Privacy Policy
Last updated: 6 July 2026
Phasa is a Thai-immersion reading and study tool, operated by Phasa LLC, a Wyoming (USA) limited liability company (“Phasa,” “we,” “us”). This policy explains what personal data we collect, why, and what you can do about it. We’ve written it in plain language on purpose.
The short version: you can look up words in the dictionary and read the sample readings without an account, and we don’t run any advertising or third-party tracking. When you create an account, we store the things you’d expect — your email, and the words and progress you build as you learn — so the app can remember them for you.
Who we are
The data controller is Phasa LLC. For any privacy question or request, email hello@phasa.app.
What you can do without an account
The dictionary and the sample readings are open to everyone, with no account and no payment. If you only use these, we don’t create a profile about you. Your device may still store small preference cookies (see Cookies below), and our hosting providers process ordinary technical logs (see Infrastructure below), but we don’t ask for or store personal details.
What we collect when you create an account
Account details. Your email address and a password. Passwords are handled by our authentication provider (Supabase) and stored in hashed form — we never see or store your password in plain text. You may optionally set a display name.
Your learning data. So the app can remember your progress across sessions, we store things like: which words you’ve marked as known, learning, or ignored; your spaced-repetition review history and schedule; your reading progress and coverage; your saved decks and bookmarks; your streak and estimated reading level; and any sentences you mine or personal notes you write. Some of this — notably mined sentences and notes — is free text that you author, so it may contain whatever you choose to put there.
Your preferences. Interface settings such as theme (light/dark), font choices, and reader settings.
We collect this data because you asked us to keep your progress — that is, to perform the service you signed up for. We do not buy personal data about you, and we do not sell your data to anyone.
Analytics and advertising
Phasa runs no advertising and no ad networks, and we never sell your data. We do use PostHog for privacy-respecting product analytics — to understand which features are used and where the app can be improved. This is usage analytics only: it is not advertising, it is not shared with ad networks, and it is not used to profile you across other websites. PostHog sets a first-party identifier so we can count unique users and understand product usage; you can clear it along with your other cookies at any time (see Cookies below).
Cookies and local storage
We use a small number of first-party cookies and browser local storage. These fall into three groups:
- Sign-in cookies, which keep you logged in.
- Preference cookies and local storage (names beginning
phasa.), which remember settings like your theme, fonts, and reader layout so the app looks the way you left it. - A product-analytics identifier set by PostHog, which lets us count unique users and understand how features are used.
None of these are used for advertising or cross-site tracking, and we do not set third-party advertising cookies. You can clear cookies and local storage in your browser at any time; doing so will sign you out and reset your saved preferences.
Who processes your data on our behalf (infrastructure)
We rely on a small set of service providers to run Phasa. They process data on our instructions:
- Supabase — our database, authentication, and file storage provider. Your account and learning data live here.
- Vercel — our hosting and content-delivery provider. Like any web host, it processes technical request data (such as IP addresses and browser type) in server logs to serve the site and keep it secure.
- PostHog — our product-analytics provider, which processes usage events so we can understand and improve the app (see Analytics and advertising above).
- Stripe — our payment processor (see Payments below).
We also use Anthropic’s API for internal editorial tooling only — to help our team prepare and translate the readings we publish. This does not process your personal account data; it operates on our editorial content, not on users’ learning data.
Payments. We use Stripe to process subscription payments. When you subscribe, your payment details are handled directly by Stripe under Stripe’s own terms and privacy policy — Phasa never stores your full card number. We keep basic billing records (such as which plan you’re on and your payment history) so we can show them in your account and meet our tax and accounting obligations.
Where your data is processed, and international transfers
Phasa LLC is a US company, and our providers process data on servers that may be located outside your country, including in Asia and the United States. If you are in the European Economic Area, the United Kingdom, or another region with data-transfer rules, this means your data may be transferred internationally. We rely on our providers’ safeguards for such transfers and take reasonable steps to protect your data wherever it is processed.
How long we keep your data
We keep your account and learning data for as long as your account exists, so your progress is there when you return. If you delete your account, we delete or anonymize your personal data within a reasonable period, except where we need to keep limited records to comply with law. Server logs held by our hosting provider are retained on their standard short cycles.
Your rights
Wherever you live, you can email hello@phasa.app to access, correct, or delete your data, and we’ll help. If you are in the European Economic Area or the United Kingdom, you have specific rights under the GDPR (and UK GDPR), including the right to:
- access the personal data we hold about you;
- correct data that is wrong or incomplete;
- delete your data (“right to erasure”);
- export your data in a portable format;
- restrict or object to certain processing;
- withdraw consent where processing is based on consent; and
- complain to your local data protection authority.
We will not discriminate against you for exercising any of these rights.
Children
Phasa is not intended for children under 13. We do not knowingly collect personal data from anyone under that age. If you believe a child has created an account, email us and we will remove it.
Security
We use reputable providers and standard measures to protect your data, including hashed passwords and encrypted connections. No system is perfectly secure, but we take protecting your data seriously and will notify you and the relevant authorities of a significant breach where the law requires.
Changes to this policy
If we change this policy in a meaningful way, we’ll update the date at the top and, for significant changes, tell account holders by email or in the app.
Contact
Questions, requests, or concerns: hello@phasa.app.