Last updated · July 2, 2026
Privacy Policy
Kern is built to know as little about you as possible. This policy explains what we collect, why we collect it, who processes it, and what your rights are. It covers the Kern iOS app and the kern.cards website.
The short version
- Kern has no accounts. You never give us your name, email address, or payment details in the app.
- A random anonymous identifier is created for your installation. It is not linked to your identity.
- The book titles and authors you search for and add are the only content you actively send us. We use them to find the book and generate your cards.
- Payments are handled entirely by Apple. We never see your payment information.
- Your library and purchases sync through your personal iCloud account, which we cannot access.
- The website stores your email only if you join the waitlist.
- We do not sell personal data, we show no ads, and we use no advertising trackers.
Who we are
The Kern app and the kern.cards website are operated by Quantum IT d.o.o., Bana Tome Erdodyja Bakaca 2, 34000 Pozega, Croatia ("Quantum IT", "we", "us", "our"). For the purposes of the EU General Data Protection Regulation (GDPR), Quantum IT is the data controller for the processing described in this policy.
You can reach us at any time at hello@kern.cards.
Information we process in the app
Anonymous installation identifier
When you first open Kern, we create a random identifier for your installation using Firebase Authentication's anonymous sign-in. This identifier contains no personal details, is not connected to your name, email, phone number, or Apple ID, and exists so our servers can respond to your requests and apply fair-use limits. If you delete the app, the identifier is abandoned and a reinstall creates a new one.
Books you search for and add
When you search for a book, your search text is sent to our backend (Google Cloud Functions running in the European Union) and forwarded to the Google Books API to find matching titles. When you add a book, its title and author are sent to Anthropic's Claude API, which generates the study cards. Anthropic acts as our service provider and, under its commercial terms, does not use this data to train its models.
Generated decks are stored in a shared cache in our database (Google Cloud Firestore, EU region), keyed to the book itself rather than to you, so the next reader who adds the same book gets the cards instantly. The cached deck contains no information about you.
To prevent abuse, we keep a short-lived counter of how many decks your installation has generated in the past hour, keyed to your anonymous identifier. These records delete themselves automatically within a few hours.
Usage analytics
We use Google Firebase Analytics to understand whether Kern actually works as a product. We log a small set of events: app first opened, first card seen, book added (with the size of your library as a number), free books finished, paywall shown, purchase completed (the product identifier only), and purchase restored. Firebase also automatically collects technical data such as your device model, operating system version, app version, IP address, approximate region derived from the IP address, and app-instance identifiers.
We use this data in aggregate only. We do not use it for advertising, and Kern does not track you across other companies' apps or websites. You can read about how Google processes this data at policies.google.com/privacy and firebase.google.com/support/privacy. If you would like analytics data associated with your installation deleted, contact us.
Crash reports
If Kern crashes, Firebase Crashlytics automatically sends us a crash report so we can find and fix the problem. A report contains technical details about the crash (stack traces, device model, operating system version, app version, and the app's state at the moment of the crash) together with a Crashlytics installation identifier. Crash reports do not include your books, cards, or any content you typed.
Purchases
All purchases (the Kern Plus subscription and single-book unlocks) are processed by Apple through the App Store. We never receive your name, billing address, or payment card details. The app reads Apple's transaction records on your device to unlock what you have bought, and our analytics record only which product was purchased.
App integrity
We use Firebase App Check with Apple's App Attest and DeviceCheck services to confirm that requests to our backend come from a genuine copy of Kern. This exchanges cryptographic tokens about your device's integrity, not about you.
Information stored on your device and in your iCloud
Your library, your cards, your review history, and your saved cards are stored locally on your device. A compact list of the books in your library and the books you have unlocked is synced through iCloud key-value storage in your personal iCloud account, so your purchases and library survive reinstalls and follow you across your devices. This data lives in your iCloud account under Apple's terms; we have no access to it.
Deleting the app removes the local data. The iCloud copy remains in your iCloud account so your purchases are not lost if you reinstall.
Information we process on the website
- Waitlist. If you join the waitlist on kern.cards, your email address (together with which headline variant of the page you saw) is delivered to our inbox via Web3Forms, a form relay service. We use it solely to tell you when Kern launches and about major updates. Email us at any time to be removed.
- Local storage. The site stores a single flag in your browser's local storage to remember that you already joined, so you are not asked twice. The site sets no advertising or analytics cookies.
- Hosting. The site is served by Cloudflare, which processes standard technical logs (such as IP addresses and browser type) to deliver and secure the site.
