lexio

Privacy policy

Effective June 10, 2026

This policy explains what information Lexio collects when you use our reading app, how we use it, and the choices you have. We aim for plain language - if anything here is unclear, email hello@lexiolanguage.com.

What we collect

  • Account. Your email address, which we use to send login codes and (occasionally) service announcements.
  • Reading activity. Which stories you open, words you tap, and review grades. This drives your library, your card list, and your review schedule.
  • Preferences. Reader settings (theme, font, font size) you've chosen.
  • Technical logs. Standard server logs: IP address, browser type, request paths, timestamps. Retained for up to 30 days for debugging and abuse prevention.
  • New features. As Lexio grows, we may collect additional information that a new feature genuinely needs to work. When that happens we'll update this policy and the effective date above before the new collection takes effect.

We do not collect payment card numbers. The billing processor (LemonSqueezy) handles card data - we only see the subscription status and last 4 digits.

How we use it

  • Operate the app: log you in, render the library, run the SRS scheduler.
  • Improve the app: aggregate usage patterns to decide which features to build.
  • Support: respond to emails you send us.
  • Security: detect abuse and prevent unauthorized access.

We do not sell your data, and we do not run advertising in Lexio. We will not use your reading data to train large language models without your explicit, separate opt-in.

Who we share it with

We use a small set of vetted subprocessors to run the service:

  • Supabase - database, authentication, and file storage.
  • Vercel - application hosting.
  • Anthropic - story generation and dictionary enrichment (we send story-generation prompts; we do not send your personal reading history).
  • ElevenLabs - audio narration and forced alignment (text only; no personal data).
  • Brevo - transactional email delivery for login codes and account notifications.
  • fal.ai - cover image generation (no personal data).
  • LemonSqueezy - subscription management and billing.

Each of these has its own privacy commitments, and we only share what each strictly needs to deliver its part of the service.

Your choices

  • Export. Download a JSON copy of your profile, cards, and sessions from Account → Privacy & data.
  • Delete. Delete your account from the same screen. We remove your auth record and all linked rows immediately; encrypted backups roll off within 30 days.
  • Email. You can opt out of non-essential email at any time. Login codes and core service notifications are required to keep the account functional.

Data retention

We keep your account data until you delete it. Server logs are kept for up to 30 days. Backups roll off within 30 days of deletion.

International users

Our infrastructure is hosted in the United States. By using Lexio you agree to your data being transferred to and processed in the United States. If you're in the European Economic Area, the United Kingdom, or California, you have additional rights under GDPR, UK GDPR, and the CCPA - email us at hello@lexiolanguage.com to exercise them.

Children

Lexio is not directed at children under 13. We do not knowingly collect data from anyone under 13; if we discover we have, we delete it.

Changes

If we make material changes to this policy, we'll update the effective date above and notify active users by email at least 14 days before the changes take effect.

Contact

Email hello@lexiolanguage.com for any privacy question or data request.