Privacy Policy

Straight talk about your data — for the website and the Mac app.

Last updated: June 2026

Your privacy matters. Below is what we collect, why, and what you can do about it.

1. Who is responsible for your data?

Leafy is operated by Jtobin. For any privacy-related questions, contact: binjto@gmail.com

2. Data collected on this website

When you submit the beta signup form, we collect:

• Your email address — to notify you about beta access
• An optional message — if you choose to write one

We do not collect your name, location, or any other personal information through the website. We do not use cookies, Google Analytics, or any advertising trackers. Browser localStorage is used only to limit duplicate form submissions (max 2 per browser per day) and never leaves your device.

3. Data collected by the macOS app

3a. Local storage — stays on your device

All of the following is stored locally on your Mac only and is never uploaded to any server:

• Your vocabulary list, definitions, examples, and folder organization
• Import/export files, app settings, and preferences

3b. Text sent for AI processing

When you use the word scanner, lookup, or translation features, the text you scan or query is sent to a third-party AI service via a secure Cloudflare proxy. The text is used solely to generate a response and is not retained on any server after the response is returned. No name, account, or device identifier is attached to these requests.

AI service used:

• DeepSeek — word definitions, OCR analysis, and translation (Privacy Policy)

International transfer: DeepSeek processes requests on servers located outside the European Economic Area (in China). By using these AI features, the scanned or queried text is transferred to DeepSeek for processing. The text contains no name, account, or device identifier, and is not retained after the response is returned.

To reduce the number of requests sent to the service, identical queries are cached for up to 30 days using a content hash as the key. The cache contains only the AI response text — no IP address or user identity is stored alongside it.

3c. IP address (hashed)

To enforce daily usage limits and to record your interest vote (one vote per device), your IP address is processed as a one-way SHA-256 hash before being stored. The original IP address is never stored and cannot be recovered from the hash. IPv6 addresses are normalised to their /64 network prefix before hashing, so temporary privacy-extension addresses from the same device are treated as one.

Usage counters expire automatically after 25 hours. Vote records are kept until you cancel your vote.

3d. Anonymous usage analytics

The app uses TelemetryDeck to collect privacy-first, anonymous usage signals that help us understand how features are used and where errors occur. TelemetryDeck does not use cookies or advertising identifiers, does not track you across apps or websites, and does not collect data that identifies you personally. Signals are limited to anonymous events such as: app launched, a scan started, a scan completed or failed, a word saved, an import completed, a folder created, and AI request failures (including a generic error tag and which endpoint failed). No vocabulary content, scanned text, email address, or raw IP address is ever sent. TelemetryDeck is based in Germany and processes data within the EU. See the TelemetryDeck Privacy Policy.

This is entirely optional. You can turn anonymous analytics off at any time in the app under Settings → About; when turned off, no signals are sent at all.

3e. Crash reports

The app uses Sentry to automatically report crashes. When a crash occurs, Sentry receives the crash stack trace, app version, and macOS version. No vocabulary content, scanned text, or personal identifiers are included in crash reports. See the Sentry Privacy Policy.

3f. App update checks

The app uses Sparkle to check for updates. Your current app version and build number are sent to our update server to determine whether a newer version is available. No personal data is transmitted.

3g. Screen Recording permission

The word scanner requires macOS Screen Recording permission to capture on-screen text. Screenshots are processed instantly on-device by OCR and are never saved, uploaded, or shared.

4. How we use your data

• Email — to notify you about beta access only. No marketing or newsletters.
• Scanned text — to generate definitions and translations. Not retained after response.
• Hashed IP — to enforce daily usage limits and deduplicate votes. Not used for tracking.
• Anonymous analytics — to understand feature usage and detect errors. Optional; can be turned off in Settings.
• Crash data — to fix bugs and improve stability.

5. Legal basis (GDPR)

For website sign-ups, we process your email on the basis of your explicit consent (Article 6(1)(a) GDPR). For app features, processing is based on legitimate interests (Article 6(1)(f) GDPR) — specifically, preventing abuse of AI services and maintaining app stability — balanced against your privacy rights through IP hashing and data minimisation.

International transfers: When you use the AI scanning, lookup, or translation features, the queried text is transferred to DeepSeek for processing on servers outside the EEA (in China). This transfer is necessary to provide the feature you requested; the text contains no personal identifiers and is not retained after the response. All other processing (analytics, crash reports, email) takes place within the EU/EEA.

You may withdraw consent for email communications at any time by contacting binjto@gmail.com. You may turn off anonymous analytics at any time in the app's Settings.

6. How long we keep your data

• Email — until the beta program concludes or you request deletion
• Hashed IP usage counters — 25 hours (automatic expiry)
• Hashed IP vote record — until you cancel your vote
• AI response cache — up to 30 days
• Anonymous analytics — per TelemetryDeck's retention policy; aggregated and not tied to an identifiable person
• Crash reports — per Sentry's retention policy (90 days by default)

7. Third-party services (website)

Beta signup emails are delivered via EmailJS. EmailJS processes your email address solely to transmit it to us. See the EmailJS Privacy Policy.

8. Your rights (GDPR)

If you are in the EU or EEA, you have the right to:

• Access — request a copy of the data we hold about you
• Rectification — request correction of inaccurate data
• Erasure — request deletion of your data
• Restriction — request that we limit how we use your data
• Portability — request your data in a portable format
• Withdraw consent — at any time, without affecting prior processing

To exercise any of these rights, email binjto@gmail.com. We will respond within 30 days.

Please note: because IP addresses are stored only as irreversible hashes, we cannot identify or retrieve any data associated with a specific IP address. These rights therefore apply only to data you have directly provided to us, such as your email address.

9. Changes to this policy

If we make significant changes, we will update the "Last updated" date at the top of this page.

10. Contact

Questions or concerns? Email us at binjto@gmail.com.