Privacy Policy
Last updated: 25 April 2026
This Privacy Policy explains how NANA LABS LTD ("Yada", "we", "us", or "our") collects, uses, and discloses personal information about you when you use our website at learnwithyada.com, our iOS application, and related services (collectively, the "Services"), and in any other interactions we have with you.
NANA LABS LTD is the data controller for personal information processed in connection with the Services. We are a company registered in England and Wales (Company No. 17153759) with our registered office at 82A James Carter Road, Mildenhall, IP28 7DE, United Kingdom. You can contact us at founder@learnwithyada.com.
This Policy applies only when you use our Services as a consumer, and not as a job applicant, contractor, or employee.
1. Personal information we collect
1.1 Information you provide to us
When you use the Services or interact with us, we may collect:
- Account information: username, email address, password, and full name.
- Onboarding information: your learning goals, areas of interest, and study preferences.
- Third-party sign-in information: if you log in via Apple or Google, those services authenticate your identity and may provide us with your name and email address.
- Payment information: limited information needed to process payments. Full payment card details are handled by our payment processors (such as Apple) and are not collected or stored by us.
- Content you upload: text, images, notes, highlights, search queries, survey responses, and any other content you submit to the Services.
- Support communications: information you share when you contact us for customer support.
1.2 Information we collect automatically
When you interact with the Services, we automatically collect:
- Device information: operating system version, device identifier, app version, language, and IP address.
- Usage information: frequency, timing, and duration of your use; the pages or screens you view; your interactions with the Services (lessons started, cards reviewed, progress, streaks, preferences); and referring websites or search terms.
- Diagnostic information: crash reports, performance data, and error logs.
We collect this information using cookies, SDKs, and crash reporters. We also use local storage on your device.
1.3 Information from third parties
- Service providers and partners: we may receive information from analytics providers, customer-support tools, or other partners.
- Other users: if a user refers you to Yada, we may receive your name and email to send an invitation.
- Publicly available sources: we may collect information from public posts and other publicly available sources, in accordance with applicable law.
1.4 Analytics data we collect via PostHog
We use PostHog to capture product analytics events that help us understand how people use the Services and where they get stuck. We do not list every individual event we record, but we group the events we collect into the following categories:
- Account and authentication activity: login attempts, sign-ups, OAuth flows (Apple and Google), password resets, email verifications, logouts, and account deletions. Used to detect failed authentication patterns, support users locked out of their accounts, and improve sign-up reliability.
- Onboarding interactions: the onboarding screens you see, where you drop off, and the answers you provide during onboarding (such as your name, age bracket, and preferred topics or genres). Used to optimise the onboarding flow and personalise your in-app experience.
- Product usage: which features you use and how — deck and card creation, review sessions (start, completion, abandonment, accuracy, time spent), imports, settings, and preference changes. Used to understand engagement, prioritise improvements, and identify bugs.
- Subscription activity: paywall views, plan selections, purchase attempts, subscription state, and restores. Used to operate the subscription service, measure conversion, and support billing issues.
- Technical and device data: device type, operating system version, app version, anonymised IP address, app installs, app opens, crashes, screen views, and interaction touches. Used for compatibility, debugging, and security.
The legal basis for analytics processing is our legitimate interests in operating, securing, and improving the Services (Article 6(1)(f) UK GDPR). For subscription-related analytics we also rely on contract performance (Article 6(1)(b)). You can object to analytics processing at any time — see Section 8.
2. How we use your personal information and legal bases
Under the UK General Data Protection Regulation (UK GDPR) and EU GDPR, we must have a legal basis for processing your personal information. The table below sets out the purposes for which we process your data and the legal basis we rely on.
