Privacy Policy

1. Identity & Contact

Data Controller: Pluxia GmbH, Blegistrasse 7, 6340 Baar, Switzerland (UID: CHE-198.527.946).

Contact: privacy@learnclash.com

Response Time: We respond to privacy requests within 30 days (GDPR) or 45 days (CCPA). Complex requests may take up to 90 days with notice.

2. Data We Collect

2.1 Account Data

When you sign in, we collect:

• Email address — from Google Sign-In or Apple Sign-In (OAuth provider)
• Display name — from OAuth provider, editable by you
• Profile photo URL — from OAuth provider, editable by you
• Unique user identifier (UID) — generated by Firebase Authentication
• Preferred language — auto-detected from device locale (BCP-47 format)
• Account creation timestamp
• Last active timestamp — updated with 5-minute debounce

2.2 Game Performance Data

To provide matchmaking and track your progress:

• ELO rating — matchmaking score starting at 1000
• XP (experience points) — progression tracking
• Duel count — total games played
• Current streak — consecutive days you've been active
• Maximum streak — your all-time best
• Streak freezes — available streak protection items
• Last streak date — ISO format (YYYY-MM-DD)
• Preferred categories — your 3-18 category selections for matchmaking
• My topic IDs — topics you're practicing (max 50)

2.3 Learning Progress Data

To implement spaced repetition learning:

• Per-question correct count — how many times you answered correctly
• Last seen timestamp — when you last saw each question
• Next review date — scheduled by our SRS algorithm
• Topic cooldown timestamps — prevents overuse of same topics

2.4 Duel History Data

For each game you play:

• Duel ID and timestamps — created, updated, expires
• Opponent information — UID, display name, photo, ELO (public profile data)
• Round-by-round answers — which option you selected and correctness
• Response time — milliseconds to answer each question
• XP earned — per answer
• Final scores and ELO changes
• Forfeit status — if applicable

2.5 Social Data

For friend features and multiplayer:

• Friend relationships — user IDs, pending/accepted status, friend streak
• Head-to-head statistics — win/loss record against specific opponents
• Unread notification count
• Public profile — your display name, photo, ELO, and XP are visible to other authenticated users for matchmaking and leaderboards
• Question reports — if you report a question issue, we store your user ID with the report

2.6 Device & Technical Data

For app functionality and security:

• FCM tokens — Firebase Cloud Messaging tokens for push notifications (max 5 per user)
• Firebase App Check attestation — device integrity verification
• Privacy hash — HMAC-SHA256 of your UID for anonymized crash correlation
• Installation UUID — Crashlytics installation identifier
• IP address — processed transiently by Firebase infrastructure, not stored by us

2.7 Analytics & Diagnostics Data

To improve the app:

• Screen views and navigation paths
• Feature interaction events — duel created, question answered, etc.
• Session duration and timestamps
• Paywall views, conversions, dismissals
• Error logs and stack traces — via Firebase Crashlytics
• Diagnostic keys — FCM status, APNs availability
• Breadcrumb logs — activity trail preceding crashes

Google Analytics Advertising Features (Google Signals)

When you grant advertising consent on our website, Google Analytics may additionally collect (only if you are signed in to a Google account with Ads Personalization enabled):

• Demographics — inferred age range and gender
• Interests — inferred interest categories based on browsing history
• Cross-device linkage — associates activity across devices you use while signed in to the same Google account

These features are disabled by default in the EU/EEA/UK/Switzerland and only activate after you click "Accept all" or opt in via the Privacy preferences link. You can opt out at any time via Google's Analytics Opt-Out Browser Add-on, your Google Ads Settings, or by clicking "Privacy preferences" in our footer.

2.8 Subscription Data

Managed by RevenueCat:

• Purchase history and product IDs
• Subscription status — active, expired, grace period
• Store identifier — App Store or Google Play
• Expiration and renewal dates

2.9 Chat Data

If you use AI chat features:

• AI conversation history — automatically deleted after 30 days (TTL)
• Message timestamps

2.10 Chrome Extension Data

If you use the LearnClash Chrome Extension (new tab quiz), the following data is stored locally on your device via chrome.storage.local:

• Quiz pool — pre-fetched quiz sets for instant new tab loading (expires after 6 hours)
• Language preference — your selected language override
• Daily streak — number of consecutive days you completed a quiz
• Last played date — date of your most recent quiz completion (YYYY-MM-DD)
• GA4 Client ID — a random UUID generated on first use for anonymous analytics grouping

The extension sends anonymous usage events to Google Analytics 4 (GA4) via the Measurement Protocol:

• Topic selections — which topic you picked (name and ID)
• Quiz completions — that you finished a quiz (no answers are sent)
• Session ID — a random number generated per tab open

The extension communicates with our API to fetch quiz content:

• Language header — your browser's Accept-Language or your language override
• Timestamp header — for rate limiting (not stored)
• IP address — processed transiently for rate limiting, not stored by us

No account required: The Chrome Extension does not require sign-in. No personal information (email, name, or app account data) is collected or linked. All data is stored locally and deleted when you uninstall the extension.

