Privacy Policy - mug

Effective date: 2026-05-24

mug ("mug", "we", "us", or "our") is a vocabulary app that helps users learn words through a daily learning ritual, exercises, streaks, boxes, and a collectible Mugidex. This Privacy Policy explains what data is stored on your device, what data may be sent over the network, and the choices you have.

If you have privacy questions or requests, contact: mail@trymug.com.

1) Us

Email: mail@trymug.com

Website: trymug.com

2) Privacy at a glance

No account required. You can use mug without creating an account.

Local-first app data. Core learning progress, streaks, settings, collection progress, and shelf data are stored on your device.

Vocabulary content is fetched online. The app requests word content from backend services over HTTPS.

Product analytics may be collected. We use analytics tools, including PostHog, to understand onboarding, app usage, paywall performance, and reliability. Analytics uses pseudonymous identifiers, not your Apple ID.

No in-app ads. mug does not display third-party ads in the current version.

Subscriptions are processed by Apple. Apple handles payments. We do not receive your payment card details.

Tracking permission may be requested. If mug asks for Apple tracking authorization, you can allow or deny it. Denying tracking does not block core app functionality.

3) Data stored on your device

mug stores app data locally to provide core functionality. Depending on how you use the app, local data may include:

• Onboarding answers and preferences, such as acquisition source, selected starter mug, name or nickname if you type one, favorite beverage, age range, gender option, learning goals, vocabulary level, preferred topics/categories, weak contexts, shelf choice, notification preferences, and app appearance choices.
• Vocabulary and learning state, such as seen words, liked/favorited words, exercise history, quiz answers, known/unknown word state, and mission progress.
• Progression state, such as streaks, daily reward state, box state, Mugidex progress, discovered/owned mugs, shelf arrangement, selected profile mug, and related timestamps.
• Settings, notification preferences, review request throttling, and locally cached subscription entitlement state.
• Cached vocabulary content used to make the app faster and support widget display.
• Widget snapshots stored in the app's shared App Group container so iOS widgets can display selected word or shelf information.

This local data stays on your device unless the policy below says that a category is sent over the network.

4) Data sent over the network

4.1 Vocabulary content requests

mug requests vocabulary content from our backend services over HTTPS. Requests may include word IDs or query parameters needed to retrieve word content, such as word, part of speech, definition, examples, difficulty, and categories.

Our backend infrastructure and hosting providers may process standard technical data needed to serve requests and maintain security, such as IP address, request time, device/app technical context, and server logs. In the current architecture, mug does not require an account and does not store your personal learning profile in Supabase.

4.2 Product analytics and diagnostics

mug uses product analytics services, including PostHog, to understand onboarding flow, feature usage, subscription funnel performance, and app quality.

Analytics data may include:

• App events, such as onboarding started/completed, onboarding step viewed/completed, starter mug revealed, Mugidex opened, notification permission result, paywall viewed, product loaded, purchase started/completed/cancelled/failed, and app lifecycle events.
• Onboarding choices and profile signals, such as acquisition source, selected mug/shelf, favorite beverage, age range, gender option, weekly word goal, preferred topics/categories, learning goal, vocabulary level, unknown-word frequency, weak contexts, and notification preferences.
• Word test information, such as test level, word IDs shown during onboarding tests, known-word IDs, scores, and known/unknown word counts.
• Monetization and entitlement context, such as premium status, product ID, displayed price, paywall source, and purchase result events.
• Technical context, such as app version, build number, platform, SDK-generated identifiers, device/network information, timestamps, and similar diagnostic metadata.

We do not intentionally send your raw name or email address through product analytics. If you type a name during onboarding, analytics should only receive whether a name exists and a broad length bucket, not the name itself. If this implementation changes, this policy and the App Store privacy information should be updated before release.

PostHog is configured to use an EU endpoint in the current app code. However, service providers and their sub-processors may operate in multiple jurisdictions.

4.3 Purchases and subscriptions

mug+ subscriptions are handled by Apple through StoreKit. Apple processes the payment. mug checks subscription entitlement status to unlock paid features. We do not receive your payment card number.

4.4 Support emails

If you contact us by email, we receive the information you choose to send, such as your email address, message content, device/app details you include, and any attachments. We use this information to respond to you and provide support.

5) Tracking, advertising, and attribution

mug does not display third-party advertising in the current version and is not built around ad personalization.

mug may request Apple tracking authorization. If you allow tracking, permitted data may be used for attribution and advertising measurement, such as understanding which campaigns or channels led users to mug. If you deny tracking, mug should not track you across other companies' apps or websites for those purposes.

You can change tracking permission in iOS Settings > Privacy & Security > Tracking.

6) Third-party services

We use third-party services to operate mug:

• Apple / StoreKit: App Store distribution, in-app purchases, subscription billing, entitlement status, and related App Store services.
• Supabase: backend infrastructure used to serve vocabulary content and related API requests.
• PostHog: product analytics, event measurement, and app improvement analysis.
• Email and website hosting providers: support email delivery, website hosting, and basic server operations.

These providers process data according to their own terms, privacy notices, and data processing arrangements.

7) Legal bases for EU/UK users

If EU/UK data protection law applies, we rely on the following legal bases depending on the processing activity:

• Performance of a contract: to provide the app, deliver vocabulary content, manage subscriptions, and provide support.
• Legitimate interests: to maintain security, debug issues, understand product performance, prevent abuse, and improve the app, where those interests are not overridden by your rights.
• Consent: for notifications, Apple tracking authorization, and any processing where consent is required by law.
• Legal obligations: where we must keep records or respond to valid legal requests.

8) Data retention

Local app data remains on your device until you reset it in the app, uninstall the app, or clear device data.

Support emails are retained for as long as needed to answer your request and maintain reasonable support records.

Analytics and service logs are retained for security, operations, debugging, and product improvement for as long as reasonably necessary, unless a longer retention period is required or permitted by law.

Because mug does not require an account, some analytics data may be tied only to a pseudonymous app/device identifier. If you make a privacy request, we may need information from you to locate the relevant records, and in some cases we may not be able to identify records linked to you without additional information.

9) Security

We use reasonable technical and organizational measures to protect data in transit and at rest. For example, app network requests use HTTPS. No system is 100% secure, and we cannot guarantee absolute security.

10) Your choices

You can:

• Use mug without creating an account.
• Reset local app data in the app where available.
• Disable notifications in the app or in iOS Settings.
• Change Apple tracking permission in iOS Settings > Privacy & Security > Tracking.
• Manage or cancel subscriptions in iOS Settings > Apple ID > Subscriptions.
• Contact us at mail@trymug.com for privacy requests.

11) Your rights

Depending on where you live, you may have rights to access, correct, delete, restrict, object to, or receive a copy of your personal data. You may also have the right to withdraw consent where processing is based on consent.

To exercise your rights, contact mail@trymug.com. If you are in the EU/EEA or UK, you may also have the right to complain to your local data protection authority.

12) Children

mug is a general-audience app and is not directed to children under 13, or the minimum age required in your jurisdiction. If you believe a child has provided personal data to us, contact mail@trymug.com so we can review and delete it where appropriate.

13) International processing

We and our service providers may process data in countries other than your country of residence. Where required, we rely on appropriate safeguards for international transfers, such as contractual protections or other legally recognized mechanisms.

14) Changes to this policy

We may update this Privacy Policy from time to time. If we make material changes, we will update the effective date and publish the updated policy in the app and/or on the website.

15) Contact

Email: mail@trymug.com

Website: trymug.com