Legal

Privacy Policy

Last updated: May 27, 2026

1. Scope and controller

This Privacy Policy explains how Orvoca processes personal information for the Orvoca web console, Chrome extension, mobile app, APIs, customer support, email, and notification services. It is prepared for compliance with the Personal Information Protection Act of Korea and related rules.

Privacy contact: privacy@orbitvocab.app. General support: support@orbitvocab.app.

2. Personal information we process

Orvoca processes the following information only as needed to provide the Service.

  • Account information — email address, display name or nickname, authentication provider, Firebase authentication identifier, email verification status, and session tokens stored on your device.
  • Vocabulary and capture data — words, phrases, normalized forms, language guesses, optional surrounding sentence context, review state, review results, deletion state, and timestamps.
  • Extension data — allowed host settings, capture trigger settings, selected text or phrase, optional sentence context, local retry queue metadata, and the active page URL or hostname needed to verify the site you enabled.
  • Device and notification data — push subscription endpoint, p256dh key, push auth key, FCM token, device type, app-generated device id, notification settings, timezone, quiet hours, and notification open events.
  • Email and marketing preference data — email address, email delivery logs, unsubscribe status, lifecycle email settings, and marketing email or push preference.
  • Service usage and attribution data — product events such as first capture or first review, last active timestamp, UTM source, UTM medium, UTM campaign, referral code, referring user id if applicable, and aggregated marketing events.
  • Support and error report data — error code, endpoint, product view, optional memo submitted by you, diagnostic metadata, and related email records.

3. Information we do not intentionally collect

  • Full browsing history or full page content.
  • Keystrokes or clipboard contents beyond a word, phrase, or short context that you explicitly capture or allow through enabled capture triggers.
  • Precise location data, advertising IDs, payment card numbers, or government IDs.
  • Data from websites where you have not granted extension host permission.

4. Purposes of processing

  • Creating, verifying, securing, and maintaining your account.
  • Saving, syncing, reviewing, restoring, and deleting vocabulary records.
  • Detecting language, normalizing words, and enriching approved vocabulary.
  • Operating extension capture, local retry, and allowed-site controls.
  • Sending transactional emails, service notices, review reminders, and opt-in updates.
  • Providing push notifications only where permission and settings allow it.
  • Handling support requests, error reports, abuse prevention, and service reliability.
  • Measuring aggregated acquisition and activation performance.
  • Complying with legal obligations and enforcing the Terms of Service.

Orvoca does not sell personal information or share it with third parties for their own advertising.

5. Chrome extension permissions

The Orvoca Chrome extension requests these permissions:

  • contextMenus — to add a capture option to the right-click menu.
  • storage — to store your token, settings, allowed hosts, and pending capture queue locally.
  • alarms — to retry pending captures when network or login state recovers.
  • activeTab — to identify the current tab when you allow capture on a site.
  • scripting — to register bundled content scripts on allowed sites and show a small success or error toast.
  • Host permissions — requested only for websites you explicitly allow.

The extension does not load remotely hosted code. It sends only the selected word or phrase, optional sentence context, and limited sync metadata to the Orvoca API.

6. Service providers and international transfer

Orvoca uses service providers to operate the Service. Personal information may be stored or processed outside Korea where these providers operate infrastructure. Where the transfer is necessary to provide the Service, Orvoca discloses the relevant matters in this Policy.

  • Cloudflare — API hosting, D1 database storage, security, and traffic delivery. Main processed data: account id, vocabulary data, settings, events, push subscription records, email logs, and error reports. Retention follows the periods in this Policy unless earlier deleted.
  • Google Firebase Authentication — authentication, session token issuance, password reset, email verification, Google sign-in, and Apple sign-in integration.
  • Resend — transactional and opt-in lifecycle email delivery, delivery identifiers, bounce or complaint handling, and unsubscribe headers.
  • Sentry — application error monitoring and diagnostic reports. Orvoca limits diagnostic payloads where practical.
  • Push platform providers — browser push services, Firebase Cloud Messaging, Apple Push Notification service, Mozilla push service, and similar platform push infrastructure used to deliver notifications.
  • Dictionary and translation providers — FreeDictionary, Wiktionary, Jisho, and MyMemory may receive the word or phrase and language pair required for definition lookup. Orvoca does not send your account id to these providers for lookup.

7. Retention and deletion

  • Account, vocabulary, capture, review, settings, sync, push, attribution, and email preference records are retained while your account is active.
  • Email logs, security logs, support records, and error reports are retained only as long as needed for delivery evidence, abuse prevention, dispute handling, and service reliability, unless a longer period is required by law.
  • Local extension queue data remains on your device until synced, deleted, or the extension storage is cleared.
  • Account deletion permanently removes your Orvoca database records linked to the account, subject to records that must be retained by law or for legitimate dispute and security purposes.

You can delete your account from Settings or request deletion by emailing privacy@orbitvocab.app.

8. Your rights

You may request access, correction, deletion, suspension of processing, withdrawal of consent, and explanation of processing by contacting Orvoca. You may also update or delete many records directly in the Service. Orvoca may verify your identity before processing a request and may decline a request where retention is required by law.

9. Marketing communications

Orvoca sends marketing email or marketing push notifications only where you have opted in or where applicable law allows the message. You may opt out at any time through settings, an unsubscribe link, or by contacting Orvoca. Transactional messages such as verification, password reset, security, and account deletion notices may still be sent where necessary.

10. Security measures

Orvoca uses HTTPS in transit, provider-managed access control, database access restrictions, authentication checks, input validation, rate limiting, push endpoint allowlists, and operational monitoring. No online service can guarantee perfect security.

11. Children

Orvoca is not directed to children under 14 in Korea or under 13 in other jurisdictions. Orvoca does not knowingly collect personal information from children in those age groups.

12. Changes to this Policy

Orvoca may update this Policy as the Service, law, or providers change. Material changes will be announced through the Service, website, or email where appropriate.

13. Contact

Questions, privacy requests, or complaints may be sent to privacy@orbitvocab.app.