3. How We Use Your Data

Data Category	Purpose	Legal Basis (GDPR)
Account data	Authentication, profile display	Contract performance
Game data	Matchmaking, leaderboards, progression	Contract performance
Learning progress	Spaced repetition scheduling	Contract performance
Device tokens	Push notifications for game events	Legitimate interest
Analytics (basic)	App improvement, feature usage, funnel analysis	Legitimate interest / Consent (EU)
Google Signals (demographics, interests, cross-device)	Audience insights, cross-device measurement, advertising features	Consent (opt-in required)
Crash logs	Debugging, stability	Legitimate interest
Subscriptions	Premium feature access	Contract performance

Automated Decision-Making: We do not use automated decision-making with legal or similarly significant effects (GDPR Article 22). ELO matchmaking is algorithmic but has no legal effect.

4. Third-Party Services

We use the following services to operate LearnClash:

Service	Provider	Purpose	Data Shared
Firebase Authentication	Google LLC	User sign-in	Email, UID, OAuth tokens
Cloud Firestore	Google LLC	Database storage	All user-generated data
Google Analytics 4 (Firebase Analytics)	Google LLC	Usage analytics, funnel analysis, and — with your consent — Google Signals (demographics, interests, cross-device measurement, advertising features)	Events, hashed user ID (SHA-256 of UID), device info, IP (truncated by Google), and — only with ads consent — Google account signals
Firebase Crashlytics	Google LLC	Crash reporting	Device info, crash logs, privacy hash
Firebase Cloud Messaging	Google LLC	Push notifications	FCM tokens
Firebase App Check	Google LLC	Device verification	Device attestation
RevenueCat	RevenueCat Inc	Subscription management	Purchase history, entitlements
xAI (Grok)	xAI Corp	Question generation	Question text only (no user data)
Google Gemini	Google LLC	Semantic embeddings	Question text only (no user data)

Third-Party AI Services: LearnClash uses xAI (Grok) and Google Gemini to generate quiz questions and semantic embeddings. No user personal data is sent to these AI services. Only question text (which we create) is processed. Your account information, game data, and usage patterns are never shared with third-party AI systems.

For more information: How Google uses data when you use our partners' sites or apps

Third-Party Privacy Policies:

• Firebase Privacy
• RevenueCat Privacy Policy
• xAI Privacy Policy

5. Data Retention

Data Type	Retention Period	Deletion Trigger
Account data	Until account deletion	User request (in-app or email)
Game history (duels)	Indefinite	Account deletion
Learning progress	Indefinite	Account deletion
Chat sessions	30 days	Automatic TTL expiration
Analytics data	14 months	Google default retention
Crash logs	90 days	Firebase default
Rate limit counters	Hourly windows	Automatic expiration

On Sign-Out: Local data (FCM tokens, cache, authentication tokens) is deleted from your device. Your account data remains on our servers until you delete your account via Profile → Settings → Delete Account or by emailing us.

6. International Transfers

Your data may be processed outside your country of residence:

• Firebase/Google — Uses United States infrastructure (Google Cloud). EU transfers rely on Google's Standard Contractual Clauses (SCCs).
• RevenueCat — United States based, uses SCCs for EU compliance.
• xAI/Gemini APIs — Processed in the United States.

7. Your Rights (GDPR — EU/EEA Users)

Under the General Data Protection Regulation, you have the following rights:

• Right to Access (Article 15) — Request a copy of your personal data.
• Right to Rectification (Article 16) — Correct inaccurate data via profile settings or by contacting us.
• Right to Erasure (Article 17) — Delete your account and all associated data. Use the in-app option (Profile → Settings → Delete Account) or email us.
• Right to Restrict Processing (Article 18) — Limit how we use your data.
• Right to Data Portability (Article 20) — Receive your data in a machine-readable format.
• Right to Object (Article 21) — Object to processing based on legitimate interest.
• Right to Withdraw Consent — Where consent is the legal basis.

How to Exercise: Email privacy@learnclash.com with your request. Include your account email for verification.

Response Time: Within 30 days. Complex requests may take up to 60 additional days with notice.

Complaints: You have the right to lodge a complaint with your local Data Protection Authority. List of EU DPAs.

