Your privacy matters. Below is what we collect, why, how long we keep it, and what you can do about it. This policy applies together with our Terms of Service.
1. Who is responsible for your data?
Data controller: Jtobin (individual developer), operating Leafy.
Official website: https://leafyapp.uk
Contact: binjto@gmail.com
For privacy-related questions, data-subject requests, or complaints, use the email above.
2. Data collected on this website
2a. Beta signup form
When you submit the beta signup form, we collect:
- Your email address — to notify you about beta access
- An optional message — if you choose to write one
Submissions are transmitted to us through EmailJS. EmailJS may process your IP address and submission metadata as part of delivery. See section 7.
2b. Website feedback form
When you send feedback from the homepage, we collect:
- Your feedback text
Feedback is also delivered through EmailJS. We do not require your email for feedback, but EmailJS may still process connection metadata (including IP address) when the form is submitted.
2c. Community translation voting ("Translate")
When you use Translate to suggest or vote on app UI translations, we collect:
- Translation suggestion text you submit
- A one-way hash of your IP address — to prevent duplicate votes and enforce daily rate limits (same hashing approach as section 3c)
- Vote records linking your hash to the suggestion you voted for
This data is stored in a D1 database hosted by Cloudflare. English source strings are also stored there for the voting UI. We do not ask for your name or email on this page.
When you load or interact with the Translate page, your browser sends requests to our Cloudflare Worker API. Cloudflare may process connection metadata (including IP address) as part of hosting and security.
2d. Browser storage on the website
We do not use advertising cookies or analytics trackers on this website. We use browser localStorage only to:
- Remember that you dismissed the privacy notice
- Limit duplicate beta signups and feedback submissions (max 2 per browser per day)
This data stays on your device and is not transmitted to us.
All website scripts (including animation libraries and form helpers) are served from our own domain — we do not load JavaScript from third-party CDNs on page load.
3. Data collected by the macOS app
3a. Local storage — stays on your device
All of the following is stored only on your Mac. Leafy has no user accounts and no sync server, so your library is never uploaded to or kept on any server as stored data:
- Your vocabulary list, definitions, examples, and folder organization
- Import/export files, app settings, and preferences
Note: when you scan or look up a word, the text of that query is transmitted for AI processing as described in section 3b below. The resulting definitions and examples are then stored only on your device.
3b. Text sent for AI processing
When you use the word scanner, lookup, or translation features, the text you scan or query is sent to a third-party AI service via a secure Cloudflare proxy, solely to generate a response. No name, account, or device identifier is attached to these requests, and our proxy does not store the text of your query in readable form. The AI response (not your query text) is cached temporarily, as described below.
AI service used:
- DeepSeek — word definitions, OCR analysis, and translation (Privacy Policy)
International transfer to China: DeepSeek processes requests on servers located in the People's Republic of China, outside the European Economic Area. This is a systematic transfer that occurs each time you use these AI features — not an occasional transfer.
We rely on your explicit consent (GDPR Article 6(1)(a) and Article 49(1)(a)) for this transfer. By using AI lookup, scan, or translation features in the app, you consent to your queried text being sent to DeepSeek in China for processing. You can avoid this transfer by not using those features. Where applicable, we also rely on the European Commission's Standard Contractual Clauses as an additional safeguard for international transfers.
The transferred text contains no name, account, or device identifier. DeepSeek's handling of the request on its own servers is governed by its privacy policy linked above.
Caching: To reduce the number of requests sent to the service, AI responses to identical queries are cached on Cloudflare for up to 12 months. The cache key is a one-way content hash, so the query text itself is not stored as a readable key. Each cached entry contains the AI response text together with a one-way hashed IP marker of the request that created it (the same irreversible hashing described in section 3c), used only to avoid re-serving certain generated content to its original requester. No raw IP address, email, or other identity is stored in the cache.
3c. IP address (hashed)
To enforce daily usage limits and to record your interest vote (one vote per device), your IP address is processed as a one-way SHA-256 hash before being stored. The original IP address is never stored and cannot be recovered from the hash. IPv6 addresses are normalised to their /64 network prefix before hashing, so temporary privacy-extension addresses from the same device are treated as one.
Usage counters expire automatically after 25 hours. Vote records are kept until you cancel your vote.
3d. Anonymous usage analytics
The app uses PostHog to collect privacy-first, anonymous usage signals that help us understand how features are used and where errors occur. Automatic app-lifecycle and screen-view capture are disabled; only the specific events listed below are ever sent, and PostHog does not collect data that identifies you personally. Signals are limited to anonymous events such as: app launched, a scan started, a scan completed or failed, a word saved, an import completed, a folder created, and AI request failures (including a generic error tag and which endpoint failed). No vocabulary content, scanned text, or email address is ever sent. PostHog is based in the United States and processes these events on its U.S. servers. As with any network request, your device's IP address is visible to PostHog when the event is sent and may be used for coarse, country-level location statistics. See the PostHog Privacy Policy.
This is entirely optional. You can turn anonymous analytics off at any time in the app under Settings → About; when turned off, no signals are sent at all.
3e. Crash reports
The app uses Sentry to automatically report crashes. When a crash occurs, Sentry receives the crash stack trace, app version, and macOS version. No vocabulary content, scanned text, or personal identifiers are included in crash reports. See the Sentry Privacy Policy.
3f. App update checks
The app uses Sparkle to check for updates. Your current app version and build number are sent to our update server to determine whether a newer version is available. No personal data is transmitted.
3g. Screen Recording permission
The word scanner requires macOS Screen Recording permission to capture on-screen text. Screenshots are processed instantly on-device by OCR and are never saved, uploaded, or shared.
4. How we use your data
- Email — to notify you about beta access only. No marketing or newsletters.
