Wortodo

Privacy policy

Last updated: 25 May 2026. The legally binding version is the German one.

1. Controller

Beshoy Khalil
Cornelius-Fredericks-Str. 48F, 13351 Berlin, Germany
Email: info@wortodo.de

This policy applies both to the website wortodo.de and to the Wortschatz mobile app (the "app"). The provider and controller is Beshoy Khalil; the app is published in the app stores under the developer name "Wortodo".

2. What this website collects

This website is served via Cloudflare Pages. Technically necessary data is recorded in log files when you visit:

This data is used solely to operate the website securely (defending against attacks, debugging) and is not combined with other data. Legal basis is Art. 6 (1) (f) GDPR; the legitimate interest is providing a functional website that is protected against abuse. On balance, the rights and interests of users do not override this interest, since only technical connection data is processed briefly and without further analysis.

Cloudflare deletes the logs automatically according to its current retention policy. The default retention for Cloudflare Pages access logs is a few days (typically up to 7 days); aggregate security events may be retained for longer.

We do not set cookies and we do not use analytics tools. No tracking, no profiling, no third-party scripts, no advertising tags. No automated decision-making within the meaning of Art. 22 GDPR takes place.

Note on the Android beta: The "Join the beta" button is purely a link to a Google Group and to Google Play, both operated by Google. Only if you voluntarily join the tester group does Google process your email address to register you as a tester; we process your email address as controller to administer the closed test. The legal basis is your consent under Art. 6 (1) (a) GDPR, given by joining and withdrawable at any time by leaving the group. This website itself collects no data through the link.

Providing this data is neither legally nor contractually required. Without the transmission of the technical connection data listed above, however, the website cannot be delivered to your browser.

3. Local storage (localStorage)

This website stores a single entry in your browser's local storage (localStorage) under the key wortodo-theme. It records only your choice of color scheme (light / dark) so it persists between visits.

This entry contains no personal data, stays in your browser, and is never transmitted to our servers or to third parties. You can delete it at any time via your browser settings. Legal basis is Art. 6 (1) (f) GDPR (legitimate interest in a comfortable interface); in our view no consent is required under § 25 (2) no. 2 TDDDG (the German telecommunications and digital-services data-protection act, formerly TTDSG) for this strictly necessary preference.

4. What the Wortschatz app collects

The app uses two services provided by Google LLC / Google Ireland Ltd. (Firebase) for stability and aggregate usage analysis: Firebase Crashlytics (crash reports) and Firebase Analytics (event telemetry). Your learning progress and vocabulary content still remain exclusively on your device; only the event and crash data listed below is transmitted.

In detail:

Legal bases. The processing of crash and diagnostic data via Firebase Crashlytics is based on our legitimate interest under Art. 6 (1) (f) GDPR in operating a functional, debuggable app; you can exercise your right to object under Art. 21 GDPR at any time via the "Telemetry" toggle. The processing of usage events via Firebase Analytics is based additionally on your consent under Art. 6 (1) (a) GDPR — which you give by leaving the "Telemetry" toggle enabled — together with our legitimate interest under Art. 6 (1) (f) GDPR in improving the app.

§ 25 TDDDG. The Firebase Installation ID is stored on, and read from, your terminal device as a persistent identifier. We rely on your consent expressed via the "Telemetry" toggle within the meaning of § 25 (1) TDDDG (the German implementation of the ePrivacy Directive). We do not invoke the "strictly necessary" exemption under § 25 (2) no. 2 TDDDG.

5. Data sources and in-app content

The words shown in the app are drawn from the frequency lists of the Wortschatz Leipzig corpora of Leipzig University, licensed under Creative Commons Attribution 4.0 International (CC BY 4.0).

Example sentences and English translations were generated once during content production using the Anthropic Claude API and are subsequently shipped statically inside the app. During use of the app there is no data exchange with Anthropic or any other AI provider — all content is materialised into a local database at build time and delivered with the app.

6. Your rights

At any time you have the right to:

To exercise these rights, an informal email to info@wortodo.de is enough. The fastest way to stop further processing of your data is the in-app "Telemetry" toggle (see section 4); switching it off stops any further event or crash transmission immediately.

For erasure or access requests concerning the Firebase data described in section 4, we need the Firebase Installation ID of your specific app install (visible inside the app under Settings → About). Once you have provided it, we file a deletion request with Google via the Firebase DSR tooling.

Because we operate no user account and keep no server-side session history of our own, this opaque ID is the only way we can single out a specific installation. If you cannot provide it — for example because you have already uninstalled the app — under Art. 11 GDPR we are not obliged to maintain additional information for the sole purpose of identifying you, and under Art. 12 (2) sentence 2 GDPR we will inform you accordingly. Practical alternatives are: (a) switch the in-app "Telemetry" toggle off, which immediately stops any further transmission; (b) uninstall and reinstall the app, which generates a fresh Installation ID and orphans the old one; or (c) wait for the retention windows in section 4 to elapse, after which Google purges the data automatically.

The supervisory authority responsible for our seat is the Berliner Beauftragte für Datenschutz und Informationsfreiheit, Friedrichstr. 219, 10969 Berlin, Germany, www.datenschutz-berlin.de. You may also contact the supervisory authority responsible for your habitual residence.

7. Third-party services and international transfers

This website is delivered via Cloudflare Pages, operated by Cloudflare, Inc., 101 Townsend St, San Francisco, CA 94107, USA. Cloudflare processes technical connection data on our behalf as a processor under Art. 28 GDPR.

Within Cloudflare's global infrastructure, personal data may be transferred to third countries, in particular the United States. To our knowledge Cloudflare is certified under the EU-US Data Privacy Framework; in addition, Cloudflare offers Standard Contractual Clauses pursuant to Art. 46 (2) (c) GDPR, which our transfer relies on. Details are set out in Cloudflare's privacy policy and in its Data Processing Addendum.

The app additionally uses Firebase Crashlytics and Firebase Analytics, operated by Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA, with an EU representative: Google Ireland Ltd., Gordon House, Barrow Street, Dublin 4, Ireland. Google processes the data described in section 4 as a processor under Art. 28 GDPR; the processing is governed by the Firebase Data Processing and Security Terms.

Within the Firebase infrastructure, personal data may be transferred to third countries, in particular the United States. To our knowledge Google is certified under the EU-US Data Privacy Framework; in addition, Standard Contractual Clauses under Art. 46 (2) (c) GDPR apply, on which the transfer relies. Further detail on Google's data processing is available in Firebase's privacy and security documentation.

Beyond that, we use no other third-party services — no Google Analytics on the website, no Meta pixel, no external fonts from Google Fonts, no ad networks, no CDN-loaded scripts.

8. Security

The website is served exclusively over HTTPS (TLS). The app stores its learning content locally in an SQLCipher-encrypted SQLite database on your device. All transmissions to Firebase (see section 4) are encrypted over HTTPS / TLS.

9. Children

The app and this website are not directed at children under 16. We do not knowingly collect personal data from children under 16; the telemetry described in section 4 can be disabled at any time via the "Telemetry" toggle. If a child nevertheless contacts us by email, we retain that message only as long as is needed to answer the request and delete it afterwards.

10. No automated decision-making

The app carries out no automated decision-making within the meaning of Art. 22 GDPR — including profiling — that produces legal effects on you or similarly significantly affects you. The selection of the three daily words is computed deterministically and entirely on your device based on your chosen CEFR level, your prior word markings, and the current local-time slot. No further profile leaves your device.

11. Changes to this policy

We may update this policy to reflect changes in law or in the website / app. The current version is always available at this URL. Material changes are reflected by an updated "Last updated" date.