8. Your Rights (CCPA/CPRA — California Users)

Under the California Consumer Privacy Act and California Privacy Rights Act:

• Right to Know — Request the categories and specific pieces of personal information we've collected.
• Right to Delete — Request deletion of your personal information via the in-app option (Profile → Settings → Delete Account) or by email.
• Right to Correct — Request correction of inaccurate information.
• Right to Opt-Out of Sale/Sharing — We do not sell your personal information for money. However, when you grant advertising consent on our website, we enable Google Analytics Advertising Features (Google Signals), which under California law constitutes "sharing" personal information for cross-context behavioral advertising. You can opt out at any time by: (1) clicking "Privacy preferences" in our footer, (2) declining the consent banner on your first visit, (3) enabling Global Privacy Control (GPC) in your browser (we honor GPC automatically), or (4) using Google's Analytics Opt-Out Browser Add-on.
• Right to Limit Use of Sensitive Personal Information — Not applicable (we don't process sensitive PI beyond account operation).
• Right to Non-Discrimination — No penalty for exercising your rights.

Verification: We verify requests by confirming your email address matches an account.

Authorized Agents: You may designate an authorized agent to make requests on your behalf with written permission.

Response Time: Within 45 days. May extend by 45 additional days with notice.

CCPA 2026 Updates (Effective January 1, 2026)

• Automated Decision-Making: We do not use automated decision-making technology that produces legal or similarly significant effects.
• Opt-Out Confirmations: We provide confirmation when you opt out of data processing.
• Global Privacy Control (GPC): We automatically detect and honor the GPC browser signal as an opt-out of sharing for cross-context behavioral advertising. When GPC is detected, Google Signals is disabled for your session regardless of prior consent.

9. Children's Privacy

Age Requirement: LearnClash is intended for users aged 13 and older.

We do not knowingly collect personal information from children under 13. If you believe a child under 13 has created an account, contact us immediately at privacy@learnclash.com.

Parental Rights: Parents may request deletion of any data collected inadvertently from children under 13.

10. Security

We implement industry-standard security measures:

• Encryption in Transit: All communications use TLS/SSL.
• Encryption at Rest: Firebase default encryption for stored data.
• Access Control: Firestore Security Rules with field-level permissions.
• Device Verification: Firebase App Check validates device integrity.
• Anti-Cheat: Server-side answer validation; correct answers never sent to client.
• Rate Limiting: Prevents abuse of sensitive operations.
• Cryptographic Protection: HMAC-SHA256 for privacy hashes and session tokens.
• Secret Management: API keys stored in Google Secret Manager.

Disclaimer: No system is 100% secure. We cannot guarantee absolute security but take reasonable measures to protect your data.

11. Cookies & Identifiers

Mobile App: LearnClash does not use cookies. We use the following identifiers:

• Firebase Installation ID — identifies app installation
• FCM Token — for push notifications
• App Check Token — device attestation

Website (learnclash.com): The LearnClash website uses Google Analytics 4 (GA4) with Google Consent Mode v2. We distinguish two cookie categories, each independently controlled via the consent banner and the "Privacy preferences" footer link:

Cookie categories

• Analytics cookies (controlled by analytics_storage) — basic pageview, session, and event measurement. Stored by Google Analytics (_ga, _ga_*). Used to understand which pages are visited and to measure funnel conversion. Default: denied in EU/EEA/UK/Switzerland, granted elsewhere. No third-party ad profiling.
• Advertising cookies / Google Signals (controlled by ad_storage, ad_user_data, ad_personalization) — enables Google Analytics Advertising Features including demographics, interest categories, and cross-device measurement for signed-in Google users with Ads Personalization enabled. Default: denied in EU/EEA/UK/Switzerland, granted elsewhere. Automatically disabled when Global Privacy Control is detected, regardless of prior consent. Under California law this constitutes "sharing" for cross-context behavioral advertising.

Opt out or change your choice at any time: click "Privacy preferences" in the footer of any page. Legal pages (privacy policy, terms, impressum, support) do not load any analytics or trackers regardless of consent.

Chrome Extension: The LearnClash Chrome Extension uses GA4 via the Measurement Protocol (not cookies) with a locally stored random Client ID. No consent banner is needed as no cookies are placed. See Section 2.10 for details.

For EU users, we comply with Google's EU User Consent Policy requirements.

12. Policy Updates

We may update this Privacy Policy to reflect changes in our practices or legal requirements.

• Notification: Significant changes will be communicated via in-app notification.
• Continued Use: Continued use after changes constitutes acceptance.
• Version History: Material changes are documented below.

Version History

Date	Change
2026-04-15	Enabled Google Analytics Advertising Features (Google Signals). Added granular consent banner with separate Analytics and Advertising categories. Added Global Privacy Control (GPC) auto-detection. Updated Sections 2.7, 3, 4, 8, and 11 to disclose demographics, interest categories, cross-device measurement, and CCPA sharing classification.
2026-03-27	Added Section 2.10 (Chrome Extension Data) and updated Section 11 to cover extension analytics.
2026-01-08	Initial comprehensive policy with GDPR, CCPA/CPRA 2026, Firebase disclosures, in-app account deletion, public profile visibility, and third-party AI clarifications per Apple Nov 2025 guidelines.

13. Contact Us

For privacy inquiries, data requests, or questions about this policy:

privacy@learnclash.com

We aim to respond to all inquiries within 30 days.