)(f) GDPR.
- To understand, improve, and promote the Service: we analyse usage in aggregate and pseudonymised form, including which features are used, how the onboarding flow performs, and the general kinds of subjects people study. Legal basis: our legitimate interest, Art. 6(1)(f) GDPR.
- Website operation, security, and reliability (server logs): our legitimate interest, Art. 6(1)(f) GDPR.
4. AI Processing (OpenAI)
Core features of the app are powered by OpenAI's API. To generate cards, edit cards, and answer your questions in the AI tutor, we send the following to OpenAI:
- Your generation prompts and any text from PDFs you attach
- The front/back text of cards being generated, edited, or discussed (including the fronts of existing cards in a deck, so the AI can avoid duplicates)
- For the AI tutor: the card in question, its deck name, and your chat messages
We do not send your name, email address, or account identifier to OpenAI. The content you put into cards or prompts is, however, sent, so please avoid entering sensitive personal information you would not want processed by a third-party AI provider.
OpenAI processes this data on our behalf as a processor under a Data Processing Addendum. Under OpenAI's API terms, your data is not used to train their models and is retained for a limited period (currently up to 30 days) only for abuse monitoring, after which it is deleted. OpenAI is based in the United States; transfers are covered by Standard Contractual Clauses (see Section 7).
Legal basis: performance of our contract with you, Art. 6(1)(b) GDPR, because generating and editing cards and answering your questions is the service you signed up for.
5. Third-Party Service Providers
Most of these providers act as our processors under a Data Processing
Agreement (Art. 28 GDPR), processing personal data only on our instructions.
Apple and Google act as independent controllers in their own right for the
sign-in and (for Apple) payment functions they provide; their processing is
governed by their own privacy policies and the developer agreements we have
entered into with them.
Supabase (Supabase, Inc., United States) — database, authentication, and backend functions. Website data (contact submissions, feature requests, and waitlist entries) is stored in the EU (Frankfurt). App account data, decks, cards, and study data are also stored in the EU. Any access from outside the EU is covered by Standard Contractual Clauses.
Vercel (Vercel Inc., 340 S Lemon Ave #4133, Walnut, CA 91789, United States) — website hosting and delivery. Processes server logs (IP, browser, pages, timestamp). Legal basis: Art. 6(1)(f) GDPR; transfers covered by Standard Contractual Clauses.
Resend (Resend Inc., United States) — transactional and notification email delivery. When you submit a contact form, a feature request, or join a waitlist, Resend delivers a notification to us; your email address and the content of your submission may be included in that notification. Transfers covered by Standard Contractual Clauses.
Cloudflare (Cloudflare, Inc., United States) — bot protection via Cloudflare Turnstile, used on all website forms. Cloudflare receives an ephemeral challenge token to verify that the submission is human; no additional personal data from your submission is sent to Cloudflare. Cloudflare is based in the United States; transfers are covered by Standard Contractual Clauses.
OpenAI (OpenAI, L.L.C., United States) — AI card generation, editing, and tutor (see Section 4). Transfers covered by Standard Contractual Clauses.
PostHog (PostHog, Inc.) — product and website analytics and app diagnostics (see Section 8). Processes pseudonymised usage events and crash/error reports. Data is hosted in the European Union; any access from outside the EU is covered by Standard Contractual Clauses.
RevenueCat (RevenueCat, Inc., United States) — subscription management. Processes your account identifier and subscription/purchase events. Transfers covered by Standard Contractual Clauses.
Apple — Sign in with Apple, and processing of all in-app purchases. Apple acts as the seller (Merchant of Record) for your subscription; your payment details are handled by Apple and are never received by us.
Google — Sign in with Google (authentication only).
Expo / EAS (650 Industries, Inc., United States) — app builds and over-the-air updates.
6. Subscriptions and Payments
Cucaracha Pro subscriptions are sold through Apple's App Store. Apple is the Merchant of Record: the payment contract is between you and Apple, Apple processes your payment, and we never see your card or payment details. We receive only your subscription status (active or not) via RevenueCat and Apple's servers. Billing, refunds, and cancellations are handled through your Apple account.
