Privacy Policy
Effective: 2026-05-22
Summary: LearnClash collects data needed to run the app (account info, game progress, device tokens for notifications, and support reports you choose to send). We use Firebase (Google) for infrastructure and RevenueCat for subscriptions. We don't sell your data. On the website, optional ads/matching consent can enable Google Signals and hashed email matching for conversion measurement, demographics, remarketing, and attribution. You can delete your account and all data anytime via the app or by emailing us.
1. Identity & Contact
Data Controller: Pluxia GmbH, Blegistrasse 7, 6340 Baar, Switzerland (UID: CHE-198.527.946).
Contact: privacy@learnclash.com
Response Time: We respond to privacy requests within 30 days (GDPR) or 45 days (CCPA). Complex requests may take up to 90 days with notice.
2. Data We Collect
2.1 Account Data
When you sign in, we collect:
- Email address — from Google Sign-In or Apple Sign-In (OAuth provider)
- Display name — from OAuth provider, editable by you
- Profile photo URL — from OAuth provider, editable by you
- Unique user identifier (UID) — generated by Firebase Authentication
- Preferred language — auto-detected from device locale (BCP-47 format)
- Account creation timestamp
- Last active timestamp — updated with 5-minute debounce
2.2 Game Performance Data
To provide matchmaking and track your progress:
- ELO rating — matchmaking score starting at 1300
- XP (experience points) — progression tracking
- Duel count — total games played
- Current streak — consecutive days you've been active
- Maximum streak — your all-time best
- Streak freezes — available streak protection items
- Last streak date — ISO format (YYYY-MM-DD)
- Preferred categories — your 3-18 category selections for matchmaking
- My topic IDs — topics you're practicing (max 50)
2.3 Learning Progress Data
To implement spaced repetition learning:
- Per-question correct count — how many times you answered correctly
- Last seen timestamp — when you last saw each question
- Next review date — scheduled by our SRS algorithm
- Topic cooldown timestamps — prevents overuse of same topics
2.4 Duel History Data
For each game you play:
- Duel ID and timestamps — created, updated, expires
- Opponent information — UID, display name, photo, ELO (public profile data)
- Round-by-round answers — which option you selected and correctness
- Response time — milliseconds to answer each question
- XP earned — per answer
- Final scores and ELO changes
- Forfeit status — if applicable
2.5 Social Data
For friend features and multiplayer:
- Friend relationships — user IDs, pending/accepted status, friend streak
- Head-to-head statistics — win/loss record against specific opponents
- Unread notification count
- Public profile — your display name, photo, ELO, and XP are visible to other authenticated users for matchmaking and leaderboards
- Question reports — if you report a question issue, we store your user ID with the report
2.6 Feedback & Support Reports
When you send feedback or a bug report from the app, we collect only what is needed to understand and route the report:
- Message and report type - the text you enter and whether you selected bug or idea
- Optional app status diagnostics - app version, build number, flavor, platform, OS version, device model, locale, timezone, text settings, layout insets, network state, route label, and progress counters such as streak, ELO, Mems, level, and XP
- Optional screenshot - captured only after you open the feedback sheet, shown as a preview, removable before sending, and disabled on private screens and active gameplay screens
- Support routing metadata - report ID, Firebase Auth UID, privacy hash, support delivery status, attempts, and error code if delivery fails
- Data we do not include - raw logs, notification tokens, full question content, passwords, payment details, or public screenshot URLs
2.7 Device & Technical Data
For app functionality and security:
- FCM tokens — Firebase Cloud Messaging tokens for push notifications (max 5 per user)
- Firebase App Check attestation — device integrity verification
- Privacy hash — HMAC-SHA256 of your UID for anonymized crash correlation
- Installation UUID — Crashlytics installation identifier
- IP address — processed transiently by Firebase infrastructure, not stored by us
2.8 Analytics & Diagnostics Data
To improve the app:
- Screen views and navigation paths
- Feature interaction events — duel created, question answered, etc.
