Privacy Policy

Effective Date: December 22, 2025 Last Updated: December 22, 2025

Introduction

Welcome to Hanasu ("we," "our," or "us"). We are committed to protecting your privacy and the privacy of all users, especially students and children. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our language learning platform at hanasu.ai (the "Service").

By using our Service, you agree to the collection and use of information in accordance with this Privacy Policy. If you do not agree with this policy, please do not use our Service.

Age Restrictions and Children's Privacy (COPPA Compliance)

Users Under 13 Years of Age

Our Service is NOT intended for children under the age of 13. We do not knowingly collect, use, or disclose personal information from children under 13 without verifiable parental consent as required by the Children's Online Privacy Protection Act (COPPA).

If you are under 13 years of age, you may NOT create an account or use our Service without express written permission from your parent or legal guardian.

Parental Consent for Users Under 13

If a parent or guardian becomes aware that their child under 13 has provided us with personal information without parental consent, please contact us immediately at privacy@hanasu.ai. We will delete such information from our systems within 48 hours of verification.

Parents of children under 13 who have provided parental consent have the right to:

Review the personal information collected from their child
Request deletion of their child's personal information
Refuse to permit further collection or use of their child's information
Revoke consent at any time

Users Ages 13-17

If you are between 13 and 17 years of age, you may use our Service but we encourage you to review this Privacy Policy with your parent or guardian.

Information We Collect

We limit our data collection to only what is necessary to provide and improve our language learning services. We do NOT collect information beyond what is required for educational purposes.

Account Information (Required)

Email address: For account creation, authentication, and essential communications
Name: To personalize your learning experience
Password: Stored using industry-standard bcrypt hashing (never stored in plain text)
Profile preferences: Language settings, practice frequency, timezone, and notification preferences

Usage Data (Automatically Collected)

Conversation sessions: Language studied, conversation topic, session duration, and message count
Practice activity: Frequency of practice sessions and completion rates
Device information: Browser type, operating system, and device type (for compatibility)
IP address and location data: General geographic location (city/country level only) for timezone detection and fraud prevention
Authentication logs: Login timestamps and session information for security purposes

Analytics Data (Optional for Authenticated Users)

We use PostHog for analytics to understand how users interact with our platform. For authenticated users only, we collect:

Page views and navigation patterns
Session recordings (with form inputs masked for privacy)
Feature usage and interaction events
Performance metrics and error logs

Important: Session recordings are ONLY enabled for authenticated (logged-in) users and can be avoided by logging out. No recordings are made of anonymous visitors or unauthenticated sessions.

Information We Do NOT Collect

Social Security numbers or government-issued identification numbers
Financial information (payment processing is handled by third-party payment processors)
Precise geolocation data (we only collect city/country-level location)
Biometric data
Sensitive personal information about race, ethnicity, religion, or health

How We Use Your Information

We use the collected information ONLY for the following purposes:

Primary Educational Purposes

Provide and maintain our language learning services
Personalize your learning experience and track your progress
Generate AI-powered conversation practice sessions
Send practice reminders based on your chosen frequency preferences
Respond to your questions, comments, and support requests

Service Improvement and Analytics

Analyze usage patterns to improve user experience and educational effectiveness
Monitor and analyze platform performance, errors, and technical issues
Conduct internal research and development for new features
Optimize our AI services for better conversation quality

Legal and Security Purposes

Comply with legal obligations and respond to lawful requests
Protect against fraud, abuse, and security threats
Enforce our Terms of Service and other policies
Detect and prevent technical issues or illegal activities

Prohibited Uses

We do NOT and will NEVER:

Sell, rent, or trade your personal information to third parties
Use your data for targeted advertising or marketing purposes
Create user profiles for advertising or commercial purposes unrelated to education
Share your data with third parties for their marketing purposes
Use student data to build behavioral profiles beyond educational purposes

Data Security Measures

We implement comprehensive technical and organizational security measures to protect your data:

Encryption

Data in transit: All data transmitted between your device and our servers is encrypted using TLS 1.3 (Transport Layer Security)
Data at rest: All data stored in our databases is encrypted using AES-256 encryption
Password security: Passwords are hashed using bcrypt with salt rounds, making them computationally infeasible to reverse

Access Controls

Role-based access control (RBAC) limiting employee access to user data
Multi-factor authentication (MFA) required for administrative access
Regular access audits and automatic deprovisioning of unused accounts
Principle of least privilege for all data access

Security Monitoring

24/7 automated security monitoring and threat detection
Regular security audits and penetration testing
Incident response plan with defined procedures
Logging and monitoring of all data access events

Organizational Measures

Background checks for employees with data access
Regular security training for all employees
Data processing agreements with all third-party vendors
Annual third-party security assessments

Third-Party Services and Data Sharing

We partner with carefully selected third-party service providers to operate our platform. Each provider has been vetted for security and privacy practices and is bound by contractual obligations to protect your data.

