Privacy Policy

Last updated: 4 May 2026

This Privacy Policy explains what data Graze ("we", "us") collects when you use the Graze mobile app and web app (collectively, the "Service"), how we use it, who we share it with, and the choices you have. Graze is operated by Edward Tran, Sydney, Australia. Contact: support@trygraze.app.

The short version. When you upload a PDF or notes, the file's text content is sent to two third-party AI services — LlamaParse (text extraction) and Google Gemini Flash 2.0 (topic extraction and card generation) — to produce flashcards. We store your account email (via Clerk), the parsed document text, the generated cards, and your study activity in our database (Supabase) so you can come back to your decks. You can delete your account and all associated data from inside the app at any time.

1. Data we collect

Account data (via Clerk). When you sign in, our authentication provider Clerk receives your name and email address. Clerk issues us a stable user ID we use to associate your decks and study history with your account. You can review Clerk's privacy practices at clerk.com/legal/privacy.
Uploaded PDF and note content. When you upload a PDF, paste notes, or take a photo of notes, that content is transmitted to our backend for processing.
Generated study content. Topics, flashcards, multiple-choice cards, summary slides, and memory hooks generated from your input are stored against your account in our database (Supabase) so they're available across sessions and devices.
Study analytics (via PostHog). If you have not opted out of analytics, we record product usage events: deck opens, card swipes, study session length, accuracy, deck creations, deletions, and screen views. PostHog also receives a randomly-generated device identifier. PostHog's privacy practices are at posthog.com/privacy. PostHog is not initialised, and no events are sent, until you have seen and dismissed the AI-data consent prompt the first time you upload.
Local device data. The Graze app stores a copy of your decks and study progress in your device's local storage so you can use the app offline. This data never leaves your device unless you upload notes or sign in.

2. Third-party AI services we send your content to

To generate flashcards we share the contents of the file or notes you upload with the following third-party AI services. By uploading a file you are explicitly consenting to this transmission — Graze prompts you for this consent the first time you upload, and the upload will not start unless you accept.

LlamaParse (operated by LlamaIndex, Inc.) — receives PDFs and image files for text extraction. LlamaParse's documented retention is "for the duration of processing only" and it does not use customer content for model training. See LlamaParse Security.
Google Gemini Flash 2.0 (operated by Google LLC) — receives the parsed text of your file plus model prompts to extract topics and generate cards. We use the paid Gemini API tier; Google does not use paid-tier content to improve its models. See Gemini API terms.
OpenAI and Anthropic — used for some card-polishing and answer-marking calls. Same posture: paid-tier APIs, content not used for training. See OpenAI API policy and Anthropic Privacy.

None of these providers is sent your name, email, or Clerk identifier. They receive only the content you uploaded and the prompts we wrap it in.

3. How we use your data

To extract topics and generate flashcards from your uploads.
To save your decks, study progress, and mastery state so they're available next time you sign in.
To improve the product (only via aggregated PostHog analytics, and only if you have not opted out).
To respond to support requests you send us.

We do not sell your data, and we do not use your uploaded content to train AI models, ours or anyone else's.

4. Storage and retention

Account data. Retained for the lifetime of your account. Deleted when you delete your account.
Uploaded PDFs and parsed text. Stored in Supabase (Postgres + Storage), in the documents and document_chunks tables and the documents/<your-user-id>/ folder of our Storage bucket. Retained until you delete the deck or your account.
Generated cards and study sessions. Stored in the cards and study_sessions tables. Retained until you delete the deck or your account.
Analytics events. Retained by PostHog for up to 12 months under our PostHog plan, then automatically deleted.

5. Your rights

You can:

Access your data. Your decks and cards are visible in the app. For a full export of the records held against your Clerk user ID, email support@trygraze.app and we'll provide a JSON export within 30 days.
Delete your data. Inside the app, open Settings → Delete account. This permanently deletes your account at Clerk, removes every document, card, study session, and uploaded file we hold for you in Supabase, and ends any active analytics tracking. The action cannot be undone.
Export your data. Each deck has an export button that downloads a JSON file with the deck's cards and metadata. You can do this for every deck without contacting us.
Opt out of analytics. In Settings, toggle "Product analytics" off. Existing analytics events are not retroactively deleted, but no further events will be sent from your device.
Withdraw AI processing consent. If you previously consented to AI processing of uploaded content but now wish to withdraw that consent, simply stop uploading new files. Existing decks generated from earlier uploads remain in your account until you delete them.

6. Children

Graze is not directed to children under 13, and we do not knowingly collect data from anyone under 13. If you believe a child has signed up, email us and we will delete the account.

7. Security

Data in transit is protected by TLS. Data at rest in Supabase is encrypted at the storage layer. Authentication is handled by Clerk. We do not store passwords ourselves.

8. Changes to this policy

If we make material changes we will update the "Last updated" date above and, where appropriate, notify you in-app or by email.

9. Contact

Questions, deletion requests, or data-subject access requests: support@trygraze.app.