Hanasay · Legal

Privacy Policy

Last updated: 7 May 2026

This policy explains what personal data Hanasay collects, why, where it goes, and what rights you have over it. It is written to be honest rather than exhaustive — if anything here is unclear, email hello@hanasay.com and we will explain.

Who is responsible

Hanasay is operated by Taha Boudouma, a sole trader based in the United Kingdom. For data-protection purposes, Taha Boudouma is the data controller. Contact: hello@hanasay.com.

What we collect

We keep the data set small on purpose.

  • Account information — your email address and, if you sign in with Google, the basic profile fields Google returns. This is handled by our authentication provider, Clerk.
  • Learning progress — the words you have studied, whether each attempt was correct or incorrect, scheduling data for spaced repetition, and timestamps. Stored in our database.
  • Voice recordings — when you speak into an exercise, your audio is sent to Google Cloud Speech-to-Text for transcription. We do not store the audio on our servers, and we do not store the text we transcribed from it. Only the outcome (correct or incorrect) and the word being practised are kept.
  • Subscription information — if you subscribe, our payment provider Polar holds your billing details. We receive a subscription status (trialing, active, cancelled, etc.) and a customer reference, not your card.
  • Product analytics (opt-in) — if you accept analytics in the cookie banner, anonymous usage events (page views, exercise outcomes, feature interactions) are sent to PostHog on its EU infrastructure. We have configured PostHog to use memory-only storage, which means it does not place persistent analytics cookies on your device. Session recording is disabled. If you reject, no events are sent.
  • Advertising measurement (opt-in) — if you accept marketing in the cookie banner, we share a small set of conversion events (page view, sign-up, purchase) with Meta so we can measure the effectiveness of our advertising. See Advertising and measurement below for the exact data and how to opt out.
  • Marketing attribution (opt-in) — if you accept marketing, we keep a localStorage entry recording any utm_*, fbclid, gclid, or ttclid parameters from the URL you arrived on, so we know which campaign sent you. Cleared when you reject marketing or delete site data.

Advertising and measurement

Hanasay runs paid advertising on Meta (Facebook and Instagram). To measure whether those ads work, we use Meta's standard measurement tools only if you accept marketing cookies in our banner. The data sent to Meta is:

  • The event name (e.g. PageView, InitiateCheckout, CompleteRegistration, Purchase) and a deduplication ID.
  • The Meta browser cookies _fbp and (if you arrived from a Meta ad) _fbc.
  • For purchases: the value, currency, and a SHA-256 hash of your email address. The plain-text email is not sent.
  • Your IP address and browser user-agent (sent by the browser automatically and forwarded server-side via Meta's Conversions API for the same Purchase event).

Our legal basis for this processing is your consent (UK GDPR Art. 6(1)(a)). You can withdraw it at any time using the “Cookie preferences” link in the site footer; doing so stops both the browser pixel and the server-side Conversions API for future events. Meta acts as an independent controller for the data once received; see Meta's privacy policy.

What we do not collect

  • We do not store your voice recordings.
  • We do not store the text transcribed from your speech.
  • We do not use your audio or transcripts to train any AI model.
  • We do not run advertising or analytics trackers without your consent.
  • We do not sell your data.

Sub-processors

We use a small number of trusted services to operate Hanasay. Each receives only what it needs.

  • Clerk — authentication. Holds your email and OAuth identifiers.
  • Google Cloud (Speech-to-Text and Text-to-Speech) — processes your audio in real time during exercises and produces the spoken example sentences.
  • Google Gemini API — generates the practice situations and example phrases from the prompts you write during onboarding. We send the prompt text; we do not send your email or account identifiers.
  • Meta (Pixel and Conversions API) — only if you accept marketing cookies. Receives the data described in Advertising and measurement above.
  • MongoDB Atlas — stores your account record and learning progress.
  • Polar — payments and subscription management.
  • PostHog (EU) — product analytics, only if you accept analytics cookies.
  • Resend — sends transactional email such as the welcome message after sign-up.
  • Vercel — hosts the website you are reading right now.

Where data is processed

We try to keep data within the EU/UK where possible (PostHog EU, our primary database region). Some processors are based in the United States (Clerk, Google Cloud, Google Gemini, Meta, Polar, Resend, Vercel). When data leaves the UK/EU, we rely on the UK Extension to the EU–US Data Privacy Framework, the UK International Data Transfer Agreement, or Standard Contractual Clauses, depending on the vendor.

How long we keep things

  • Account and learning data — kept for as long as your account exists. If you delete your account, we delete this within 30 days.
  • Voice recordings — not stored (sent to Google for transcription and discarded).
  • Transcripts — not stored.
  • Billing records — retained by Polar as required by UK and EU tax law (typically 6–10 years).
  • Analytics events — retained by PostHog on a rolling basis according to the plan we use; events are not tied to your email.

Your rights

Under UK GDPR and the EU GDPR (where it applies to you), you have the right to access your data, correct it, delete it, restrict or object to processing, and receive a portable copy. Email hello@hanasay.com from the address on your account and we will respond within 30 days. You can also delete your account at any time, which triggers deletion of the data we hold.

If you believe we have mishandled your data, you can complain to the UK Information Commissioner's Office (ico.org.uk) or, in the EU, to your local supervisory authority.

Children

Hanasay is not for people under 16. We do not knowingly create accounts for users under that age. If you believe a child has signed up, contact us and we will delete the account.

Changes

If we make material changes to this policy, we will update the “last updated” date above and, where appropriate, notify you by email.