Privacy Policy
Last updated: 3 May 2026
This Privacy Policy explains how Gradiente Ltd ("we", "us") collects, uses, and protects personal data when you use the Verso mobile application and related services (the "Service"). We are the data controller for the personal data described below.
1. Information we collect
1.1 Account information
- Email address and password when you create an account with email/password (the password is stored as a salted bcrypt hash; we never see or store the plaintext).
- Name you provide on signup.
- OAuth identifiers from Sign in with Google or Sign in with Apple (the provider's stable subject ID and the email address you authorise the provider to share). We do not receive your provider password.
1.2 Content you create
- Decks and flashcards you create (questions, answers, multiple-choice options, deck names).
- PDF files you upload for AI-assisted card generation. These files are sent to our AI provider (OpenAI) to generate cards and are not retained by us after processing.
1.3 Usage and progress data
- Study activity (cards reviewed, correct/incorrect answers, session timestamps).
- Gamification state (XP, level, streak counts, daily goal progress).
- Onboarding answers (study goal, pain points, preference answers) you provide during the onboarding flow.
1.4 Device data
- Push notification tokens if you enable quiz reminder notifications, so we can send scheduled reminders.
- Basic request metadata (IP address, request timestamp, user agent) recorded in server logs for security and abuse-prevention purposes. These logs are retained for up to 30 days.
We do not collect precise location, contacts, photos (other than files you explicitly upload), advertising identifiers, or data from third-party tracking SDKs.
2. How we use your data
- To provide the Service: authenticate you, store your decks, sync study progress, run the gamification system, and send the notifications you've opted in to.
- To process PDFs into flashcards via our AI provider when you use the AI generation feature.
- To send transactional emails such as password reset links.
- To detect abuse and protect the integrity of the Service (e.g. rate limiting).
We do not sell your personal data, and we do not use it for advertising or behavioural profiling.
3. Legal bases (UK / EU users)
- Performance of a contract — to provide the Service you signed up for.
- Legitimate interests — to keep the Service secure, prevent abuse, and improve reliability.
- Consent — for push notifications (you can revoke at any time in your device settings).
- Legal obligation — where we must retain or disclose data to comply with applicable law.
4. Sharing with third parties
We share personal data only with the following service providers ("processors"), and only as needed to operate the Service:
- OpenAI — when you use AI-assisted card generation, the contents of the PDF are sent to OpenAI for processing. OpenAI's terms apply to that processing.
- Amazon Web Services (SES) — to deliver transactional emails (e.g. password reset).
- Apple and Google — when you sign in with their providers, and Apple Push Notification Service / Firebase Cloud Messaging when you receive notifications.
- Hosting infrastructure operated by Gradiente Ltd on commercial cloud servers.
We do not sell or rent your personal data. We may disclose data to comply with a legal request, court order, or to protect our rights, users, or the public.
5. International transfers
Some of our processors (notably OpenAI and AWS) operate in or transfer data to the United States. Where applicable, transfers are governed by Standard Contractual Clauses or equivalent safeguards.
6. Data retention
- Account data is retained for as long as your account is active.
- If you delete your account, we delete your account data and content within 30 days, except where we are required by law to retain limited records.
- Server logs are retained for up to 30 days for security and operational purposes.
- Password reset tokens are stored only as a SHA-256 hash and expire after one hour.
7. Security
We use industry-standard measures including TLS in transit, bcrypt for password hashing, JWTs for session tokens, hashed (not plaintext) password reset tokens, and access controls on our infrastructure. No system is perfectly secure; please use a strong, unique password and keep your device protected.
8. Your rights
Depending on your jurisdiction (UK GDPR, EU GDPR, California CCPA/CPRA, and others), you may have the right to:
- Access the personal data we hold about you.
- Correct inaccurate data.
- Delete your account and associated data (the app provides an in-app delete option in Settings).
- Export your data in a portable format.
- Object to or restrict certain processing.
- Lodge a complaint with your local data protection authority (in the UK: the Information Commissioner's Office, ico.org.uk).
To exercise any of these rights, email luis@gradiente.dev. We aim to respond within 30 days.
9. Children
Verso is not directed at children under 13, and we do not knowingly collect personal data from children under 13. If you believe a child has provided us with personal data, contact us and we will delete it.
10. Changes to this policy
We may update this Privacy Policy from time to time. Material changes will be communicated in-app or by email. The "Last updated" date at the top of this page indicates the latest revision.
11. Contact
Gradiente Ltd
1 Transom Close, London SE16 7FH, United Kingdom
Email: luis@gradiente.dev