
Privacy Policy

Last updated · 1 June 2026

Wordy is a vocabulary-learning tool I built and run myself. This page explains exactly what data Wordy collects, how it's used, and what control you have over it. It's written to be readable in five minutes, not to satisfy a lawyer.

1. Who runs Wordy

Wordy is operated by Gökhan Arlı, an independent developer. Contact: hello@trywordy.com.

I'm not a company, an agency, or a team. There is no shared database with anyone else. Anything you share with Wordy stays with me.

2. What data Wordy collects

When you sign up

  • Email address — used to log you in and send transactional email (verification, password reset).
  • Name — displayed in the UI; you can change it anytime.
  • Password — stored as a one-way bcrypt hash. I cannot see your password and cannot recover it.

When you use Wordy

  • Words you look up — saved as your lookup history. Used to populate practice drills, save lookups to collections, and let you revisit past lookups.
  • Preferences — your native and target language, definition language, theme, and email opt-ins.
  • Subscription state — which tier you're on. Once Stripe billing is live, payment metadata (card last-4, billing country) is held by Stripe — never by Wordy.

Automatically

  • Server logs — IP address, user agent, request paths, and response codes. Retained 30 days for debugging and abuse prevention.
  • Authentication session — when you log in, a JWT auth token is stored in your browser's localStorage so you don't have to sign in on every visit.

3. What Wordy does not collect

  • No tracking cookies. No Google Analytics. No Facebook Pixel.
  • No advertising IDs. Wordy doesn't run ads.
  • No location data beyond the rough geographic implication of your IP address.
  • No microphone, camera, or contact-list access.

4. How your data is used

  • To provide the service: log you in, run lookups, generate audio, save collections, render practice drills.
  • To send transactional email (verification, password reset, security notices). You can opt out of product emails in settings; transactional email is required for the account to function.
  • To enforce tier limits and prevent abuse (rate limiting, fraud detection).
  • To debug errors and improve the product. Errors are sent to a monitoring service (Sentry) without PII attached.

Your lookups, collections, and account data are never sold, rented, or shared with advertisers. Wordy doesn't use your data to train AI models — yours or anyone else's.

5. Third-party services Wordy uses

Wordy is built on a small stack of trusted vendors. Each receives only the minimum data needed to do its job.

  • Anthropic — provides the AI that writes definitions. Receives the word you're looking up and the language pair. Does not receive your account info. Anthropic's terms prohibit using inputs for training when accessed via API.
  • ElevenLabs — generates pronunciation audio. Receives only the word being spoken. Does not receive your account info.
  • DigitalOcean — hosts the database, application server, and audio files. All data stored at rest is encrypted.
  • Vercel — hosts the frontend website. Serves you the HTML, CSS, and JavaScript.
  • Amazon SES — sends transactional email. Receives your email address and the email body.
  • Sentry — captures error reports. Receives stack traces with sensitive parameters (passwords, tokens) scrubbed. Tagged with an anonymized user ID, not your name or email.
  • Stripe (once billing is live) — processes payments. Receives only payment details you enter directly into Stripe's form. Wordy never sees your card number.

6. Your rights

Under GDPR (and similar laws in the UK, California, and elsewhere) you have the right to:

  • Access a copy of your data — use the Export button in Settings, or email me.
  • Correct your name, language preferences, etc. — directly in Settings.
  • Delete your account and all associated data — use the Delete account button in Settings, or email me.
  • Object to specific uses of your data — email me and I'll resolve it within 30 days.
  • Lodge a complaint with your local data protection authority if I haven't responded to a reasonable request.

When you delete your account, your data is soft-deleted immediately (no longer accessible to you or anyone else) and permanently purged within 30 days. Backups are rotated within 30 days, so a deletion fully propagates within that window.

7. How long data is kept

  • Account data — until you delete your account.
  • Lookups and collections — until you delete them or your account.
  • Server logs — 30 days.
  • Soft-deleted accounts — 30 days before permanent purge.
  • Backups — rotated within 30 days.

8. Security

Wordy uses standard production practices: HTTPS-only (TLS 1.2+), passwords hashed with bcrypt, JWT auth tokens, content security policy headers, and a rate limiter against brute-force attacks. Database backups are encrypted at rest.

That said, no service is unhackable. If a breach happens, I'll notify affected users by email within 72 hours of discovery.

9. Children

Wordy is not directed at children under 13. If you believe a child under 13 has created an account, email me and I'll delete it.

10. Changes to this policy

If I make material changes, I'll update the "Last updated" date at the top and email everyone with an active account. Trivial fixes (typos, broken links) won't trigger a notification.

11. Contact

Questions, deletion requests, or anything else: hello@trywordy.com. I read every message personally.


Designed and built by Gökhan Arlı with Claude · © 2026 Wordy