Privacy Policy

Introduction

Welcome to Bellek ("we," "us," or "our"). We are committed to protecting your privacy and being transparent about how we collect, use, and protect your information. This Privacy Policy explains our data practices for both our Chrome browser extension and web application.

---

1. Information We Collect

1.1 Personal Information

Email Address (Optional)

• When collected: Only when you enable cross-device sync
• Purpose: To create a unique sync identifier that allows your vocabulary data to sync between desktop and mobile devices
• Storage: Stored in our cloud database (Supabase) and used to generate a unique sync_id
• Required: No - you can use Bellek without syncing. Syncing is entirely optional.

1.2 Vocabulary Learning Data

When you save words using Bellek, we collect and store:

• Vocabulary words and their definitions
• Source URLs and domain names where you found each word (e.g., "nytimes.com" or "https://example.com/article")
• Context sentences - the text surrounding the word when you saved it
• Personal notes you add to words
• Translations and example sentences
• Learning statistics:
  • Quiz performance (correct/incorrect answers)
  • Study session history (dates, duration, words reviewed)
  • Mastery levels for each word
  • Accuracy rates and streak counts
• Custom collections and organization preferences
• User preferences and app settings

Important: The source URL helps you remember where you encountered each word and provides clickable context. This is part of the core learning experience.

1.3 Anonymous Usage Data

We collect minimal anonymous telemetry to monitor service reliability:

• Sync events: Success or failure of data synchronization
• Device type: Whether you're using desktop (extension) or mobile (web app)
• Error codes: Technical diagnostics if sync fails
• App version: To identify version-specific issues

This data contains NO personal identifiers and cannot be linked back to you.

1.4 Technical Information

• Browser type and version (e.g., Chrome 120)
• Operating system (e.g., Windows, macOS, Android, iOS)
• Extension version
• Timestamps of data synchronization events

1.5 Information We DO NOT Collect

• We do NOT track your general browsing history
• We do NOT read full webpage content
• We do NOT collect data unless you actively highlight and save a word
• We do NOT use cookies or tracking scripts
• We do NOT collect location data beyond country-level for error logging

---

2. How We Store Your Data

Bellek uses a hybrid storage approach for optimal performance:

2.1 Local Storage (Primary)

Chrome Extension:

• Uses Chrome's chrome.storage.local API
• All vocabulary data stored locally on your device
• Fast access without internet connection
• Data persists even when offline

Web Application:

• Uses browser localStorage API
• Same local-first approach
• Works offline once loaded

2.2 Cloud Storage (Optional - Sync Only)

• Service: Supabase (https://supabase.com)
• Location: Hosted in EU West 2 (London, United Kingdom)
• When used: Only when you enable cross-device sync
• What's synced:
  • All vocabulary lists and words
  • Learning session history
  • Word mastery statuses
  • User preferences and settings
  • Premium license status

Security:

• All data transmitted via encrypted HTTPS
• Data stored in secure PostgreSQL database
• Access controlled by unique sync_id (derived from your email)
• No public access to user data

2.3 Data Synchronization

• Desktop → Cloud: When you save words on the Chrome extension, data syncs automatically every 5 minutes (if sync enabled)
• Cloud → Mobile: Mobile web app fetches your data using a unique sync link (e.g., ?sync=abc123)
• Conflict Resolution: Last write wins - most recent changes take precedence

---

3. How We Use Your Information

We use your information to:

3.1 Core Functionality

• Save and organize your vocabulary words
• Provide definitions, translations, and context
• Track your learning progress and statistics
• Generate quizzes and review sessions
• Sync data across your devices (if enabled)

3.2 Service Improvement

• Monitor sync reliability and fix technical issues
• Identify and resolve bugs
• Improve app performance and user experience
• Develop new features based on usage patterns

3.3 Premium Features

• Process payments via ExtensionPay
• Manage premium subscriptions
• Unlock advanced features for paying users

3.4 Communications

• Send important service updates
• Respond to support requests
• Notify about privacy policy changes

We do NOT use your data for:

• Advertising or marketing
• Selling to third parties
• Training AI models
• Profiling or automated decision-making

---

4. Third-Party Services

Bellek integrates with the following third-party services:

4.1 Supabase (Cloud Database)

• Purpose: Cloud storage for cross-device sync
• Data shared: All vocabulary data, email, sync_id, learning statistics
• Privacy policy: https://supabase.com/privacy
• Data location: EU West 2 (London, United Kingdom)
• Security: Industry-standard encryption, HTTPS only