- Feedback — to read and improve Leafy.
- Translation suggestions and votes — to build community localizations for the app UI.
- Scanned text — to generate definitions and translations. Your query text is not stored by our proxy; AI responses are cached temporarily (see section 3b).
- Hashed IP — to enforce daily usage limits and deduplicate votes. Not used for tracking or profiling.
- Anonymous analytics — to understand feature usage and detect errors. Optional; can be turned off in Settings.
- Crash data — to fix bugs and improve stability.
5. Legal basis (GDPR)
- Beta signup email — your explicit consent (Article 6(1)(a) GDPR).
- Website feedback — legitimate interests (Article 6(1)(f) GDPR) in receiving and responding to user feedback, balanced against your rights because feedback is voluntary and we collect only what you submit.
- Community translation voting — legitimate interests (Article 6(1)(f) GDPR) in operating a community localization program and preventing abuse, balanced through IP hashing, rate limits, and data minimisation. You may object to this processing (see section 9).
- App AI features (DeepSeek) — your explicit consent (Article 6(1)(a) GDPR) for processing queried text and for transfer to China (Article 49(1)(a) GDPR). Do not use AI features if you do not consent.
- Hashed IP (app) — legitimate interests (Article 6(1)(f) GDPR) in preventing abuse of AI services and maintaining app stability, balanced through hashing and short retention. You may object (see section 9); note that objecting may limit use of rate-limited features.
- Anonymous analytics (PostHog) — legitimate interests (Article 6(1)(f) GDPR) in understanding how features are used and keeping the app reliable, balanced against your rights through data minimisation: no account, no name or email, no vocabulary or scanned text — only pseudonymous feature-usage events. You may object at any time by turning off analytics in the app's Settings (see section 9).
- Crash reports (Sentry) — legitimate interests (Article 6(1)(f) GDPR) in maintaining app stability.
International transfers (summary):
- DeepSeek (China) — explicit consent; SCCs where applicable (section 3b).
- PostHog (United States) — anonymous usage analytics based on legitimate interests; no vocabulary or scanned text is transferred.
- EmailJS (United States) — consent for beta signup; legitimate interests for feedback delivery.
- Cloudflare (global edge, including EU and US) — website hosting, translation API, and AI proxy caching.
- Sentry (EU) — crash reports processed within the EU.
You may withdraw consent at any time by contacting binjto@gmail.com, and you may object to analytics at any time by turning it off in the app's Settings. Withdrawing consent or objecting does not affect prior processing that was lawful at the time.
6. How long we keep your data
- Email (beta signup) — until the beta program concludes or you request deletion
- Feedback (via EmailJS) — in our inbox until we no longer need it for product improvement, or until you request deletion
- Translation suggestions — until incorporated into the app, removed by us, or no longer needed for the localization program
- Translation votes (hashed IP) — until you remove your vote or the related suggestion is deleted
- Translation rate-limit counters — per calendar day; not retained beyond the active day bucket
- Hashed IP usage counters (app) — 25 hours (automatic expiry)
- Hashed IP vote record (app) — until you cancel your vote
- AI response cache — up to 12 months
- Anonymous analytics — per PostHog's retention policy; aggregated and not tied to an identifiable person
- Crash reports — per Sentry's retention policy (90 days by default)
7. Third-party services (website)
- Cloudflare — hosts this website, runs the community translation API, stores and delivers the feedback you submit (including the optional reply email address), and caches AI responses for the macOS app. See the Cloudflare Privacy Policy.
Website JavaScript libraries are self-hosted on our domain. We do not load scripts from third-party CDNs when you visit our pages.
8. Children
Leafy is not directed at children under 13. We do not knowingly collect personal data from anyone under 13. If you are between 13 and the age of digital consent in your country (up to 16 in some regions), you should use Leafy only with the consent of a parent or legal guardian. If you believe we have received data from a child, contact us and we will delete it promptly. See also our Terms of Service.
9. Your rights (GDPR / UK GDPR)
If you are in the EU, EEA, or UK, you have the right to:
- Access — request a copy of the data we hold about you
- Rectification — request correction of inaccurate data
- Erasure — request deletion of your data
- Restriction — request that we limit how we use your data
- Portability — request your data in a portable format (where applicable)
- Withdraw consent — at any time, without affecting prior lawful processing
- Object — object to processing based on legitimate interests (Article 21 GDPR), including anonymous usage analytics (turn it off in the app's Settings), community translation voting, and hashed-IP abuse prevention. We will stop unless we demonstrate compelling grounds that override your interests.
- Lodge a complaint — with your local data protection supervisory authority. A list of EU authorities is at edpb.europa.eu. UK residents may contact the ICO.
To exercise any of these rights, email binjto@gmail.com. We will respond within 30 days.
Please note: because IP addresses are stored only as irreversible hashes, we cannot identify or retrieve data associated with a specific IP address or browser session. These rights apply most directly to data you have explicitly provided to us, such as your email address or translation suggestion text you can identify.
10. California residents (CCPA / CPRA)
If you are a California resident, you have additional rights under the California Consumer Privacy Act:
- We do not sell your personal information and we do not share it for cross-context behavioural advertising.
- Right to know — what personal information we collect and how we use it (this policy describes that).
- Right to delete — request deletion of personal information we hold about you, subject to legal exceptions.
- Right to correct — request correction of inaccurate personal information.
- Right to non-discrimination — we will not discriminate against you for exercising these rights.
To submit a request, email binjto@gmail.com. We will verify and respond as required by law.
11. Changes to this policy
If we make significant changes, we will update the "Last updated" date at the top of this page.
12. Contact
Questions or concerns? Email us at binjto@gmail.com.