Privacy Policy

This Privacy Policy applies to all personal data processed by 2hongo in connection with our Japanese language learning platform, including: - Our website at 2hongo.com - User accounts and profiles - Learning features including vocabulary notebooks, spaced repetition reviews, stroke order practice, grammar references, and language tools - Communication with us through our contact form - Advertising services displayed on our Site This policy does not apply to third-party websites, services, or applications that may be linked from our Site. We encourage you to review the privacy policies of any third-party services you access.

We collect the following categories of information: Account Information When you create an account, we collect: - Display name - Email address - Password (stored in hashed form — we never store plain-text passwords) - Profile avatar (if uploaded, limited to JPEG, PNG, or WebP, max 5 MB) - Language preference (English, Chinese (Simplified & Traditional), or Japanese) - Theme preference (light, dark, or system) Authentication Data If you sign in using Google OAuth, we receive: - Your Google account name - Your Google email address - Your Google profile picture URL We use this data solely for account creation and authentication. We do not access your Google contacts, files, or other Google services. Learning Data As you use our Services, we collect and store: - Words saved to your notebooks - Custom notebook names, descriptions, and color preferences - Tags and personal notes you add to saved words - Mastery levels you assign to words (Learning, Familiar, Mastered) - Spaced repetition review history and scheduling data - Review session statistics Device and Usage Information We automatically collect: - IP address - Browser type and version - Operating system - Device type (desktop, mobile, tablet) - Pages visited and features used - Session duration and timestamps - Referring URLs Communication Data When you contact us through our contact form, we collect: - Your name - Your email address - Subject and message content

We use your personal information for the following purposes: Providing and Improving Our Services - Creating and managing your user account - Synchronizing your learning progress, notebooks, and review schedules across sessions - Personalizing your spaced repetition review experience based on your performance - Displaying content in your preferred language - Analyzing usage patterns to improve features and user experience Communication - Sending account-related emails (verification, password reset, security alerts) - Responding to your inquiries and support requests - Sending service announcements and updates (you may opt out at any time) Security and Fraud Prevention - Detecting and preventing bot abuse and automated attacks - Monitoring for unauthorized account access - Enforcing our Terms of Service Advertising - Displaying advertisements through Google AdSense on word detail pages, grammar pages, and browsing pages - We do not show ads during vocabulary review sessions to preserve your learning experience - Ad personalization is managed by Google; you can control your ad preferences through Google's Ad Settings Legal Compliance - Complying with applicable laws, regulations, and legal processes - Responding to lawful requests from public authorities

If you are located in the European Economic Area (EEA) or United Kingdom (UK), we process your personal data under the following legal bases as defined by the General Data Protection Regulation (GDPR): Contract Performance (Article 6(1)(b)) - Account creation and management - Providing learning services (notebooks, SRS, stroke practice) - Synchronizing your learning progress Legitimate Interests (Article 6(1)(f)) - Improving and optimizing our Services - Analyzing usage patterns and trends - Preventing fraud and ensuring security - Our legitimate interests do not override your fundamental rights and freedoms Consent (Article 6(1)(a)) - Displaying personalized advertisements via Google AdSense - Sending optional marketing communications - Processing data through optional Google OAuth sign-in - You may withdraw consent at any time without affecting the lawfulness of prior processing Legal Obligation (Article 6(1)(c)) - Complying with applicable tax, accounting, or reporting requirements - Responding to valid legal process or government requests

We do not sell your personal information to third parties. We may share your information only in the following circumstances: Service Providers We share data with trusted third-party service providers who assist us in operating our Site, conducting our business, or serving you, subject to confidentiality obligations. These providers include: - Hosting and infrastructure providers - Database services - Email delivery services - Content delivery networks - Analytics providers - Advertising networks Legal Requirements We may disclose your information if required to do so by law or in response to valid requests by public authorities (e.g., a court order or government agency). Business Transfers If 2hongo is involved in a merger, acquisition, or asset sale, your personal information may be transferred. We will provide notice before your personal information is transferred and becomes subject to a different privacy policy. Protection of Rights We may disclose information where we believe it is necessary to investigate, prevent, or take action regarding potential violations of our policies, suspected fraud, situations involving potential threats to the safety of any person, or as evidence in litigation.