4.2 Netlify (Web Hosting)

• Purpose: Hosts the Bellek web application
• Data shared: Standard web server logs (IP address, browser type, access times)
• Privacy policy: https://www.netlify.com/privacy
• Note: Netlify does not have access to your vocabulary data or personal information beyond standard hosting logs

4.3 ExtensionPay (Payment Processing)

• Purpose: Handle premium subscription payments
• Data shared: Email, payment information (credit card processed by Stripe)
• Privacy policy: https://extensionpay.com/privacy
• Note: We never see or store your credit card details

4.4 Merriam-Webster Dictionary API

• Purpose: Fetch word definitions, pronunciations, and synonyms
• Data shared: Only the specific word you're looking up
• Privacy policy: https://www.merriam-webster.com/privacy-policy
• Note: No personal information is sent with dictionary requests

4.5 Free Dictionary API (Fallback)

• Purpose: Backup dictionary service when primary API is unavailable
• Data shared: Only the specific word you're looking up
• Website: https://dictionaryapi.dev
• Note: No personal information sent

We do NOT share your data with:

• Advertising networks
• Data brokers
• Social media platforms
• Analytics services (beyond our own minimal telemetry)

---

5. Data Security

We implement multiple security measures to protect your data:

5.1 Technical Safeguards

• Encryption in transit: All network requests use HTTPS/TLS
• Encryption at rest: Supabase encrypts stored data
• Access control: Unique sync_id required to access cloud data
• Row Level Security: Database-level policies prevent unauthorized queries
• Secure APIs: No direct database access from client

5.2 Operational Safeguards

• Regular security audits of codebase
• Minimal data collection principle
• No third-party tracking scripts
• Open-source transparency (code available on GitHub)

5.3 Security Implementation

• sync_id security: Your sync link contains a unique identifier derived from your email address and a timestamp. This identifier acts as your access credential and should be kept private.
• Row Level Security (RLS): Enabled on all database tables to prevent unauthorized access
• Local storage: Data in browser storage is accessible to anyone with physical access to your device
• No account system: We don't have traditional login/password. The sync link itself is your credential.

Best Practices:

• Don't share your sync link with others (it's your password)
• Use device lock screens and passwords
• Clear browser data if using a shared computer
• If your sync link is compromised, contact us to generate a new one

---

6. Data Retention and Deletion

6.1 Active Use

• Local data: Retained indefinitely until you delete the extension or clear browser data
• Cloud data: Retained while you actively use sync

6.2 Data Deletion

Option 1: Delete Local Data

• Chrome Extension: Remove extension from Chrome
• Web App: Clear browser localStorage or use browser settings

Option 2: Delete Cloud Sync Data

• Disable sync in settings
• Data will remain on cloud for 30 days, then automatically deleted
• Alternatively, contact us for immediate deletion

Option 3: Complete Deletion

1. Export your data first (optional backup)
2. Remove extension/clear web app data
3. Contact us to delete cloud data: hello@bellek.co

6.3 Automatic Deletion

• Cloud data for inactive accounts (no sync activity for 12+ months) may be deleted after notification
• Anonymous telemetry data deleted after 90 days

---

7. Your Rights

Depending on your location, you may have the following rights:

7.1 Access and Portability

• View your data: All data visible in the Bellek dashboard
• Export your data: Use the built-in Export feature (CSV format)
• Request a copy: Contact us for a complete data dump

7.2 Correction and Deletion

• Edit your data: Edit words, notes, and settings directly in Bellek
• Delete specific items: Delete individual words or collections
• Delete all data: See Section 6.2 above

7.3 Consent and Objection

• Withdraw consent: Disable sync at any time
• Opt-out of telemetry: Contact us to disable anonymous usage tracking
• Object to processing: Contact us with concerns

7.4 GDPR Rights (EU/UK Users)

If you're in the European Economic Area or UK:

• Right to access your personal data
• Right to rectification of inaccurate data
• Right to erasure ("right to be forgotten")
• Right to restrict processing
• Right to data portability
• Right to object to processing
• Right to lodge a complaint with supervisory authority (ICO in UK)

7.5 CCPA Rights (California Users)

If you're in California:

• Right to know what personal information is collected
• Right to delete personal information
• Right to opt-out of sale (note: we don't sell data)
• Right to non-discrimination for exercising privacy rights

To exercise your rights, contact: hello@bellek.co

---

8. Children's Privacy

Bellek is designed as an educational tool suitable for all ages. However:

• We do not knowingly collect personal information from children under 13 without parental consent
• If sync is enabled by a child under 13, parental consent is required
• Parents can review and delete their child's data by contacting us
• We recommend parental supervision for users under 13

If you believe a child under 13 has provided us with personal information without parental consent, please contact us immediately.

