Vellum — Privacy Policy

Last updated: June 5, 2026

Vellum (“the app”, “we”, “us”) is a flashcard app that turns your study notes into spaced-repetition flashcards with the help of AI. We built it to collect as little about you as possible. This policy explains exactly what data the app handles, where it goes, and why.

Plain-language summary: We don’t have user accounts. Your decks, cards, and review history live on your device and in your own private iCloud. The only thing that leaves your device is (1) the note text you explicitly choose to turn into cards, which we forward to an AI provider to generate the cards, and (2) a referral code and an anonymous identifier used solely to award referral bonuses. We don’t sell your data, we don’t show third-party tracking ads, and we don’t build an advertising profile of you.

1. Data stored on your device and in your iCloud

The following stays on your device and, if you’re signed into iCloud, syncs through your own private iCloud account using Apple’s CloudKit. We cannot read it — it’s in your iCloud, not on our servers:

• Decks, cards (front/back text, tags), and their scheduling state.
• Your review history (which cards you reviewed and when).
• App settings and your energy balance.

We never receive or store this content on our servers.

2. Data sent to our server and to the AI provider

When you ask Vellum to generate flashcards from text (pasted text, or notes you select from an Obsidian vault), the app sends only the text you chose to our backend service (proxy.get-vellum.com), which forwards it to our AI provider, Google (Gemini API), to produce the flashcards.

• We send only the specific text you selected for that generation — not your whole notes library, not files you didn’t pick.
• This text is used to generate your cards and is subject to Google’s API data-handling terms. It is not used by us to build a profile of you.
• In normal operation we do not retain the submitted note text after your cards are generated — it is processed to fulfil your request and then discarded.
• Exception — failed generations: if a generation fails (for example, the AI provider times out or returns an error), our server keeps a diagnostic record of that request — including the note text you submitted — for up to 30 days, so we can investigate and fix the problem. These records are stored on our own server, are not linked to your name or email (we don’t collect those), are not used to build a profile of you or for advertising, and are automatically deleted after 30 days. We never retain text from successful generations.

3. Referral program data

Vellum has a referral feature where sharing a code earns you and your friend bonus “energy.” To make this work and to prevent abuse, when a code is redeemed our server records:

• The referral codes involved (a short random string, not tied to your name or email).
• An anonymous, stable identifier derived from your iCloud account (Apple’s CloudKit user record identifier), used only to ensure each referral is counted once and to stop fraudulent self-referrals.

This data is not linked to your name, email, or contacts (we don’t collect those), and is used solely to operate the referral rewards.

4. Notifications

If you turn on review reminders, Vellum schedules local notifications on your device. These are generated on-device from your own card schedule; no notification data is sent to us.

5. What we do NOT collect

• We do not require an account, name, email address, or phone number.
• We do not collect your precise or coarse location.
• We do not access your contacts. (Obsidian vault access is local to your device; only the specific note text you select is sent for card generation.)
• We do not use third-party analytics or advertising SDKs that track you, and we do not use the iOS Advertising Identifier.

6. Third-party services

• Apple iCloud (CloudKit): stores your synced data in your own iCloud account. Governed by Apple’s privacy policy.
• Google (Gemini API): processes the note text you submit for card generation. Governed by Google’s API terms and privacy policy.

7. Data retention & deletion

• On-device and iCloud data: you control it. Delete a deck/card in the app to remove it; deleting the app and clearing its iCloud data removes it entirely.
• Referral records on our server: retained only as long as needed to operate the rewards program. To request deletion of referral records associated with your code, contact us (Section 9).
• Failed-generation diagnostic records (Section 2): automatically deleted 30 days after the failed request. To request earlier deletion, contact us (Section 9) — note that without your name or email on these records, we may need the approximate time of the failure to locate them.

8. Children’s privacy

Vellum is not directed at children under 13 and does not knowingly collect personal information from them.

9. Contact

Questions or requests about this policy or your data: evgbar.dev@gmail.com

10. Changes to this policy

We may update this policy as the app evolves. Material changes will be reflected here with an updated “Last updated” date.