Privacy Policy

1. Information We Collect

When you use Fan Card Builder, we may collect:

• Account information: email address and password when you sign up
• User content: messages you write and translations you save
• Usage data: pages visited, features used, learning progress, and in-product feedback activity
• Device information: browser type, operating system, and screen size
• Guest session identifier: if you use the Service without an account, a randomly generated session ID is stored in your browser's local storage to track daily translation usage. This identifier is not linked to any personal information.
• Feedback data: if you choose to rate your experience after saving a fan card, we collect your star ratings for translation, practice, and fan card design, along with response type (submitted or skipped), language, platform, premium status, and related technical metadata.
• IP address: collected when you grant or revoke consent, submit a support request, or submit in-product feedback, for record-keeping and security purposes. Also used for rate limiting.
• Payment information: billing details processed securely through our third-party payment provider. We do not store your credit card number directly.
• Push notification token: if you use our mobile app, a Firebase Cloud Messaging (FCM) device token is collected to deliver push notifications. This token is stored in our database and linked to your account. You can disable push notifications in your device settings at any time.
• Advertising data: if advertising is enabled and you use the free tier, third-party advertising services (Google AdSense) may collect cookies, device identifiers, and browsing data to serve and measure advertisements. Premium subscribers are not shown ads and this data is not collected.

2. How We Use Your Information

We use collected information to:

• Provide and maintain the Service
• Generate Korean translations by sending your messages to OpenAI
• Process subscriptions and payments through Polar
• Save your learning progress and message history
• Improve and optimize the Service
• Understand how users interact with our features
• Collect optional star-rating feedback after saving a fan card to evaluate translation, practice, and fan card design quality
• Track daily translation usage to enforce tier limits (per user ID for logged-in users, or per guest session ID for guests)
• Cache translation results temporarily to improve performance and avoid redundant API calls
• Store a local browser timestamp to limit how often the feedback prompt is shown on your device

3. Analytics

We use third-party analytics services such as Google Analytics to understand how the Service is used. These analytics cookies are only loaded after you provide consent via our cookie banner. You may decline analytics cookies, and the Service will function normally without them. These services may collect anonymized usage data including pages visited, time spent, and interaction patterns. No personally identifiable information is shared with these providers beyond what is standard for web analytics.

4. Data Storage

Your data is stored securely using Supabase, a trusted cloud database provider. We use industry-standard security measures to protect your information.

5. Third-Party Services

We use the following third-party services to operate the Service:

• Supabase: Cloud database for storing your account data, content, learning progress, support requests, and in-product feedback (hosted in the United States).
• Polar: Merchant of Record for payment processing, billing, and invoicing.
• Google Analytics: Website analytics (only with your consent via cookie banner).
• OpenAI: When you translate a message, the text content is sent to OpenAI to generate a Korean translation. Only the message text is sent; no account information is included.
• Google AdSense: If advertising is enabled, advertisements may be shown to free-tier users. AdSense may use cookies and similar technologies to serve relevant ads. Premium subscribers are not shown ads. See Google's advertising policies for details.
• Cloudflare: Hosts and delivers the Service via its global CDN. All traffic passes through Cloudflare, which may process IP addresses and request metadata for performance, security, and bot protection.
• Upstash Redis: Provides rate limiting and daily translation usage tracking (per user ID for logged-in users, or per guest session ID for guests). Translation results are cached temporarily (up to 24 hours) to improve performance. All data expires automatically and is not stored long-term.
• Firebase Cloud Messaging (FCM): Delivers push notifications to our mobile app. A device token is generated and stored to route notifications. No message content or personal data is shared with Firebase beyond the token itself.
• Sentry: Automated error tracking service that captures crash reports, stack traces, and request context (such as URL, browser, and OS) when technical errors occur. Error reports do not include account credentials or message content. Data is retained per Sentry's default retention policy (90 days).
• Discord: Receives automated operational alerts (e.g., support request notifications). Support request content forwarded to Discord is used solely for internal response coordination.

