Privacy Policy

Last updated: February 26, 2026

Effective Date: February 26, 2026

StudyLess ("Company", "we", "us", or "our") is committed to protecting the personal information and privacy rights of users worldwide. This Privacy Policy explains how we collect, use, store, and protect your personal information in accordance with applicable data protection laws, including the EU General Data Protection Regulation (GDPR), the UK General Data Protection Regulation (UK-GDPR) and Data Protection Act 2018, the California Consumer Privacy Act as amended by the California Privacy Rights Act (CCPA/CPRA), Brazil's Lei Geral de Proteção de Dados (LGPD), South Korea's Personal Information Protection Act (PIPA), Japan's Act on the Protection of Personal Information (APPI), and other applicable laws.

By using StudyLess, you agree to the collection and use of your information in accordance with this Privacy Policy.

1. Data Controller and Contact Details

  • Controller: StudyLess – Mingeon Kim
  • Address: Seoul, Republic of Korea
  • Email (privacy and support): support@studyless.app

We have not appointed a Data Protection Officer (DPO). For all privacy-related questions or requests, you can contact us at support@studyless.app.

We have not appointed an EU or UK representative under Article 27 GDPR / UK-GDPR. Users in the EU and UK can contact us directly at support@studyless.app.

2. Purposes and Legal Bases for Processing Personal Information

We process personal information for the purposes described below. Depending on your location, we rely on different legal bases under applicable laws.

2.1 Account Registration and Management

Purpose

  • To create and manage your StudyLess account
  • To authenticate you and keep your account secure
  • To allow you to sign in with email, Apple, or Google

Data processed

  • Email address
  • Password (for direct email sign-up)
  • OAuth identifiers and profile data from providers (e.g., Apple/Google ID, full name, email, avatar if provided)

Legal bases

  • GDPR/UK-GDPR: Performance of a contract (Art. 6(1)(b))
  • LGPD: Performance of a contract / execution of procedures at the request of the data subject
  • PIPA (Korea): Consent of the data subject
  • CCPA/CPRA: Business purpose – providing the service

2.2 Provision of the Core Service

Purpose

  • AI-based flashcard generation from images/PDFs via Google Gemini
  • Spaced repetition scheduling using the FSRS algorithm
  • Managing your decks, cards, and study sessions
  • Synchronizing your study data across devices

Data processed

  • Uploaded images and PDFs (study materials)
  • Text extracted from uploaded content
  • Generated flashcard content (questions/answers, metadata)
  • Decks, cards, and tags you create
  • Learning records (card ratings, review results, review intervals, review time per card, exam dates)
  • FSRS personalization parameters stored per user
  • Study streaks and statistics (e.g., current streak, longest streak, last study date, daily study goal)

Legal bases

  • GDPR/UK-GDPR: Performance of a contract (Art. 6(1)(b))
  • LGPD: Performance of a contract
  • PIPA (Korea): Consent of the data subject
  • CCPA/CPRA: Business purpose – providing the service

2.3 Analytics, Service Improvement, and Error Diagnostics

Purpose

  • To understand how users interact with the app
  • To measure and improve performance, usability, and features
  • To diagnose errors and ensure reliability

Data processed

  • Usage records (e.g., sign-up date, decks created, cards created, reviews completed, AI generations)
  • Event data (e.g., deck creation, review sessions, AI generation events, navigation events) tied to your user ID
  • Device information (OS, device model, app version)
  • IP address and approximate region
  • Error logs and app performance data
  • User identifiers and email attached to analytics and error reports

Legal bases

  • GDPR/UK-GDPR: Legitimate interests (Art. 6(1)(f)) – improving and securing the service. Users in the EEA/UK may object to this processing at any time by contacting us at support@studyless.app.
  • LGPD: Legitimate interest / regular exercise of rights, with safeguards
  • PIPA (Korea): Consent of the data subject
  • CCPA/CPRA: Business purposes – auditing, analytics, debugging, internal research

2.4 Communication and Support

Purpose

  • To respond to your inquiries, feedback, and bug reports
  • To communicate important information about your account or the Service

Data processed

  • Name (if provided in the contact form)
  • Email address
  • Message content and type/category (e.g., bug report, feedback, support request)

Legal bases

  • GDPR/UK-GDPR: Performance of a contract or steps at your request; legitimate interest in responding to you
  • LGPD: Performance of a contract / legitimate interest
  • PIPA (Korea): Consent of the data subject
  • CCPA/CPRA: Business purposes – customer service

3. Categories of Personal Information Collected

We collect the following categories of personal information:

3.1 Information You Provide Directly

Account registration (required)

