Privacy Policy
Effective Date: March 8, 2026
1. Introduction
This Privacy Policy describes how Hefoya Studio ("we," "us," "our") collects, uses, and protects information when you use the Vexale Keyboard application for Android ("Application"). We are committed to protecting your privacy and ensuring transparency about our data practices.
As a keyboard application, Vexale Keyboard has the technical ability to process all text you type. We want to be clear: we do not collect, store, transmit, or have access to the content you type. All text processing — including autocorrect, word suggestions, and next-word prediction — occurs entirely on your device.
2. Data Controller
The data controller responsible for your personal data is:
Hefoya Studio
Poland
Email: hefoyastudio@gmail.com
3. Information We Collect
We organize the information associated with the Application into the following categories:
3.1. Information We Do NOT Collect
To be explicitly clear about the boundaries of our data collection:
- Keystrokes or typed text: We never log, record, store, or transmit what you type. The suggestion engine processes your input in real-time on your device and does not retain it.
- Clipboard contents: Clipboard history is stored locally on your device only. We do not transmit clipboard data to any server.
- Password fields: The Application respects the flag and does not learn from password sensitive field.
- Contacts, call logs, photos, files, or location data.
- Audio, camera, or biometric data.
- Account credentials or personal profiles (the Application has no user account system).
3.2. Information Collected Automatically
When you use the Application, the following information may be collected automatically through integrated third-party services:
| Data Type | Purpose | Collected By |
|---|---|---|
| Anonymous usage events (e.g., keyboard opened, emoji panel opened, theme changed, language changed, suggestion tapped, clipboard panel opened) | Understanding feature usage to improve the Application | Firebase Analytics (Google) |
| Crash reports and stack traces (including native / NDK crashes) | Identifying and fixing bugs and stability issues | Firebase Crashlytics (Google) |
| App performance metrics (startup time, network latency, screen rendering) | Monitoring and optimizing app performance | Firebase Performance Monitoring (Google) |
| Firebase Cloud Messaging token (device push token) | Delivering push notifications for updates and announcements | Firebase Cloud Messaging (Google) |
| Android ID (a per-device, per-user identifier reset on factory reset) | Device identification for API communication and update checks | Our backend server |
| Device locale / language setting | Delivering localized content and update information | Our backend server |
| App version (name and code) | Determining whether an update is available | Our backend server |
| App package name | Request validation and integrity verification | Our backend server |
Analytics event design note: Our analytics events are intentionally designed to protect your privacy. For example, when you tap an emoji, we record only that an emoji was selected — never which emoji. When a suggestion is used, we log only the position index (1st, 2nd, or 3rd suggestion) — never the word itself. Theme and language changes log only the theme or language identifier, not any personal data.
3.3. Information Stored Locally on Your Device
The following data is stored only on your device and is never transmitted to us or any third party:
- Keyboard settings: Theme preferences, language selection, autocorrect toggle, number row toggle, sound/vibration settings, keyboard height, toolbar configuration.
- Clipboard history: Up to 50 recent clipboard entries, including pinned items, stored in an encrypted local file (
user_clipboard_50.pack). - Recently used emojis: A local record of your emoji usage for the "recent" category.
- Onboarding state: Whether you have completed the initial setup and accepted the Terms.
- Dictionary data: Pre-packaged dictionaries for supported languages (English, Polish), stored as read-only assets. No user-specific dictionary personalization data is transmitted.
4. Android Permissions
The Application requests the following Android permissions:
| Permission | Why It's Needed |
|---|---|
INTERNET |
Required for checking for app updates from our server, Firebase Analytics, Crashlytics, Performance Monitoring, and receiving push notifications via Firebase Cloud Messaging. |
VIBRATE |
Provides haptic feedback when you press keys, if enabled in settings. No data is collected through this permission. |
POST_NOTIFICATIONS |
Required on Android 13+ to display push notifications (e.g., update alerts). You can deny this permission or revoke it at any time in your device settings. |
BIND_INPUT_METHOD |
A system permission required by Android for all keyboard (Input Method) applications. It allows the system to connect to the keyboard service. |
The Application does not request permissions for camera, microphone, location, contacts, phone, storage, Bluetooth, or any other sensitive resource.
