Privacy Policy
Last updated: 17 May 2026
This policy explains what data Zelinx Flashcards ("Zelinx", "we") collects, why, and what we do with it. Short version: we collect the minimum we need to run the service, we don't sell it, we don't show ads, and you can delete your account at any time.
1. Who we are
Zelinx is a personal study app run from the United Kingdom. Contact: hello@zelinxstudy.com.
2. What we collect
| Data | Why | Retention |
|---|---|---|
| Email address | Account identifier, password reset | Until you delete your account |
| Password (hashed) | Authentication. We store a PBKDF2-SHA-256 hash with 100,000 iterations. We never see your raw password. | Until you change it or delete your account |
| Your decks, cards, images, study progress | So your data syncs across your devices and survives reinstalls | Until you delete it (or delete your account) |
| XP, streak, level | Powering the leaderboard + stats | Until you delete your account |
| Session tokens | Keeping you signed in | 30 days, or until you log out |
| Password-reset tokens | Letting you reset a forgotten password | 1 hour from request |
We do not collect: your name (unless you put it in your email), your location beyond approximate region inferred from IP for security, payment details (no paid plans yet), or any tracking ID linking you to other sites.
3. Cookies and local storage
Zelinx uses your browser's localStorage and a single first-party cookie to keep you signed in between visits. We don't use third-party analytics, advertising cookies, or tracking pixels. The cookie name is zelinx-fc-token; it's set as SameSite=Lax and expires in 30 days.
4. Who we share data with
Only the service providers we genuinely need to run Zelinx:
- Cloudflare — hosts the application and stores your data in their KV storage (data centres in the EU/US). Cloudflare's privacy policy.
- Resend — sends transactional emails (password resets). They see your email address and the email contents. Resend's privacy policy.
We don't sell your data. We don't share it with advertisers. We don't use it to train any AI model.
5. Your rights (UK / EU GDPR)
You have the right to:
- Access the data we hold about you — use Profile → Export data to download everything as JSON.
- Correct any inaccurate data — edit your decks/cards directly in the app.
- Delete your account and all associated data — Profile → Delete account.
- Object to certain processing.
- Lodge a complaint with the UK Information Commissioner's Office (ico.org.uk) or your local data-protection authority.
6. Security
Passwords are hashed with PBKDF2-SHA-256 (100,000 iterations + a per-account salt) — never stored in plain text. All connections to the service use HTTPS. Sessions expire after 30 days. Reset links expire after 1 hour. If you suspect your account was accessed by someone else, change your password immediately.
No service can guarantee absolute security. If a breach happens that affects your data, we'll notify you within 72 hours where required by law.
7. Children
Zelinx is intended for users aged 13 and over. If you're under 18, you should review this policy with a parent or guardian. We don't knowingly collect data from anyone under 13. If you believe a child under 13 has created an account, email hello@zelinxstudy.com and we'll delete it.
8. International transfers
Your data may be processed in the UK, EU, or US depending on where Cloudflare's edge network handles your traffic. Cloudflare's data-handling practices are designed to comply with GDPR and the UK Data Protection Act.
9. Changes to this policy
If we make material changes, we'll update the "Last updated" date and, where significant, notify you in the app or by email.
10. Contact
Questions about your data, this policy, or how to exercise your rights? Email hello@zelinxstudy.com.