Privacy Policy

How we collect and protect your data

Last updated: February 27, 2026

We are committed to protecting your personal data in accordance with GDPR. Here is how we collect, use and protect your information.

  • GDPR compliant
  • TLS 1.3 encryption
  • OVH, hosted in France

1. Data Controller

  • Kotoba Interactive: Sole Proprietorship
  • Representative: Chloé THIEL
  • SIRET: 897 456 356 00020
  • Address: 58 rue de Monceau, CS 48756, 75380 Paris Cedex 08
  • Host: OVH SAS, Roubaix, France

2. Data Collected

  • Identification: username, email, hashed password, profile picture (optional)
  • 2FA: encrypted TOTP secrets (AES-256), hashed backup codes (bcrypt)
  • Learning: SRS words, review history, statistics, collections, notes, preferences
  • Forum and notes: messages, comments, personal notes
  • Payment (Premium): name, billing address, transaction history via Stripe (PCI DSS)
  • Technical: IP address, browser, device, connection logs
  • Support: assistance requests, support exchanges (kept 3 years)

3. Processing Purposes

  • Service provision: account management, personalized SRS (Art. 6.1.b GDPR)
  • Subscription management: secure payments, billing (Art. 6.1.c GDPR)
  • Communications: account emails, security notifications (Art. 6.1.f GDPR)
  • Security: fraud prevention, anomaly detection (Art. 6.1.f GDPR)
  • Audience measurement: anonymized statistics (Art. 6.1.a GDPR, with consent)

4. Data Sharing

We never sell or share your data for commercial purposes. Transfers outside the EU are governed by the EU-US Data Privacy Framework and/or Standard Contractual Clauses (SCCs).

  • OVH SAS: hosting (France)
  • Stripe Inc.: payments (USA, PCI DSS)
  • IONOS SE: emails (Germany)
  • Sentry.io: error monitoring (USA, with consent)
  • Umami / Google Analytics: audience measurement (USA, with consent)
  • Reddit Pixel: advertising conversion measurement (USA, with consent)

5. Data Security

  • Password hashing with bcrypt
  • Secure HTTPS/TLS 1.3 connections
  • Data encryption at rest
  • Protection against SQL injections and CSRF
  • Rate limiting against brute force attacks
  • Daily automatic backups
  • 2FA secrets encrypted with AES-256-GCM

6. Data Retention

Auto-deletion: unverified email (30 days), expired trial (90 days), former subscriber (1 year). Lifetime/Founder accounts are never deleted. A warning email is sent 7 days before deletion.

  • Active account: while active
  • Invoices: 10 years (legal)
  • After deletion: 30 days max
  • Security logs: 90 days
  • Support tickets: 3 years

7. Your Rights (GDPR)

  • Right of access, rectification, erasure
  • Right of restriction, portability, objection
  • Exercise your rights from settings or by email
  • Response time: 1 month max
  • Complaint possible with CNIL (www.cnil.fr)

8. Protection of Minors

ChineseSRS is intended for users aged 13 and over. For 13-16 year olds in the EU, parental consent is required (Art. 8 GDPR).

9. Data Breach Notification

  • CNIL notification within 72h (Art. 33 GDPR)
  • User notification in case of high risk (Art. 34 GDPR)
  • Documentation of any breach and corrective measures

Contact: contact@chinesesrs.com