| Purpose | Legal basis |
|---|---|
| Creating and managing your account | Performance of a contract (Article 6(1)(b) UK GDPR) |
| Providing, personalising, and hosting the Services, including AI-generated flashcards | Performance of a contract |
| Processing payments and managing subscriptions | Performance of a contract |
| Sending transactional communications (receipts, service notices) | Performance of a contract; legal obligation (Article 6(1)(c)) |
| Measuring, analysing, and improving the Services | Our legitimate interests in operating and improving our business (Article 6(1)(f)) |
| Providing customer support and resolving issues | Performance of a contract; our legitimate interests |
| Preventing fraud, abuse, and security threats | Our legitimate interests in protecting our Services and users |
| Sending marketing communications about Yada | Your consent (Article 6(1)(a)); or our legitimate interests where permitted under the “soft opt-in” exception in the Privacy and Electronic Communications Regulations (PECR) |
| Complying with legal obligations | Legal obligation |
| Enforcing our Terms of Service or other agreements | Our legitimate interests in protecting our rights |
Where we rely on our legitimate interests, we have carried out a balancing assessment to ensure that our interests do not override your rights and freedoms. You have the right to object to processing based on legitimate interests — see Section 8.
Where we rely on your consent, you may withdraw it at any time by contacting us or using the in-app or email unsubscribe options. Withdrawing consent does not affect the lawfulness of processing based on consent before its withdrawal.
3. Automated decision-making and AI
We use AI models from third-party providers (currently Google's Gemini, Anthropic's Claude, and OpenAI's GPT) to help generate flashcards and provide other AI-assisted features from content you provide. This processing is carried out to deliver the core functionality of the Services that you have requested. We do not make decisions with legal or similarly significant effects on you based solely on automated processing.
4. Who we share your personal information with
We share personal information with the following categories of recipient:
4.1 Service providers (data processors)
We use third parties to operate and improve the Services. These include:
- Hosting and infrastructure: Railway (cloud hosting), Amazon Web Services, and similar providers.
- Analytics: PostHog, for product analytics. PostHog data is hosted on the EU instance (eu.posthog.com), so analytics data is stored within the European Economic Area.
- Crash and error reporting: Sentry.
- Payments and subscriptions: Apple (via the App Store) and RevenueCat.
- Push notifications: Expo.
- AI processing: Google (Gemini API), Anthropic (Claude API), and OpenAI (GPT API) for generating flashcards and other AI-assisted features from content you provide.
- Customer support: email and help-desk providers.
These providers process data on our behalf under written contracts that require them to protect your information and use it only as instructed.
4.2 Legal and safety disclosures
We may disclose personal information if we believe in good faith that it is reasonably necessary to (a) comply with applicable law, court order, or legal process; (b) enforce our Terms of Service or investigate suspected violations; (c) detect, prevent, or address fraud, security, or technical issues; or (d) protect the rights, property, or safety of Yada, our users, or the public.
4.3 Corporate transactions
If Yada is involved in a merger, acquisition, or sale of all or part of our business, personal information may be transferred to the receiving party, subject to this Privacy Policy.
4.4 With your consent
We may disclose personal information in other ways with your consent.
We do not sell your personal information, and we do not share your personal information for cross-context behavioural advertising.
4.5 Advertising and tracking
We do not use analytics data to target advertising. We do not share your personal information with third parties for advertising purposes. We do not track you across other companies' apps or websites for advertising or any other purpose, and we do not engage in cross-app tracking as defined by Apple's App Tracking Transparency framework.
5. International transfers of personal information
Some of our service providers are based outside the United Kingdom and the European Economic Area, including in the United States. When we transfer personal information outside the UK or EEA, we rely on one of the following safeguards:
- Adequacy decisions (where the UK or EU has determined that the destination country provides an adequate level of protection);
- Standard Contractual Clauses approved by the UK Information Commissioner or the European Commission, together with the UK International Data Transfer Addendum where applicable;
- Other appropriate safeguards permitted under UK and EU GDPR.
You may contact us at founder@learnwithyada.com for a copy of the safeguards in place for any specific transfer.
6. How long we retain your personal information
We retain personal information only for as long as necessary for the purposes set out in this Policy, including to:
- provide the Services to you for the duration of your account;
- comply with our legal, accounting, tax, or reporting obligations (typically up to 6 years under UK law);
- resolve disputes and enforce our agreements;
- protect against fraud and security threats.
