Privacy Policy

AccelaStudy Privacy Policy

Version: 2.1.0

Effective Date: March 9, 2026

Last Updated: March 17, 2026

1. Introduction & Scope

This Privacy Policy explains how Renkara Media Group ("Renkara," "we," "us," or "our") collects, uses, shares, and protects your personal data when you use the AccelaStudy application and related services (collectively, the "Service").

This policy applies to all users of the Service worldwide, including users in the European Economic Area (EEA), the United Kingdom (UK), the State of California, and all other jurisdictions. Where local laws grant you additional rights, those rights are described in the relevant sections below.

By using the Service, you acknowledge that you have read and understood this Privacy Policy. Where we rely on consent as a legal basis for processing, we will obtain your explicit consent before collecting or processing your data.

2. Data Controller

The data controller responsible for your personal data is:

Renkara Media Group

Email: privacy@renkara.com

General Support: support@renkara.com

For GDPR-related inquiries, you may also contact our Data Protection Officer at the email address listed in Section 14.

3. What Personal Data We Collect

3.1 Data You Provide Directly

Category	Data Elements	When Collected
Account Information	Email address, first name, last name, username, password (stored as bcrypt hash)	Account registration
Social Sign-In Data	Apple User ID (Apple Sign-In); Facebook profile data including email, first name, last name, gender, locale, and authentication token (Facebook Sign-In)	When you choose to sign in via Apple or Facebook
Study Content	User-created study sets, custom groupings of content	When you create or modify study materials

3.2 Data We Collect Automatically

Category	Data Elements	When Collected
Device Information	Device vendor identifier (Device ID), device type, operating system version, app version, locale/language	Each time you use the Service
Usage & Analytics Data	Analytics events (event name, timestamp, associated product ID), IP address	During your use of the Service
Study Progress	Per-item difficulty scores, study set membership, enrollment data (which products you study)	As you study
Session Data	Session authentication tokens	When you sign in
Subscription Data	App Store transaction IDs, purchase dates, subscription expiration dates	When you make a purchase or restore a subscription

3.3 Data We Do Not Collect

We do not collect precise geolocation data, biometric data, financial account numbers, government-issued identification numbers, or health information.

4. How We Use Your Data

We process your personal data only for the purposes described below. For users in the EEA/UK, we identify the lawful basis under GDPR Article 6 for each purpose.

Purpose	Data Used	Lawful Basis (GDPR)
Provide and operate the Service	Account information, device information, session data, study progress, study content, enrollment data	Performance of contract (Art. 6(1)(b))
Authenticate your identity	Email, password hash, Apple User ID, Facebook token and profile data, session tokens	Performance of contract (Art. 6(1)(b))
Process subscriptions and purchases	Subscription/receipt data, account information	Performance of contract (Art. 6(1)(b))
Personalize your study experience	Study progress, difficulty scores, enrollment data, study sets	Performance of contract (Art. 6(1)(b))
Send transactional communications	Email address, name	Performance of contract (Art. 6(1)(b))
Send marketing communications	Email address, name	Consent (Art. 6(1)(a)) — you may withdraw consent at any time
Analyze usage and improve the Service	Analytics events, device information, IP address, usage data	Legitimate interest (Art. 6(1)(f)) — improving our Service and user experience
Ensure security and prevent fraud	IP address, device information, session data	Legitimate interest (Art. 6(1)(f)) — protecting our Service and users
Comply with legal obligations	Any data as required by applicable law	Legal obligation (Art. 6(1)(c))

Where we rely on legitimate interest, we have conducted balancing tests to ensure our interests do not override your fundamental rights and freedoms.

5. Cookies and Tracking Technologies

5.1 Mobile Application

The AccelaStudy mobile application does not use browser cookies. We use a device vendor identifier (Device ID) to associate your device with your account and to collect analytics data.

