Nekonbini

Privacy Policy

This page explains how Nekonbini processes your personal data when you use the service at nekonbini.com. It covers what we collect, why we collect it, who else processes it on our behalf, and how to exercise your rights under the GDPR.

Controller

The controller responsible for processing personal data on this service is Luca Henrik Stosch, Einzelunternehmen — operating under the trade name "Nekonbini" — Von-Bargen-Straße 39, 22041 Hamburg, Germany, email luca@sutoshu.com. No data protection officer (DPO) has been designated; Art. 37 GDPR does not require one for an operation of this size and scope. Please send any data-protection enquiry to the email address above.

Data we process

  • Account and login: your email address (used as your account identifier and for verification emails), your display name when you set one, the authentication method you used (email one-time-password, Google, or Apple), and the JSON Web Token issued after sign-in. Google or Apple sign-in is brokered by Firebase Authentication; we receive only your verified email address and (optionally) display name from the identity provider.
  • Learning state: your library of saved words and kanji, spaced-repetition state (review history, scheduling, box level), stories you have generated or imported, sentence-level progress, XP and streak counters, your settings (interface language, timezone, target JLPT level, daily XP goal), and feature flags that track whether you have completed onboarding steps. This is the personalised learning state that lets reading aids, reviews, and adaptive surfaces work across your devices.
  • Content you submit: texts you import or paste, documents you upload for tokenisation, prompts and replies in conversations with the AI tutor, kanji mnemonic stories you write, and any reactions you leave on shared community kanji entries. Some of this content is forwarded to AI providers (see "Processors" below) to produce translations, explanations, and replies.
  • Subscription and AI-usage metadata: which plan (if any) is active for your account, when it expires, and a per-call log of AI requests on your behalf — input/output token counts, the provider used, the feature that triggered the call, and the estimated cost. This lets us enforce plan allowances, investigate billing questions, and detect abuse. We do not currently process card payments ourselves; this section will be updated before any card payments are accepted.
  • Technical operating data: server-side request logs (timestamp, route, status code, IP address, user-agent) needed to operate and secure the service; error events captured by Sentry (see "Telemetry" below); and — only with your consent — aggregate analytics page-view events (see "Telemetry" below). Handwriting strokes you draw during kanji practice are scored on the server in real time but not stored.

Purposes and legal bases

We process the data above to provide the personalised learning service you signed up for (sync your library, schedule reviews, generate stories, run AI-tutor conversations) under Art. 6 (1)(b) GDPR (performance of the contract with you); to operate, secure, and debug the service — server logs, abuse detection, error tracking — under Art. 6 (1)(f) GDPR (our legitimate interest in keeping the service available and free of misuse); to measure aggregate product usage with Google Analytics 4 under Art. 6 (1)(a) GDPR (your consent given via the cookie banner, which you can withdraw at any time); and to meet legal obligations, in particular German tax and accounting law for paid plans, under Art. 6 (1)(c) GDPR where applicable. Automated processing for adaptive review scheduling and AI-generated study material does not have legal or similarly significant effects on you within the meaning of Art. 22 GDPR — it only shapes your learning experience.

Analytics, error tracking, and storage on your device

Nekonbini uses two third-party services for telemetry. We treat them differently because their purposes are different.

Google Analytics 4 (analytics) — consent required

We use Google Analytics 4 to understand how the service is used in aggregate. GA4 is loaded with Google Consent Mode v2 set to "denied" by default, which means no analytics or advertising data is sent until you explicitly accept on the consent banner. IP addresses are anonymized (anonymize_ip=true). You can change your choice at any time in Settings → Privacy → Reset analytics consent; rejecting the banner or resetting your consent stops further analytics events for the rest of the session and on subsequent visits on this device.

Sentry (error tracking) — legitimate interest

We use Sentry to capture unhandled errors and crashes so we can fix them. Error events include the URL of the page (with query strings stripped to avoid leaking authentication tokens), the browser version, a stack trace, and — for logged-in users — the internal user ID so we can correlate a report to the user who hit the issue. Cookies and IP addresses are not collected (sendDefaultPii=false). Error tracking runs under our legitimate interest in operating a working service (GDPR Art. 6(1)(f)); you can object to this processing at the contact below. See "Processors" for Sentry's hosting region.

Storage on your device

Your consent choice for analytics is stored in your browser's localStorage under the key "--neko-consent-analytics" with the value "granted" or "denied". Authentication uses a token stored under "--neko-auth-token". A small set of further keys persist UI preferences (last selected language, layout state). These are technical storage on your own device, not third-party tracking cookies; clearing your browser site data removes them.

Processors and third-party services

The following service providers process personal data on our behalf, or as independent controllers for the parts of their service that they control. This list is current as of the "last updated" date below; we update it before any new processor is rolled into the service.

