
Privacy Policy

Last updated: January 15, 2026

1. Introduction

Welcome to Zenshin Japanese ("we," "our," or "us"). We are committed to protecting your privacy and ensuring transparency about how we collect, use, and protect your personal data. This Privacy Policy explains our practices in compliance with the General Data Protection Regulation (GDPR) and other applicable data protection laws.

2. Data Controller and Data Protection

Zenshin Japanese is the data controller responsible for your personal data.

Zenshin Japanese

KVK: 87099756
Box C0633, Keurenplein 41
1069CD Amsterdam, The Netherlands

2.1 Data Protection Officer (DPO)

Under GDPR, a Data Protection Officer (DPO) is required for organizations that:

  • Are public authorities or bodies
  • Engage in large-scale, regular, and systematic monitoring of individuals
  • Process large-scale special categories of data (health, criminal convictions, etc.)

As a small educational technology company, we are not currently required to appoint a formal DPO under GDPR. However, we take data protection seriously and have designated a data protection contact person to handle all privacy-related inquiries.

2.2 Contact for Data Protection Inquiries

For any questions about this Privacy Policy, to exercise your GDPR rights, or to report a data protection concern, please contact us through our contact page. We will respond to all data protection inquiries within 30 days as required by GDPR.

3. Information We Collect

3.1 Personal Information

  • Account Information: Name, email address, password (hashed), profile picture
  • Authentication Data: OAuth tokens (Google), session tokens
  • Profile Information: Native language, display preferences, study settings

3.2 Learning Data

  • Progress Data: Study progress, mastery scores, learning statistics
  • Assignment Data: Completed assignments, attempts, submissions, feedback
  • Flashcard Data: Flashcard progress, review history, spaced repetition data
  • Session Data: Study sessions, practice sessions, time spent learning
  • Placement Test Data: Test results, estimated JLPT level, preferences

3.3 Usage Data

  • Technical Data: IP address, browser type, device information, operating system
  • Usage Analytics: Pages visited, features used, interaction patterns
  • Error Reports: Error logs, bug reports, user feedback

3.4 Payment Data

  • Subscription Information: Subscription status, payment history (processed by Stripe)
  • Classroom Memberships: Classroom enrollments, payment records

4. How We Use Your Data

We use your personal data for the following purposes:

  • Service Provision: To provide and maintain our learning platform, personalize your learning experience, and track your progress
  • Account Management: To create and manage your account, authenticate you, and communicate about your account
  • Learning Analytics: To analyze your learning patterns, provide insights, and improve our learning algorithms
  • Communication: To send you important updates, notifications, and (with consent) marketing communications
  • Payment Processing: To process payments and manage subscriptions (via Stripe)
  • Legal Compliance: To comply with legal obligations and protect our rights
  • Service Improvement: To improve our services, fix bugs, and develop new features

5. Legal Basis for Processing

We process your personal data based on the following legal bases:

  • Consent: When you provide explicit consent (e.g., marketing communications, analytics)
  • Contract Performance: To fulfill our contract with you (providing the learning service)
  • Legitimate Interests: To improve our services, ensure security, and prevent fraud
  • Legal Obligation: To comply with applicable laws and regulations

6. Data Sharing and Third Parties

We share your data with the following third parties:

  • Stripe: Payment processing (payment data only, not stored on our servers)
  • Google: OAuth authentication (if you choose to sign in with Google)
  • OpenAI: AI content generation and feedback services (sentence generation, educational content)
  • Supabase: Database hosting and storage (data is encrypted in transit and at rest)
  • Vercel: Hosting and infrastructure (may process technical data)
  • Resend: Email delivery service (transactional and marketing emails)

We do not sell your personal data. We only share data as necessary to provide our services or as required by law.

7. Data Retention

We retain your personal data for as long as necessary to provide our services, comply with legal obligations, and resolve disputes. Specific retention periods are as follows:

7.1 Active Account Data

While your account is active, we retain all personal data necessary to provide our services:

  • Account Information: Retained for the duration of your account
  • Learning Progress Data: Retained for the duration of your account
  • Assignment Data: Retained for the duration of your account
  • Flashcard Data: Retained for the duration of your account
  • Session Data: Retained for 2 years from last activity
  • Payment Records: Retained for 7 years (legal requirement for financial records)

7.2 Inactive Account Data

For accounts that have been inactive:

  • Unverified Accounts: Deleted after 90 days of inactivity if email is not verified
  • Inactive Accounts: We may delete accounts that have been inactive for more than 3 years, after sending a notification email

7.3 Account Deletion Requests

When you request account deletion:

  • Standard Deletion: Data is scheduled for deletion 21 days after your request (grace period to allow account recovery)
  • Instant Deletion: Data is scheduled for deletion 1 day after your request (requires admin approval)
  • Deletion Process: All personal data is permanently deleted, except where we are legally required to retain it (e.g., payment records for 7 years)

7.4 Legal Retention Requirements

We may retain certain data longer when required by law:

  • Payment Records: 7 years (tax and accounting requirements)
  • Legal Disputes: Until resolution plus 6 years (statute of limitations)
  • Data Breach Records: 3 years from resolution (compliance documentation)
  • Error Logs: 90 days (for debugging and security)
  • Email Logs: 2 years (for delivery verification and compliance)

7.5 Automated Deletion

We use automated processes to delete data according to these retention periods:

  • Unverified accounts are automatically deleted after 90 days
  • Scheduled account deletions are processed daily
  • Old session data is automatically purged after 2 years
  • Error logs are automatically purged after 90 days

Note: You can request deletion of your data at any time through your Privacy Settings or by contacting us. We will process your request within the timeframes specified above.

8. Your Rights Under GDPR

You have the following rights regarding your personal data:

  • Right to Access: Request a copy of all personal data we hold about you
  • Right to Rectification: Correct inaccurate or incomplete data
  • Right to Erasure: Request deletion of your personal data ("right to be forgotten")
  • Right to Restrict Processing: Limit how we process your data
  • Right to Data Portability: Receive your data in a structured, machine-readable format
  • Right to Object: Object to processing based on legitimate interests
  • Right to Withdraw Consent: Withdraw consent at any time (where processing is based on consent)

You can exercise these rights by visiting your Privacy Settings or by contacting us.

Right to Lodge a Complaint: You also have the right to lodge a complaint with the Dutch Data Protection Authority (Autoriteit Persoonsgegevens) if you believe your data protection rights have been violated. For more information, visit: https://autoriteitpersoonsgegevens.nl

9. Cookies and Tracking

We use cookies and similar technologies to provide our services, authenticate users, and analyze usage. You can manage your cookie preferences at any time through your browser settings or our cookie consent banner.

For more information, see our Cookie Policy.

10. Data Security

We implement appropriate technical and organizational measures to protect your personal data, including:

  • Encryption of data in transit (HTTPS/TLS)
  • Encryption of data at rest
  • Secure password hashing (bcrypt)
  • Regular security audits and updates
  • Access controls and authentication

11. International Data Transfers

Your data may be transferred to and processed in countries outside the European Economic Area (EEA). We ensure appropriate safeguards are in place, such as Standard Contractual Clauses (SCCs) with our service providers.

12. Children's Privacy

Our service is not intended for children under 16 years of age. We do not knowingly collect personal data from children. If you believe we have collected data from a child, please contact us immediately.

13. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of any material changes by posting the new policy on this page and updating the "Last updated" date.

14. Contact Us

If you have questions about this Privacy Policy or wish to exercise your rights, please contact us through our contact page.
