Back to app

Privacy Policy

Version 1.0 | Last updated: 2026-02-12

MARAWA ("we", "us") operates the fapuli.com and the Fabulinus mobile applications and related services (together, the "Services"). This Privacy Policy explains how we collect, use, disclose, and protect personal data when you use our Services, and what rights you have under the GDPR and Bulgarian law.

If you do not agree with this Policy, please do not use the Services.

1. Who We Are (Controller Details)

  • Controller: MARAWA
  • UIC / EIK: 207026868
  • VAT: BG207026868
  • Registered address: 1 Yanko Zabunov St., Ivan Vazov, Sofia, Bulgaria
  • Email: privacy@fapuli.com
  • Support email: support@fapuli.com
  • Phone: +359 898 764 777

2. Scope

This Policy applies to personal data processed when you use the Services as a consumer/user. It does not cover job applicants, employees, or contractors.

3. Personal Data We Collect and Sources

A. Data You Provide to Us

Depending on how you use the Services, you may provide:

  • Account data: username, email, password (hashed), date of birth/age bracket, profile photo (optional), language preferences
  • Learning content you create: flashcards, notes, tags, categories, audio/images you upload (if enabled)
  • Communications: support tickets, feedback, survey answers
  • Subscription data: plan type, billing status, invoices/receipts (payment card data is handled by the payment processor, not stored by us)

B. Data We Collect Automatically

When you use the Services, we may collect:

  • Device & technical data: IP address, device ID/advertising ID (where applicable), OS/app version, device model, browser type
  • Usage & interaction data: pages/screens visited, features used, session duration, clicks/taps, events (e.g., "review started", "deck created"), referrer URL, approximate location derived from IP (country/city-level)
  • Diagnostics: crash logs, performance metrics (if enabled)

C. Data from Third Parties

We may receive:

  • Authentication data if you sign in via Apple/Google (e.g., name, email, subject identifier), depending on what you choose to share
  • Payment confirmations from our payment processor (transaction status, subscription period)
  • App store signals (purchase confirmations, refunds/chargebacks) if you subscribe via Apple/Google

4. How We Use Personal Data

We process personal data to:

  • Provide and operate the Services (accounts, study features, syncing across devices)
  • Personalize learning (e.g., SRS scheduling, recommendations, difficulty/adaptive review)
  • Process subscriptions and maintain billing records
  • Support and communication (respond to requests, service notices)
  • Security and fraud prevention (abuse detection, account protection)
  • Analytics and improvement (usage analysis, bug fixing, feature performance)
  • Marketing (only where permitted—e.g., newsletters with consent; limited in-app promotions)
  • Legal compliance (tax/accounting, responding to lawful requests)

5. Legal Bases (GDPR)

We rely on one or more lawful bases under GDPR:

  • Contract: to provide the Services and subscription you requested
  • Legitimate interests: to secure the Services, prevent fraud, improve performance and reliability (balanced against your rights)
  • Consent: for optional cookies/trackers, email marketing, and (where applicable) targeted advertising. You may withdraw consent anytime
  • Legal obligation: compliance with accounting/tax and other mandatory laws

6. Cookies, SDKs, and Similar Technologies

We use cookies/local storage (web) and SDKs (mobile) to:

  • Keep you signed in
  • Remember preferences
  • Measure performance and usage
  • (Optionally) support marketing/advertising
Consent rule (EU): Non-essential cookies/trackers generally require prior consent; strictly necessary ones do not. Cookie controls:
  • Web: Manage via our Cookie Settings
  • Mobile: Use OS-level settings and in-app privacy toggles

7. Sharing and Disclosure of Personal Data

We may share personal data with:

A. Service Providers (Processors)

Vendors who help us run the Services (hosting, analytics, crash reporting, email delivery, customer support, payments). They process data under our instructions and contracts.

B. Legal and Safety Disclosures

We may disclose data where necessary to:

  • Comply with law, court orders, or lawful requests
  • Enforce our Terms
  • Protect rights, safety, and security

C. Business Transfers

If we are involved in a merger, acquisition, or asset sale, data may be transferred subject to appropriate safeguards and notice.

D. With Your Direction

If you choose to share decks publicly or with a link, your content and certain profile data may be visible to others depending on your settings.

8. Public Content and Privacy Settings

If the Services allow sharing:

  • You can choose whether decks are private, unlisted (link), or public
  • Your profile may show username, avatar, and stats depending on your settings

9. International Transfers

If we transfer personal data outside the EEA (e.g., to US-based hosting/analytics), we use recognized safeguards such as Standard Contractual Clauses (SCCs) and supplementary measures where needed.

10. Data Retention

We retain personal data only as long as needed for:

  • Providing the Services
  • Legitimate business needs (security logs, preventing fraud)
  • Legal obligations (billing/tax records)
Typical retention periods:
  • Account data: retained while account is active; deleted or anonymized after deletion, unless legally required
  • Logs/security events: 90–180 days
  • Billing records: up to 10 years if required for accounting/tax

11. Security

We implement appropriate technical and organizational measures, such as:

  • Encryption in transit (TLS)
  • Access controls/least privilege
  • Secure password hashing
  • Monitoring and incident response
No system is 100% secure; please use strong passwords and keep your device secure.

12. Children's Privacy (Bulgaria/EU)

Our Services are not intended for children under 14 without parental involvement.

Bulgaria-specific rule: Where processing is based on consent for information society services, Bulgarian law provides enhanced protection for children under 14—parent/guardian authorization is required.

If we learn we collected a child's data without appropriate authorization, we will delete it and/or restrict the account.

13. Your Rights (EEA/Bulgaria)

If you are in the EEA (including Bulgaria), you have rights under GDPR, including:

  • Access your personal data
  • Rectification of inaccurate data
  • Erasure of your data
  • Restriction of processing
  • Objection (including to direct marketing)
  • Portability of your data
  • Withdrawal of consent (where processing is based on consent)
How to exercise rights: Email us at privacy@fapuli.com with subject "GDPR Request". We may verify your identity.

14. Complaints to the Bulgarian Supervisory Authority (CPDP)

You may lodge a complaint with the Commission for Personal Data Protection (CPDP) in Bulgaria:

  • Address: 2 Prof. Tsvetan Lazarov Blvd., Sofia 1592
  • Email: kzld@cpdp.bg
CPDP also provides instructions for lodging complaints/alerts (including formal requirements).

15. Do Not Track / Global Privacy Control

Browser "Do Not Track" signals may not be uniformly supported. Cookie choices should be managed via our cookie banner/settings.

16. Changes to This Policy

We may update this Policy from time to time. If changes are material, we will notify you via the Services or email and update the "Last updated" date.

17. Contact

  • Questions or requests: privacy@fapuli.com
  • Security issues: security@fapuli.com
  • Postal address: 1 Yanko Zabunov St., Ivan Vazov, Sofia, Bulgaria