- Session duration and timestamps
- Paywall views, conversions, dismissals
- Error logs and stack traces — via Firebase Crashlytics
- Diagnostic keys — FCM status, APNs availability
- Breadcrumb logs — activity trail preceding crashes
Google Analytics Advertising Features and User-Provided Data
When you grant ads, demographics, and matching consent on our website, Google Analytics may additionally collect or receive:
- Demographics — inferred age range and gender
- Interests — inferred interest categories based on browsing history
- Cross-device linkage — associates activity across devices you use while signed in to the same Google account
- User-provided data — after website sign-in, a SHA-256 hash of your normalized account email may be sent to Google Analytics for enhanced conversions, Customer Match, demographics, interest reporting, and attribution. We do not send raw email, names, phone numbers, street addresses, city, postal code, or precise location.
These features are disabled by default in the EU/EEA/UK/Switzerland and only activate after you click "Accept all" or opt in via the Privacy preferences link. Global Privacy Control also disables them. You can opt out at any time via Google's Analytics Opt-Out Browser Add-on, your Google Ads Settings, or by clicking "Privacy preferences" in our footer.
2.9 Subscription Data
Managed by RevenueCat:
- Purchase history and product IDs
- Subscription status — active, expired, grace period
- Store identifier — App Store or Google Play
- Expiration and renewal dates
2.10 Chat Data
If you use AI chat or duel chat features:
- AI conversation history — automatically deleted after 30 days (TTL)
- Duel chat messages — message text, sender user ID, duel ID, thread ID, timestamps, and moderation status
- Clash AI prompts — when you ask Clash or tag @clash, the text you submit is processed to generate the reply. Duel-thread Clash replies use only your visible @clash message and do not include hidden duel state
- Chat safety settings — terms acceptance, chat preference, safe mode, muted or blocked users, and local hide records
- Report and moderation records — created when you report a message or when automated safety systems block a message
2.11 Chrome Extension Data
If you use the LearnClash Chrome Extension (new tab quiz), the following data is stored locally on your device via chrome.storage.local:
- Quiz pool — pre-fetched quiz sets for instant new tab loading (expires after 6 hours)
- Language preference — your selected language override
- Daily streak — number of consecutive days you completed a quiz
- Last played date — date of your most recent quiz completion (YYYY-MM-DD)
- GA4 Client ID — a random UUID generated on first use for anonymous analytics grouping
The extension sends anonymous usage events to Google Analytics 4 (GA4) via the Measurement Protocol:
- Topic selections — which topic you picked (name and ID)
- Quiz completions — that you finished a quiz (no answers are sent)
- Session ID — a random number generated per tab open
The extension communicates with our API to fetch quiz content:
- Language header — your browser's Accept-Language or your language override
- Timestamp header — for rate limiting (not stored)
- IP address — processed transiently for rate limiting, not stored by us
No account required: The Chrome Extension does not require sign-in. No personal information (email, name, or app account data) is collected or linked. All data is stored locally and deleted when you uninstall the extension.
3. How We Use Your Data
| Data Category | Purpose | Legal Basis (GDPR) |
|---|---|---|
| Account data | Authentication, profile display | Contract performance |
| Game data | Matchmaking, leaderboards, progression | Contract performance |
| Learning progress | Spaced repetition scheduling | Contract performance |
| Device tokens | Push notifications for game events | Legitimate interest |
| Feedback and support reports | Customer support, bug triage, abuse prevention, and support delivery to support@learnclash.com | Legitimate interest / Consent for optional screenshot |
| Analytics (basic) | App improvement, feature usage, funnel analysis | Legitimate interest / Consent (EU) |
| Google Signals and user-provided data | Audience insights, cross-device measurement, advertising features, enhanced conversions, Customer Match, and attribution | Consent (opt-in required) |
| Crash logs | Debugging, stability | Legitimate interest |
| Subscriptions | Premium feature access | Contract performance |
Automated Decision-Making: We do not use automated decision-making with legal or similarly significant effects (GDPR Article 22). ELO matchmaking is algorithmic but has no legal effect.