We do not share your account information with third parties beyond what is necessary to provide the Service as described above.

6. Data Retention & Deletion

• Active accounts: Your data is retained for the duration of your active use of the Service.
• Account deletion: When you delete your account, all associated data is immediately removed (via cascading deletion). Residual copies in encrypted backups are purged within 90 days.
• Cookie data: Analytics cookies are cleared upon session end or immediately upon declining/revoking consent.
• Feedback prompt timing: the browser local-storage timestamp used to limit feedback prompt frequency remains on your device until it is overwritten, cleared by you, or removed by your browser.
• Translation usage data: Daily usage counters and cached translations stored in Redis expire automatically after 24 hours.
• Payment records: Billing and transaction records are maintained by Polar (our Merchant of Record) in accordance with their own data retention policies. Upon account deletion, all payment data in our systems is removed.

7. Your Rights (Data Subject Rights)

You have the right to:

• Access your personal data
• Request correction of inaccurate data
• Delete your account and all associated data
• Export your data in a machine-readable format (available in Profile > Export My Data)
• Withdraw consent for analytics cookies at any time

To exercise any of these rights, email us at kpopfancard@gmail.com. We will acknowledge your request within 7 days and complete it within 30 days.

8. Cookies

We use essential cookies for authentication and session management. Analytics cookies (Google Analytics) are only set after you provide explicit consent via our cookie consent banner. You can change your cookie preferences at any time by clicking "Cookie Settings" on our website.

Advertising cookies: If advertising is enabled and you use the free tier, Google AdSense may set cookies to serve and measure advertisements. You can manage ad personalization preferences at Google Ads Settings. Premium subscribers are not shown ads and no advertising cookies are set.

9. Children's Privacy (COPPA Compliance)

The Service is not directed to children under 13. We do not knowingly collect personal information from children under 13. If we become aware that we have collected personal information from a child under 13 without parental consent, we will take steps to remove that information from our servers.

10. Your Rights Under GDPR (EEA Users)

If you are located in the European Economic Area (EEA), we process your personal data under the following legal bases:

• Consent: For analytics cookies (Google Analytics). You may accept or decline these via our cookie consent banner.
• Contract: To provide the translation and learning services you requested when you use the Service (with or without an account).
• Legitimate Interests: To improve our service, ensure security, and prevent fraud.

Under the GDPR, you have the following rights:

• Right of Access: Request a copy of the personal data we hold about you.
• Right to Rectification: Request correction of inaccurate or incomplete data.
• Right to Erasure: Request deletion of your personal data.
• Right to Data Portability: Request a copy of your data in a structured, machine-readable format by contacting us.
• Right to Restrict Processing: Request that we limit how we use your data.
• Right to Object: Object to processing of your data based on legitimate interests.
• Right to Withdraw Consent: Withdraw your cookie consent at any time by clicking "Cookie Settings" on our website.

International Data Transfers: Your data is stored on servers located in the United States via Supabase and delivered globally through Cloudflare. We rely on Standard Contractual Clauses (SCCs) approved by the European Commission, and our vendors' own GDPR-compliant data processing agreements, as the legal basis for transferring personal data outside the EEA.

You have the right to lodge a complaint with your local data protection supervisory authority if you believe your data has been handled incorrectly.

To exercise any of these rights, please contact us at kpopfancard@gmail.com.

11. Your Rights Under CCPA (California Residents)

If you are a California resident, the California Consumer Privacy Act (CCPA) and the California Privacy Rights Act (CPRA) provide you with specific rights regarding your personal information:

• Do Not Sell / Do Not Share: We do not "sell" or "share" your personal information as those terms are defined under California law.
• Right to Know: You may request details about the categories of personal information we collect, the purposes for collection, and the categories of third parties with whom we share it.
• Right to Delete: You may request deletion of the personal information we have collected from you, subject to certain exceptions.
• Right to Non-Discrimination: We will not discriminate against you for exercising any of your CCPA rights. You will not receive different pricing or quality of service.

