1. What Data We Collect
CrokyLingo collects only the data needed to provide its language learning features.
| Data type | Examples | Why collected |
|---|---|---|
| Account data | Username, email address, bcrypt-hashed password | Authentication and account management |
| Vocabulary data | Words you add, their translations, mastery level | Flashcard and learning features |
| Grammar progress | Exercise scores, topic, date completed | Progress tracking and statistics |
| Practice history | Daily practice count, streaks | Statistics and gamification |
| Preferences | Target language, push notification settings | Personalisation |
| Session data | JWT token stored in an HttpOnly cookie (24-hour expiry) | Keeping you logged in |
Passwords are always stored as bcrypt hashes (12 salt rounds). Plaintext passwords are never written to the database or logs.
2. Where Your Data is Stored
All data is stored in a database on CrokyLingo’s server. Your data is not sold or shared with any third parties beyond the optional services described in Section 3.
CrokyLingo is hosted on European servers. The hosting provider has physical access to the server hardware, subject to their own privacy policy and applicable EU law.
3. Third-Party Services
Google Analytics
CrokyLingo uses Google Analytics to collect anonymised usage data (e.g., pages visited, session duration, general location by country). This data helps us understand how the App is used and improve it. Google Analytics may set cookies and collect your IP address (anonymised before storage). See Google’s Privacy Policy. You can opt out using the Google Analytics opt-out browser add-on.
Google AdSense
CrokyLingo may display advertisements served by Google AdSense. Google AdSense uses cookies to serve ads that may be relevant to you based on your browsing activity. No personally identifiable information from your CrokyLingo account (username, email, vocabulary) is shared with Google AdSense. See Google’s Privacy Policy. You can manage ad personalisation via Google’s Ad Settings.
The following additional services are optional features. If they are not enabled, no data is ever sent to them.
Anthropic Claude API (AI features)
When AI story and word generation is enabled, the server sends a prompt (containing the target language and, for stories, a sample word list) to the Anthropic API. No usernames, email addresses, or passwords are included in these requests. Anthropic processes the prompt and returns generated text. See Anthropic’s Privacy Policy.
MyMemory Translation API
When a translation suggestion is requested, the word being translated is sent to MyMemory’s API. No account information is included. See MyMemory’s Privacy Policy.
Forvo
CrokyLingo may display a link to Forvo.com for pronunciation examples. Clicking the link opens Forvo in a new tab; CrokyLingo itself does not send any data to Forvo. Once you are on Forvo’s site, Forvo’s Privacy Policy applies.
Push notifications (Web Push)
If you enable push notifications, your browser generates a push subscription token that is stored in the database. This token is used by the server to send you reminder notifications. It is not shared with any third party. You can disable push notifications at any time in Account Settings.
4. Server Logs
Like any web application, CrokyLingo and its host web server may produce logs that include IP addresses, timestamps, and HTTP request paths. These logs are used for diagnosing errors and detecting abuse.
Logs are stored on our server and are not shared with third parties. Logs are retained for a limited period and then deleted.
5. Data Sharing
CrokyLingo does not sell, rent, or share your personal data with any third party, except as described in Section 3 (optional external services, only when enabled).
CrokyLingo uses Google Analytics for anonymised usage statistics and may display Google AdSense advertisements. No vocabulary, progress, or account data is shared with these services. There is no other third-party tracking or telemetry.
6. Data Retention
Your data is retained for as long as you have an account with CrokyLingo. If you would like your account and all associated data deleted, contact us at info@crokylingo.com.
7. Your Rights
You have the right to:
- Access the data held about you (your words, progress, and account details).
- Correct inaccurate data via the Account Settings page.
- Delete your account and all associated data — email us at info@crokylingo.com.
- Object to the use of optional external services — contact us at info@crokylingo.com.
Depending on your country, additional rights (e.g., under GDPR) may apply. CrokyLingo is responsible for complying with applicable data protection law.
8. Security Measures
CrokyLingo includes the following security measures as standard:
- Passwords hashed with bcrypt (12 salt rounds).
- Authentication via JWT tokens in HttpOnly cookies (not accessible to JavaScript).
- CSRF protection on all state-changing requests.
- Rate limiting on login and API endpoints.
- HTTP security headers (via Helmet).
- HTTPS enforced in production (HTTP redirected to HTTPS).
No system is perfectly secure. We are committed to keeping our server and software up to date.
9. Cookies & Local Storage
CrokyLingo uses one HTTP cookie and browser localStorage to keep you logged in and remember your preferences. There are no tracking, advertising, or analytics cookies.
HTTP Cookie
| Name | Purpose | Expiry | HttpOnly | Secure | SameSite |
|---|---|---|---|---|---|
crokylingo_token |
JWT authentication token — keeps you logged in between page loads | 24 hours | Yes (JS cannot read it) | Yes (HTTPS only in production) | Strict |
This cookie is strictly necessary for the app to function. It is cleared when you log out or when it expires after 24 hours.
localStorage (browser-only — never sent to the server)
The following keys are stored locally in your browser and never transmitted to the server. They survive browser restarts until you clear your browser data or uninstall the PWA.
| Key | Purpose | Cleared when |
|---|---|---|
theme |
Colour theme preference (light or dark) |
You change the theme or clear browser storage |
croky_visits |
Login visit counter — used to time the PWA install prompt | Browser storage cleared |
croky_install_prompted |
Flag: the PWA install prompt has been shown once | Browser storage cleared |
croky_notif_prompted |
Flag: the push-notification opt-in has been shown | Browser storage cleared |
croky_push_denied |
Flag: you declined push notifications | Browser storage cleared |
croky_notif_never_ask |
Flag: you chose never to be prompted about push notifications again | Browser storage cleared |
croky_notif_reprompt_date |
ISO date of the last push-notification re-prompt (7-day cooldown) | Browser storage cleared |
tutorial_seen_{userId} |
Flag: you have completed the onboarding tutorial | Browser storage cleared |
croky_levelup_dismissed_{level} |
Flag: you dismissed the level-up congratulations card | Automatically removed when you advance to the next CEFR level |
croky_wod_{userId}_{language} |
Today’s “Word of the Day” selection (up to 2 words, stable for the day) | Automatically replaced the next calendar day |
All localStorage values are preference flags — no passwords, no vocabulary, no personal data. You can clear them at any time via your browser’s developer tools (Application → Storage → Clear site data).
10. Contact
For any privacy questions, data requests, or concerns, contact us: info@crokylingo.com