
Privacy Policy

This page explains how Nekonbini processes your personal data when you use the service at nekonbini.com. It covers what we collect, why we collect it, who else processes it on our behalf, and how to exercise your rights under the GDPR.

Controller

The controller responsible for processing personal data on this service is Luca Henrik Stosch, Einzelunternehmen — trading as "Nekonbini".

Postal address: Von-Bargen-Straße 39, 22041 Hamburg, Germany
Email: luca@sutoshu.com

A data protection officer has not been appointed (no Art. 37 GDPR criterion applies).

Data we process

  • Account and login: your email address (used as your account identifier and for verification emails), your display name when you set one, and the authentication method you used (email one-time-password, Google, or Apple). Google or Apple sign-in is brokered by Firebase Authentication; we receive only your verified email address and (optionally) display name from the identity provider.
  • Learning state: your library of saved words and kanji, spaced-repetition state (review history, scheduling, box level), stories you have generated or imported, sentence-level progress, XP and streak counters, your settings (interface language, timezone, target JLPT level, daily XP goal), and feature flags that track whether you have completed onboarding steps. This is the personalised learning state that lets reading aids, reviews, and adaptive surfaces work across your devices.
  • Content you submit: texts you import or paste, documents you upload for tokenisation, prompts and replies in conversations with the AI tutor, kanji mnemonic stories you write, and any reactions you leave on shared community kanji entries. Some of this content is forwarded to AI providers (see "Processors" below) to produce translations, explanations, and replies.
  • Subscription, billing and AI-usage metadata: which plan (if any) is active for your account, when it expires, and a per-call log of AI requests on your behalf — input/output token counts, the provider used, the feature that triggered the call, and the estimated cost. Card payments are handled by Stripe (see "Processors" below); we do not see or store full card numbers.
  • Technical operating data: server-side request logs (timestamp, route, status code, IP address, user-agent) needed to operate and secure the service; error events captured by our error-tracking service (see "Telemetry" below); and — only with your consent — aggregate analytics page-view events (see "Telemetry" below). Handwriting strokes you draw during kanji practice are scored on the server in real time but not stored.

Purposes and legal bases

We process the data above to provide the personalised learning service you signed up for (sync your library, schedule reviews, generate stories, run AI-tutor conversations) under Art. 6 (1)(b) GDPR (performance of the contract with you); to operate, secure, and debug the service — server logs, abuse detection, error tracking — under Art. 6 (1)(f) GDPR (our legitimate interest in keeping the service available and free of misuse); to measure aggregate product usage under Art. 6 (1)(a) GDPR (your consent, which you can withdraw at any time); and to meet legal obligations, in particular German tax and accounting law for paid plans, under Art. 6 (1)(c) GDPR where applicable.

Analytics, error tracking, and storage on your device

Nekonbini uses two third-party services for telemetry. We treat them differently because their purposes are different.

Analytics — consent required

We use an aggregate analytics service to understand how the service is used. Analytics only loads after you accept on the consent banner; IP addresses are not stored in identifiable form. You can withdraw or change your choice at any time via the consent banner or in your account settings; this stops further analytics events for the rest of the session and on subsequent visits.

Error tracking — legitimate interest

We use an error-tracking service to capture unhandled errors and crashes so we can fix them. Error events include the URL of the page (with query strings stripped to avoid leaking authentication tokens), the browser version, a stack trace, and — for logged-in users — the internal user ID so we can correlate a report to the user who hit the issue. Cookies and IP addresses are not collected. Error tracking runs under our legitimate interest in operating a working service (GDPR Art. 6(1)(f)); you can object to this processing at the contact above.

Storage on your device

Your consent choice and authentication state are stored in your browser's localStorage. A small set of further keys persist UI preferences (last selected language, layout state). These are technical storage on your own device, not third-party tracking cookies; clearing your browser site data removes them.

Processors and third-party services

The following service providers process personal data on our behalf, or as independent controllers for the parts of their service that they control. This list is current as of the "last updated" date below; we update it before any new processor is rolled into the service.

