Last updated: 2026-02-14
1. Introduction
At Hend, we take your privacy seriously. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our language learning application and website (collectively, the “Service”).
We prioritize data minimization, local-first technology, and end-to-end encryption to protect your privacy. Please read this Privacy Policy carefully. By using Hend, you consent to the data practices described in this policy.
2.1 Learning Data
Hend uses a local-first architecture, which means your learning data is always stored on your device first. This data includes:
- Language learning progress and spaced repetition data
- Saved words and phrases with translations
- Texts you have imported or generated
- Reading statistics (time spent, sessions, completion)
- Application settings and preferences
When you create an account, this data is continuously synchronized with our cloud infrastructure using end-to-end encryption (see Section 4.3) to enable cross-device access.
If you register for an account, we process the following through our authentication provider, Clerk:
- Email address - used for account identification and authentication
- Authentication tokens - managed by Clerk for session management
We do not collect your name, phone number, or other personal identifiers unless you provide them voluntarily.
For subscribers, payment information is processed by Polar, our Merchant of Record. We do not store your credit card details. We may have access to:
- Subscription status and plan type
- Billing history and transaction records
- Credit/meter balances for usage-based features
2.4 Usage Metering Data
To manage usage-based features (such as AI generation credits), we record usage events with our payment provider, Polar. These events include:
- The type of action performed (e.g., text generation, translation, text-to-speech)
- The AI model used and token counts
- Character counts for audio generation
- Language codes (not the content itself)
- Cost calculations for billing
This data is associated with your customer ID for billing purposes. It does not include the content of your texts, translations, or other learning materials.
2.5 Analytics Data
With your consent, we collect analytics data to improve the Service. Analytics is opt-in - we only collect this data if you accept cookies via our consent banner. Analytics data may include:
- Pages visited and features used
- Error reports and performance metrics
- Device type and browser information
When analytics is enabled, your Clerk user ID and email address are used as identifiers in our analytics platform (PostHog) to associate sessions with your account.
2.6 Server Logs and Infrastructure Data
As the Service is hosted on Cloudflare Workers, standard request metadata is collected automatically:
- IP addresses (which may be truncated or anonymized)
- Request URLs and response status codes
- Performance and error metrics
We use the information we collect to:
- Provide, maintain, and improve Hend
- Synchronize your encrypted learning data across devices
- Process transactions and manage your subscription
- Calculate and enforce usage limits for AI-powered features
- Analyze usage patterns to enhance the user experience (with your consent)
- Detect and prevent fraudulent or unauthorized activity
- Provide customer support
- Communicate with you about your account or subscription
4. Data Storage and Security
4.1 Local-First Data Storage
Hend is built on a local-first architecture using Jazz (by Garden Computing, Inc.). Your learning data is stored on your device using browser storage (IndexedDB/LocalStorage). This means your data persists locally even without an internet connection, though the application itself requires an internet connection for the initial page load.
4.2 Cloud Data Storage
When you create an account, your data is also stored on Jazz’s cloud synchronization servers (cloud.jazz.tools) in an end-to-end encrypted format (see Section 4.3).
4.3 End-to-End Encryption
Data synchronization for registered users is protected by end-to-end encryption (E2EE) provided by the Jazz framework. This encryption works as follows:
- Encryption happens on your device. All learning data is encrypted in your browser before leaving your device.
- Cryptographic design. Jazz uses BLAKE3 hashing, Ed25519 signatures, and XSalsa20-Poly1305 stream ciphers. Every data transaction is cryptographically signed.
- Access control via groups. Encryption keys are managed through cryptographic groups. Only devices you have authorized can decrypt your data.
- Key rotation. Encryption keys are automatically rotated when access is revoked.
- Server-side opacity. The Jazz sync server stores only encrypted data and cannot read your content.
We rely on Jazz’s cryptographic framework for E2EE. We have not implemented additional application-level encryption beyond what Jazz provides.
4.4 Data Retention
- Local data remains on your device until you clear your browser data or delete your account.