4. Third-Party Services
We use the following services to operate LearnClash:
| Service | Provider | Purpose | Data Shared |
|---|---|---|---|
| Firebase Authentication | Google LLC | User sign-in | Email, UID, OAuth tokens |
| Cloud Firestore | Google LLC | Database storage | All user-generated data |
| Google Analytics 4 (Firebase Analytics) | Google LLC | Usage analytics, funnel analysis, and — with your consent — Google Signals, user-provided data, demographics, interests, cross-device measurement, enhanced conversions, Customer Match, advertising features, and attribution | Events, hashed user ID (SHA-256 of UID), device info, IP (truncated by Google), and — only with ads/matching consent — Google account signals and SHA-256 hashed normalized account email |
| Firebase Crashlytics | Google LLC | Crash reporting | Device info, crash logs, privacy hash |
| Firebase Cloud Messaging | Google LLC | Push notifications | FCM tokens |
| Firebase App Check | Google LLC | Device verification | Device attestation |
| RevenueCat | RevenueCat Inc | Subscription management | Purchase history, entitlements |
| xAI (Grok) | xAI Corp | Question generation | Question text only (no user data) |
| Google Gemini | Google LLC | Semantic embeddings, translations, report validation, and Clash AI replies | Question text; AI chat prompts; and visible @clash message text when you tag Clash in a duel thread. Hidden duel state, live answers, scores, account email, notification tokens, and payment data are not sent |
Third-Party AI Services: LearnClash uses xAI (Grok) for quiz question generation and Google Gemini for semantic embeddings, translations, report validation, and Clash AI replies. We do not send account email, payment data, notification tokens, or hidden duel state to these AI services. When you ask Clash or tag @clash, the prompt or message text you submit is processed to generate the reply.
For more information: How Google uses data when you use our partners' sites or apps
Third-Party Privacy Policies:
5. Data Retention
| Data Type | Retention Period | Deletion Trigger |
|---|---|---|
| Account data | Until account deletion | User request (in-app or email) |
| Game history (duels) | Indefinite | Account deletion |
| Learning progress | Indefinite | Account deletion |
| AI chat sessions | 30 days | Automatic TTL expiration |
| Duel chat messages | 60 days | Automatic TTL expiration |
| Duel chat report evidence | 180 days | Automatic TTL expiration |
| Feedback reports | 180 days; optional screenshots 30 days; unsubmitted drafts 30 minutes | Automatic TTL expiration or deletion request |
| Analytics data | 14 months | Google default retention |
| Crash logs | 90 days | Firebase default |
| Rate limit counters | Hourly windows | Automatic expiration |
On Sign-Out: Local data (FCM tokens, cache, authentication tokens) is deleted from your device. Your account data remains on our servers until you delete your account via Profile → Settings → Delete Account or by emailing us.
6. International Transfers
Your data may be processed outside your country of residence:
- Firebase/Google — Uses United States infrastructure (Google Cloud). EU transfers rely on Google's Standard Contractual Clauses (SCCs).
- RevenueCat — United States based, uses SCCs for EU compliance.
- xAI/Gemini APIs — Processed in the United States.
7. Your Rights (GDPR — EU/EEA Users)
Under the General Data Protection Regulation, you have the following rights:
- Right to Access (Article 15) — Request a copy of your personal data.
- Right to Rectification (Article 16) — Correct inaccurate data via profile settings or by contacting us.
- Right to Erasure (Article 17) — Delete your account and all associated data. Use the in-app option (Profile → Settings → Delete Account) or email us.
- Right to Restrict Processing (Article 18) — Limit how we use your data.
