Hanasay · Legal

Privacy Policy

Last updated: 1 May 2026

This policy explains what personal data Hanasay collects, why, where it goes, and what rights you have over it. It is written to be honest rather than exhaustive — if anything here is unclear, email hello@hanasay.com and we will explain.

Who is responsible

Hanasay is operated by Taha Boudouma, a sole trader based in the United Kingdom. For data-protection purposes, Taha Boudouma is the data controller. Contact: hello@hanasay.com.

What we collect

We keep the data set small on purpose.

  • Account information — your email address and, if you sign in with Google, the basic profile fields Google returns. This is handled by our authentication provider, Clerk.
  • Learning progress — the words you have studied, whether each attempt was correct or incorrect, scheduling data for spaced repetition, and timestamps. Stored in our database.
  • Voice recordings — when you speak into an exercise, your audio is sent to Google Cloud Speech-to-Text for transcription. We do not store the audio on our servers, and we do not store the text we transcribed from it. Only the outcome (correct or incorrect) and the word being practised are kept.
  • Subscription information — if you subscribe, our payment provider Polar holds your billing details. We receive a subscription status (trialing, active, cancelled, etc.) and a customer reference, not your card.
  • Product analytics — anonymous usage events (page views, exercise outcomes, feature interactions) are sent to PostHog on its EU infrastructure. We have configured PostHog to use memory-only storage, which means it does not place persistent analytics cookies on your device. Session recording is disabled.

What we do not collect

  • We do not store your voice recordings.
  • We do not store the text transcribed from your speech.
  • We do not use your audio or transcripts to train any AI model.
  • We do not run advertising or marketing trackers.
  • We do not sell your data.

Sub-processors

We use a small number of trusted services to operate Hanasay. Each receives only what it needs.

  • Clerk — authentication. Holds your email and OAuth identifiers.
  • Google Cloud (Speech-to-Text and Text-to-Speech) — processes your audio in real time during exercises and produces the spoken example sentences.
  • MongoDB Atlas — stores your account record and learning progress.
  • Polar — payments and subscription management.
  • PostHog (EU) — product analytics.
  • Vercel — hosts the website you are reading right now.

Where data is processed

We try to keep data within the EU/UK where possible (PostHog EU, our primary database region). Some processors are based in the United States (Clerk, Google Cloud, Polar, Vercel). When data leaves the UK/EU, we rely on Standard Contractual Clauses or equivalent safeguards provided by those vendors.

How long we keep things

  • Account and learning data — kept for as long as your account exists. If you delete your account, we delete this within 30 days.
  • Voice recordings — not stored (sent to Google for transcription and discarded).
  • Transcripts — not stored.
  • Billing records — retained by Polar as required by UK and EU tax law (typically 6–10 years).
  • Analytics events — retained by PostHog on a rolling basis according to the plan we use; events are not tied to your email.

Your rights

Under UK GDPR and the EU GDPR (where it applies to you), you have the right to access your data, correct it, delete it, restrict or object to processing, and receive a portable copy. Email hello@hanasay.com from the address on your account and we will respond within 30 days. You can also delete your account at any time, which triggers deletion of the data we hold.

If you believe we have mishandled your data, you can complain to the UK Information Commissioner's Office (ico.org.uk) or, in the EU, to your local supervisory authority.

Children

Hanasay is not for people under 16. We do not knowingly create accounts for users under that age. If you believe a child has signed up, contact us and we will delete the account.

Changes

If we make material changes to this policy, we will update the “last updated” date above and, where appropriate, notify you by email.