Our Site uses the following third-party services that may process your data: Vercel (Hosting & Deployment) - Purpose: Website hosting, serverless functions, edge network, bot detection - Data processed: IP addresses, request headers, usage data - Privacy policy: https://vercel.com/legal/privacy-policy MongoDB Atlas (Database) - Purpose: Storing user accounts, learning data, and application data - Data processed: All user-generated content and account information - Data location: Cloud-hosted with encryption at rest - Privacy policy: https://www.mongodb.com/legal/privacy-policy Google AdSense (Advertising) - Purpose: Displaying advertisements on non-review pages - Data processed: Cookies, device identifiers, browsing behavior for ad personalization - You can manage ad preferences at: https://adssettings.google.com - Privacy policy: https://policies.google.com/privacy Google OAuth (Authentication) - Purpose: Optional social sign-in - Data processed: Name, email, profile picture from your Google account - Privacy policy: https://policies.google.com/privacy Cloudflare (CDN & Security) - Purpose: Content delivery, DDoS protection, performance optimization - Data processed: IP addresses, request headers - Privacy policy: https://www.cloudflare.com/privacypolicy Amazon SES (Email) - Purpose: Sending transactional emails (verification, password reset, notifications) - Data processed: Email addresses, email content - Privacy policy: https://aws.amazon.com/privacy

2hongo operates globally and your data may be transferred to, stored, and processed in countries other than your country of residence, including the United States and other countries where our service providers operate. If you are located in the EEA, UK, or Switzerland, we ensure that international transfers of personal data are protected by appropriate safeguards, including: - Standard Contractual Clauses (SCCs) approved by the European Commission - Adequacy decisions by the European Commission for transfers to countries recognized as providing adequate protection - Data processing agreements with our service providers that include appropriate data protection obligations By using our Services, you acknowledge that your information may be transferred internationally. We take steps to ensure that your data receives an adequate level of protection in the jurisdictions in which we process it.

We retain your personal information only for as long as necessary to fulfill the purposes described in this Privacy Policy, unless a longer retention period is required or permitted by law. Account Data - Retained for as long as your account is active - Upon account deletion, all personal data is permanently removed from our systems within 30 days - Account deletion can be initiated from your Profile > Security settings Learning Data - Notebooks, saved words, tags, notes, and review history are retained as long as your account is active - Deleted when your account is deleted Session Data - Active sessions expire after 30 days (standard) or 90 days ("remember me") - Session records are automatically cleaned up after expiration Email Verification Tokens - Expire after 24 hours Password Reset Tokens - Expire after 1 hour and are invalidated after use Usage Logs - Server logs are retained for up to 30 days for security and diagnostic purposes Communication Records - Contact form submissions are retained for up to 2 years to maintain support history

We implement appropriate technical and organizational measures to protect your personal information, including: Technical Measures - HTTPS/TLS encryption for all data in transit - Password hashing using industry-standard algorithms (passwords are never stored in plain text) - Session token hashing using SHA-256 - Single-use tokens for email verification and password reset - Encryption at rest for database storage Access Controls - Server-side session management with automatic expiration - Bot detection and rate limiting to prevent automated attacks - Secure OAuth 2.0 implementation for Google sign-in Operational Measures - Regular security reviews of our codebase and infrastructure - Principle of least privilege for internal data access - Incident response procedures for potential data breaches Despite these measures, no method of electronic transmission or storage is 100% secure. While we strive to protect your personal information, we cannot guarantee absolute security. If we become aware of a security breach that affects your personal data, we will notify you and the relevant authorities as required by applicable law.