Our Service Providers

Supabase (Database and Authentication)

Purpose: Secure data storage and user authentication
Data Shared: Account information, usage data, conversation history
Location: United States
Privacy Policy: https://supabase.com/privacy

OpenAI (AI Conversation Processing)

Purpose: Generate AI-powered conversation practice
Data Shared: Conversation content (language prompts and responses only)
Data Retention: OpenAI does not use data sent via API to train their models
Location: United States
Privacy Policy: https://openai.com/privacy

PostHog (Analytics and Session Replay)

Purpose: Understand user behavior and improve platform
Data Shared: Usage analytics, session recordings (authenticated users only)
Location: United States
Privacy Policy: https://posthog.com/privacy

Loops.so (Email Notifications)

Purpose: Send practice reminders and account notifications
Data Shared: Email address, name, practice preferences
Location: United States
Privacy Policy: https://loops.so/privacy

Vercel (Hosting and Deployment)

Purpose: Host and serve the application
Data Shared: Technical data required for hosting (logs, performance data)
Location: United States and globally distributed
Privacy Policy: https://vercel.com/legal/privacy-policy

Legal Disclosure

We may disclose your information if required to do so by law or in response to valid requests by public authorities (e.g., court orders, subpoenas, or government investigations), but only to the extent legally required.

No Data Sales

We do NOT sell, rent, or trade your personal information to third parties for monetary or other valuable consideration. This is a fundamental principle of our privacy practices.

Your Privacy Rights

You have the following rights regarding your personal data:

Right to Access

You may request a copy of the personal information we hold about you. We will provide this information in a structured, commonly used, and machine-readable format within 30 days of your request.

Right to Correction

You may update or correct your account information at any time through your account settings. You may also contact us to request corrections.

Right to Deletion

You may request deletion of your account and all associated personal data. We will delete your data within 30 days of verification of your request, except where retention is required by law.

Right to Data Portability

You may request an export of your data in a portable format (JSON or CSV).

Right to Opt-Out

Email communications: You may opt out of practice reminder emails through your account settings or by clicking "unsubscribe" in any email
Session recordings: You may disable session recordings by logging out or not creating an account
Analytics: You may use browser extensions to block analytics tracking

Right to Withdraw Consent

Where we process your data based on consent, you may withdraw that consent at any time without affecting the lawfulness of processing before withdrawal.

How to Exercise Your Rights

To exercise any of these rights, please contact us at:

Email: privacy@hanasu.ai
Response Time: We will respond to your request within 30 days

For requests involving minors under 18, we may require verification of parental authority.

Data Retention and Deletion

We retain your personal data only for as long as necessary to fulfill the purposes outlined in this Privacy Policy.

Active Accounts

Account information: Retained while your account is active
Conversation history: Retained while your account is active
Usage analytics: Retained for up to 2 years for analysis and improvement

Deleted Accounts

When you delete your account:

Personal information: Deleted within 30 days
De-identified analytics data: May be retained in aggregate form for statistical purposes
Legal holds: Data subject to legal requirements may be retained longer

Automatic Deletion

Inactive accounts (no login for 3+ years): We may delete after email notification
Session recordings: Automatically deleted after 90 days
Error logs: Automatically deleted after 90 days

Backup Retention

Backups containing your data may persist for up to 90 days after deletion for disaster recovery purposes, but are not accessible for normal operations.

Cookies and Tracking Technologies

We use cookies and similar technologies to operate our Service and improve user experience.

Essential Cookies (Required)

Authentication cookies: Maintain your login session (expires after 7 days of inactivity)
Security cookies: Prevent fraud and abuse
Preference cookies: Remember your language and timezone settings

Analytics Cookies (Optional)

PostHog cookies: Track usage patterns and feature adoption (authenticated users only)
Performance cookies: Monitor application speed and reliability

Your Cookie Choices

You can control cookies through your browser settings
Disabling essential cookies may prevent you from using certain features
You can opt out of analytics cookies by logging out or using browser extensions

We do NOT use cookies for:

Third-party advertising
Cross-site tracking
Behavioral profiling for marketing purposes

International Data Transfers and GDPR Compliance

Data Storage Location

Your data is primarily stored in the United States using Supabase's infrastructure. Our service providers may process data in various countries globally.