5.2 Website

If you visit our website, we may use:

Strictly Necessary Cookies: Required for the website to function (e.g., session management). These do not require consent under ePrivacy rules.
Analytics Cookies: Used to understand how visitors interact with our website. These are only set with your prior consent, in compliance with the ePrivacy Directive.

You can manage your cookie preferences through your browser settings or through any cookie consent mechanism presented on our website. Withdrawing consent for non-essential cookies will not affect the functionality of the Service.

5.3 Do Not Track

We honor Do Not Track (DNT) browser signals. When we detect a DNT signal, we do not load non-essential tracking technologies.

6. Third-Party Services and Data Sharing

We share your data with the following third-party service providers, solely for the purposes described. We do not sell your personal data.

6.1 Service Providers

Provider	Purpose	Data Shared	Location
Amazon Web Services (AWS)	Cloud hosting, infrastructure (including Secrets Manager, SQS, DynamoDB)	All data stored by the Service	United States
SendGrid (Twilio Inc.)	Transactional and marketing email delivery, webhook event processing	Email address, name, email content	United States
Apple Inc.	Sign-In with Apple authentication, App Store receipt validation and subscription management	Apple User ID, subscription/receipt data	United States
Facebook (Meta Platforms, Inc.)	Facebook Sign-In authentication, Graph API profile retrieval	Facebook authentication token, profile data (email, name, gender, locale)	United States

Each service provider is bound by a Data Processing Agreement (DPA) that requires them to process your data only on our instructions and in compliance with applicable data protection law.

6.2 Other Disclosures

We may also disclose your personal data:

Law enforcement requests: In response to a valid subpoena, search warrant, court order, or other lawful request from a government authority. This includes requests issued under the U.S. Stored Communications Act as amended by the CLOUD Act (see Section 7.2 below).
National security requests: In response to National Security Letters (NSLs) or orders issued under the Foreign Intelligence Surveillance Act (FISA), to the extent permitted and required by law. We may be prohibited from disclosing the existence of such requests.
Safety and rights protection: To protect the rights, property, or safety of Renkara, our users, or the public.
Business transfers: In connection with a merger, acquisition, reorganization, or sale of assets, in which case the acquiring entity will be bound by this Privacy Policy with respect to your data.

Our commitments regarding government data requests:

We review every government request for legal validity and sufficient scope before producing any data.
We challenge requests that we determine to be overly broad, legally deficient, or otherwise inappropriate, including by seeking to narrow the scope of the request or by filing a motion to quash where warranted.
We will notify affected users of a government data request before producing their data, unless we are legally prohibited from doing so (e.g., by a court-issued gag order or the terms of a National Security Letter). When a non-disclosure obligation expires, we will promptly notify the affected user.
We produce only the specific data responsive to a valid request — we do not provide bulk or indiscriminate access to our systems or databases.

We do not share your data with third parties for their own marketing purposes.

7. International Data Transfers

7.1 Transfer Mechanisms

Renkara is based in the United States. If you are located outside the United States (including in the EEA or UK), your personal data will be transferred to and processed in the United States.

We protect international transfers of personal data using the following safeguards:

Standard Contractual Clauses (SCCs): We use the European Commission's Standard Contractual Clauses (as supplemented where required) for transfers of personal data from the EEA to the United States.
UK International Data Transfer Agreement (IDTA): For transfers from the UK, we use the UK Addendum to the EU SCCs or the UK IDTA as appropriate.
Supplementary measures: We implement the additional technical and organizational measures described in Section 7.3 to ensure an adequate level of protection for your data.

You may request a copy of the relevant transfer safeguards by contacting us at privacy@renkara.com.

7.2 U.S. CLOUD Act Disclosure

Renkara is a United States corporation. As such, Renkara and its U.S.-based sub-processors (including Amazon Web Services and Twilio/SendGrid) are subject to the Clarifying Lawful Overseas Use of Data Act (CLOUD Act), enacted in 2018 as an amendment to the U.S. Stored Communications Act (18 U.S.C. § 2713).

