Your privacy matters. Below is what we collect, why, how long we keep it, and what you can do about it. This policy applies together with our Terms of Service.
1. Who is responsible for your data?
Data controller: Jtobin (individual developer), operating Leafy.
Official website: https://leafyapp.uk
Contact: binjto@gmail.com
For privacy-related questions, data-subject requests, or complaints, use the email above.
2. Data collected on this website
2a. Beta signup form (removed)
The beta signup form has been removed — downloading Leafy requires no account and no email address. If you signed up while the form existed, we keep your email address only to notify you about beta access, until the beta program concludes or you request deletion (see section 6).
2b. Website feedback form
When you send feedback from the homepage, we collect:
- Your feedback text
- An optional reply email address — only if you choose to leave one, used solely to reply to you
Feedback is handled entirely on our own Cloudflare infrastructure: it is stored in our Cloudflare database and forwarded to our inbox via Cloudflare Email Routing. No third-party form or email service is involved. To limit abuse, submissions are rate-limited per day using a salted one-way hash of your IP address — the same approach as translation voting (section 2c); your raw IP address is not stored.
2c. Community translation voting ("Translate")
When you use Translate to suggest or vote on app UI translations, we collect:
- Translation suggestion text you submit
- A one-way hash of your IP address — to prevent duplicate votes and enforce daily rate limits (same hashing approach as section 3c)
- Vote records linking your hash to the suggestion you voted for
This data is stored in a Cloudflare D1 database hosted by Cloudflare. English source strings are also stored there for the voting UI. We do not ask for your name or email on this page.
When you load or interact with the Translate page, your browser sends requests to our Cloudflare Worker API. Cloudflare may process connection metadata (including IP address) as part of hosting and security.
2d. Browser storage on the website
We do not use advertising cookies on this website. We use browser localStorage only to remember that you dismissed the privacy notice. This data stays on your device and is not transmitted to us. (Feedback rate limits are enforced on our server using a hashed IP address, as described in section 2b — nothing is stored in your browser for this.)
Most website scripts (including animation libraries and form helpers) are served from our own domain. The one exception is the privacy-friendly analytics described in section 2e below, which loads a small script from PostHog's domain.
2e. Website analytics (PostHog, cookie-free)
We use PostHog to see coarse traffic patterns on this website — which pages are visited, roughly how many visits per day, referring sites, and country-level location (from your IP address, used transiently and not stored). It is configured in the most restrictive privacy mode PostHog offers:
- No cookies, no
localStorage— nothing is written to your device (persistence: "memory"), so nothing survives closing the tab or loading a new page. - No visitor profile — PostHog is configured to never build a person record (
person_profiles: "never"). Each pageview is a standalone, anonymous event; we cannot tell whether two pageviews came from the same visitor, even across two pages in the same visit. - No autocapture, no session recording — we do not track clicks, form input, or record your screen. Only the fact that a page was viewed is captured.
Because this does not use cookies or any other persistent identifier and does not track you across pages or visits, no cookie-consent banner is required under EU/UK ePrivacy rules — there's nothing non-essential being stored on your device to consent to. See the PostHog Privacy Policy.
3. Data collected by the macOS app
3a. Local storage — stays on your device
All of the following is stored only on your Mac. Leafy has no user accounts and no sync server, so your library is never uploaded to or kept on any server as stored data:
- Your vocabulary list, definitions, examples, and folder organization
- Import/export files, app settings, and preferences
Note: when you scan or look up a word, the text of that query is transmitted for AI processing as described in section 3b below. The resulting definitions and examples are saved to the library on your device; in addition, an anonymous copy of the AI response (not linked to you or your library) may be cached on our proxy as described in section 3b.
3b. Text sent for AI processing
When you use the word scanner, lookup, or translation features, the text you scan or query is sent to a third-party AI service via a secure Cloudflare proxy, solely to generate a response. No name, account, or device identifier is attached to these requests, and our proxy never stores the text of your query as a readable cache key. The AI response is cached temporarily, as described below; for single-word lookups, that response naturally contains the word that was looked up. Longer scanned passages, sentence explanations, and full-text translations are never cached at all.
