Privacy Policy
This Privacy Policy explains how we collect, use, store, and share personal data when you use the WordsUp mobile application, the website wordsupapp.click, and related services (together, the "Services"). This Policy applies together with the Terms of Use. By using the Services you acknowledge that you have read and understood this Policy.
1. Data controller
- FAIZOV ARTUR, Individual Entrepreneur, registered in the Republic of Armenia
- TIN: 20319333
- Contact email: arpilabs@gmail.com
- Website: https://wordsupapp.click/
2. Data we collect
Data you provide directly:
- email address — when you create an account or sign in with an email code;
- data received from Google when you use Sign in with Google: email address, Google account identifier and, where available, display name and profile photo URL;
- the content of support requests you send to our contact email, including any information you choose to include.
Technical data collected automatically:
- a pseudonymous device identifier (generated from ANDROID_ID on Android or identifierForVendor on iOS) and the set of device identifiers previously associated with your account;
- app installation date, app version, operating system version, device type and model, language, region, and time zone settings;
- over-the-air (OTA) update runtime version and platform, sent with update checks;
- IP address and related network attributes recorded by our server infrastructure;
- request identifiers, timestamps, and HTTP request/response metadata used for diagnostics;
- authentication tokens issued by us and short-lived email verification codes;
- a push notification token, if you grant the operating system permission to send notifications.
Product analytics: app opens, learning session events, key in-app actions (viewing the premium screen, starting and completing a purchase, marking words as learned, completing exercises), and aggregate progress counters.
Payment-related data: payment identifiers, tokenized payment method references, amount, currency, date and status of transactions, selected plan, and applied promo code. We never receive or store card numbers, CVV codes, or other payment credentials — these are processed exclusively by the payment processor.
Error monitoring data: error messages, stack traces, the sequence of in-app actions preceding an error, and device/environment information.
Data stored only on your device: your dictionary, learning progress, repetition schedule, statistics, and settings are stored locally on your device and are not routinely transmitted to us. They may be shared with us only at your initiative as part of a support request.
3. Purposes and legal bases
We process personal data for the following purposes:
- Providing the Services (performance of a contract): account access, saving progress, synchronizing premium status across your devices, processing purchases and subscriptions;
- Authentication and account security (performance of a contract, legitimate interests): issuing and rotating tokens, verifying email codes;
- Reliability and quality (legitimate interests): error monitoring, incident diagnostics, delivering app updates, sending push notifications where enabled;
- Security and fraud prevention (legitimate interests): protecting the Services and users from abuse, fraud, unauthorized access, and automated attacks;
- Product improvement (legitimate interests, consent where required): aggregated and pseudonymized usage analytics;
- Communications (performance of a contract): verification codes, payment notifications, responses to support requests;
- Legal compliance (legal obligation): tax, accounting, and record-keeping requirements under applicable law;
- Establishing and defending legal claims (legitimate interests).
4. Third parties and processors
We share personal data only to the extent necessary for the purposes above, with the following categories of recipients:
- Cloud infrastructure and hosting providers — server hosting and operation of our backend infrastructure, acting on our instructions;
- Google LLC (1600 Amphitheatre Parkway, Mountain View, CA 94043, USA) and Google Ireland Limited — Sign in with Google (token verification in exchange for your email address and account identifier) and distribution of the app via Google Play. See Google Privacy Policy;
- Apple Inc. (One Apple Park Way, Cupertino, CA 95014, USA) — distribution of the app via the App Store, where applicable. See Apple Privacy Policy;
- A third-party payment processor — processing of payments and payment credentials. The processor acts as an independent controller with respect to payment credentials; we receive only payment metadata (amount, status, tokenized references);
- An email delivery (SMTP) provider — delivery of verification codes and service notifications to your email address;
- Functional Software, Inc. (Sentry, 45 Fremont Street, 8th Floor, San Francisco, CA 94105, USA) — error monitoring. We configure the integration to avoid sending direct contact details. See Sentry Privacy Policy;
- 650 Industries, Inc. (Expo, 650 Castro Street, Suite 120-219, Mountain View, CA 94041, USA) — push notification delivery, if you enable notifications. See Expo Privacy Policy.