What this means for your data:

Under the CLOUD Act, U.S. law enforcement authorities may compel Renkara or its U.S.-based sub-processors to produce user data in response to a valid warrant, subpoena, or court order, regardless of whether the data is stored inside or outside the United States.
This means that even if your data is physically stored in a data center located in the European Union or another jurisdiction, it may still be subject to disclosure under U.S. legal process.
The CLOUD Act applies to the content of communications and stored data, as well as to non-content metadata (e.g., subscriber information, session records, IP addresses).

Our position and safeguards:

We will not voluntarily disclose user data to any government authority absent a valid and binding legal process.
We evaluate all U.S. government data requests against applicable law, including by assessing whether the request conflicts with the laws of the country where the data subject resides (including GDPR). The CLOUD Act provides a mechanism for providers to challenge requests that create such conflicts, and we will invoke that mechanism where appropriate.
We maintain the commitments described in Section 6.2 regarding review, challenge, and notification of government data requests.

For EEA and UK users: We recognize that the CLOUD Act was identified by the Court of Justice of the European Union (in *Schrems II*, Case C-311/18) as a factor relevant to the assessment of U.S. data protection standards. We address this through the supplementary measures described in Section 7.3, in accordance with the European Data Protection Board's recommendations on supplementary transfer measures (Recommendations 01/2020).

7.3 Supplementary Measures for International Transfers

In addition to the Standard Contractual Clauses, we implement the following supplementary technical and organizational measures to protect personal data transferred from the EEA/UK to the United States:

Technical measures:

Encryption in transit: All data transmitted between your device and our servers is encrypted using TLS 1.2 or higher. Internal service-to-service communications within our infrastructure are also encrypted.
Encryption at rest: All personal data stored in our databases and cloud infrastructure is encrypted at rest using AES-256 encryption with keys managed through AWS Key Management Service (KMS). Encryption keys are access-controlled and rotated regularly.
Access controls: Access to personal data is restricted to authorized personnel on a strict need-to-know basis. We use role-based access controls, multi-factor authentication for all administrative access, and centralized credential management through AWS Secrets Manager.
Pseudonymization: Where technically feasible, we pseudonymize personal data so that it cannot be attributed to a specific individual without the use of additional information, which is kept separately and subject to additional access controls.

Organizational measures:

Government access assessment: We have conducted a transfer impact assessment evaluating the risk of government access to transferred data under U.S. law. This assessment considers the legal framework (including the CLOUD Act, FISA, and Executive Order 12333), the practical likelihood of access given the nature and volume of data we process, and the effectiveness of our technical measures.
Commitment to challenge: As described in Section 6.2, we will challenge government data requests that we assess to be overly broad, legally deficient, or in conflict with EU/UK data protection law.
User notification: We will notify affected data subjects of government access requests unless legally prohibited, and will seek to lift any non-disclosure obligations as soon as legally permissible.
Data minimization: We collect and retain only the personal data necessary for the purposes described in this policy (see Section 8), reducing the volume of data potentially subject to government access.
Sub-processor oversight: Our Data Processing Agreements with sub-processors require them to implement equivalent technical and organizational measures and to notify us promptly of any government data requests they receive relating to our users' data.

8. Data Retention

We retain your personal data only for as long as necessary to fulfill the purposes described in this policy, or as required by law. Specific retention periods are:

Data Category	Retention Period
Account information	Until you delete your account, plus 30 days for backup removal
Study progress and study sets	Until you delete your account
Analytics events and usage data	2 years from the date of collection
Session tokens	30 days from issuance, or until you sign out
Subscription/receipt data	Duration of the subscription plus 3 years (for financial record-keeping and dispute resolution)
SendGrid email delivery logs	90 days
IP addresses in analytics	90 days, then anonymized or deleted
Facebook and Apple authentication tokens	Until you disconnect the linked account or delete your AccelaStudy account

When the retention period expires, we securely delete or anonymize the data. You may request deletion of your data at any time (see Sections 9 and 10).