  • Email address
  • Password (for direct email sign-up)
  • Full name or display name (from OAuth providers or if you enter it)

Content and study data

  • Uploaded images and PDFs (study materials)
  • Text extracted from uploads for flashcard generation
  • Flashcards you create or edit (questions, answers, tags)
  • Exam dates and test preparation settings

Contact and feedback

  • Name (if you enter it in the contact form)
  • Email address
  • Message content and category (e.g., bug, feature request, general support)

3.2 Information Collected Automatically

Usage and learning data

  • Decks and cards created
  • Reviews completed and review outcomes (Again/Hard/Good/Easy)
  • Review intervals and scheduling data
  • Review time per card (e.g., milliseconds spent on each card)
  • FSRS personalization parameters per user
  • Study streaks and statistics (current streak, longest streak, last study date, daily study goal and similar metrics)

Device and technical data

  • Device model and operating system
  • App version
  • IP address and approximate region
  • Timestamps of access and usage events

Notifications

  • Push notification token (device token) used to send you notifications

4. Children's Privacy

StudyLess is not intended for children under 13 years old, and we do not knowingly allow children under 13 to create accounts or use the Service.

If we learn that a user is under 13, we will promptly delete the account and associated personal data.

In some countries, the minimum age to use online services may be higher (for example, 16 in certain EU member states or 18 in some jurisdictions). Where local law requires a higher age, we comply with that requirement. By using StudyLess, you confirm that you meet the minimum age required in your country.

If you believe a child has provided us with personal information in violation of this Policy, please contact us at support@studyless.app so we can take appropriate action.

5. Retention of Personal Information

We retain personal information only for as long as necessary for the purposes described in this Policy or as required by law.

  • Account and profile data (email, OAuth identifiers, name, profile settings) – Retained until you delete your account or we no longer need it to provide the Service.
  • Study data (decks, cards, flashcards, review history, FSRS parameters, streaks) – Retained until you delete your account or manually delete specific decks/cards.
  • Service usage and analytics data (Mixpanel) – Retained for up to 24 months from the date of collection, after which it may be aggregated or deleted.
  • Error logs and performance data (Sentry) – Retained for up to 90 days.
  • Contact form submissions and support communications – Retained for as long as necessary to resolve your request and for a reasonable period afterwards for record-keeping and dispute resolution.

Upon account deletion, we will delete or irreversibly anonymize your personal data within a reasonable period, except where we are legally required or permitted to retain certain information (for example, to comply with legal obligations or defend against legal claims).

6. Sharing and Disclosure of Personal Information

We do not sell your personal information.

We share personal data only with the following service providers and in the following situations:

6.1 Service Providers (Processors)

We use trusted third-party providers to help us operate and improve StudyLess:

Supabase Inc. (United States)

  • Purpose: Authentication, database storage, file storage, and real-time synchronization of your study data across devices
  • Data: Email, password hash (for direct sign-up), OAuth identifiers and metadata, decks, cards, review history, FSRS parameters, study statistics, uploaded images/PDFs, push notification tokens, contact submissions
  • Retention: Until account deletion (subject to Supabase's own retention policies for backups and logs)

Google LLC – Google Gemini API (United States)

  • Purpose: AI-based flashcard generation from your uploaded study materials
  • Data: Uploaded image/PDF content and derived text necessary to generate flashcards
  • Retention: Limited retention by Google in accordance with its API terms (for example, for abuse prevention and service quality). We do not allow this data to be used to build advertising profiles about you.

Mixpanel Inc. (United States)

  • Purpose: Product analytics and usage statistics
  • Data: Usage records, event data (e.g., sign-up, deck creation, reviews, AI generations), device information, IP address, app version, user identifiers (user ID), email address, full name or display name, auth provider, sign-up date, and aggregated learning metrics.
  • Retention: Up to 24 months after collection, after which data may be aggregated or deleted according to Mixpanel's policies.

Functional Software Inc. (Sentry) (United States)

  • Purpose: Error diagnostics and app performance monitoring
  • Data: Error logs, stack traces, device information, app version, and user identifiers (user ID) and email address to help reproduce and fix issues
  • Retention: Up to 90 days

Service providers process personal data only on our instructions and under data protection agreements that require them to protect your data.

6.2 Legal Requirements and Protection

We may disclose personal information if we believe in good faith that such action is necessary to:

  • Comply with a legal obligation, court order, or governmental request
  • Protect the rights, property, or safety of StudyLess, our users, or others
  • Detect, prevent, or address fraud, security, or technical issues

6.3 Business Transfers

If we are involved in a merger, acquisition, or asset sale, your personal information may be transferred as part of that transaction. We will provide notice and any required choices in such circumstances.