AI service used:
- DeepSeek — word definitions, OCR analysis, and translation (Privacy Policy)
International transfer to China: DeepSeek processes requests on servers located in the People's Republic of China, outside the European Economic Area. This is a systematic transfer that occurs each time you use these AI features — not an occasional transfer.
We rely on your explicit consent (GDPR Article 6(1)(a) and Article 49(1)(a)) for this transfer. By using AI lookup, scan, or translation features in the app, you consent to your queried text being sent to DeepSeek in China for processing. You can avoid this transfer by not using those features.
We attach no name, account, or device identifier to these requests. The content of the transferred text, however, is whatever you choose to scan or type — if you scan text that contains personal details (such as names, addresses, medical information, or private messages), those details will be sent for processing like any other query. Please avoid scanning text that contains personal or sensitive information. DeepSeek's handling of the request on its own servers is governed by its privacy policy linked above.
Caching: To reduce the number of requests sent to the service, AI responses to identical queries are cached on Cloudflare for up to 12 months. The cache key is a one-way content hash salted with a server-side secret, so the query text is not stored as a readable key and cannot be reconstructed or enumerated without that secret. Each cached entry contains the AI response text together with a one-way hashed IP marker of the request that created it (the same irreversible hashing described in section 3c), used only to avoid re-serving certain generated content to its original requester. No raw IP address, email, or other identity is stored in the cache.
3c. IP address (hashed)
To enforce daily usage limits and to record your interest vote (one vote per device), your IP address is processed as a one-way SHA-256 hash before being stored. The original IP address is never stored and cannot be recovered from the hash. IPv6 addresses are normalised to their /64 network prefix before hashing, so temporary privacy-extension addresses from the same device are treated as one.
Usage counters expire automatically after 25 hours. Vote records are kept until you cancel your vote.
3d. Anonymous usage analytics
The app uses PostHog to collect privacy-first usage signals that help us understand how features are used and where errors occur. Automatic app-lifecycle and screen-view capture are disabled. Events are limited to feature-usage signals — for example: app launched, scan started / completed / failed, word saved, import completed, folder created or renamed, study language selected, offline dictionary downloaded, and AI request failures (a generic error tag and which endpoint failed). Each event carries coarse technical context such as the app version, macOS version, and device model (e.g. "MacBook Pro"). Once per installation, the app also sends a single one-time "new install" signal — fired only once, ever, on a given Mac (remembered by a marker kept locally on your device and never sent to us) — so we can count how many distinct installations exist and roughly how many are brand-new versus returning. It contains no name, account, email, vocabulary, or scanned text; the only identifier attached is the one described for whichever mode is active (below). No vocabulary content, scanned text, or email address is ever sent. PostHog is based in the United States and processes these events on its U.S. servers. PostHog is configured to discard the sending IP address at ingestion; before it is discarded it is used only to derive country-level location statistics, never stored, and never used to profile you or to connect your usage to a real-world identity. See the PostHog Privacy Policy.
Analytics runs in one of two modes, controlled by the toggle in the app under Settings → About:
- Default (pseudonymous) — events from this Mac share a random identifier that is not linked to your name, email, or any account. This lets us count returning users and understand usage over time. Because events from the same install can be linked together, this identifier is treated as pseudonymous personal data under the GDPR.
- Fully anonymous (toggle off) — the random identifier is discarded and regenerated on every launch. No two launches can be linked to each other or to the install's earlier history, and nothing in the events identifies you or your device over time. The one-time "new install" signal described above is still sent (once, ever), but in this mode it too carries only a throwaway per-launch identifier, so it cannot be linked to your other activity — it contributes a single anonymous tally and nothing more. In this mode the events are anonymous statistics (for example, total launches per day and a one-time count of distinct installs), not personal data.
