Privacy Policy
Last updated: 20 June 2026
This Privacy Policy explains how Gradiente Ltd ("we", "us") collects, uses, and protects personal data when you use the Verso mobile application and related services (the "Service"). We are the data controller for the personal data described below.
1. Information we collect
1.1 Account information
- Email address and password when you create an account with email/password (the password is stored as a salted bcrypt hash; we never see or store the plaintext).
- Name you provide on signup.
- OAuth identifiers from Sign in with Google or Sign in with Apple (the provider's stable subject ID and the email address you authorise the provider to share). We do not receive your provider password.
1.2 Content you create
- Decks and flashcards you create (questions, answers, multiple-choice options, deck names).
- PDF files you upload for AI-assisted card generation. These files are sent to our AI provider (OpenAI) to generate cards and are not retained by us after processing.
1.3 Usage and progress data
- Study activity (cards reviewed, correct/incorrect answers, session timestamps).
- Gamification state (XP, level, streak counts, daily goal progress).
- Onboarding answers (study goal, pain points, preference answers) you provide during the onboarding flow.
1.4 Device data
- Push notification tokens if you enable quiz reminder notifications, so we can send scheduled reminders.
- Basic request metadata (IP address, request timestamp, user agent) recorded in server logs for security and abuse-prevention purposes. These logs are retained for up to 30 days.
- Crash and error diagnostics — when the app crashes or errors, technical details (device model, OS and app version, and the error/stack trace) are sent to our crash-reporting provider so we can diagnose and fix problems. These reports are not linked to your name or email.
1.5 Product analytics
- Usage events — in-app actions such as starting a study session, swiping a card, completing a deck, reaching a daily goal, viewing the upgrade screen, and your progress through onboarding, together with the screens you view. We use these to understand how the app is used and to improve it.
- These events are linked to your account via your user ID. We do not send your email or name to our analytics provider, we disable IP-based location lookup, and we do not record your screen (session replay is off).
1.6 Subscription data
- If you subscribe to Verso Pro, we receive your subscription status and purchase history (the plan you bought, renewal/expiry dates, and a purchase token) from Apple via our subscription processor to unlock paid features and keep your subscription in sync across your devices. Apple processes the payment — we never receive your card details.
We do not collect precise location, contacts, photos outside files you explicitly upload, or advertising identifiers, and we do not use advertising or cross-app tracking SDKs.
2. How we use your data
- To provide the Service: authenticate you, store your decks, sync study progress, run the gamification system, and send the notifications you've opted in to.
- To process PDFs into flashcards via our AI provider when you use the AI generation feature.
- To send transactional emails such as password reset links.
- To detect abuse and protect the integrity of the Service (e.g. rate limiting).
- To provide and manage your subscription — unlock Verso Pro features, restore purchases, and keep your subscription status in sync across devices.
- To understand how the app is used and improve it, through privacy-friendly product analytics (aggregated usage events tied to your user ID; no advertising or cross-app tracking).
We do not sell your personal data, and we do not use it for advertising or behavioural profiling.
3. Legal bases (UK / EU users)
- Performance of a contract — to provide the Service you signed up for.
- Legitimate interests — to keep the Service secure, prevent abuse, improve reliability, and understand and improve how the app is used through privacy-friendly product analytics. You can object to analytics processing at any time (see section 8).
- Consent — for push notifications (you can revoke at any time in your device settings).
- Legal obligation — where we must retain or disclose data to comply with applicable law.
4. Sharing with third parties
We share personal data only with the following service providers ("processors"), and only as needed to operate the Service:
- OpenAI — when you use AI-assisted card generation, the contents of the PDF are sent to OpenAI for processing. OpenAI's terms apply to that processing.
- Amazon Web Services (SES) — to deliver transactional emails (e.g. password reset).
- PostHog — product analytics. We send in-app usage events tied to your user ID (not your email or name) to understand and improve how the app is used. Session replay is not enabled. PostHog's terms apply to that processing.
- RevenueCat — subscription management. When you subscribe, we share your account user ID and subscription/purchase status with RevenueCat to validate your entitlement and sync it across your devices. RevenueCat's terms apply to that processing.
- Sentry — crash and error reporting. Technical diagnostics (device model, OS and app version, and the error/stack trace) are sent to Sentry when the app crashes or errors, so we can fix bugs. We do not attach your name or email to these reports.
- Apple and Google — when you sign in with their providers, and Apple Push Notification Service / Firebase Cloud Messaging when you receive notifications.
- Hosting infrastructure operated by Gradiente Ltd on commercial cloud servers.
We do not sell or rent your personal data. We may disclose data to comply with a legal request, court order, or to protect our rights, users, or the public.
5. International transfers
Some of our processors (notably OpenAI, AWS, PostHog, RevenueCat, and Sentry) operate in or transfer data to the United States. Where applicable, transfers are governed by Standard Contractual Clauses or equivalent safeguards.
6. Data retention
- Account data is retained for as long as your account is active.
- If you delete your account, we delete your account data and content within 30 days, except where we are required by law to retain limited records.
- Server logs are retained for up to 30 days for security and operational purposes.
- Product analytics events are linked to your account and are deleted, along with your analytics profile, when you delete your account.
- Password reset tokens are stored only as a SHA-256 hash and expire after one hour.
7. Security
We use industry-standard measures including TLS in transit, bcrypt for password hashing, JWTs for session tokens, hashed (not plaintext) password reset tokens, and access controls on our infrastructure. No system is perfectly secure; please use a strong, unique password and keep your device protected.
8. Your rights
Depending on your jurisdiction (UK GDPR, EU GDPR, California CCPA/CPRA, and others), you may have the right to:
- Access the personal data we hold about you.
- Correct inaccurate data.
- Delete your account and associated data (the app provides an in-app delete option in Settings).
- Export your data in a portable format.
- Object to or restrict certain processing.
- Lodge a complaint with your local data protection authority (in the UK: the Information Commissioner's Office, ico.org.uk).
To exercise any of these rights, email luis@gradiente.dev. We aim to respond within 30 days.
9. Children
Verso is not directed at children under 13, and we do not knowingly collect personal data from children under 13. If you believe a child has provided us with personal data, contact us and we will delete it.
10. Changes to this policy
We may update this Privacy Policy from time to time. Material changes will be communicated in-app or by email. The "Last updated" date at the top of this page indicates the latest revision.
11. Contact
Gradiente Ltd
1 Transom Close, London SE16 7FH, United Kingdom
Email: luis@gradiente.dev