Privacy Policy
Effective: 2026-01-08
Summary: LearnClash collects data needed to run the quiz app (account info, game progress, device tokens for notifications). We use Firebase (Google) for infrastructure and RevenueCat for subscriptions. We don't sell your data. You can delete your account and all data anytime via the app or by emailing us.
1. Identity & Contact
Data Controller: LearnClash (operated by David, individual developer)
Contact: privacy@learnclash.com
Response Time: We respond to privacy requests within 30 days (GDPR) or 45 days (CCPA). Complex requests may take up to 90 days with notice.
2. Data We Collect
2.1 Account Data
When you sign in, we collect:
- Email address — from Google Sign-In or Apple Sign-In (OAuth provider)
- Display name — from OAuth provider, editable by you
- Profile photo URL — from OAuth provider, editable by you
- Unique user identifier (UID) — generated by Firebase Authentication
- Preferred language — auto-detected from device locale (BCP-47 format)
- Account creation timestamp
- Last active timestamp — updated with 5-minute debounce
2.2 Game Performance Data
To provide matchmaking and track your progress:
- ELO rating — matchmaking score starting at 1000
- XP (experience points) — progression tracking
- Duel count — total games played
- Current streak — consecutive days you've been active
- Maximum streak — your all-time best
- Streak freezes — available streak protection items
- Last streak date — ISO format (YYYY-MM-DD)
- Preferred categories — your 3-18 category selections for matchmaking
- My topic IDs — topics you're practicing (max 50)
2.3 Learning Progress Data
To implement spaced repetition learning:
- Per-question correct count — how many times you answered correctly
- Last seen timestamp — when you last saw each question
- Next review date — scheduled by our SRS algorithm
- Topic cooldown timestamps — prevents overuse of same topics
2.4 Duel History Data
For each game you play:
- Duel ID and timestamps — created, updated, expires
- Opponent information — UID, display name, photo, ELO (public profile data)
- Round-by-round answers — which option you selected and correctness
- Response time — milliseconds to answer each question
- XP earned — per answer
- Final scores and ELO changes
- Forfeit status — if applicable
2.5 Social Data
For friend features and multiplayer:
- Friend relationships — user IDs, pending/accepted status, friend streak
- Head-to-head statistics — win/loss record against specific opponents
- Unread notification count
- Public profile — your display name, photo, ELO, and XP are visible to other authenticated users for matchmaking and leaderboards
- Question reports — if you report a question issue, we store your user ID with the report
2.6 Device & Technical Data
For app functionality and security:
- FCM tokens — Firebase Cloud Messaging tokens for push notifications (max 5 per user)
- Firebase App Check attestation — device integrity verification
- Privacy hash — HMAC-SHA256 of your UID for anonymized crash correlation
- Installation UUID — Crashlytics installation identifier
- IP address — processed transiently by Firebase infrastructure, not stored by us
2.7 Analytics & Diagnostics Data
To improve the app:
- Screen views and navigation paths
- Feature interaction events — duel created, question answered, etc.
- Session duration and timestamps
- Paywall views, conversions, dismissals
- Error logs and stack traces — via Firebase Crashlytics
- Diagnostic keys — FCM status, APNs availability
- Breadcrumb logs — activity trail preceding crashes
2.8 Subscription Data
Managed by RevenueCat:
- Purchase history and product IDs
- Subscription status — active, expired, grace period
- Store identifier — App Store or Google Play
- Expiration and renewal dates
2.9 Chat Data
If you use AI chat features:
- AI conversation history — automatically deleted after 30 days (TTL)
- Message timestamps
3. How We Use Your Data
| Data Category | Purpose | Legal Basis (GDPR) |
|---|---|---|
| Account data | Authentication, profile display | Contract performance |
| Game data | Matchmaking, leaderboards, progression | Contract performance |
| Learning progress | Spaced repetition scheduling | Contract performance |
| Device tokens | Push notifications for game events | Legitimate interest |
| Analytics | App improvement, feature usage | Legitimate interest |
| Crash logs | Debugging, stability | Legitimate interest |
| Subscriptions | Premium feature access | Contract performance |
Automated Decision-Making: We do not use automated decision-making with legal or similarly significant effects (GDPR Article 22). ELO matchmaking is algorithmic but has no legal effect.
4. Third-Party Services
We use the following services to operate LearnClash:
| Service | Provider | Purpose | Data Shared |
|---|---|---|---|
| Firebase Authentication | Google LLC | User sign-in | Email, UID, OAuth tokens |
| Cloud Firestore | Google LLC | Database storage | All user-generated data |
| Firebase Analytics (GA4) | Google LLC | Usage analytics | Anonymized events, device info |
| Firebase Crashlytics | Google LLC | Crash reporting | Device info, crash logs, privacy hash |
| Firebase Cloud Messaging | Google LLC | Push notifications | FCM tokens |
| Firebase App Check | Google LLC | Device verification | Device attestation |
| RevenueCat | RevenueCat Inc | Subscription management | Purchase history, entitlements |
| xAI (Grok) | xAI Corp | Question generation | Question text only (no user data) |
| Google Gemini | Google LLC | Semantic embeddings | Question text only (no user data) |
Third-Party AI Services: LearnClash uses xAI (Grok) and Google Gemini to generate quiz questions and semantic embeddings. No user personal data is sent to these AI services. Only question text (which we create) is processed. Your account information, game data, and usage patterns are never shared with third-party AI systems.