Turning the toggle off is how you exercise your right to object to analytics based on our legitimate interests (see section 9): the persistent identifier is dropped immediately, and only unlinkable anonymous counts continue to be sent.
3e. Crash reports
The app uses Sentry to automatically report crashes and certain non-fatal technical errors (for example, a failure to save your library file to disk). Reports contain the stack trace, app version, macOS version, and a short technical description of the problem. Such descriptions can include file-system paths; because a path may reveal your macOS account name, newer app versions redact the account-name portion of paths before sending. No vocabulary content or scanned text is included in reports. See the Sentry Privacy Policy.
3f. App update checks
The app uses Sparkle to check for updates. Your current app version and build number are sent to our update server to determine whether a newer version is available. No personal data is transmitted.
3g. Screen Recording permission
The word scanner requires macOS Screen Recording permission to capture on-screen text. Screenshots are processed instantly on-device by OCR and are never saved, uploaded, or shared.
4. How we use your data
- Email — to notify you about beta access only. No marketing or newsletters.
- Feedback — to read and improve Leafy.
- Translation suggestions and votes — to build community localizations for the app UI.
- Scanned text — to generate definitions and translations. Your query text is never stored as a readable cache key; AI responses are cached temporarily (see section 3b).
- Hashed IP — to enforce daily usage limits and deduplicate votes. Not used for tracking or profiling.
- Anonymous analytics (app) — to understand feature usage and detect errors. The persistent identifier is optional: switch the toggle off in Settings and events become fully anonymous and unlinkable (see section 3d).
- Website analytics — to see coarse traffic patterns (page views, referrers, rough visit counts). Not optional in the usual sense — no cookie or identifier is ever set, so there is nothing to turn off (see section 2e).
- Crash data — to fix bugs and improve stability.
5. Legal basis (GDPR)
- Beta signup email — your explicit consent (Article 6(1)(a) GDPR).
- Website feedback — legitimate interests (Article 6(1)(f) GDPR) in receiving and responding to user feedback, balanced against your rights because feedback is voluntary and we collect only what you submit.
- Community translation voting — legitimate interests (Article 6(1)(f) GDPR) in operating a community localization program and preventing abuse, balanced through IP hashing, rate limits, and data minimisation. You may object to this processing (see section 9).
- App AI features (DeepSeek) — your explicit consent (Article 6(1)(a) GDPR) for processing queried text and for transfer to China (Article 49(1)(a) GDPR). Do not use AI features if you do not consent.
- Hashed IP (app) — legitimate interests (Article 6(1)(f) GDPR) in preventing abuse of AI services and maintaining app stability, balanced through hashing and short retention. You may object (see section 9); note that objecting may limit use of rate-limited features.
- Anonymous analytics (app, PostHog) — legitimate interests (Article 6(1)(f) GDPR) in understanding how features are used and keeping the app reliable, balanced against your rights through data minimisation: no account, no name or email, no vocabulary or scanned text — only pseudonymous feature-usage events. You may object at any time by switching the toggle off in the app's Settings, which stops the pseudonymous identifier — remaining events are fully anonymous and no longer personal data (see sections 3d and 9).
- Website analytics (PostHog) — configured with no cookies, no persistent identifier, and no person profile (section 2e), so it does not process personal data and falls outside GDPR/ePrivacy consent requirements. To the extent your IP address is transiently used for country-level stats, that incidental processing relies on legitimate interests (Article 6(1)(f) GDPR) in understanding site traffic.
- Crash reports (Sentry) — legitimate interests (Article 6(1)(f) GDPR) in maintaining app stability.
International transfers (summary):
- DeepSeek (China) — explicit consent (section 3b).
- PostHog (United States) — app usage analytics based on legitimate interests, and cookie-free website analytics; no vocabulary or scanned text is transferred.
- Cloudflare (global edge, including EU and US) — website hosting, translation API, feedback storage and email delivery, and AI proxy caching.