7. International Data Transfers
Some processors (Vercel, Resend, Cloudflare, OpenAI, RevenueCat, Apple, Google, Expo) are based in the United States. Where personal data is transferred outside the EU/EEA, we rely on EU Standard Contractual Clauses (Art. 46 GDPR) and, where applicable, the EU-US Data Privacy Framework. Website data (contact submissions, feature requests, waitlist) and your core app and account data are stored in the EU.
8. Cookies and Analytics
We use PostHog to understand how the website and app are used — for example, which features and screens are used, how far people get in the onboarding flow, and where they stop. This helps us improve the Service and decide what to build.
We run PostHog in a privacy-protective configuration:
- On the website, analytics runs behind a cookie consent banner. PostHog is not initialised and no non-essential cookies or device identifiers are set until you make a choice. If you accept, cookie-based analytics activates and PostHog may store identifiers in cookies or local storage on your device. If you decline, PostHog runs in cookieless mode and counts you anonymously via a server-side hash; nothing is stored on your device. You can change your choice at any time using the "Cookie settings" link in the footer.
- In the app, analytics events are linked only to a pseudonymous account identifier, never to your name or email address, and never to an advertising identifier.
- We do not capture the content of your cards or what you study through analytics, and we do not record your screen.
- Analytics data is hosted in the EU.
We also use PostHog to capture crash reports and error logs so we can detect
and fix problems. These diagnostic events are linked only to your pseudonymous
account identifier and never include the content of your cards or what you
study. The legal basis is our legitimate interest in a stable, reliable app
(Art. 6(1)(f) GDPR); you can object at any time as described above.
Legal basis for website analytics: your consent, Art. 6(1)(a) GDPR, given via the cookie banner (cookie-based mode) or not required (anonymous cookieless mode). Legal basis for in-app analytics: our legitimate interest in understanding and improving the Service, Art. 6(1)(f) GDPR. You can opt out of in-app analytics in the app's settings, or object at any time under Art. 21 GDPR by contacting [email protected].
9. Data Retention
- Account data: kept while your account is active; deleted when you delete your account
- Decks, cards, and study data: kept while your account is active; deleted on account deletion
- Contact submissions: kept while we operate, or until you request deletion by emailing [email protected]
- Feature requests: displayed publicly while we operate; email [email protected] to request removal of your submission
- Waitlist emails: kept until you withdraw consent or request deletion by emailing [email protected]
- Server logs (Vercel): approximately 30 days
- Analytics data: pseudonymised, up to 12 months
- AI tutor conversation content: not stored after the session ends
- OpenAI processing: up to 30 days at OpenAI for abuse monitoring, then deleted
- Diagnostic data (crash/error reports): pseudonymised, up to 12 months
You can delete your account and all associated data at any time from within the app (Settings → account). This satisfies your right to erasure under Art. 17 GDPR.
10. Your Rights Under GDPR
You have the right to: access (Art. 15), rectification (Art. 16), erasure (Art. 17), restriction (Art. 18), data portability (Art. 20), objection (Art. 21), and withdrawal of consent at any time (Art. 7(3)). To exercise any of these rights — including withdrawing waitlist consent or requesting deletion of a contact submission or feature request — contact [email protected]. You can also delete your app data directly in the app at any time.
11. Children
The app is not directed at children. In Germany, the age of digital consent is 16. If you are under 16, you may only use the app and provide personal data with the consent of a parent or guardian. We do not knowingly collect data from children below this age; if we learn we have, we will delete it.
12. Data Security
We use appropriate technical and organisational measures to protect your data, including encryption in transit and at rest, access controls, and EU-based storage of core data.
13. Complaints
If you believe your rights have been violated, you may lodge a complaint with a supervisory authority. The authority responsible for Berlin is:
Berliner Beauftragte für Datenschutz und Informationsfreiheit
Alt-Moabit 59-61
10555 Berlin
Germany
Phone: +49 30 13889-0
Email: [email protected]
14. Changes to This Policy
We may update this policy from time to time. Changes are posted on this page with a revised date.