9. Your Rights Under GDPR (EEA and UK Users)

If you are located in the European Economic Area or the United Kingdom, you have the following rights under the General Data Protection Regulation (GDPR) and the UK GDPR:

Right of Access (Art. 15): You may request a copy of the personal data we hold about you.

Right to Rectification (Art. 16): You may request that we correct inaccurate or incomplete personal data.

Right to Erasure (Art. 17): You may request that we delete your personal data ("right to be forgotten"), subject to certain legal exceptions.

Right to Data Portability (Art. 20): You may request your personal data in a structured, commonly used, machine-readable format (JSON or CSV), and have it transmitted to another controller.

Right to Restrict Processing (Art. 18): You may request that we limit the processing of your personal data in certain circumstances.

Right to Object (Art. 21): You may object to processing based on legitimate interest or for direct marketing purposes. Where you object to direct marketing, we will stop processing immediately.

Right to Withdraw Consent (Art. 7(3)): Where we process your data based on consent, you may withdraw that consent at any time. Withdrawal does not affect the lawfulness of processing carried out before the withdrawal.

Right to Lodge a Complaint: You have the right to lodge a complaint with your local data protection supervisory authority.

We will respond to all rights requests within 30 days. In complex cases, we may extend this period by an additional 60 days, and we will inform you of any such extension.

10. Your Rights Under CCPA (California Residents)

If you are a California resident, you have the following rights under the California Consumer Privacy Act (CCPA) and the California Privacy Rights Act (CPRA):

Right to Know: You may request that we disclose the categories and specific pieces of personal information we have collected about you, the sources of that information, the purposes for collection, and the categories of third parties with whom we share it.

Right to Delete: You may request that we delete the personal information we have collected about you, subject to certain legal exceptions.

Right to Correct: You may request that we correct inaccurate personal information.

Right to Opt-Out of Sale/Sharing: We do not sell your personal information. We do not share your personal information for cross-context behavioral advertising.

Right to Non-Discrimination: We will not discriminate against you for exercising any of your CCPA rights. You will not receive different pricing, a different quality of service, or be denied service for exercising your rights.

CCPA Categories of Personal Information Collected:

CCPA Category	Examples	Collected
Identifiers	Name, email, username, Device ID, IP address, Apple User ID	Yes
Customer records	Name, email	Yes
Commercial information	Subscription and purchase records	Yes
Internet/electronic activity	Analytics events, usage data, app interactions	Yes
Geolocation	General location inferred from IP address (not precise)	Yes
Inferences	Study difficulty scores, learning progress	Yes

We do not collect: protected classification characteristics, biometric data, sensory data, professional/employment data, education data (beyond study progress within our app), or sensitive personal information as defined by the CPRA.

To submit a CCPA request, see Section 16.

11. Children's Privacy (COPPA)

We take children's privacy seriously. In compliance with the Children's Online Privacy Protection Act (COPPA):

Users under 13: We do not knowingly collect personal information from children under the age of 13 without verifiable parental consent. If a child under 13 wishes to use the Service, a parent or legal guardian must create the account and provide consent on the child's behalf.
Parental rights: Parents or guardians of children under 13 may:

- Review the personal information we have collected from their child

- Request deletion of their child's personal information

- Refuse further collection or use of their child's information

How to exercise these rights: Contact us at privacy@renkara.com with the subject line "COPPA Request." We will verify your identity as the child's parent or guardian before processing the request.
If we discover unauthorized collection: If we learn that we have collected personal information from a child under 13 without parental consent, we will delete that information promptly.

For users in the EEA/UK, the minimum age for consent to data processing is 16 (or the lower age set by the relevant Member State, which may be as low as 13). Where the user is below the applicable age, we require consent from the holder of parental responsibility.

