Privacy Policy
Last updated: February 17, 2026
1. Information We Collect
a. Information You Provide
- Account information: When you create an account, we collect your name, email address, and authentication credentials.
- Learning content: Phrases, sentences, collections, translations, and stories you create or save within the Service.
- Study data: Spaced repetition progress, review session history, ratings, and learning preferences.
- Preferences: Language settings, audio preferences (voice, speed), and display preferences.
- Communications: Any messages or feedback you send to us via email or through the Service.
b. Information Collected Automatically
- Device and browser information: Browser type, operating system, screen resolution, and language settings.
- Analytics data: Page views and general usage patterns, collected via self-hosted Umami analytics (no personal identifiers).
- Log data: IP addresses, request timestamps, and error logs for security and debugging purposes.
- Session tokens: Authentication tokens used to maintain your logged-in session.
c. Information from Third Parties
- Payment information: Subscription status and billing events from Polar.sh. We do not store your full payment card details.
- Bot protection: Verification signals from Cloudflare Turnstile to prevent automated abuse.
2. How We Use Your Information
We use your information to:
- Provide, maintain, and improve the Service
- Personalize your learning experience and spaced repetition schedules
- Process payments and manage your subscription
- Generate AI-powered stories, translations, and example sentences tailored to your level
- Generate text-to-speech audio for Mandarin content
- Enforce usage limits associated with your subscription tier
- Send transactional emails (account verification, password resets, billing notifications)
- Detect and prevent fraud, abuse, and unauthorized access
- Comply with legal obligations
- Communicate with you about the Service, including service updates and changes
3. Legal Basis for Processing (GDPR)
If you are in the European Economic Area (EEA), we process your personal data under the following legal bases:
- Contractual necessity: Processing required to provide the Service you signed up for, including account management, content generation, and spaced repetition.
- Legitimate interests: Analytics to improve the Service, security measures to protect accounts, and fraud prevention — balanced against your privacy rights.
- Consent: Where we rely on your consent (e.g., optional marketing communications), you may withdraw consent at any time.
- Legal obligation: Processing required to comply with applicable laws, such as tax and billing requirements.
4. Data Sharing & Third-Party Services
We do not sell, rent, or trade your personal data to third parties. We share data with the following service providers solely to operate the Service:
- Polar.sh — Payment processing and subscription management
- OpenRouter — LLM routing for AI-generated stories, translations, and sentences
- fal.ai — Text-to-speech audio generation and image generation
- Minimax — Text-to-speech audio generation and image generation
- Replicate — Image generation
- Cloudflare R2 — Cloud storage for audio files and generated images
- Resend — Transactional email delivery
- Umami — Privacy-focused web analytics with no personal identifiers
- Cloudflare Turnstile — Bot protection and CAPTCHA verification
Each third-party provider processes data in accordance with its own privacy policy. We only share the minimum data necessary for each provider to perform its function.
We may also disclose your information if required by law, legal process, or government request, or to protect the rights, property, or safety of Mandarin Forge, our users, or others.
5. Data Storage & Security
We implement appropriate technical and organizational measures to protect your personal information, including:
- Encryption in transit using TLS (HTTPS) for all connections
- Secure password hashing — we never store passwords in plain text
- Access controls limiting who can access production data
- Session expiry and automatic logout for inactive sessions
- Rate limiting to prevent brute-force attacks and abuse
Study data, including your phrases, sentences, collections, and review progress, is stored in our database and associated with your account. Audio files and generated images are stored in cloud storage (Cloudflare R2).
While we take reasonable precautions to protect your data, no method of electronic transmission or storage is 100% secure. We cannot guarantee absolute security.
6. Data Retention
- Active accounts: Your data is retained for as long as your account is active and you continue to use the Service.
- Account deletion: When you delete your account, we cascade-delete all associated data, including learning content, study progress, preferences, and stored media (audio files and images in R2).
- Billing data: Payment and subscription records are retained by Polar.sh in accordance with its retention policies and applicable tax/legal requirements.
- Analytics data: Usage analytics collected by Umami are aggregated and contain no personally identifiable information.
- Data exports: If you request a data export, the export file will automatically expire and be deleted after a reasonable period.
- Backups: Your data may persist in encrypted backups for up to 30 days after deletion before being permanently removed.
7. International Data Transfers
Your data may be processed and stored in countries other than your country of residence. Our third-party service providers operate in various jurisdictions, including the United States.
If you are located in the European Economic Area (EEA) or United Kingdom, we ensure that transfers of personal data to countries outside the EEA/UK are protected by appropriate safeguards, such as standard contractual clauses or the service provider's participation in recognized data protection frameworks.
8. Cookies & Tracking
We use a minimal number of cookies, limited to what is essential for the Service to function:
- Essential cookies: Session and authentication cookies required to keep you logged in and maintain your session state. These are strictly necessary and cannot be disabled.
- Analytics: We use self-hosted Umami analytics, which does not use tracking cookies, does not collect personal identifiers, and is fully GDPR-compliant by design.
We do not use advertising cookies or third-party tracking pixels. Because our analytics solution does not use cookies or track individual users, Do Not Track (DNT) browser signals are respected by default.
9. Your Rights
a. All Users
Regardless of your location, you have the right to:
- Access the personal data we hold about you
- Request correction of inaccurate or incomplete data
- Request deletion of your account and all associated data
- Export your study data in a portable format
- Object to processing of your data for specific purposes
b. EU/EEA Residents (GDPR)
If you are in the European Economic Area, you additionally have the right to:
- Restrict the processing of your personal data in certain circumstances
- Receive your data in a structured, machine-readable format (data portability)
- Withdraw consent at any time where processing is based on consent
- Lodge a complaint with your local supervisory authority if you believe your rights have been violated
c. California Residents (CCPA)
If you are a California resident, you have the right to:
- Know what personal information we collect, use, and disclose about you
- Request deletion of your personal information
- Opt out of the sale of your personal information — however, we do not sell personal information
- Not be discriminated against for exercising your privacy rights
To exercise any of these rights, please contact us at hello@mandarinforge.com. We will respond to your request within 30 days.
10. Children's Privacy
The Service is not directed to children under 16. We do not knowingly collect personal information from children under 16. If you believe we have collected information from a child under 16, please contact us at hello@mandarinforge.com and we will promptly delete the information.
11. Data Breach Notification
In the event of a data breach that is likely to result in a risk to your rights and freedoms, we will notify affected users within 72 hours of becoming aware of the breach, in accordance with GDPR Article 33.
Our notification will include:
- The nature and scope of the breach
- The types of data potentially affected
- Measures we have taken or plan to take in response
- Recommendations for steps you can take to protect yourself
We will also notify the relevant supervisory authorities as required by applicable law.
12. Changes to This Policy
We may update this Privacy Policy from time to time. For material changes, we will provide at least 14 days' notice by sending an email to the address associated with your account or by posting a prominent notice on the Service.
We will update the "Last updated" date at the top of this page. Prior versions of this policy are available upon request by contacting us.
13. Contact
If you have questions about this Privacy Policy or wish to exercise your data rights, please contact us at hello@mandarinforge.com.