Privacy Policy

1. Controller

The data controller within the meaning of the GDPR is:

Sebastian Baier
Street address and postal code will be added before public launch.
Nürnberg, Germany
Email for privacy inquiries: info@japanji.com

2. Collection and storage of personal data

2.1 Registration and account

When you register, we store the following personal data:

  • email address
  • password (only as an Argon2id hash)
  • your chosen username (after onboarding is complete)
  • optionally an uploaded or preset-based profile picture

Legal basis: Art. 6(1)(b) GDPR (contract performance and pre-contract measures).

2.2 Session data

For signed-in users we store session tokens as SHA-256 hashes. The raw token never leaves the browser and is not known to us server-side. Session rows expire automatically after 30 days or are deleted on sign-out.

2.3 Rate-limiting and security

To defend against automated attacks we store temporary counters per IP address and per email (at most 24 hours). Legal basis: Art. 6(1)(f) GDPR (legitimate interest in IT security).

2.4 Learning progress

Once Japanji's learning and review features are enabled, we store a per-user learning state (e.g. flashcard due dates and review ratings) solely for the purpose of spaced-repetition scheduling. Legal basis: Art. 6(1)(b) GDPR.

3. Recipients / processors

The following processors may process personal data on our behalf:

  • Vercel Inc. (hosting, USA) — application runtime. Safeguarded via EU Standard Contractual Clauses (SCC).
  • Neon, Inc. (database hosting, EU region) — stores application data.
  • Resend (email delivery, USA) — sends verification and password-reset emails. Safeguarded via SCC.
  • Vercel Blob Storage (image storage, USA) — stores uploaded profile pictures. Safeguarded via SCC.

Beyond these, we disclose data only with your consent (Art. 6(1)(a) GDPR) or where legally required.

4. Retention

  • Account data: until you delete your account.
  • Session rows: 30 days from last use.
  • Rate-limit counters: at most 24 hours.
  • Server logs: our structured log entries are deleted automatically after 30 days; platform-level logs kept by Vercel follow the hoster's retention periods.

5. Your rights

You have the right at any time to:

  • access your stored data (Art. 15 GDPR),
  • rectification of inaccurate data (Art. 16 GDPR),
  • erasure (Art. 17 GDPR) — available directly from the settings page,
  • restriction of processing (Art. 18 GDPR),
  • data portability (Art. 20 GDPR),
  • object to processing (Art. 21 GDPR), and
  • lodge a complaint with the competent supervisory authority (Art. 77 GDPR).

To exercise these rights, contact the controller above.

6. Cookies

The application sets only strictly necessary cookies (session session cookie, NEXT_LOCALE locale cookie, OAuth state cookies during the sign-in flow). No analytics or marketing cookies are set.

7. Changes to this policy

We update this privacy policy occasionally, for example when the legal situation changes or when new features ship. The current version is always available at this URL.

Last updated: 21 April 2026