Privacy Policy
Last updated: March 2026
Elephant ("we", "us", or "our") is committed to protecting your privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use Elephant, a Korean study companion, at elephant-project.net (the "Service").
By registering for or using the Service, you acknowledge that you have read and understood this Privacy Policy. If you do not agree with its terms, please do not use the Service.
1. Information We Collect
Information you provide directly
- Account information: your name and email address when you register.
- Language preference: the native language you select for translations and definitions.
- Study input: translation responses and self-ratings you submit during study sessions.
Information collected automatically
- Session data: IP address and user-agent string, stored when you authenticate, to detect suspicious access and support account security.
- Study history: timestamps, ratings, and computed FSRS scheduling parameters (difficulty, stability, due date) for each vocabulary item you study.
- Audit log: a timestamped record of significant account events (e.g. consent acceptance, account deletion requests) retained for legal and security purposes.
2. How We Use Your Information
- Service delivery: to create and manage your account, authenticate your sessions, and provide vocabulary and sentence content.
- Spaced repetition scheduling: your study history is used exclusively to compute the FSRS v4.0 scheduling algorithm, determining when each vocabulary item is next due for review.
- Audio synthesis: when you request example sentence audio, the sentence text is transmitted to Murf.ai to generate a voice recording. We do not send any personal account data to Murf.ai for this purpose.
- Translation evaluation: when you submit a translation for AI feedback, your response is sent to the Google Gemini API for assessment. No personally identifying information beyond the sentence and your translation text is included in this request.
- Account security: session IP addresses and user-agents are used to detect unauthorised access attempts.
- Legal compliance: audit log entries are retained to demonstrate compliance with applicable law (including GDPR consent records).
We do not use your data for advertising, sell it to third parties, or use it to train any machine learning model.
3. Third-Party Sub-Processors
We share data with the following third-party service providers solely to the extent necessary to operate the Service:
| Processor | Purpose | Data shared |
|---|---|---|
| Google Gemini API | AI translation evaluation | Sentence text and your translation response |
| Murf.ai | Voice synthesis for example sentences | Sentence text |
| Cloudflare R2 | Audio file storage | Generated audio files (no personal data) |
| Lemon Squeezy | Subscription billing and payment processing | Name, email, billing address, payment method details |
| Email provider | Transactional email delivery | Name and email address |
Each processor is bound by a data processing agreement and may only use data for the stated purpose. Lemon Squeezy acts as a Merchant of Record for subscription payments and is independently responsible for the payment data they process under their own privacy policy.
4. Data Retention
- Account and study data: retained for as long as your account is active. When you delete your account, your personal data (name, email, session records, study history) is permanently deleted within 30 days.
- Audit logs: entries required for legal compliance (e.g. consent records) are retained for up to 3 years after account deletion, then permanently deleted.
- Billing records: Lemon Squeezy retains payment and invoice records as required by applicable financial and tax regulations, independently of your account with us.
- AI request logs: we do not retain logs of individual Gemini or Murf.ai API requests beyond the immediate processing window. Refer to those providers' policies for their own retention practices.
5. Your Rights Under GDPR
If you are located in the European Economic Area (EEA), United Kingdom, or Switzerland, you have the following rights regarding your personal data:
- Right of access: you may request a copy of the personal data we hold about you.
- Right to rectification: you may correct inaccurate data via your account settings or by contacting us.
- Right to erasure: you may request deletion of your account and associated personal data. You can do this directly from your account settings page.
- Right to data portability: you may request your study data in a machine-readable format.
- Right to restrict processing: you may ask us to limit how we use your data in certain circumstances.
- Right to object: you may object to processing based on our legitimate interests.
- Right to withdraw consent: where processing is based on consent, you may withdraw it at any time without affecting the lawfulness of prior processing.
To exercise any of these rights, contact us at privacy@elephant-project.net. We will respond within 30 days. You also have the right to lodge a complaint with your local data protection authority.
6. Legal Basis for Processing
- Contract performance: processing your account and study data is necessary to provide the Service you signed up for.
- Legitimate interests: security logging (session IP/user-agent) is processed on the basis of our legitimate interest in preventing unauthorised access.
- Legal obligation: audit log retention is required to demonstrate compliance with GDPR consent requirements.
- Consent: you consent to this policy by accepting the terms at registration.
7. Cookies and Tracking
We use only a session authentication cookie strictly necessary to keep you logged in. We do not use advertising cookies, tracking pixels, or third-party analytics scripts. No data is shared with advertising networks.
8. Security
We use industry-standard measures to protect your data, including encrypted connections (HTTPS/TLS) and hashed password storage. No system is completely secure; if you believe your account has been compromised, please contact us immediately.
9. Children's Privacy
The Service is not directed to children under 16 years of age. We do not knowingly collect personal data from children under 16. If you believe a child has provided us with personal data, please contact us and we will promptly delete it.
10. Changes to This Policy
We may update this Privacy Policy from time to time. When we do, we will revise the "Last updated" date at the top. For material changes, we will notify you by email at least 14 days before the change takes effect. Your continued use of the Service after that date constitutes acceptance of the updated policy.
11. Contact
For privacy-related questions or to exercise your rights, please contact us at privacy@elephant-project.net.