When you delete your account, we delete or anonymise your personal information within a reasonable period, except where we are legally required to retain it or where we have a legitimate ongoing interest (for example, to defend a legal claim). We may retain aggregated or de-identified data indefinitely, as it does not identify you.
Analytics data. Product analytics data we collect via PostHog is retained for the lifetime of your account and is deleted within 30 days of you deleting your account. You can delete your account at any time from the in-app account settings.
7. How we secure your personal information
We take technical and organisational measures designed to protect personal information against unauthorised access, use, alteration, or destruction. These include encryption in transit, access controls, and regular security review. No internet transmission is 100% secure, and we cannot guarantee absolute security. If we become aware of a personal data breach that is likely to result in a risk to your rights and freedoms, we will notify you and the relevant supervisory authority as required by law.
8. Your rights
Depending on where you live, you have the following rights in relation to your personal information:
- Right of access — to request a copy of the personal information we hold about you.
- Right to rectification — to ask us to correct inaccurate or incomplete information.
- Right to erasure ("right to be forgotten") — to ask us to delete your personal information in certain circumstances.
- Right to restrict processing — to ask us to limit how we use your data in certain circumstances.
- Right to data portability — to receive your personal information in a structured, commonly used, machine-readable format, or to have it transmitted to another controller.
- Right to object — to object to processing based on our legitimate interests or for direct marketing.
- Right to withdraw consent — where we rely on your consent, at any time.
- Right not to be subject to automated decision-making that produces legal or similarly significant effects.
To exercise any of these rights, contact us at founder@learnwithyada.com. We may need to verify your identity before responding. We will respond within one month (extendable by a further two months for complex requests, in which case we will let you know).
Objecting to analytics specifically. If you wish to object to product analytics processing (described in Section 1.4), email us at founder@learnwithyada.com with the subject line "Analytics objection". We will stop further analytics processing for your account.
8.1 Complaints
If you are unhappy with how we have handled your personal information, you have the right to complain to a supervisory authority.
- United Kingdom: the Information Commissioner's Office (ICO) at ico.org.uk or by calling 0303 123 1113.
- European Economic Area: the data protection authority in the country where you live, work, or where the alleged infringement took place. A list is available at edpb.europa.eu.
We would appreciate the chance to address your concerns before you contact a supervisory authority — please contact us first at founder@learnwithyada.com.
8.2 California residents
If you are a California resident, the California Consumer Privacy Act, as amended ("CCPA"), provides you with additional rights, including the right to know what personal information we collect, the right to request deletion, the right to correct inaccurate information, and the right to opt out of the sale or sharing of personal information. As stated above, we do not sell or share personal information for cross-context behavioural advertising. We will not discriminate against you for exercising any of your rights.
9. Cookies and similar technologies
We use cookies and similar technologies (including SDKs in our mobile app) for essential functionality, analytics, and to improve the Services. Where required by law, we will ask for your consent before setting non-essential cookies. You can manage your preferences through your browser settings or our in-app settings. Blocking essential cookies may prevent parts of the Services from functioning.
10. Children's privacy
The Services are not directed to children under 13. We do not knowingly collect personal information from children under 13 without verified parental consent. If you believe a child has provided us with personal information, please contact us and we will take steps to delete it.
11. Third-party websites
The Services may contain links to third-party websites or platforms that we do not control. This Privacy Policy does not apply to those websites, and we are not responsible for their privacy practices. We encourage you to read the privacy policies of any third-party websites you visit.
12. Changes to this policy
We may update this Privacy Policy from time to time. If we make material changes, we will revise the "Last updated" date above and, where required by law, notify you through the Services or by email. Your continued use of the Services after the changes become effective constitutes your acceptance of the revised Policy.
13. Contact us
NANA LABS LTD (trading as Yada)
Company No. 17153759 · Registered in England and Wales
Registered office: 82A James Carter Road, Mildenhall, IP28 7DE, United Kingdom
Email: founder@learnwithyada.com
If you have any questions about this Privacy Policy or how we handle your personal information, please contact us at the email address above.