  • Amazon Web Services EMEA SARL (Luxembourg) — application and database hosting in the eu-central-1 region (Frankfurt, Germany). All primary user data is stored on AWS infrastructure in Germany. AWS may, as a sub-processor, rely on its US parent under the EU-US Data Privacy Framework and the EU Standard Contractual Clauses (see "International data transfers" below).
  • Amazon Web Services — Simple Email Service (SES) in eu-central-1 — sends transactional email (the six-digit one-time-password used for email sign-in). Recipient email address, the OTP code, and the email body are processed; SES processes message metadata (delivery, bounce, complaint) on our behalf.
  • Firebase Authentication (Google Ireland Limited / Google LLC) — handles federated sign-in via Google and Apple, and the underlying ID-token verification. The data exchanged with Firebase is the OAuth ID token issued by Google or Apple, your verified email address, and (if provided) your display name. Firebase is a US service; see "International data transfers" below for the legal basis.
  • Sentry (Functional Software, Inc., EU instance) — captures unhandled errors and crashes. The Sentry instance we use is hosted in the European Union (Germany); event data stays in the EU. See the "Telemetry" section above for what is sent in each event.
  • Google Analytics 4 (Google Ireland Limited / Google LLC) — only when you have granted analytics consent. See "Telemetry" above. Google is a US-headquartered processor; see "International data transfers" below for the legal basis.
  • AI providers, used to generate translations, sentence explanations, conversation replies, story content, and tokenisation. The providers we route to today are OpenAI (OpenAI, L.L.C., United States), OpenRouter (OpenRouter, Inc., United States — a router that forwards to further model providers), Google Gemini (Google Ireland Limited / Google LLC), and Mistral AI (Mistral AI S.A.S., France). When you use a feature that needs AI, we send the relevant text — for example, the sentence you are reading, your chat prompt, or the document you imported — plus minimal context needed for the response (e.g. which JLPT level you are studying). Our prompts to these providers ask them not to retain or train on customer content; the providers' own data-retention behaviour is governed by their respective data-processing terms. The set of active providers can change as we tune model quality and cost; we update this list before a new provider is rolled into the service.

International data transfers

Most of the data we hold about you is stored on AWS infrastructure in Germany (eu-central-1). Some of the processors listed above are based in the United States — in particular Firebase, Google Analytics, OpenAI, and OpenRouter — and your data is transferred to those providers when you use a feature that depends on them. We rely on the European Commission's adequacy decision for the EU-US Data Privacy Framework where the recipient is certified under that framework, and on the EU Standard Contractual Clauses (Module Two, controller-to-processor) as an additional safeguard. For Mistral AI, processing takes place within the European Union. We do not transfer personal data to any country outside the EEA other than under one of those bases.

How long we keep your data

We keep different categories of data for different periods. Your account, learning state, and the content you submitted are kept for as long as your account exists; when you ask us to delete your account, all of this is removed within 30 days, with the exceptions below. AI-usage records (the per-call token and cost log) are kept for up to 12 months for service operation, plan enforcement, and abuse detection; where these records form part of accounting for paid plans, we retain the underlying invoice and billing data for the statutory periods under § 147 AO and § 257 HGB (currently up to 10 years), after the rest of your account has been deleted. Email one-time-password requests are purged automatically once the code has been used or has expired. Server request logs are typically rotated within 90 days. Sentry error events are kept according to Sentry's free-plan retention (currently 30 days); we do not extend retention. Google Analytics 4 events are retained according to the property's data-retention setting (we use the GA4 default of 14 months) and deleted automatically after that. Reactions on community-shared kanji stories are retained while both the reaction author's account and the story owner's account exist, because the reaction is a piece of social state on someone else's content. We do not currently delete accounts for inactivity; if that ever changes, we will update this section and notify logged-in users in-app before the new schedule takes effect.

Your rights

Under the GDPR you have the following rights regarding your personal data. To exercise any of them, email luca@sutoshu.com from the email address associated with your account. We respond within 30 days of receiving the request; if a request is unusually complex we will tell you and explain the extension.

  • Right of access (Art. 15) — request a copy of the personal data we hold about you.
  • Right to rectification (Art. 16) — ask us to correct inaccurate or incomplete data.
  • Right to erasure (Art. 17) — ask us to delete your account and the data associated with it.
  • Right to data portability (Art. 20) — ask for an export of the data you provided in a machine-readable format.
  • Right to object (Art. 21) — object to processing based on legitimate interest, including server logs and error tracking.
  • Right to withdraw consent (Art. 7(3)) — for processing based on consent (analytics), withdraw your consent at any time via the cookie banner; this does not affect the lawfulness of processing before the withdrawal.
  • Right to lodge a complaint — file a complaint with a supervisory authority in your country of residence. For Hamburg the competent authority is the Hamburg Commissioner for Data Protection and Freedom of Information (Hamburgischer Beauftragter für Datenschutz und Informationsfreiheit, datenschutz-hamburg.de).

Children

Nekonbini is intended for users aged 16 and over. We do not knowingly collect personal data from anyone under 16. If you believe a child has signed up, please contact us at luca@sutoshu.com and we will delete the account.

Security

The service is served over HTTPS. Authentication uses signed JSON Web Tokens issued by our server after passwordless verification. Application data is stored in PostgreSQL on AWS infrastructure in Germany. We do not store passwords. Access to production systems is limited to the operator named above.

Changes to this policy

We will update this page when our processing changes meaningfully — in particular when a new processor or sub-processor is added, or when we add features that introduce new data categories. The "last updated" date below changes with every substantive edit; for changes that affect your rights or require new consent we will also notify logged-in users in-app.

Last updated: 11 May 2026.