Product analytics is processed on our own infrastructure and is not shared with third parties for analytics purposes. We may also disclose personal data to public authorities where required by applicable law, and to professional advisers (lawyers, accountants, auditors) bound by confidentiality obligations.
We do not sell personal data and do not share it for advertising or marketing purposes.
5. International data transfers
Some of the recipients listed above are located outside the Republic of Armenia, including in the United States (Google LLC, Apple Inc., Functional Software, Inc., 650 Industries, Inc.) and Ireland (Google Ireland Limited), as well as other countries where these providers or their subprocessors operate data centers. Where personal data is transferred internationally, we limit the transfer to the minimum necessary and rely on the safeguards offered by the respective providers.
6. Data retention
- Account data — for the life of the account and up to 12 months after its last activity or after a deletion request, subject to the statutory periods below;
- Refresh tokens — until rotation, sign-out, or expiry (at most 90 days);
- Email verification codes — until confirmed, until the attempt limit is reached, or until a new code is requested;
- Payment and subscription records — for the periods required by applicable tax and accounting legislation and for the duration of applicable limitation periods;
- Server logs — up to 30 days;
- Product analytics events — up to 90 days (aggregated, de-identified statistics may be kept longer);
- Error monitoring data — for the periods set by the provider (typically 30–90 days);
- Database backups — daily backups up to 7 days, weekly up to 4 weeks, monthly up to 12 months; data deleted at your request is re-deleted if restored from a backup;
- Support correspondence — up to 3 years after the request is closed.
7. Your rights
Subject to applicable law, you have the right to:
- access the personal data we hold about you and receive information about its processing;
- request rectification of inaccurate or incomplete data;
- request erasure of your data ("right to be forgotten");
- request restriction of processing;
- object to processing based on legitimate interests;
- withdraw consent at any time, without affecting the lawfulness of processing carried out before the withdrawal;
- lodge a complaint with a competent data protection authority.
To exercise your rights, email us at arpilabs@gmail.com with the subject "Data subject request", specifying the email address used in the Services and the substance of your request. We may ask for additional information to verify your identity. We respond within 30 calendar days; if more time is needed, we will notify you of the reason and the new deadline. Deleting your account does not remove records we are legally required to keep (such as payment records); these are retained for the statutory period with the minimum necessary scope of data.
8. Children
The Services are not intended for children under 16 without the consent of a parent or legal guardian. We do not knowingly collect personal data from children under 16. If we learn that such data has been collected without the required consent, we will delete it promptly.
9. Cookies and local storage
The website may use cookies and similar local storage technologies (LocalStorage, SessionStorage) for authentication, protection against automated abuse, and basic technical diagnostics. The mobile application uses the operating system's local storage facilities (an on-device database, key-value storage, and the system keychain/keystore) to store data required for app functionality. This data remains under your control and can be removed using standard operating system tools (deleting the app or clearing its data).
10. Security
We apply organizational and technical measures appropriate to the risk, including TLS encryption in transit, storage of tokens in the operating system's secure storage, separate secrets for different token types, restricted administrative access with key-based authentication, firewalls, encrypted backups with integrity checks, and tokenization of payment methods. No method of transmission or storage is completely secure, and we cannot guarantee absolute security.
11. Changes to this policy
We may update this Policy from time to time. The current version is always available at https://wordsupapp.click/privacy, with the effective date shown at the top. If the changes are material, we will notify you through the app or by email. Continued use of the Services after a new version takes effect constitutes acceptance of that version.
12. Governing law
This Policy is governed by the laws of the Republic of Armenia. Nothing in this Policy limits any rights you may have under mandatory provisions of the law applicable in your place of residence.
13. Contact
FAIZOV ARTUR, Individual Entrepreneur (Republic of Armenia)
Email: arpilabs@gmail.com
Website: https://wordsupapp.click/