  • Amazon Web Services EMEA SARL (Luxembourg) — application and database hosting in the European Union (Germany). AWS may, as a sub-processor, rely on its US parent under the EU-US Data Privacy Framework and the EU Standard Contractual Clauses (see "International data transfers" below).
  • Resend (Resend Inc., United States, under the EU-US Data Privacy Framework and EU Standard Contractual Clauses) — sends transactional email such as the six-digit one-time password used for email sign-in.
  • Stripe Payments Europe Ltd. (Ireland, with US transfer to Stripe Inc. under the EU-US Data Privacy Framework and EU Standard Contractual Clauses) — processes subscription payments.
  • Firebase Authentication (Google Ireland Limited / Google LLC) — handles federated sign-in via Google and Apple. The data exchanged is your verified email address and (if provided) your display name. Firebase is a US service; see "International data transfers" below for the legal basis.
  • Sentry (EU instance) — captures unhandled errors and crashes. The instance we use is hosted in the European Union; event data stays in the EU. See "Telemetry" above for what is sent in each event.
  • Google Analytics 4 (Google Ireland Limited / Google LLC) — loaded only when you have granted analytics consent. See "Telemetry" above. Google is a US-headquartered processor; see "International data transfers" below for the legal basis.
  • AI subprocessors include OpenAI (US), Google (EU/US), Mistral AI (FR), and OpenRouter (US) as a routing intermediary. When you use an AI-powered feature, we send the relevant text — for example, the sentence you are reading, your chat prompt, or the document you imported — plus minimal context needed for the response. The active set may change as we tune model quality and cost; we update this list before a new provider goes live.

International data transfers

Most of the data we hold about you is stored in the European Union. Some of the processors listed above are based in the United States; your data is transferred to those providers when you use a feature that depends on them. We rely on the European Commission's adequacy decision for the EU-US Data Privacy Framework where the recipient is certified under that framework, and on the EU Standard Contractual Clauses (Module Two, controller-to-processor) as an additional safeguard.

How long we keep your data

We keep account data, learning state, and content you submitted for as long as your account exists; when you ask us to delete your account, this is removed within 30 days. Where statutory accounting retention under § 147 AO and § 257 HGB applies (paid subscriptions), the underlying invoice and billing data is retained for the statutory period (currently up to 10 years), after the rest of your account has been deleted. Email one-time-password requests are purged automatically once the code has been used or has expired. Server logs, error events, and analytics data are automatically rotated by our providers per their default retention; we do not extend it.

Your rights

Under the GDPR you have the following rights regarding your personal data. To exercise any of them, contact us at the email address listed in the Controller section above, from the email address associated with your account. We respond within 30 days of receiving the request; if a request is unusually complex we will tell you and explain the extension.

  • Right of access (Art. 15) — request a copy of the personal data we hold about you.
  • Right to rectification (Art. 16) — ask us to correct inaccurate or incomplete data.
  • Right to erasure (Art. 17) — ask us to delete your account and the data associated with it.
  • Right to data portability (Art. 20) — ask for an export of the data you provided in a machine-readable format.
  • Right to object (Art. 21) — object to processing based on legitimate interest, including server logs and error tracking.
  • Right to withdraw consent (Art. 7(3)) — for processing based on consent (analytics), withdraw your consent at any time via the cookie banner; this does not affect the lawfulness of processing before the withdrawal.
  • Right to lodge a complaint — file a complaint with a supervisory authority in your country of residence. For Hamburg the competent authority is the Hamburg Commissioner for Data Protection and Freedom of Information (Hamburgischer Beauftragter für Datenschutz und Informationsfreiheit).

Children

Nekonbini is intended for users aged 16 and over. We do not knowingly collect personal data from anyone under 16. If you believe a child has signed up, please contact us using the address listed in the Controller section above and we will delete the account.

Security

Data is hosted in the EU on contracted infrastructure. Authentication uses signed session tokens issued after passwordless verification. We do not store passwords. Production access is limited to the operator.

Changes to this policy

We will update this page when our processing changes meaningfully — in particular when a new processor or sub-processor is added, or when we add features that introduce new data categories. The "last updated" date below changes with every substantive edit; for changes that affect your rights or require new consent we will also notify logged-in users on the platform.

Last updated: 19 May 2026.
