Privacy Policy

Last updated July 4, 2026

This Privacy Policy explains how Sunbranch AS ("we", "us", "our") handles information in connection with the Cram mobile app (the "App") and the cramaiapp.com website. We've kept it in plain language.

Cram is built to be private: there are no ads, we never sell your data, and we do not use your study content to train AI models. You sign in with Apple, Google, or your email address, and the decks you create are stored on your device and synced to your account on servers hosted in the European Union, so your study material is backed up and follows you across devices.

We are committed to protecting your privacy and to complying with the EU/EEA General Data Protection Regulation (GDPR) and other applicable data-protection laws.

1. Who we are (Data Controller)

Sunbranch AS is the data controller responsible for personal data processed through Cram. We are based in Norway.

Questions or requests: support@cramaiapp.com · https://sunbranch.no

2. Information we process

We do not collect your contacts or your precise location, and the only photos we process are the ones you choose to turn into flashcards.

Account information

Cram requires an account. When you sign in with Apple, Google, or your email address, we process your email address, your name or display name (if you share one — Sign in with Apple lets you hide your email and use a private relay address), a unique account identifier, and authentication data such as session tokens. If you set optional profile details in the App (like a display name or study preferences from onboarding), we store those with your account.

Study content you provide

When you create a deck, you can give Cram a topic, pasted text, a web link, a YouTube link, a PDF, or a photo or scan of your notes. To turn that into flashcards, the content is sent to our AI provider and the generated cards are returned to your device (see section 3). Your decks and review history are stored on your device and synced to your account on our database provider's servers in the European Union, so they're backed up and available if you reinstall the App or change phones.

Usage and diagnostics

To understand how the App is used and to fix problems, we collect usage analytics (such as screens viewed, features used, and similar events) and crash reports (device model, operating-system version, app version, and error details). These are linked to a pseudonymous identifier associated with your account — not to your name or email — and we never share your study content with our analytics or crash-reporting providers.

Purchases

If you subscribe to Cram Pro, the purchase is processed by Apple and our subscription provider, RevenueCat. We receive your subscription status (for example, active or expired) and a pseudonymous app-user identifier — never your card number or payment details.

3. AI flashcard generation

To create your cards, the topic, text, link, PDF, photo, or scan you submit is sent to our AI provider, Google (Gemini), which generates the flashcards and returns them to your device. We send only what is needed to produce your deck, and the content is processed transiently to fulfil your request.

We do not use your content to train our own models, and we use Google's Gemini API, under which your input is not used to train Google's models. AI-generated content can be inaccurate or incomplete — always review your cards and verify important facts.

4. How we use your data, and our legal bases

Under the GDPR we must have a lawful basis for each purpose. Ours are:

To provide the App (legal basis: performance of a contract)

  • Create and manage your account, and send the emails needed to operate it (such as sign-in and email-verification messages).
  • Generate flashcards from the material you provide.
  • Sync and back up your decks and review history to your account.
  • Deliver, maintain, and support the App's features.
  • Process and validate your subscription.

To improve and secure the App (legal basis: legitimate interests)

  • Analyse pseudonymous usage to improve features.
  • Diagnose crashes and fix bugs.
  • Prevent abuse and keep the service secure.

To meet legal obligations (legal basis: legal obligation)

  • Keep records required for tax, accounting, and consumer-law purposes.
  • Respond to lawful requests.

5. Third-party services we rely on

We use a small number of trusted providers. Each processes data under its own privacy policy and only as needed to provide its function. We never share your study content with our analytics or crash-reporting providers.

  • Supabase — account authentication and the database that stores your synced decks, hosted in the European Union (supabase.com/privacy).
  • Google (Gemini API) — generates flashcards from the material you submit (policies.google.com/privacy).
  • PostHog — product analytics, hosted in the European Union (posthog.com/privacy).
  • Sentry — crash and error reporting (sentry.io/privacy).
  • RevenueCat — subscription management (revenuecat.com/privacy).
  • Apple — App Store distribution, payment processing, and Sign in with Apple (apple.com/legal/privacy).
  • Google — Sign in with Google (policies.google.com/privacy).

6. Storage and security

Your decks and review history are stored on your device and synced to your account in our database, hosted with Supabase in the European Union (Sweden). Data is encrypted in transit and at rest, and authentication credentials are stored securely on your device. The other data we process (analytics, crash reports, and subscription status) is handled by the providers above, which use encryption in transit and appropriate technical and organisational safeguards. No system is perfectly secure, but we take reasonable measures to protect the data we process.

7. Data retention

  • Account data, decks, and review history: kept while your account exists. Deleting your account in the App (see section 9) permanently removes them from our servers.
  • Analytics and crash data: kept only as long as needed for the purposes above — no more than 14 months — then deleted or aggregated.
  • AI generation: your input is processed transiently to generate your deck and is not retained by us beyond the resulting cards.
  • Subscription records: kept as long as required for tax, accounting, and legal purposes.

8. International data transfers

Your account data and synced study content are hosted in the European Union (Sweden), and our analytics provider (PostHog) also processes data in the European Union. Some other providers — in particular our AI provider, Google, and our crash-reporting provider — may process data outside the European Economic Area, including in the United States. Where data leaves the EEA, we rely on appropriate safeguards such as the European Commission's Standard Contractual Clauses and, where applicable, certification under the EU–US Data Privacy Framework.

9. Your privacy rights (GDPR Articles 15–22)

If you are in the EEA or UK, you have the right to access your personal data (Art. 15), to rectification (Art. 16), to erasure (Art. 17), to restriction of processing (Art. 18), to data portability (Art. 20), and to object to processing based on legitimate interests (Art. 21). Where processing is based on consent, you may withdraw it at any time.

You can exercise the most important rights directly in the App: export a copy of your data (decks, cards, and review history) from Account settings, edit your profile details, and permanently delete your account — which removes your account and synced study content from our servers. For anything else, or if you'd rather we handle a request for you, email support@cramaiapp.com. We will respond within 30 days, and there is no fee for exercising your rights.

10. Complaints

If you believe we have not handled your data properly, you can lodge a complaint with the Norwegian Data Protection Authority (Datatilsynet, datatilsynet.no) or with the supervisory authority in your country of residence. We'd appreciate the chance to resolve your concern first, so please contact us before you do.

11. Children's privacy

Cram is intended for users aged 13 and older. We do not knowingly collect personal data from children under 13. If you believe a child under 13 has provided us with personal data, contact us and we'll delete it.

12. The website

The cramaiapp.com website does not use analytics cookies or third-party tracking. It sets only the cookies strictly necessary to serve the site — including a session cookie if you sign in to your account on the web.

13. Changes to this policy

We may update this policy from time to time. When we make material changes, we'll revise the “last updated” date at the top and, where appropriate, note the change in the App.

14. Contact us

Questions about this policy or your data? Email support@cramaiapp.com. Sunbranch AS, Norway.