12. Data Security

We implement appropriate technical and organizational measures to protect your personal data against unauthorized access, alteration, disclosure, or destruction. These measures include:

Passwords: All user passwords are hashed using bcrypt with an appropriate cost factor. We never store passwords in plaintext.
Encryption in transit: All data transmitted between your device and our servers is encrypted using TLS (Transport Layer Security).
Encryption at rest: Data stored in our databases and cloud infrastructure is encrypted at rest using AWS-managed encryption keys.
Access controls: Access to personal data is restricted to authorized personnel on a need-to-know basis. We use AWS Secrets Manager for secure credential storage.
Infrastructure security: Our infrastructure is hosted on AWS, which maintains SOC 2, ISO 27001, and other industry-standard security certifications.
Session management: Session tokens expire after 30 days and can be invalidated by signing out.
Monitoring: We monitor our systems for security incidents and unauthorized access attempts.

No method of transmission over the Internet or electronic storage is 100% secure. While we strive to use commercially acceptable means to protect your personal data, we cannot guarantee absolute security.

13. Data Breach Notification

In the event of a personal data breach that is likely to result in a risk to your rights and freedoms:

Supervisory authorities: We will notify the relevant data protection supervisory authority within 72 hours of becoming aware of the breach, in accordance with GDPR Article 33.
Affected individuals: Where the breach is likely to result in a high risk to your rights and freedoms, we will notify you without undue delay, in accordance with GDPR Article 34. Notification will be sent via email to your registered email address.
California residents: We will notify affected California residents as required by California Civil Code § 1798.82.
Content of notification: Breach notifications will describe the nature of the breach, the categories and approximate number of individuals affected, the likely consequences, and the measures taken or proposed to address the breach.

14. Data Protection Officer

Although not legally required to appoint a Data Protection Officer under GDPR Article 37, we have designated a privacy contact to handle all data protection inquiries:

Data Protection Contact

Renkara Media Group

Email: privacy@renkara.com

You may contact our Data Protection Contact for any questions regarding this Privacy Policy, to exercise your data protection rights, or to file a complaint about our data practices.

15. Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technologies, legal requirements, or other factors. When we make material changes:

We will update the "Last Updated" date at the top of this policy.
We will notify you by email and/or through a prominent notice within the Service at least 30 days before the changes take effect.
Where required by law, we will obtain your consent to material changes.

Your continued use of the Service after the effective date of changes constitutes acceptance of the updated policy. If you do not agree with the changes, you may delete your account before the changes take effect.

We encourage you to review this Privacy Policy periodically.

16. How to Exercise Your Rights

You may exercise any of your data protection rights by:

Email: Send a request to privacy@renkara.com. Please include:

- Your full name and email address associated with your account

- The specific right you wish to exercise

- Any details necessary to fulfill your request

In-App: Use the account settings within the AccelaStudy app to:

- Update your personal information

- Delete your account and associated data

- Manage marketing communication preferences

Marketing opt-out: You can unsubscribe from marketing emails by clicking the "Unsubscribe" link in any marketing email, or by contacting us at the email above.

Verification: To protect your privacy, we will verify your identity before processing any rights request. We may ask you to confirm information associated with your account.

Response time:

GDPR requests: within 30 days (extendable by 60 days for complex requests)
CCPA requests: within 45 days (extendable by an additional 45 days)
COPPA requests: as promptly as possible, typically within 10 business days

No fee: We will not charge a fee for processing your request, unless the request is manifestly unfounded or excessive, in which case we may charge a reasonable fee or refuse the request.

Authorized agents: California residents may designate an authorized agent to submit requests on their behalf. The agent must provide written authorization signed by you, and we may still verify your identity directly.

17. Contact Us

If you have any questions, concerns, or complaints about this Privacy Policy or our data practices, please contact us:

Renkara Media Group

Email: privacy@renkara.com

General Support: support@renkara.com

*This Privacy Policy is effective as of March 9, 2026.*

*Version 2.1.0*