European Users (GDPR)

If you are located in the European Economic Area (EEA), United Kingdom, or Switzerland, you have additional rights under the General Data Protection Regulation (GDPR):

Legal basis for processing: We process your data based on consent, contract performance, or legitimate interests
Data Protection Officer: Contact dpo@hanasu.ai for GDPR-related inquiries
Supervisory authority: You have the right to lodge a complaint with your local data protection authority

Adequate Safeguards

For international transfers, we rely on:

Standard Contractual Clauses (SCCs) approved by the European Commission
Adequate security measures as described in this policy
Compliance with applicable data protection laws

California Privacy Rights (CCPA/CPRA)

If you are a California resident, you have specific rights under the California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA):

Your California Rights

Right to Know: Request disclosure of personal information collected, used, and shared
Right to Delete: Request deletion of your personal information
Right to Opt-Out: Opt out of the sale of personal information (we do not sell data)
Right to Non-Discrimination: Exercise privacy rights without discrimination
Right to Correct: Request correction of inaccurate personal information
Right to Limit: Limit use of sensitive personal information (we collect minimal sensitive data)

Categories of Information Collected

Identifiers (name, email, IP address)
Usage data (session information, feature usage)
Geolocation data (city/country level only)

Do Not Sell My Personal Information

We do NOT sell your personal information and have not sold personal information in the past 12 months.

Educational Use and FERPA Compliance

If our Service is used in an educational institution context (K-12 or higher education), additional protections apply under the Family Educational Rights and Privacy Act (FERPA).

School Official Exception

When used by educational institutions, we act as a "school official" with legitimate educational interests. We:

Use student data only for educational purposes authorized by the institution
Do not share student education records without institutional authorization
Implement security measures to protect education records
Allow institutions to control student data access and deletion

Educational Institution Responsibilities

Schools and districts using our Service should:

Include Hanasu in their data processing agreements
Obtain necessary parental consents as required by law
Inform students and parents about educational technology usage
Monitor compliance with their own privacy policies

Direct-to-Consumer vs. School Use

Individual users: This Privacy Policy governs your use
School-based users: Both this policy and your school's policies apply

State-Specific Student Privacy Laws

We comply with state student privacy laws, including but not limited to:

California's SOPIPA (Student Online Personal Information Protection Act)
New York Education Law 2-d
Other state laws protecting student data privacy

We commit to:

Not selling student personal information
Not using student data for targeted advertising
Not building student profiles beyond educational purposes
Implementing reasonable security measures
Allowing parents and schools to access and delete student data

Email Communications and Notifications

Types of Emails We Send

Essential Communications (Cannot Opt-Out)

Account verification and password resets
Critical security notifications
Legal notices and policy updates
Responses to your support requests

Optional Communications (Can Opt-Out)

Practice reminder emails based on your chosen frequency
Product updates and new feature announcements
Tips for improving your language learning

Managing Email Preferences

Update preferences in your account settings at any time
Click "unsubscribe" in any non-essential email
Email frequency options: daily, 3x weekly, weekly, or never

Email Security

All emails are sent from @hanasu.ai domain
We will never ask for your password via email
Beware of phishing attempts impersonating our Service

Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors.

Notification of Changes

Material changes: We will notify you by email and/or prominent notice on our Service at least 30 days before the change takes effect
Minor changes: We will update the "Last Updated" date at the top of this policy

Your Continued Use

Your continued use of the Service after any changes indicates your acceptance of the updated Privacy Policy. If you do not agree with changes, please discontinue use and contact us to delete your account.

Policy Version History

We maintain a history of previous policy versions. Contact us to request access to prior versions.

Data Breach Notification

In the unlikely event of a data breach that affects your personal information, we will:

Notify affected users within 72 hours of discovery
Describe the nature of the breach and data involved
Explain steps we're taking to address the breach
Provide recommendations for protecting your information
Notify appropriate regulatory authorities as required by law

Contact Information

Privacy Questions and Requests

For any privacy-related questions, concerns, or requests to exercise your rights, please contact us:

Email: privacy@hanasu.ai Response Time: Within 30 days

General Inquiries

Email: support@hanasu.ai Website: https://hanasu.ai

Postal Address

Hanasu 1530 Gough Street San Francisco, CA 94109 United States

Acceptance of This Policy

By using our Service, you acknowledge that you have read, understood, and agree to be bound by this Privacy Policy. If you do not agree with this policy, please do not use our Service.

For users under 18: You confirm that you have obtained permission from your parent or guardian to use this Service and that they have reviewed this Privacy Policy.

This Privacy Policy is effective as of December 22, 2025.

For questions about this policy, email privacy@hanasu.ai