Categories of information we collect: identifiers (email, IP address), usage data (pages visited, features used, star-rating feedback), and device information (browser type, OS).

To exercise any of these rights, please contact us at kpopfancard@gmail.com.

12. Additional Disclosures for South Korean Users (PIPA)

In accordance with Korea's Personal Information Protection Act (PIPA), we provide the following additional disclosures:

Personal Information Collected

• Email address and password (upon registration; account creation is optional)
• Guest session identifier (randomly generated UUID stored in browser local storage; only for non-logged-in users)
• Messages you write and their translations
• Learning progress data (jamo practice records; only for logged-in users)
• Optional feedback ratings for translation, practice, and fan card design, plus whether you submitted or skipped the prompt
• Device information (browser type, operating system)
• IP address (used for rate limiting and stored with consent records, support requests, and feedback records)
• Payment information (processed through a third-party payment provider)
• Push notification device token (FCM token, for mobile app users only)

Purpose of Collection and Use

• Providing the Service and managing user accounts
• Storing learning progress and message history
• Providing AI-powered Korean translation
• Processing subscriptions and payments
• Evaluating satisfaction with translation, handwriting practice, and fan card design to improve the Service
• Service improvement and statistical analysis (with consent)

Disclosure to Third Parties

• OpenAI: Message text is sent to generate Korean translations.
• Polar: Payment information is processed for billing and subscription management.
• Supabase (United States): Account data, learning records, support requests, and feedback records are stored.
• Google Analytics: Analytics data is collected only with user consent.
• Google AdSense: If advertising is enabled, free-tier users may be shown advertisements; cookies and browsing data may be collected.
• Cloudflare: All traffic is delivered through Cloudflare CDN; IP addresses and request metadata are processed.
• Upstash Redis: Provides rate limiting and daily translation usage tracking (per user ID or guest session ID). Cached translations are stored temporarily. All data expires within 24 hours.
• Firebase Cloud Messaging (FCM): Push notification device tokens are stored to deliver app notifications.
• Sentry: Crash reports and technical error data are collected automatically for service stability and debugging.
• Discord: Support request notifications are forwarded for internal response coordination.

Retention Period

• Upon account deletion: immediately removed (backups purged within 90 days)
• Payment records: maintained by Polar (Merchant of Record) per their retention policies; removed from our systems upon account deletion
• Analytics cookies: cleared upon session end or consent withdrawal
• Translation usage counters and cached translations (Redis): automatically expire after 24 hours

Destruction Procedure

When a user deletes their account, all personal data is immediately destroyed through cascading deletion in the database. Electronic files are deleted using methods that prevent recovery.

User Rights

• You may request access, correction, deletion, or suspension of processing of your personal data.
• You may export your data (JSON) and delete your account from your profile settings.
• You may withdraw analytics cookie consent at any time.

Privacy Officer

Email: kpopfancard@gmail.com

13. Changes to This Policy

We may update this Privacy Policy from time to time. If we make material changes, we will notify you through a notice within the Service at least 7 days before the changes take effect. Continued use of the Service after changes take effect constitutes acceptance of the updated Policy.

14. Vendor Data Processing Agreements

We maintain Data Processing Agreements (DPAs) with our key service providers:

• Supabase: Supabase DPA
• Google Analytics: Google Ads Data Processing Terms
• OpenAI: OpenAI Data Processing Addendum

15. Contact

Fan Card Builder is operated by PittsEdu. Your use of the Service is also subject to our Terms of Service. If you have questions about this Privacy Policy, please contact us at kpopfancard@gmail.com.

16. Business Information

• Business Name: PittsEdu
• Business Registration No.: 511-73-00601
• Address: 11-41, Simin-daero 327beon-gil, Dongan-gu, Anyang-si, Gyeonggi-do, Republic of Korea, 14055
• Contact: kpopfancard@gmail.com