- Right to Data Portability (Article 20) — Receive your data in a machine-readable format.
- Right to Object (Article 21) — Object to processing based on legitimate interest.
- Right to Withdraw Consent — Where consent is the legal basis.
How to Exercise: Email privacy@learnclash.com with your request. Include your account email for verification.
Response Time: Within 30 days. Complex requests may take up to 60 additional days with notice.
Complaints: You have the right to lodge a complaint with your local Data Protection Authority. List of EU DPAs.
8. Your Rights (CCPA/CPRA — California Users)
Under the California Consumer Privacy Act and California Privacy Rights Act:
- Right to Know — Request the categories and specific pieces of personal information we've collected.
- Right to Delete — Request deletion of your personal information via the in-app option (Profile → Settings → Delete Account) or by email.
- Right to Correct — Request correction of inaccurate information.
- Right to Opt-Out of Sale/Sharing — We do not sell your personal information for money. However, when you grant ads/matching consent on our website, we enable Google Analytics Advertising Features (Google Signals) and may send a SHA-256 hashed account email for user-provided data features, which under California law constitutes "sharing" personal information for cross-context behavioral advertising. You can opt out at any time by: (1) clicking "Privacy preferences" in our footer, (2) declining the consent banner on your first visit, (3) enabling Global Privacy Control (GPC) in your browser (we honor GPC automatically), or (4) using Google's Analytics Opt-Out Browser Add-on.
- Right to Limit Use of Sensitive Personal Information — Not applicable (we don't process sensitive PI beyond account operation).
- Right to Non-Discrimination — No penalty for exercising your rights.
Verification: We verify requests by confirming your email address matches an account.
Authorized Agents: You may designate an authorized agent to make requests on your behalf with written permission.
Response Time: Within 45 days. May extend by 45 additional days with notice.
CCPA 2026 Updates (Effective January 1, 2026)
- Automated Decision-Making: We do not use automated decision-making technology that produces legal or similarly significant effects.
- Opt-Out Confirmations: We provide confirmation when you opt out of data processing.
- Global Privacy Control (GPC): We automatically detect and honor the GPC browser signal as an opt-out of sharing for cross-context behavioral advertising. When GPC is detected, Google Signals is disabled for your session regardless of prior consent.
9. Children's Privacy
Age Requirement: LearnClash is intended for users aged 13 and older.
We do not knowingly collect personal information from children under 13. If you believe a child under 13 has created an account, contact us immediately at privacy@learnclash.com.
Parental Rights: Parents may request deletion of any data collected inadvertently from children under 13.
10. Security
We implement industry-standard security measures:
- Encryption in Transit: All communications use TLS/SSL.
- Encryption at Rest: Firebase default encryption for stored data.
- Access Control: Firestore Security Rules with field-level permissions.
- Device Verification: Firebase App Check validates device integrity.
- Anti-Cheat: Server-side answer validation; correct answers never sent to client.
- Rate Limiting: Prevents abuse of sensitive operations.
- Cryptographic Protection: HMAC-SHA256 for privacy hashes and session tokens.
- Secret Management: API keys stored in Google Secret Manager.
Disclaimer: No system is 100% secure. We cannot guarantee absolute security but take reasonable measures to protect your data.
