Flashcards — Privacy Policy
Effective Date: May 11, 2026
Last Updated: May 11, 2026
This Privacy Policy explains how Pancakes Flashcards ("we," "us," or "our"), operated by Ahmad Mahmoud as a sole proprietorship based in Amman, Jordan, handles your personal data when you use the app at flashcards.usepancakes.com.
For the purposes of the EU General Data Protection Regulation (GDPR) and UK GDPR, the data controller is Ahmad Mahmoud. For privacy-related enquiries, contact us at support@usepancakes.com.
This policy is supplementary to the Pancakes Privacy Policy at usepancakes.com/privacy.
1. What We Collect
1.1 Account Information
- Name and email address when you register
- Password (stored hashed — we never store plaintext passwords)
- Subscription plan and billing history
1.2 User Content
- Flashcard decks, folders, and cards you create or generate
- Files you upload (PDFs, images, .docx, .pptx, videos) for card generation
- FSRS study data — review history, retention scores, scheduling data
1.3 Usage Data
- Features used, session activity, and study patterns (used to power FSRS and statistics features)
- Device information, browser type, and IP address for security purposes — IP addresses and server logs are retained for up to 90 days for security purposes
1.4 Payment Information
- Billing details are collected and processed entirely by Lemon Squeezy. We do not store your credit card or payment information directly.
2. How We Use Your Data
We use your data to:
- Provide and maintain the Flashcards app
- Power FSRS spaced repetition scheduling based on your study history
- Generate flashcards from your uploaded content using AI providers
- Process payments and manage subscriptions via Lemon Squeezy
- Send transactional emails (account confirmation, billing receipts, password resets)
- Display in-depth statistics on Pro and Premium plans
- Detect and prevent abuse or unauthorized access
We do not sell your data. We do not use your flashcard content or uploaded files for training AI models.
3. Legal Basis for Processing (EU/EEA/UK Users)
If you are located in the European Union, European Economic Area, or United Kingdom, we process your personal data on the following legal bases:
| Purpose | Legal Basis |
|---|---|
| Providing the app, FSRS scheduling, storing flashcards and files | Performance of contract (Art. 6(1)(b)) |
| Generating cards via third-party AI providers | Performance of contract (Art. 6(1)(b)) |
| Processing payments and managing subscriptions | Performance of contract (Art. 6(1)(b)) |
| Detecting abuse, securing the service, logging IP addresses | Legitimate interest (Art. 6(1)(f)) |
| Retaining billing records | Legal obligation (Art. 6(1)(c)) |
| Sending non-essential marketing or product updates | Consent (Art. 6(1)(a)) |
You have the right to object to processing carried out on the basis of legitimate interest. See Section 9 (Your Rights) for details.
4. AI Providers
When you use AI card generation features, the content you provide is sent to third-party AI providers for processing:
- Groq — processes content for Free plan users
- Google Gemini — processes content for Pro and Premium plan users
Each provider processes your content under their own privacy policies. We recommend reviewing them at groq.com and ai.google.dev. We do not store the raw input sent to AI providers beyond what is necessary to return generated cards to you.
5. File Storage
Uploaded files (PDFs, images, .docx, .pptx, videos) are stored in Cloudflare R2. Files are accessed via signed, time-limited URLs and are retained for the duration of your account. Upon account deletion, all files are permanently deleted within 7 days.
6. Data Storage and Security
Your account data, flashcard content, and study history are stored in Neon PostgreSQL. We apply industry-standard security measures including encryption in transit (HTTPS/TLS), hashed passwords, and strict access controls.
The database is hosted in Neon's EU region (Frankfurt, Germany), with backups retained in the same region.
7. Cookies
We use only essential cookies necessary to operate the app:
- Authentication cookies — to keep you signed in during a session
- Security cookies (CSRF protection) — to prevent cross-site request forgery attacks
Essential cookies do not require your consent under EU or UK law as they are strictly necessary to provide the service you have requested.
We do not use third-party analytics cookies, advertising cookies, or any form of cross-site tracking.
If this changes in the future, we will update this policy and request your consent where required by law.
8. International Data Transfers
Pancakes Flashcards is operated from Jordan. When you use our service, your personal data may be transferred to and processed by third-party processors located inside or outside the European Economic Area:
- Neon — database hosting (EU/Frankfurt region; backups within the EU)
- Cloudflare R2 — file storage (global infrastructure)
- Groq — AI processing (United States)
- Google Gemini — AI processing (United States and global)
- Lemon Squeezy — payment processing (United States)
For transfers to processors outside the EEA, we rely on the European Commission's Standard Contractual Clauses (SCCs) or equivalent safeguards recognised under applicable law.
You may request a copy of the relevant safeguards by contacting us at support@usepancakes.com.
9. Data Retention
| Data Type | Retention Period |
|---|---|
| Account and flashcard data | Until account deletion |
| Uploaded files | Until account deletion |
| FSRS study history | Until account deletion |
| IP addresses and server logs | Up to 90 days |
| Billing records | Up to 10 years, where required by tax or financial regulations |
Upon account deletion, all personal data, flashcard content, and uploaded files are permanently deleted within 7 days.
10. Sharing Your Data
We do not sell or rent your data. We share it only with:
- Lemon Squeezy — payment processing and subscription management. Lemon Squeezy acts as the Merchant of Record and is an independent controller for billing data under its own privacy policy.
- Groq — AI card generation for Free plan users
- Google Gemini — AI card generation for Pro and Premium plan users
- Cloudflare R2 — file storage
- Neon — cloud database hosting
- Legal authorities — if required by law or court order
11. Your Rights
You have the following rights regarding your personal data:
- Access — request a copy of the personal data we hold about you
- Rectification — request correction of inaccurate or incomplete data
- Erasure — request deletion of your account and all associated personal data
- Portability — receive your flashcard decks and study data in a structured, machine-readable format
- Restriction — request that we restrict processing of your data in certain circumstances
- Object — object to processing based on legitimate interest, including for direct marketing purposes
- Withdraw consent — withdraw any consent you have given at any time, without affecting the lawfulness of processing carried out before withdrawal
To exercise any of these rights, contact us at support@usepancakes.com. We will respond within 30 days.
If you are located in the EU, EEA, or UK, you also have the right to lodge a complaint with your local data protection supervisory authority. EU supervisory authorities are listed at edpb.europa.eu. UK users may contact the Information Commissioner's Office at ico.org.uk.
12. Children's Privacy
The Pancakes Flashcards app is not directed at children under 13. If you are located in the European Union or European Economic Area, the minimum age is 16 unless a parent or guardian has provided verifiable consent. We do not knowingly collect personal data from users below these ages. If we become aware that we have collected such data, we will delete it promptly.
13. Data Breach Notification
In the event of a personal data breach likely to result in a risk to your rights and freedoms, we will notify the relevant supervisory authority within 72 hours of becoming aware of the breach, where required by applicable law. Where the breach is likely to result in a high risk to your rights and freedoms, we will also notify affected users by email without undue delay.
14. Changes
We may update this Privacy Policy from time to time. For material changes — particularly those affecting how we collect, use, or share your data — we will notify you by email at least 30 days before they take effect. The "Last Updated" date at the top reflects the most recent revision. Continued use of the app after the effective date constitutes acceptance of the updated policy.
15. Contact
For privacy-related questions, contact us at:
Email: hello@usepancakes.com
Website: usepancakes.com