Depending on your location, you may have the following rights regarding your personal information: Rights Under GDPR (EEA and UK Residents) - Right of Access: Request a copy of the personal data we hold about you - Right to Rectification: Request correction of inaccurate or incomplete data - Right to Erasure ("Right to be Forgotten"): Request deletion of your personal data - Right to Restrict Processing: Request that we limit how we use your data - Right to Data Portability: Receive your data in a structured, machine-readable format - Right to Object: Object to processing based on legitimate interests or for direct marketing - Right to Withdraw Consent: Withdraw previously given consent at any time - Right to Lodge a Complaint: File a complaint with your local data protection authority Rights Under CCPA/CPRA (California Residents) - Right to Know: Request disclosure of the categories and specific pieces of personal information we collect - Right to Delete: Request deletion of your personal information - Right to Correct: Request correction of inaccurate personal information - Right to Opt-Out of Sale/Sharing: We do not sell or share your personal information for cross-context behavioral advertising - Right to Non-Discrimination: We will not discriminate against you for exercising your privacy rights Rights Under Other Jurisdictions - Brazil (LGPD): You have rights similar to GDPR, including access, correction, deletion, and data portability - Japan (APPI): You have the right to request disclosure, correction, and cessation of use of your personal information - China (PIPL): You have rights to access, copy, correct, and delete your personal information, and to withdraw consent Exercising Your Rights - Account data can be viewed and edited in your Profile settings - Account deletion is available in Profile > Security (permanently removes all your data) - For all other privacy requests, please contact us through our contact form - We will respond to verifiable requests within 30 days (or as required by applicable law)

Our Services are not directed to children under the age of 13 (or the applicable age of digital consent in your jurisdiction, such as 16 in the EEA under GDPR). We do not knowingly collect personal information from children under these ages. If you are a parent or guardian and believe that your child has provided us with personal information without your consent, please contact us through our contact form. If we become aware that we have collected personal information from a child without verification of parental consent, we will take steps to delete that information promptly.

We use cookies and similar technologies to operate and improve our Services. Essential Cookies - Session cookies: Required for user authentication and maintaining your login state - Language preference: Stores your selected interface language - Theme preference: Stores your light/dark mode selection - These cookies are necessary for the Site to function and cannot be disabled Functional Cookies - Learning preferences: Stores settings like word highlight and grammar highlight toggles - Stroke order settings: Stores your preferred animation speed, rainbow mode, and stroke number preferences Advertising Cookies - Google AdSense: Uses cookies to serve ads based on your interests and browsing history - These cookies are set by Google and are subject to Google's privacy policy - You can manage ad personalization at: https://adssettings.google.com - You can opt out of personalized advertising by visiting: https://www.aboutads.info/choices Analytics - We may use analytics tools to understand how users interact with our Services - Analytics data is aggregated and used solely to improve our platform Managing Cookies - Most browsers allow you to control cookies through their settings - Disabling essential cookies may prevent you from using certain features of our Site - For more information about cookies, visit: https://www.allaboutcookies.org

Some browsers include a "Do Not Track" (DNT) feature that signals to websites that you do not want your online activity tracked. Because there is no universally accepted standard for how to respond to DNT signals, our Site does not currently respond to DNT browser signals. However, you can manage your privacy preferences through the cookie settings and ad personalization controls described in Section 12 above.

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. When we make material changes: - We will update the "Last Updated" date at the top of this page - For significant changes, we may notify you by email or by posting a prominent notice on our Site - Continued use of our Services after the effective date of changes constitutes acceptance of the updated policy We encourage you to review this Privacy Policy periodically to stay informed about how we are protecting your information. Previous versions of this policy are available upon request.

If you have questions, concerns, or requests regarding this Privacy Policy or our data practices, you may contact the 2hongo team through our contact form. When contacting us about a privacy matter, please include sufficient information to help us understand and respond to your request, such as your account email address and the nature of your inquiry. For GDPR-related inquiries, we aim to respond within 30 days. For CCPA-related inquiries, we will respond within 45 days as required by law.