Vellum — Privacy Policy
Last updated: June 5, 2026
Vellum (“the app”, “we”, “us”) is a flashcard app that turns your study
notes into spaced-repetition flashcards with the help of AI. We built it to
collect as little about you as possible. This policy explains exactly what
data the app handles, where it goes, and why.
Plain-language summary: We don’t have user accounts. Your
decks, cards, and review history live on your device and in your own private
iCloud. The only things that leave your device are (1) the note text you
explicitly choose to turn into cards, which we forward to an AI provider to
generate the cards, and (2) a referral code and an anonymous identifier used
solely to award referral bonuses. We don’t sell your data, we don’t show
third-party tracking ads, and we don’t build an advertising profile of you.
1. Data stored on your device and in your iCloud
The following stays on your device and, if you’re signed into iCloud, syncs
through your own private iCloud account using Apple’s
CloudKit. We cannot read it — it’s in your iCloud, not on our servers:
- Decks, cards (front/back text, tags), and their scheduling state.
- Your review history (which cards you reviewed and when).
- App settings and your energy balance.
We never receive or store this content on our servers.
2. Data sent to our server and to the AI provider
When you ask Vellum to generate flashcards from text
(pasted text, or notes you select from an Obsidian vault), the
app sends only the text you chose to our backend service
(proxy.get-vellum.com), which forwards it to our AI provider,
Google (Gemini API), to produce the flashcards.
- We send only the specific text you selected for that generation — not
your whole notes library, not files you didn’t pick.
- This text is used to generate your cards and is subject to Google’s API
data-handling terms. It is not used by us to build a profile of you.
- In normal operation we do not retain the submitted note text after your
cards are generated — it is processed to fulfil your request and then
discarded.
- Exception — failed generations: if a generation fails
(for example, the AI provider times out or returns an error), our server
keeps a diagnostic record of that request — including the note text you
submitted — for up to 30 days, so we can investigate and
fix the problem. These records are stored on our own server, are not linked
to your name or email (we don’t collect those), are not used to build a
profile of you or for advertising, and are automatically deleted after 30
days. We never retain text from successful generations.
3. Referral program data
Vellum has a referral feature where sharing a code earns you and your
friend bonus “energy.” To make this work and to prevent abuse, when a code is
redeemed our server records:
- The referral codes involved (each a short random string, not tied to your
name or email).
- An anonymous, stable identifier derived from your iCloud account
(Apple’s CloudKit user record identifier), used only to
ensure each referral is counted once and to stop fraudulent
self-referrals.
This data is not linked to your name, email, or contacts (we don’t collect
those), and is used solely to operate the referral rewards.
4. Notifications
If you turn on review reminders, Vellum schedules local
notifications on your device. These are generated on-device from your own card
schedule; no notification data is sent to us.
5. What we do NOT collect
- We do not require an account, name, email address, or phone number.
- We do not collect your precise or coarse location.
- We do not access your contacts. (Obsidian vault access is local
to your device; only the specific note text you select is sent for card
generation.)
- We do not use third-party analytics or advertising SDKs that track you,
and we do not use the iOS Advertising Identifier.
6. Third-party services
- Apple iCloud (CloudKit): stores your synced data in
your own iCloud account. Governed by Apple’s privacy policy.
- Google (Gemini API): processes the note text you submit
for card generation. Governed by Google’s API terms and privacy policy.
7. Data retention & deletion
- On-device and iCloud data: you control it. Delete a deck/card in the app
to remove it; deleting the app and clearing its iCloud data removes it
entirely.
- Referral records on our server: retained only as long as needed to
operate the rewards program. To request deletion of referral records
associated with your code, contact us (Section 9).
- Failed-generation diagnostic records (Section 2): automatically deleted
30 days after the failed request. To request earlier deletion, contact us
(Section 9) — note that without your name or email on these records, we may
need the approximate time of the failure to locate them.
8. Children’s privacy
Vellum is not directed at children under 13 and does not knowingly collect
personal information from them.
9. Contact
Questions or requests about this policy or your data:
evgbar.dev@gmail.com
10. Changes to this policy
We may update this policy as the app evolves. Material changes will be
reflected here with an updated “Last updated” date.