- Cloud data is retained in encrypted form on Jazz’s sync servers as long as your account is active.
- Account information is retained by Clerk as long as you maintain an active account.
- Payment records are retained by Polar as required by applicable financial regulations.
- Usage metering data is retained by Polar for billing and accounting purposes.
- Analytics data is retained by PostHog as long as your account is active and can be deleted upon request.
After account deletion, we instruct our service providers to delete your data. Certain information may be retained as required by law (e.g., financial transaction records).
5. Third-Party Services
We do not sell your personal information. We rely on the following categories of third-party services to operate Hend. Each receives only the data necessary for its function.
5.1 Authentication - Clerk
- Data received: Email address, authentication tokens, session data
- Purpose: User authentication and session management
- Data location: United States
- GDPR: EU-US Data Privacy Framework certified; DPA available
- Privacy policy: clerk.com/legal/privacy
5.2 Payments - Polar
- Data received: Email address, subscription and transaction data, usage metering events with metadata (action type, model, token/character counts, language codes, costs)
- Purpose: Merchant of Record; payment processing, subscription management, and usage-based billing
- Data location: United States (via Stripe for card processing)
- Privacy policy: polar.sh/legal/privacy
5.3 Data Synchronization - Jazz (Garden Computing, Inc.)
- Data received: End-to-end encrypted learning data (opaque to the server), connection metadata
- Purpose: Real-time data sync across your devices
- Data location: United States (assumed; not formally documented by provider)
- Note: Jazz does not currently publish a standalone privacy policy. Because all synced data is end-to-end encrypted, the sync server cannot access your content in plaintext. We are monitoring this and will update this section as Jazz’s privacy documentation matures.
5.4 Hosting - Cloudflare
- Data received: HTTP request metadata (IP addresses, URLs, headers), performance metrics
- Purpose: Application hosting and content delivery
- Data location: Global network; US headquarters
- GDPR: EU-US Data Privacy Framework certified
- Privacy policy: cloudflare.com/privacypolicy
5.5 Analytics - PostHog
- Data received: Page views, feature usage, error reports, device information. When analytics is enabled: Clerk user ID and email address as identifiers
- Purpose: Product analytics and error monitoring
- Data location: European Union (Germany) - we use PostHog’s EU-hosted instance
- GDPR: EU-US Data Privacy Framework certified; SOC 2 compliant
- Consent: Analytics is opt-in. Data is only collected if you accept analytics via the consent banner. You can opt out at any time by clearing your cookie preferences.
- Privacy policy: posthog.com/privacy
5.6 AI Providers
When you use AI-powered features (text generation, translation, word explanations, etc.), your requests are processed by third-party AI providers. Here is how this works:
OpenRouter (routing layer)
- Data received: Text prompts and generation parameters
- Purpose: Routes AI requests to the appropriate language model provider
- Data location: United States
- Important: OpenRouter forwards your prompts to downstream language model providers (such as Anthropic, OpenAI, Google, and others). Each provider has its own data handling practices. OpenRouter states that it does not control downstream providers’ handling of inputs for purposes such as model training.
- Privacy policy: openrouter.ai/privacy
When using your own API key: If you provide your own OpenRouter API key, AI requests are sent directly from your browser to OpenRouter. Your relationship with OpenRouter and its downstream providers is governed by their respective terms. Your API key is stored in your preferences, which are synced via Jazz’s encrypted sync.
5.7 Text-to-Speech - fal.ai and ElevenLabs
- Data received: Text content to be converted to speech
- Purpose: Generating audio pronunciation and narration
- Data location: United States (fal.ai infrastructure); ElevenLabs processes in US, Netherlands, and Singapore
- Important: ElevenLabs’ privacy policy states that text data may be used for model improvement unless opted out. Since Hend accesses ElevenLabs through fal.ai’s infrastructure, data passes through both providers.