7. International Data Transfers

We are based in South Korea and use service providers located in the United States and other countries. This means your personal data may be transferred to and processed in countries outside of your own, including countries that may not provide the same level of data protection as your home jurisdiction.

Where required by law (for example, for users in the EEA/UK/Brazil), we implement appropriate safeguards for such transfers, which may include:

  • Standard Contractual Clauses (SCCs) approved by the European Commission
  • The UK International Data Transfer Agreement (IDTA) or the UK Addendum to SCCs
  • Contractual protections required by LGPD and other local laws
  • Encryption in transit (TLS/HTTPS) and at rest

You can contact us at support@studyless.app for more information about our international transfer mechanisms.

8. Security

We take reasonable technical and organizational measures to protect your personal information, including:

  • Encryption in transit (TLS/HTTPS) and at rest (e.g., Supabase storage encryption)
  • Access controls so only authorized personnel can access production systems
  • Secure authentication mechanisms and password hashing for account access
  • Regular updates of software and security libraries
  • Monitoring and logging for error detection and abuse

No method of transmission or storage is completely secure, but we work to protect your data using industry-standard practices.

9. AI Services and Automated Decisions

9.1 AI-Based Flashcard Generation

We use the Google Gemini API to:

  • Extract text from your uploaded images/PDFs
  • Generate flashcards and learning prompts automatically

Important notes:

  • AI-generated content may contain errors or inaccuracies. You should always verify important information against original textbooks or trusted sources, especially for high-stakes exams.
  • AI-generated content is provided for reference only and does not constitute educational, professional, or exam advice.

9.2 Personalized Learning Scheduling (FSRS Algorithm)

We use the FSRS algorithm to:

  • Record your responses to each flashcard (Again/Hard/Good/Easy)
  • Estimate the "memory strength" of each card
  • Calculate review intervals and recommend when to review each card
  • Adjust your schedule to target high retention (for example, around 90%) by your exam date if you set one

This processing is necessary to provide the learning features you expect from StudyLess. It does not produce legal or similarly significant effects for you; it only changes the timing and ordering of flashcards.

If you have questions about how these recommendations are generated, you can contact us at support@studyless.app.

10. Your Rights

Your privacy rights depend on your location, but we aim to respect the following rights where reasonably possible.

10.1 For Users in the EEA/EU and UK (GDPR / UK-GDPR)

You may have the right to:

  • Access your personal data
  • Correct inaccurate or incomplete data
  • Request deletion of your data ("right to be forgotten")
  • Restrict processing in certain circumstances
  • Receive a copy of your data in a portable format
  • Object to processing based on legitimate interests (including analytics)
  • Withdraw consent at any time (where processing is based on consent)
  • Lodge a complaint with your local Data Protection Authority

10.2 For Users in California and Other US States (CCPA/CPRA and Similar Laws)

You may have the right to:

  • Know what personal information we collect, use, and disclose
  • Request deletion of your personal information (subject to exceptions)
  • Correct inaccurate personal information
  • Receive information about how we share and disclose personal information
  • Not be discriminated against for exercising your privacy rights

We do not sell personal information.

10.3 For Users in Brazil (LGPD)

You may have the right to:

  • Confirm whether we process your personal data
  • Access your data
  • Correct incomplete, inaccurate, or outdated data
  • Anonymize, block, or delete unnecessary or excessive data
  • Transfer data to another service provider
  • Delete data processed with your consent
  • Obtain information about public and private entities with whom we share data
  • Withdraw consent

10.4 For Users in South Korea (PIPA) and Japan (APPI)

You may have rights to:

  • Access and obtain a copy of your data
  • Correct or delete incorrect data
  • Request suspension or cessation of use of your data
  • Request information about data handling practices

10.5 How to Exercise Your Rights

You can exercise your rights or make a privacy request by:

  • Using available features in the app (for example, Export Data and Delete Account), and/or
  • Contacting us at support@studyless.app

We may ask you to verify your identity before processing your request. We will respond within the timeframes required by applicable law.

11. Third-Party Links

The Service may contain links to external websites or services. We are not responsible for the privacy practices of those third parties. We encourage you to review their privacy policies.

12. Changes to This Privacy Policy

We may update this Privacy Policy from time to time.

  • For non-material changes, we will post the updated Policy with a new Effective Date.
  • For material changes that significantly affect your rights or how we process data, we will provide more prominent notice (e.g., in-app notification) and, where required, seek your consent.

Your continued use of StudyLess after the updated Policy becomes effective means you accept the changes.

13. Contact

If you have any questions, concerns, or requests about this Privacy Policy or our data practices, contact:

Email: support@studyless.app

We will do our best to resolve your concerns.