11. Cookies & Identifiers
Mobile App: LearnClash does not use cookies. We use the following identifiers:
- Firebase Installation ID — identifies app installation
- FCM Token — for push notifications
- App Check Token — device attestation
Website (learnclash.com): The LearnClash website uses Google Analytics 4 (GA4) with Google Consent Mode v2, delivered via our own server-side tag manager (sGTM) running on learnclash.com. Your browser sends analytics requests to our server (Google Cloud Run, us-central1), which then forwards them to Google Analytics. No analytics request connects directly to googletagmanager.com or google-analytics.com. We distinguish two cookie categories, each independently controlled via the consent banner and the "Privacy preferences" footer link:
Cookie categories
- Analytics cookies (controlled by `analytics_storage`): basic pageview, session, and event measurement. All four cookies are first-party on learnclash.com: `_ga` (2 years, identifies the browser across sessions), `_ga_SCDL21Y0MG` (2 years, holds the current GA4 session state), `FPID` (2 years, HttpOnly, server-set first-party identifier that survives Safari ITP's 7-day cookie cap), and `FPGSID` (30 minutes, SameSite=Strict, server-set session identifier). Used to understand which pages are visited and to measure funnel conversion. Default: denied in the EEA, UK, and Switzerland until you choose to allow analytics; enabled elsewhere unless you opt out. No third-party ad profiling.
- Advertising cookies / Google Signals / user-provided data (controlled by `ad_storage`, `ad_user_data`, `ad_personalization`) — enables Google Analytics Advertising Features including demographics, interest categories, cross-device measurement, remarketing, enhanced conversions, Customer Match, and attribution. After website sign-in and only when this category is allowed, we may send Google Analytics a SHA-256 hash of your normalized account email. Default: denied until you choose to allow ads, demographics, and matching. Automatically disabled when Global Privacy Control is detected, regardless of prior consent. Under California law this constitutes "sharing" for cross-context behavioral advertising.
Opt out or change your choice at any time: click "Privacy preferences" in the footer of any page. Legal pages (privacy policy, terms, impressum, support) do not load any analytics or trackers regardless of consent.
Chrome Extension: The LearnClash Chrome Extension uses GA4 via the Measurement Protocol (not cookies) with a locally stored random Client ID. No consent banner is needed as no cookies are placed. See Section 2.11 for details.
For EU users, we comply with Google's EU User Consent Policy requirements.
12. Policy Updates
We may update this Privacy Policy to reflect changes in our practices or legal requirements.
- Notification: Significant changes will be communicated via in-app notification.
- Continued Use: Continued use after changes constitutes acceptance.
- Version History: Material changes are documented below.
Version History
| Date | Change |
|---|---|
| 2026-05-24 | Clarified that Clash AI prompts and visible @clash duel-thread messages are processed by Google Gemini to generate replies, while hidden duel state, account email, notification tokens, and payment data are not sent. |
| 2026-05-22 | Added consent-gated Google Analytics user-provided data disclosures for hashed account email matching, enhanced conversions, Customer Match, remarketing, demographics, interest reporting, and attribution. Clarified that city, postal code, phone number, raw email, names, street address, and precise location are not sent. |
| 2026-05-20 | Added duel chat message, report, block, moderation, and 60-day/180-day retention disclosures. |
| 2026-05-17 | Adopted server-side Google Tag Manager (sGTM) on learnclash.com. Analytics requests now route through our own Google Cloud Run server (us-central1) before reaching Google, instead of the browser connecting directly to googletagmanager.com and google-analytics.com. Added FPID (2-year HttpOnly first-party identifier) and FPGSID (30-minute SameSite=Strict session identifier) to the Section 11 cookie list. No change to which data is collected, no change to data recipients, no change to consent behavior. |
| 2026-04-15 | Enabled Google Analytics Advertising Features (Google Signals). Added granular consent banner with separate Analytics and Advertising categories. Added Global Privacy Control (GPC) auto-detection. Updated Sections 2.7, 3, 4, 8, and 11 to disclose demographics, interest categories, cross-device measurement, and CCPA sharing classification. |
| 2026-03-27 | Added Chrome Extension data disclosures and updated Section 11 to cover extension analytics. |
| 2026-01-08 | Initial comprehensive policy with GDPR, CCPA/CPRA 2026, Firebase disclosures, in-app account deletion, public profile visibility, and third-party AI clarifications per Apple Nov 2025 guidelines. |
13. Contact Us
For privacy inquiries, data requests, or questions about this policy:
We aim to respond to all inquiries within 30 days.