Privacy Policy
Diko is built on a simple promise: your learning is yours. The app runs locally, stores your decks and progress on your device, and does not collect personal data by default. This policy explains the few exceptions, in plain language.
1. Who we are
Diko ("the app") is operated by the Diko team ("we", "us"). If you have privacy questions, write to privacy@getdiko.com. A postal contact will be published before the App Store / Google Play launch.
2. What we collect, by category
2.1 Data stored on your device
The following stays on your phone in app-private storage. We never see it:
- Decks and cards you create or import
- Spaced-repetition progress (intervals, ease, due dates, lapses)
- Review history and streaks
- App preferences (language, daily limit, haptics, reminders)
2.2 Data we collect over the network
The MVP build operates fully offline. The only network traffic the app initiates is for over-the-air JavaScript updates served by Expo Updates. These requests transmit:
- The runtime version of your app (e.g. 1.0.0) so we can serve a compatible bundle
- The platform (iOS or Android) and OS version, as part of the standard HTTP request
- A short-lived update channel name (e.g. production)
We do not log this traffic against any user-level identifier. There is no analytics SDK in the app, no crash reporter that ships back to a third party, and no advertising identifier read.
2.3 Data we do not collect
- Name, email, phone number, address
- Location (GPS, IP-based geolocation)
- Contacts, photos, microphone, camera
- Device advertising ID (IDFA / GAID)
- App-usage analytics or behavioural events
3. Notifications
If you enable daily review reminders, the app schedules local notifications via the operating system. The reminder content is generated on-device. We do not run a push server and have no record of when reminders fire.
4. Text-to-speech
When you tap the speaker button on a card, the app uses the operating system's built-in text-to-speech engine (Apple AVSpeechSynthesizer on iOS, Android TextToSpeech on Android). Audio is generated on-device. We do not transmit card text to any speech service.
5. Future features behind feature flags
The codebase contains optional features that are off by default and not enabled in any released build:
- Account & sync — would require an email address, hashed identifier, and an encrypted backup of your local database. Will be opt-in. A separate addendum will cover it before launch.
- AI deck generation — would send the topic prompt you type to a third-party model. Will be opt-in per generation.
- Group study — would share the public part of decks (not your private SRS state) with people you explicitly invite.
None of these features are available in the current public build. If we activate any of them, this policy will be updated with a new effective date and you will be notified inside the app on first use.
6. Third-party services
The app uses the following third-party components. Their inclusion does not by itself transmit personal data:
- Expo Updates (operated by Expo) — serves over-the-air JS bundles. expo.dev/privacy
- Apple App Store / Google Play Store — the channels you used to install the app. Their handling of install metadata is governed by their own policies.
The marketing website you are reading loads Google Fonts to render Instrument Serif and Geist. Your IP and user agent reach Google's font CDN as part of the HTTP request. We do not log it ourselves.
7. Children
Diko is rated for general audiences but is not directed at children under 13. We do not knowingly collect data from children. Because the MVP collects no personal data at all, this is a structural guarantee rather than a process.
8. Your rights
Because the MVP keeps your data on your device only, you can exercise all data-protection rights (access, correction, deletion, portability) using the in-app Reset seed data button or by deleting and reinstalling the app. There is no server-side copy to request from us.
If you are in the European Economic Area, the United Kingdom, Switzerland, California, or Brazil, additional rights apply under your local law (GDPR, UK GDPR, FADP, CCPA/CPRA, LGPD respectively). Email privacy@getdiko.com and we will respond within 30 days.
9. Security
On-device storage uses the platform's standard app-private sandbox. We do not encrypt local data at rest beyond what the OS provides. If the device is lost or stolen, the OS-level lock screen is the security boundary.
10. Changes to this policy
We may update this policy as features evolve. Material changes will bump the effective date at the top of this page and surface a notice in the app. Continued use after the update means you accept the revised policy.
11. Contact
Privacy questions: privacy@getdiko.com.
General support: getdiko.com/support.