Last updated: May 15, 2026
LearnFromX is operated from France. For GDPR purposes, the data controller is LearnFromX, reachable at contact@learnfromx.com.
| Purpose | Legal basis (GDPR) |
|---|---|
| Provide the service (account, flashcards, study progress) | Contract performance |
| Send transactional emails (verification, password reset, deck ready) | Contract performance |
| Rate limiting and abuse prevention | Legitimate interest |
| Error monitoring (Sentry) | Legitimate interest |
| Analytics (Google Analytics) | Consent |
| Service improvement | Legitimate interest |
We share data with these services to operate LearnFromX:
| Service | Purpose | Data shared |
|---|---|---|
| Google Analytics | Usage analytics | Page views, anonymized usage patterns, IP address |
| Brevo | Transactional email | Email address, email content |
| Sentry | Error tracking | Error stack traces, request context (PII sending is disabled) |
| Anthropic | AI content generation | Anime sentences, vocabulary queries (no account data) |
| Google OAuth | Authentication | Email address (received from Google during login) |
We do not sell your data. We do not use your data for advertising.
We use a single session cookie to keep you logged in. It's HttpOnly, Secure (HTTPS only), and SameSite=Lax. It expires after 30 days of inactivity.
Google Analytics sets its own cookies for usage tracking. You can opt out using a browser extension or by blocking third-party cookies.
| Data type | Retention |
|---|---|
| Account data | Until you delete your account |
| Learning progress | Until you delete your account |
| Generation sessions | Automatically deleted after 24 hours |
| IP addresses (rate limiting) | Reset weekly (Mondays) |
| Feedback messages | Until resolved, then deleted |
| Authentication tokens | Expired tokens are periodically purged |
If you're in the EU/EEA, you have the right to:
To exercise any of these rights, email contact@learnfromx.com. We'll respond within 30 days.
You also have the right to lodge a complaint with your local data protection authority. In France, this is the CNIL.
We protect your data with:
Some third-party services (Google Analytics, Anthropic, Sentry) may process data outside the EU/EEA. These transfers rely on Standard Contractual Clauses or equivalent safeguards provided by each service.
The service is not directed at children under 16. We don't knowingly collect data from children under 16. If you believe a child has created an account, contact us and we'll delete it.
We may update this policy. Material changes will be communicated via email or an in-app notice. The "last updated" date at the top reflects the most recent revision.
For privacy-related questions or GDPR requests: contact@learnfromx.com