Privacy Policy

Last updated May 24, 2026

This Privacy Policy explains how Sunbranch AS ("we", "us", "our") handles information in connection with the Cram mobile app (the "App") and the cramaiapp.com website. We've kept it in plain language.

Cram is built to be private by default: it works offline, the decks you create are stored on your device, and the App has no account or login. We do not use your study content to train AI models.

We are committed to protecting your privacy and to complying with the EU/EEA General Data Protection Regulation (GDPR) and other applicable data-protection laws.

1. Who we are (Data Controller)

Sunbranch AS is the data controller responsible for personal data processed through Cram. We are based in Norway.

Questions or requests: support@cramaiapp.com · https://sunbranch.no

2. Information we process

Because the App has no sign-up, we do not collect your name, email address, password, contacts, or precise location.

Study content you provide

When you create a deck, you can give Cram a topic, pasted text, a web link, or a PDF. To turn that into flashcards, the content is sent to our AI providers and the generated cards are returned to your device (see section 3). Your decks and review history are stored locally on your device — not on our servers.

Usage and diagnostics

To understand how the App is used and to fix problems, we collect anonymous usage analytics (such as screens viewed, features used, and similar events) and crash reports (device model, operating-system version, app version, and error details). This information is not tied to your real-world identity.

Purchases

If you subscribe to Cram Pro, the purchase is processed by Apple and our subscription provider, RevenueCat. We receive your subscription status (for example, active or expired) and an anonymous identifier — never your card number or payment details.

3. AI flashcard generation

To create your cards, the topic, text, link, or PDF you submit is sent to our AI provider, Google (Gemini), which generates the flashcards and returns them to your device. We send only what is needed to produce your deck, and the content is processed transiently to fulfil your request.

We do not use your content to train our own models, and we use Google's Gemini API, under which your input is not used to train Google's models. AI-generated content can be inaccurate or incomplete — always review your cards and verify important facts.

4. How we use your data, and our legal bases

Under the GDPR we must have a lawful basis for each purpose. Ours are:

To provide the App (legal basis: performance of a contract)

  • Generate flashcards from the material you provide.
  • Deliver, maintain, and support the App's features.
  • Process and validate your subscription.

To improve and secure the App (legal basis: legitimate interests)

  • Analyse anonymous usage to improve features.
  • Diagnose crashes and fix bugs.
  • Prevent abuse and keep the service secure.

To meet legal obligations (legal basis: legal obligation)

  • Keep records required for tax, accounting, and consumer-law purposes.
  • Respond to lawful requests.

5. Third-party services we rely on

We use a small number of trusted providers. Each processes data under its own privacy policy and only as needed to provide its function. We never share your study content with our analytics or crash-reporting providers.

  • Google (Gemini API) — generates flashcards from the material you submit (policies.google.com/privacy).
  • PostHog — anonymous product analytics (posthog.com/privacy).
  • Sentry — crash and error reporting (sentry.io/privacy).
  • RevenueCat — subscription management (revenuecat.com/privacy).
  • Apple — App Store distribution and payment processing (apple.com/legal/privacy).

6. Storage and security

Your decks and review history are stored on your device. The limited data we do process (anonymous analytics, crash reports, and subscription status) is handled by the providers above, which use encryption in transit and appropriate technical and organisational safeguards. No system is perfectly secure, but we take reasonable measures to protect the data we process.

7. Data retention

  • Decks and review history: kept on your device until you delete them, clear the App's data, or remove the App.
  • Anonymous analytics and crash data: kept only as long as needed for the purposes above — no more than 14 months — then deleted or aggregated.
  • AI generation: your input is processed transiently to generate your deck and is not retained by us.
  • Subscription records: kept as long as required for tax, accounting, and legal purposes.

8. International data transfers

Our analytics provider (PostHog) processes data in the European Union. Some other providers — in particular our AI provider, Google, and our crash-reporting provider — may process data outside the European Economic Area, including in the United States. Where data leaves the EEA, we rely on appropriate safeguards such as the European Commission's Standard Contractual Clauses and, where applicable, certification under the EU–US Data Privacy Framework.

9. Your privacy rights (GDPR Articles 15–22)

If you are in the EEA or UK, you have the right to access your personal data (Art. 15), to rectification (Art. 16), to erasure (Art. 17), to restriction of processing (Art. 18), to data portability (Art. 20), and to object to processing based on legitimate interests (Art. 21). Where processing is based on consent, you may withdraw it at any time.

Because your study content is stored on your device and the App has no account, you can remove it at any time by clearing the App's data or deleting the App. For requests about analytics or other data we process, email support@cramaiapp.com. We will respond within 30 days, and there is no fee for exercising your rights.

10. Complaints

If you believe we have not handled your data properly, you can lodge a complaint with the Norwegian Data Protection Authority (Datatilsynet, datatilsynet.no) or with the supervisory authority in your country of residence. We'd appreciate the chance to resolve your concern first, so please contact us before you do.

11. Children's privacy

Cram is intended for users aged 13 and older. We do not knowingly collect personal data from children under 13. If you believe a child under 13 has provided us with personal data, contact us and we'll delete it.

12. The marketing website

The cramaiapp.com website does not use analytics cookies or third-party tracking. It sets only the cookies strictly necessary to serve the site.

13. Changes to this policy

We may update this policy from time to time. When we make material changes, we'll revise the “last updated” date at the top and, where appropriate, note the change in the App.

14. Contact us

Questions about this policy or your data? Email support@cramaiapp.com. Sunbranch AS, Norway.