5. How We Use Your Information
We use the collected information solely for the following purposes:
- To provide and maintain the Service: Ensuring the keyboard functions correctly on your device.
- To improve the Application: Analyzing anonymous usage patterns (which features are used, how often) to prioritize development efforts.
- To fix bugs and improve stability: Using crash reports to identify, diagnose, and resolve technical issues.
- To monitor performance: Identifying performance bottlenecks and optimizing the user experience.
- To deliver notifications: Informing you about available updates or important announcements via push notifications.
- To check for updates: Communicating with our server to determine whether a newer version of the Application is available.
6. Legal Bases for Processing (EEA/UK Users)
If you are located in the European Economic Area (EEA) or the United Kingdom, we process your personal data based on the following legal grounds under the General Data Protection Regulation (GDPR):
- Consent: By accepting these terms during onboarding, you consent to the data processing described in this policy. For push notifications on Android 13+, you provide separate consent through the system permission dialog.
- Legitimate interest: We have a legitimate interest in collecting anonymous analytics data and crash reports to improve the Application's quality, stability, and user experience, provided this does not override your fundamental rights and freedoms.
- Contract performance: Processing necessary to deliver the service you requested when you installed and activated the Application.
7. Third-Party Services and Data Sharing
We integrate the following third-party services that may receive data as described:
7.1. Firebase (Google LLC)
- Firebase Analytics: Collects anonymous usage data, device information (model, OS version), and app instance identifiers. Google's data practices are governed by the Google Privacy Policy.
- Firebase Crashlytics: Collects crash logs including stack traces, device state, and OS version. No user-typed content is included in crash reports.
- Firebase Performance Monitoring: Collects performance traces and network request metrics.
- Firebase Cloud Messaging: Google processes device tokens necessary for push notification delivery.
Firebase data may be processed by Google on servers located in the United States or other countries. Google is certified under the EU-U.S. Data Privacy Framework. For more information, see Firebase Privacy Information.
7.2. Our Backend Server
The Application communicates with our backend server for the sole purpose of checking for application updates. This communication includes your Android ID, device language, app version, and package name. We may retain the Android ID on our server for troubleshooting, analytics, or to prevent abuse; otherwise the data is not sold, rented, or shared with any third party beyond what is necessary for the update-check functionality.
7.3. No Advertising
The Application does not contain advertisements. We do not use advertising SDKs, advertising identifiers, or any ad-tracking technology. We do not share your data with advertising networks.
7.4. No Data Sales
We do not sell your personal information to any third party. We do not participate in data brokerage or share personal data for monetary consideration.
8. International Data Transfers
Your data processed through Firebase services may be transferred to and processed in the United States or other countries where Google operates. These transfers rely on appropriate safeguards, including Google's compliance with the EU-U.S. Data Privacy Framework and Standard Contractual Clauses where applicable.
Data sent to our backend server may be processed in Poland. We implement appropriate technical and organizational measures to protect data during transfer.
9. Data Retention
- Firebase Analytics data: Retained by Google according to their standard retention policies (typically 14 months for user-level data, 2 months for event-level data, configurable).
- Firebase Crashlytics data: Crash reports are retained by Google for 90 days.
- Firebase Performance data: Retained by Google for 90 days.
- FCM tokens: Retained while the Application is installed. Tokens are automatically invalidated when the Application is uninstalled.
- Android ID on our server: Retained for the duration of the update-check request. We may also persist it in a database for troubleshooting, analytics, or abuse prevention.
- Local device data: Settings, clipboard history, and preferences are retained on your device until you uninstall the Application or clear its data.
10. Data Security
We take the security of your data seriously and implement appropriate measures:
- On-device processing: All text input processing, autocorrect, and suggestions run entirely on your device. No keystroke data is transmitted.
- Signed API requests: Communication with our backend server uses cryptographic request signing (SHA-256 based) to prevent tampering and unauthorized access.