- Sentry (EU) — crash reports processed within the EU.
You may withdraw consent at any time by contacting binjto@gmail.com, and you may object to analytics at any time by switching the analytics toggle off in the app's Settings (events then become fully anonymous and unlinkable, see section 3d). Withdrawing consent or objecting does not affect prior processing that was lawful at the time.
6. How long we keep your data
- Email (beta signup) — until the beta program concludes or you request deletion
- Feedback — in our database and inbox until we no longer need it for product improvement, or until you request deletion
- Translation suggestions — until incorporated into the app, removed by us, or no longer needed for the localization program
- Translation votes (hashed IP) — until you remove your vote or the related suggestion is deleted
- Translation rate-limit counters — per calendar day; not retained beyond the active day bucket
- Hashed IP usage counters (app) — 25 hours (automatic expiry)
- Hashed IP vote record (app) — until you cancel your vote
- AI response cache — up to 12 months
- Anonymous analytics (app) — event data is retained by PostHog for 1 year, then deleted automatically; aggregated and not tied to an identifiable person
- Website analytics — page-view events retained by PostHog for 1 year, then deleted automatically; never linked to an identifiable visitor in the first place (no cookie, no cross-page identifier)
- Crash reports — retained by Sentry for 90 days, then deleted automatically
7. Third-party services (website)
- Cloudflare — hosts this website, runs the community translation API, stores and delivers the feedback you submit (including the optional reply email address), and caches AI responses for the macOS app. See the Cloudflare Privacy Policy.
- PostHog — cookie-free website analytics (section 2e). See the PostHog Privacy Policy.
Most website JavaScript is self-hosted on our domain. The one exception is the PostHog analytics script described in section 2e, loaded from PostHog's own domain.
8. Children
Leafy is not directed at children under 13. We do not knowingly collect personal data from anyone under 13. If you are between 13 and the age of digital consent in your country (up to 16 in some regions), you should use Leafy only with the consent of a parent or legal guardian. If you believe we have received data from a child, contact us and we will delete it promptly. See also our Terms of Service.
9. Your rights (GDPR / UK GDPR)
If you are in the EU, EEA, or UK, you have the right to:
- Access — request a copy of the data we hold about you
- Rectification — request correction of inaccurate data
- Erasure — request deletion of your data
- Restriction — request that we limit how we use your data
- Portability — request your data in a portable format (where applicable)
- Withdraw consent — at any time, without affecting prior lawful processing
- Object — object to processing based on legitimate interests (Article 21 GDPR), including usage analytics (switch the toggle off in the app's Settings; the pseudonymous identifier stops immediately and remaining events are fully anonymous, see section 3d), community translation voting, and hashed-IP abuse prevention. We will stop unless we demonstrate compelling grounds that override your interests.
- Lodge a complaint — with your local data protection supervisory authority. A list of EU authorities is at edpb.europa.eu. UK residents may contact the ICO.
To exercise any of these rights, email binjto@gmail.com. We will respond within 30 days.
Please note: because IP addresses are stored only as irreversible hashes, we cannot identify or retrieve data associated with a specific IP address or browser session. These rights apply most directly to data you have explicitly provided to us, such as your email address or translation suggestion text you can identify.
10. California residents (CCPA / CPRA)
If you are a California resident, you have additional rights under the California Consumer Privacy Act:
- We do not sell your personal information and we do not share it for cross-context behavioural advertising.
- Right to know — what personal information we collect and how we use it (this policy describes that).
- Right to delete — request deletion of personal information we hold about you, subject to legal exceptions.
- Right to correct — request correction of inaccurate personal information.
- Right to non-discrimination — we will not discriminate against you for exercising these rights.
To submit a request, email binjto@gmail.com. We will verify and respond as required by law.
11. Changes to this policy
If we make significant changes, we will update the "Last updated" date at the top of this page.
12. Contact
Questions or concerns? Email us at binjto@gmail.com.