COPPA Compliance: For U.S. users under 13, we comply with the Children's Online Privacy Protection Act.

---

9. International Data Transfers

Bellek is developed in the United Kingdom and uses cloud services located in the EU:

• Supabase servers: Located in EU West 2 (London, United Kingdom)
• Data transfers: Your data remains within the European Economic Area
• Safeguards: We ensure adequate protections through:
  • Standard contractual clauses
  • Encryption in transit and at rest
  • Compliance with GDPR, CCPA, and local laws

EU/UK Users: Your data is stored within the European Economic Area (London, UK) and is not transferred outside the EEA, ensuring full GDPR compliance.

---

10. Browser Permissions Explained

Bellek requests the following Chrome permissions:

activeTab

• Purpose: Capture text when you highlight words on web pages
• When used: Only when you explicitly open the Bellek popup after selecting text
• What we access: Only the text you've highlighted, not the entire page
• Data collection: None - we just read what you selected

storage

• Purpose: Save your vocabulary words locally in your browser
• What's stored: All your words, collections, and learning progress
• Location: Your device only (unless you enable cloud sync)

alarms

• Purpose: Schedule study reminders and review notifications
• What's scheduled: Times for spaced repetition reviews
• Control: You can disable notifications in settings

notifications

• Purpose: Send study reminders and achievement alerts
• When used: Only for learning-related notifications (e.g., "Time to review!")
• Control: Fully disable in extension settings or Chrome notification settings

<all_urls> (Content Script)

• Purpose: Allow the word-saving popup to appear on any website you visit
• What it does: Detects when you select text and highlight words
• What it doesn't do: Does NOT read pages passively, track browsing, or collect data without your action
• How it works: The script only activates when you select text and open the popup

Important: These permissions enable core functionality. We use the minimum permissions necessary and never abuse access.

---

11. Cookies and Tracking

Bellek does NOT use:

• Tracking cookies
• Third-party advertising cookies
• Analytics cookies (Google Analytics, etc.)
• Social media pixels

We only use:

• localStorage (browser storage for app functionality, not tracking)
• Session storage (temporary data during active use)

---

12. Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect:

• New features or functionality
• Legal or regulatory requirements
• Improved privacy practices

How we notify you:

• Email notification (if you've enabled sync)
• In-app banner in the Bellek dashboard
• "Last Updated" date at the top of this policy
• GitHub commit history (policy is version-controlled)

Material changes: If we make significant changes that affect how we use your data, we'll provide 30 days' notice before the changes take effect.

Continued use: By continuing to use Bellek after changes take effect, you accept the updated Privacy Policy.

---

13. Data Breach Notification

In the unlikely event of a data breach affecting your personal information:

• We will notify affected users within 72 hours of discovery
• Notification will include:
  • What data was affected
  • What we're doing to address the breach
  • Steps you should take to protect yourself
• We will also notify relevant regulatory authorities as required by law

---

14. California Shine the Light

California residents have the right to request information about our disclosure of personal information to third parties for direct marketing purposes.

Our practice: We do NOT share personal information with third parties for their direct marketing purposes.

---

15. Do Not Track

Some browsers have "Do Not Track" (DNT) features. Since we don't track users anyway, DNT settings don't affect Bellek's behavior. We respect your privacy regardless of DNT settings.

---

16. Open Source Transparency

Code License: All Rights Reserved

We welcome responsible disclosure of security vulnerabilities via hello@bellek.co

---

17. Contact Us

For privacy-related questions, concerns, or requests:

Email: hello@bellek.co
Response time: We aim to respond within 5 business days

For data deletion requests: Include "Data Deletion Request" in the subject line

For security issues: Use subject line "Security - Confidential" and we'll respond within 24 hours

---

18. Legal Information

Service Provider:
Ceylan Inan
United Kingdom
Contact: hello@bellek.co

Data Controller: Ceylan Inan (for GDPR purposes)
Data Protection Officer: Not required (solo developer, small-scale processing)

Supervisory Authority (EU/UK):
If you're unsatisfied with our response to a privacy concern, you can lodge a complaint with:

• UK: Information Commissioner's Office (ICO) - https://ico.org.uk
• EU: Your local data protection authority

---

19. Acceptance of This Policy

By using Bellek, you acknowledge that you have read, understood, and agree to be bound by this Privacy Policy.

If you do not agree with this Privacy Policy, please do not use Bellek.

---

20. Summary (TL;DR)

---

End of Privacy Policy

This privacy policy was last reviewed and updated on November 27, 2025.