Legal

Privacy Policy

Last updated: 28 June 2026

This policy explains how Cucaracha ("we", "us", "our") collects, uses, and protects your personal data when you visit cucaracha.app and when you use the Cucaracha mobile app. We process personal data in accordance with the EU General Data Protection Regulation (GDPR). We do not sell your data.

1. Data Controller

Deniz Can
Gotenstraße 52
10829 Berlin
Germany
Email: [email protected]

We have not appointed a Data Protection Officer, as we are not legally required to do so.

2. What We Collect

On the website (cucaracha.app):

In the app, when you create an account:

In the app, as you use it:

We do not store the content of your in-app AI tutor conversations on our servers. Those exchanges are processed in real time and are not retained after the session ends.

3. How We Use Your Data and Legal Bases

4. AI Processing (OpenAI)

Core features of the app are powered by OpenAI's API. To generate cards, edit cards, and answer your questions in the AI tutor, we send the following to OpenAI:

We do not send your name, email address, or account identifier to OpenAI. The content you put into cards or prompts is, however, sent, so please avoid entering sensitive personal information you would not want processed by a third-party AI provider.

OpenAI processes this data on our behalf as a processor under a Data Processing Addendum. Under OpenAI's API terms, your data is not used to train their models and is retained for a limited period (currently up to 30 days) only for abuse monitoring, after which it is deleted. OpenAI is based in the United States; transfers are covered by Standard Contractual Clauses (see Section 7).

Legal basis: performance of our contract with you, Art. 6(1)(b) GDPR, because generating and editing cards and answering your questions is the service you signed up for.

5. Third-Party Service Providers

Most of these providers act as our processors under a Data Processing
Agreement (Art. 28 GDPR), processing personal data only on our instructions.
Apple and Google act as independent controllers in their own right for the
sign-in and (for Apple) payment functions they provide; their processing is
governed by their own privacy policies and the developer agreements we have
entered into with them.

Supabase (Supabase, Inc., United States) — database, authentication, and backend functions. Website data (contact submissions, feature requests, and waitlist entries) is stored in the EU (Frankfurt). App account data, decks, cards, and study data are also stored in the EU. Any access from outside the EU is covered by Standard Contractual Clauses.

Vercel (Vercel Inc., 340 S Lemon Ave #4133, Walnut, CA 91789, United States) — website hosting and delivery. Processes server logs (IP, browser, pages, timestamp). Legal basis: Art. 6(1)(f) GDPR; transfers covered by Standard Contractual Clauses.

Resend (Resend Inc., United States) — transactional and notification email delivery. When you submit a contact form, a feature request, or join a waitlist, Resend delivers a notification to us; your email address and the content of your submission may be included in that notification. Transfers covered by Standard Contractual Clauses.

Cloudflare (Cloudflare, Inc., United States) — bot protection via Cloudflare Turnstile, used on all website forms. Cloudflare receives an ephemeral challenge token to verify that the submission is human; no additional personal data from your submission is sent to Cloudflare. Cloudflare is based in the United States; transfers are covered by Standard Contractual Clauses.

OpenAI (OpenAI, L.L.C., United States) — AI card generation, editing, and tutor (see Section 4). Transfers covered by Standard Contractual Clauses.

PostHog (PostHog, Inc.) — product and website analytics and app diagnostics (see Section 8). Processes pseudonymised usage events and crash/error reports. Data is hosted in the European Union; any access from outside the EU is covered by Standard Contractual Clauses.

RevenueCat (RevenueCat, Inc., United States) — subscription management. Processes your account identifier and subscription/purchase events. Transfers covered by Standard Contractual Clauses.

Apple — Sign in with Apple, and processing of all in-app purchases. Apple acts as the seller (Merchant of Record) for your subscription; your payment details are handled by Apple and are never received by us.

Google — Sign in with Google (authentication only).

Expo / EAS (650 Industries, Inc., United States) — app builds and over-the-air updates.

6. Subscriptions and Payments

Cucaracha Pro subscriptions are sold through Apple's App Store. Apple is the Merchant of Record: the payment contract is between you and Apple, Apple processes your payment, and we never see your card or payment details. We receive only your subscription status (active or not) via RevenueCat and Apple's servers. Billing, refunds, and cancellations are handled through your Apple account.

7. International Data Transfers

Some processors (Vercel, Resend, Cloudflare, OpenAI, RevenueCat, Apple, Google, Expo) are based in the United States. Where personal data is transferred outside the EU/EEA, we rely on EU Standard Contractual Clauses (Art. 46 GDPR) and, where applicable, the EU-US Data Privacy Framework. Website data (contact submissions, feature requests, waitlist) and your core app and account data are stored in the EU.

8. Cookies and Analytics

We use PostHog to understand how the website and app are used — for example, which features and screens are used, how far people get in the onboarding flow, and where they stop. This helps us improve the Service and decide what to build.

We run PostHog in a privacy-protective configuration:

We also use PostHog to capture crash reports and error logs so we can detect
and fix problems. These diagnostic events are linked only to your pseudonymous
account identifier and never include the content of your cards or what you
study. The legal basis is our legitimate interest in a stable, reliable app
(Art. 6(1)(f) GDPR); you can object at any time as described above.

Legal basis for website analytics: your consent, Art. 6(1)(a) GDPR, given via the cookie banner (cookie-based mode) or not required (anonymous cookieless mode). Legal basis for in-app analytics: our legitimate interest in understanding and improving the Service, Art. 6(1)(f) GDPR. You can opt out of in-app analytics in the app's settings, or object at any time under Art. 21 GDPR by contacting [email protected].

9. Data Retention

You can delete your account and all associated data at any time from within the app (Settings → account). This satisfies your right to erasure under Art. 17 GDPR.

10. Your Rights Under GDPR

You have the right to: access (Art. 15), rectification (Art. 16), erasure (Art. 17), restriction (Art. 18), data portability (Art. 20), objection (Art. 21), and withdrawal of consent at any time (Art. 7(3)). To exercise any of these rights — including withdrawing waitlist consent or requesting deletion of a contact submission or feature request — contact [email protected]. You can also delete your app data directly in the app at any time.

11. Children

The app is not directed at children. In Germany, the age of digital consent is 16. If you are under 16, you may only use the app and provide personal data with the consent of a parent or guardian. We do not knowingly collect data from children below this age; if we learn we have, we will delete it.

12. Data Security

We use appropriate technical and organisational measures to protect your data, including encryption in transit and at rest, access controls, and EU-based storage of core data.

13. Complaints

If you believe your rights have been violated, you may lodge a complaint with a supervisory authority. The authority responsible for Berlin is:

Berliner Beauftragte für Datenschutz und Informationsfreiheit
Alt-Moabit 59-61
10555 Berlin
Germany
Phone: +49 30 13889-0
Email: [email protected]

14. Changes to This Policy

We may update this policy from time to time. Changes are posted on this page with a revised date.