- Privacy policies: fal.ai/privacy, elevenlabs.io/privacy
5.8 Web Content Fetching - Jina AI
- Data received: URLs you provide when importing web content
- Purpose: Fetching and parsing web page content for import into Hend
- Data location: Germany (EU); EU-compliant infrastructure option available
- GDPR: GDPR compliant; SOC 2 audited
- Privacy policy: jina.ai/legal
5.9 YouTube Data - RapidAPI
- Data received: YouTube video URLs and video IDs
- Purpose: Fetching video metadata and transcripts for import
- Data location: United States (RapidAPI); the underlying API provider (yt-api) is a third-party developer hosted on RapidAPI’s marketplace
- Privacy policy: rapidapi.com/privacy
5.10 Legal Requirements
We may disclose information if required to do so by law or in response to valid requests by public authorities (e.g., a court order or government agency).
6. Cookies and Tracking
Hend uses the following storage mechanisms:
- Essential local storage: Your learning data and cookie consent preference are stored in browser local storage. These are necessary for the Service to function and are not used for tracking.
- Analytics cookies (opt-in): PostHog uses first-party cookies for analytics. These are only set if you accept analytics via the consent banner.
We do not use third-party advertising cookies or tracking pixels.
7. Your Rights and Choices
Depending on your location, you may have the following rights regarding your personal information:
- Access: Request access to the personal information we hold about you.
- Correction: Request correction of inaccurate information.
- Deletion: Request deletion of your account and personal information.
- Data portability: Export your learning data (texts, saved words) via the Data tab in Settings.
- Withdraw consent: Opt out of analytics at any time by clearing your cookie preferences.
7.1 Data Control
Because Hend uses a local-first architecture:
- You maintain direct control over the data stored on your device.
- You can export your learning data at any time via Settings > Data.
- Clearing your browser data removes all local data.
- You can delete your account through your account settings, which will remove your Clerk account and Polar customer record. Your encrypted data on Jazz’s sync servers will no longer be accessible once your encryption keys are deleted.
8. Children’s Privacy
Hend is not intended for children under 16 (or under 13 in jurisdictions where that is the applicable age). We do not knowingly collect personal information from children. If you believe we have inadvertently collected information from a child, please contact us immediately.
9. International Data Transfers
Your data may be transferred to and processed in countries other than your country of residence, including the United States. We use the following safeguards:
- End-to-end encryption ensures your learning content is protected regardless of server location.
- Several of our providers are certified under the EU-US Data Privacy Framework (Clerk, Cloudflare, PostHog, ElevenLabs).
- Where DPF certification is not available, we rely on Standard Contractual Clauses (SCCs) or other appropriate transfer mechanisms.
- Our analytics provider (PostHog) operates from EU-based servers (Germany).
10. California Privacy Rights (CCPA)
If you are a California resident, you have the right to:
- Know what personal information we collect and how it is used
- Request deletion of your personal information
- Opt out of the sale of personal information (we do not sell personal information)
- Not be discriminated against for exercising your rights
To exercise these rights, contact us at the address in Section 13.
11. GDPR Compliance
For users in the European Economic Area (EEA), we comply with the General Data Protection Regulation (GDPR). Our legal bases for processing are:
- Contract performance - processing necessary to provide the Service (authentication, data sync, payment processing)
- Consent - analytics data collection (opt-in via cookie banner)
- Legitimate interests - security monitoring, fraud prevention, error tracking
- Legal obligations - financial record keeping
You may exercise your GDPR rights (access, rectification, erasure, portability, restriction, objection) by contacting us at the address in Section 13.
12. Changes to This Privacy Policy
We may update this Privacy Policy from time to time. We will notify you of changes by:
- Posting the updated policy and revising the “Last Updated” date
- For significant changes, providing notice through the application or via email
If you have questions about this Privacy Policy or wish to exercise your data rights, please contact us at:
Email: [email protected]
This privacy policy aims to accurately reflect Hend’s current data practices as of the date above. We are committed to updating it as our product and third-party provider landscape evolve.