What we never collect
- Your name, email address, or phone number (in the app)
- Payment card or billing details
- Precise location, contacts, photos, microphone, or health data
- Advertising identifiers, and we do not track you across apps or websites
Why we process this data (legal bases under the GDPR)
- To provide the Service (performance of a contract, Art. 6(1)(b)): finding books, generating and caching decks, unlocking purchases, syncing your library.
- To keep the Service safe and improve it (legitimate interests, Art. 6(1)(f)): abuse prevention, rate limiting, app integrity checks, and aggregate analytics that show us whether the product works.
- To contact you about the launch (consent, Art. 6(1)(a)): the website waitlist. You may withdraw consent at any time.
- To comply with the law (legal obligation, Art. 6(1)(c)): where we are required to retain or disclose information.
Who we share data with
We share data only with the service providers needed to run Kern, and only what each one needs:
- Apple (payments, app distribution, App Attest, iCloud sync) · apple.com/legal/privacy
- Google (Firebase anonymous authentication, analytics, crash reporting, cloud functions, Firestore database, App Check, and the Google Books API) · policies.google.com/privacy
- Anthropic (card generation from book title and author) · anthropic.com/legal/privacy
- Web3Forms (waitlist form relay on the website) · web3forms.com/privacy
- Cloudflare (website hosting and delivery) · cloudflare.com/privacypolicy
We do not sell personal data and we do not share it with advertisers or data brokers. We may disclose information if required by law, to protect our rights, or as part of a business transfer such as a merger or acquisition, in which case this policy continues to apply to it.
Where data is processed
Our backend and database run in the European Union (Google Cloud region europe-west1). Some of our providers, including Google, Anthropic, Cloudflare, and Web3Forms, may process data in the United States or other countries. Where personal data leaves the European Economic Area, the transfer is protected by recognized safeguards such as the EU-US Data Privacy Framework or the European Commission's Standard Contractual Clauses.
How long we keep data
- Analytics data: retained by Firebase for up to 14 months, then deleted or aggregated.
- Crash reports: retained by Crashlytics for 90 days.
- Rate-limit and live generation records: delete themselves automatically within a few hours.
- Cached decks: kept indefinitely; they describe books, not people, and contain no personal data.
- Backend logs: kept for a limited period for security and debugging, then deleted.
- Waitlist emails: kept until you ask to be removed, or until launch outreach is complete.
- Data on your device and in your iCloud: under your control, as described above.
Your rights
Depending on where you live, you have the right to access, correct, delete, or receive a copy of your personal data, to restrict or object to its processing, and to withdraw consent at any time. To exercise any of these rights, email hello@kern.cards.
One honest caveat: because Kern is anonymous by design, we usually cannot tell which data belongs to you. If you make a request, we may ask you for technical details from your device so we can locate the records tied to your installation.
If you are in the European Economic Area, you also have the right to lodge a complaint with a supervisory authority, either in the country where you live or with the Croatian Personal Data Protection Agency (AZOP, azop.hr).
California residents
If you are a California resident, the California Consumer Privacy Act (CCPA, as amended by the CPRA) gives you specific rights. In the last 12 months we have collected these categories of personal information: identifiers (anonymous installation identifiers, IP addresses, and, for waitlist members, an email address), internet or network activity (interactions with the app and website as described above), and commercial information (records of in-app purchase events, without payment details).
We collect this information directly from you and automatically through your use of the Service, for the purposes described in this policy. We do not sell personal information and we do not share it for cross-context behavioral advertising. We do not knowingly collect or sell the personal information of anyone under 16.
You have the right to know what personal information we hold about you, to request its deletion or correction, and not to be discriminated against for exercising those rights. To make a request, email hello@kern.cards; we will verify it and respond within the time the law requires.
Children
Kern is not directed at children under 13, and we do not knowingly collect personal data from them. If you believe a child has provided us with personal data, contact us and we will delete it.
Security
All communication between the app, the website, and our servers is encrypted in transit. Access to backend systems is restricted, and we collect the minimum data needed for each feature, which is the best security measure of all. That said, no method of transmission or storage is completely secure, and we cannot guarantee absolute security.
Links to other services
The app and the website may link to services we do not operate, such as the App Store or our providers' privacy pages. Their privacy practices are their own; we encourage you to read their policies.
Changes to this policy
We may update this policy as Kern evolves. We will post the new version on this page and update the date at the top. If a change is material, we will point it out in the app or on the website before it takes effect.
Contact
Quantum IT d.o.o.
Bana Tome Erdodyja Bakaca 2
34000 Pozega, Croatia
hello@kern.cards