For more information: How Google uses data when you use our partners' sites or apps
Third-Party Privacy Policies:
5. Data Retention
| Data Type | Retention Period | Deletion Trigger |
|---|---|---|
| Account data | Until account deletion | User request (in-app or email) |
| Game history (duels) | Indefinite | Account deletion |
| Learning progress | Indefinite | Account deletion |
| Chat sessions | 30 days | Automatic TTL expiration |
| Analytics data | 14 months | Google default retention |
| Crash logs | 90 days | Firebase default |
| Rate limit counters | Hourly windows | Automatic expiration |
On Sign-Out: Local data (FCM tokens, cache, authentication tokens) is deleted from your device. Your account data remains on our servers until you delete your account via Profile → Settings → Delete Account or by emailing us.
6. International Transfers
Your data may be processed outside your country of residence:
- Firebase/Google — Uses United States infrastructure (Google Cloud). EU transfers rely on Google's Standard Contractual Clauses (SCCs).
- RevenueCat — United States based, uses SCCs for EU compliance.
- xAI/Gemini APIs — Processed in the United States.
7. Your Rights (GDPR — EU/EEA Users)
Under the General Data Protection Regulation, you have the following rights:
- Right to Access (Article 15) — Request a copy of your personal data.
- Right to Rectification (Article 16) — Correct inaccurate data via profile settings or by contacting us.
- Right to Erasure (Article 17) — Delete your account and all associated data. Use the in-app option (Profile → Settings → Delete Account) or email us.
- Right to Restrict Processing (Article 18) — Limit how we use your data.
- Right to Data Portability (Article 20) — Receive your data in a machine-readable format.
- Right to Object (Article 21) — Object to processing based on legitimate interest.
- Right to Withdraw Consent — Where consent is the legal basis.
How to Exercise: Email privacy@learnclash.com with your request. Include your account email for verification.
Response Time: Within 30 days. Complex requests may take up to 60 additional days with notice.
Complaints: You have the right to lodge a complaint with your local Data Protection Authority. List of EU DPAs.
8. Your Rights (CCPA/CPRA — California Users)
Under the California Consumer Privacy Act and California Privacy Rights Act:
- Right to Know — Request the categories and specific pieces of personal information we've collected.
- Right to Delete — Request deletion of your personal information via the in-app option (Profile → Settings → Delete Account) or by email.
- Right to Correct — Request correction of inaccurate information.
- Right to Opt-Out of Sale/Sharing — We do not sell or share personal information for cross-context behavioral advertising.
- Right to Limit Use of Sensitive Personal Information — Not applicable (we don't process sensitive PI beyond account operation).
- Right to Non-Discrimination — No penalty for exercising your rights.
Verification: We verify requests by confirming your email address matches an account.
Authorized Agents: You may designate an authorized agent to make requests on your behalf with written permission.
Response Time: Within 45 days. May extend by 45 additional days with notice.
CCPA 2026 Updates (Effective January 1, 2026)
- Automated Decision-Making: We do not use automated decision-making technology that produces legal or similarly significant effects.
- Opt-Out Confirmations: We provide confirmation when you opt out of data processing.
9. Children's Privacy
Age Requirement: LearnClash is intended for users aged 13 and older.
We do not knowingly collect personal information from children under 13. If you believe a child under 13 has created an account, contact us immediately at privacy@learnclash.com.
Parental Rights: Parents may request deletion of any data collected inadvertently from children under 13.
10. Security
We implement industry-standard security measures:
- Encryption in Transit: All communications use TLS/SSL.
- Encryption at Rest: Firebase default encryption for stored data.
- Access Control: Firestore Security Rules with field-level permissions.
- Device Verification: Firebase App Check validates device integrity.
- Anti-Cheat: Server-side answer validation; correct answers never sent to client.
- Rate Limiting: Prevents abuse of sensitive operations.
- Cryptographic Protection: HMAC-SHA256 for privacy hashes and session tokens.
- Secret Management: API keys stored in Google Secret Manager.
Disclaimer: No system is 100% secure. We cannot guarantee absolute security but take reasonable measures to protect your data.
11. Cookies & Identifiers
Mobile App: LearnClash does not use cookies. We use the following identifiers:
- Firebase Installation ID — identifies app installation
- FCM Token — for push notifications
- App Check Token — device attestation
Website (learnclash.com): This website does not use tracking cookies or analytics. No third-party trackers are loaded on legal pages.
For EU users, we comply with Google's EU User Consent Policy requirements.
12. Policy Updates
We may update this Privacy Policy to reflect changes in our practices or legal requirements.
- Notification: Significant changes will be communicated via in-app notification.
- Continued Use: Continued use after changes constitutes acceptance.
- Version History: Material changes are documented below.
Version History
| Date | Change |
|---|---|
| 2026-01-08 | Initial comprehensive policy with GDPR, CCPA/CPRA 2026, Firebase disclosures, in-app account deletion, public profile visibility, and third-party AI clarifications per Apple Nov 2025 guidelines. |
13. Contact Us
For privacy inquiries, data requests, or questions about this policy, email privacy@learnclash.com.
We aim to respond to all inquiries within 30 days.