Privacy Policy

LexiVault ("we", "us", or "our") is an English vocabulary learning platform that uses spaced repetition and AI-powered tools to help users build and retain vocabulary. This Privacy Policy explains what personal data we collect, why we collect it, and how it is used and protected.

This policy applies to all users of the LexiVault website and service. By creating an account or continuing to use LexiVault, you agree to the practices described in this document. If you do not agree, please discontinue use and contact us to delete your account.

We collect only the data necessary to provide the service:

• Account data: your email address and password (stored using an industry-standard one-way hashing algorithm — never in plain text). You may also provide a display name.
• Vocabulary data: the words, definitions, personal notes, and tags you add to your word list, along with any AI-generated example sentences you request.
• Learning data: quiz results, spaced repetition state per word, your daily streak, total XP, level, and coin balance with full transaction history.
• Security tokens: time-limited email verification and password reset tokens, stored as cryptographic hashes and invalidated after use.
• Payment event metadata: when you purchase a coin package, our payment processor sends us an order confirmation containing the transaction ID and amount. We do not receive or store your card details.

We do not collect browsing behaviour, device fingerprints, or use third-party advertising or analytics trackers.

We use your data solely to operate and improve LexiVault:

• Authenticate your account and maintain secure sessions.
• Send transactional emails — email address verification when you register, and password reset links when requested.
• Power the spaced repetition algorithm to schedule your word reviews at the optimal time for memory retention.
• Track your daily learning streak, XP, level, and coin balance for gamification.
• Process coin purchases and credit your balance upon confirmed payment.
• Transmit vocabulary words to an AI provider when you request an AI-generated example sentence (see the AI section below).
• Allow you to export your word list to Excel, PDF, or Word format using your active filters.

LexiVault offers an optional feature that generates example sentences for your vocabulary words using an AI language model. When you request a sentence:

• The word and its definition are sent to a third-party AI provider to generate the sentence.
• No other personal data (your email, quiz history, profile, or coin balance) is transmitted to the AI provider.
• Your data is not used to train or fine-tune any AI models.
• Each generation deducts coins from your balance. The generated sentence is stored in LexiVault's database and linked to your account.

This feature is entirely optional. You can use LexiVault — add words, run quizzes, and track progress — without ever triggering AI generation.

Coin purchases are processed entirely by Lemon Squeezy, a third-party payment processor. LexiVault never receives, processes, or stores your credit card number, billing address, or any other sensitive payment details.

When a purchase is completed, Lemon Squeezy sends a cryptographically signed notification to LexiVault confirming the order. LexiVault verifies the signature and credits the corresponding coins to your account. The only payment data stored on our side is the order confirmation metadata (transaction ID and coin package purchased).

For questions about payment processing, billing, or refunds, please refer to Lemon Squeezy's Privacy Policy.

LexiVault sends only transactional emails — specifically:

• An email verification link when you first create your account.
• A password reset link when you request one via the "Forgot password" flow.

We do not send newsletters, promotional emails, product announcements, or any other marketing communications. Because these emails are required for account security, they cannot be opted out of while your account is active.

Your data is retained for as long as your account is active. If you request account deletion, all personal data — including your email, vocabulary words, quiz history, streak records, and coin transactions — will be permanently deleted within 30 days.

Payment records (order confirmation metadata) may be retained for up to 7 years to comply with applicable financial regulations, even after account deletion.

Email verification and password reset tokens expire automatically after a short window and are invalidated immediately upon use.

You have the following rights regarding your personal data:

• Access: view all vocabulary words, quiz history, and profile data from within your account at any time.
• Export: download your full word list in Excel, PDF, or Word format using the built-in export feature (available on the Words page).
• Correction: update inaccurate information in your profile settings.
• Deletion: request permanent deletion of your account and all associated data by emailing support@lexivault.app.

LexiVault does not sell, rent, or share your personal data with third parties for their own marketing or commercial purposes.

We implement several technical measures to protect your data:

• Passwords are stored using a secure one-way hashing algorithm and are never logged or stored in plain text.
• Sessions use encrypted, signed tokens that are validated on every request.
• The database is hosted by a managed cloud provider with encryption at rest and in transit.
• Security tokens (email verification, password reset) are stored as cryptographic hashes, are single-use, and expire automatically.
• HTTPS is enforced across the entire application with HTTP Strict Transport Security (HSTS) enabled in production.
• Response headers restrict which external resources the browser may load.

Despite these measures, no internet-based service can guarantee absolute security. If you suspect a security issue or unauthorised access to your account, please contact us immediately at support@lexivault.app.

We may update this Privacy Policy from time to time to reflect changes in the service or applicable law. When we do, the "Effective date" at the top of this page will be updated. Continued use of LexiVault after any changes constitutes your acceptance of the revised policy.

For material changes — such as collecting new categories of data or sharing data with additional parties — we will send a notification email to registered users where feasible.

If you have questions, concerns, or requests related to this Privacy Policy or the data LexiVault holds about you, please reach out:

support@lexivault.app

This is also the address to use for account deletion requests. We aim to respond within 5 business days.