- App integrity checks: The Application includes runtime security measures such as APK signature verification, debugger detection, and tampering detection.
- Code protection: The Application employs code obfuscation and minification to protect against reverse engineering.
- Local data storage: Clipboard history and preferences are stored in the Application's private storage area, accessible only by the Application.
- Transport security: Network communications use HTTPS in production. Cleartext traffic is restricted to development environments only.
While we implement commercially reasonable security measures, no system can guarantee absolute security. We cannot ensure or warrant the security of any information transmitted to or from the Application.
11. Your Rights
Depending on your jurisdiction, you may have the following rights regarding your personal data:
For All Users:
- Opt out of analytics: You can disable Firebase Analytics data collection by restricting the Application's internet access in your device settings, or by uninstalling the Application.
- Control notifications: You can disable push notifications through your device's notification settings or by denying the POST_NOTIFICATIONS permission.
- Delete local data: You can clear all locally stored data (settings, clipboard history, preferences) by clearing the Application's data in your device settings, or by uninstalling the Application.
For EEA/UK Users (GDPR):
- Right of access: You may request information about what personal data we process about you.
- Right to rectification: You may request correction of inaccurate personal data.
- Right to erasure: You may request deletion of your personal data.
- Right to restrict processing: You may request restriction of the processing of your data.
- Right to data portability: You may request your data in a structured, commonly used, machine-readable format.
- Right to object: You may object to the processing of your personal data based on legitimate interest.
- Right to withdraw consent: You may withdraw consent at any time by uninstalling the Application or contacting us.
- Right to lodge a complaint: You have the right to lodge a complaint with your local data protection authority.
For California Users (CCPA/CPRA):
- Right to know: You may request disclosure of the categories and specific pieces of personal information we have collected.
- Right to delete: You may request deletion of personal information we have collected.
- Right to opt out of sale: We do not sell personal information. No opt-out action is necessary.
- Right to non-discrimination: We will not discriminate against you for exercising your privacy rights.
To exercise any of these rights, please contact us at hefoyastudio@gmail.com. We will respond within the timeframe required by applicable law (typically 30 days for GDPR, 45 days for CCPA).
12. Data Deletion
Since the Application does not have user accounts, data deletion is straightforward:
- Uninstalling the Application will permanently remove all locally stored data, including settings, clipboard history, and preferences.
- Clearing app data in your device's Settings > Apps > Vexale Keyboard > Clear Data will delete all local data without uninstalling.
- Firebase data: Analytics and crash data associated with your device instance will be automatically purged according to Google's retention policies. You may also contact us to request deletion of any Firebase data linked to your device.
13. Children's Privacy
The Application is not specifically directed at or designed for children under the age of 13 (or the applicable minimum age in your jurisdiction). We do not knowingly collect personal information from children.
The Application does not contain age-gated content, social features, or mechanisms that would specifically attract children. It is a general-purpose keyboard tool.
If we become aware that we have inadvertently collected personal data from a child under the applicable minimum age without verified parental consent, we will take steps to delete such information promptly. If you believe a child has provided us with personal data, please contact us at hefoyastudio@gmail.com.
14. Cookies and Tracking Technologies
The Application is a native Android app and does not use cookies. However, Firebase services may use device-level identifiers (such as Android Advertising ID or app instance ID) for analytics purposes. The Application does not use any advertising identifiers for ad targeting, as it contains no advertising.
15. Changes to This Privacy Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, legal requirements, or Application features. When we make material changes:
- We will update the "Effective Date" at the top of this page.
- We may notify you through a push notification or an in-app notice.
- The updated policy will be made available at the same URL.
We encourage you to review this Privacy Policy periodically. Your continued use of the Application after any changes constitutes your acceptance of the updated policy.
16. Contact Us
If you have any questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us:
Hefoya Studio
Poland
Email: hefoyastudio@gmail.com
For EEA/UK users: If you are not satisfied with our response, you have the right to lodge a complaint with your local data protection supervisory authority.