分Wakatta

Privacy Policy

Last updated: 25 June 2026

This Privacy Policy explains what personal data Wakatta ("Wakatta", "we", "us", "our") collects when you use the Wakatta mobile app and the wakatta.app website (together, the "Service"), how and why we use it, who we share it with, how long we keep it, and the rights you have. Wakatta is a Japanese-learning app that turns real podcasts into tappable lessons with transcripts, a dictionary, AI explanations, and spaced-repetition review. We aim to collect as little personal data as we reasonably can to run the Service.

Data controller. Wakatta is operated by Mariano Matayoshi, an individual established in Spain (European Union). For any privacy question or to exercise your rights, contact [email protected]; a postal contact address is available on request at that address. We have not appointed a Data Protection Officer, as we are not legally required to.

1. What personal data we collect

Account & identity

Your email address — when you create an account with email + password, request a sign-in link, or sign in with Google.
Authentication data — a hashed (never plaintext) password if you set one, and the sign-in tokens that keep you logged in. With Google Sign-In we receive your verified email from Google; we never receive or store your Google password.
Guest sessions — if you use Wakatta as a guest, we create an anonymous session with a randomly generated internal ID and no email, until you choose to create an account.

We currently offer sign-in by email + password, an email sign-in link ("magic link"), and Google Sign-In. We do not currently offer Sign in with Apple. We will update this Policy before adding any new sign-in method.

Learning activity (what the app is built around)

Episodes you play and your listening progress (position, whether completed).
Saved words with their reading, meaning, and the context they came from (source episode and moment in the audio).
Spaced-repetition review data, "missed moment" marks, your daily goal, streak / daily activity, per-episode comprehension feedback, your chosen JLPT level, and your reading/display settings.
The Japanese words and sentences you look up in the dictionary or send to the AI for an explanation (see Section 4).

Technical & diagnostic

Device & app information sent with requests: platform (iOS/Android/web), OS version, app version, device model, and language/locale.
IP address and server request logs, processed transiently for security, abuse-prevention, and reliability.
Crash and error diagnostics (Sentry): stack traces, device model, app state at the time of the error and — because diagnostic context is enabled — your IP address and request metadata.

Usage, cost & waitlist

Usage events (e.g. that you used an AI explanation, or that a transcription was generated), linked to your account ID, to enforce fair-use limits per plan and measure demand.
Waitlist / Premium interest — if you join the waitlist or tap "notify me", we store the email address you give us, the language you used, and where the sign-up came from. For the website waitlist we also store a salted, irreversible hash of your IP address (not your IP itself) to prevent abuse.

What we do NOT collect

No third-party advertising or marketing trackers, and no ads.
No third-party analytics SDK (no Google Analytics, Firebase Analytics, Mixpanel, or similar) — our usage analytics are limited to the in-house records above.
No precise or approximate location, and no age, gender or demographic profiles.
We do not sell your personal data and do not share it for cross-context behavioural advertising.

2. Why we use your data & the legal basis (GDPR Art. 6)

Purpose	Legal basis
Create and run your account; deliver the Service (transcripts, dictionary, AI explanations, saved words, review, progress, streaks); send sign-in emails	Performance of a contract (Art. 6(1)(b))
Keep the Service secure, prevent abuse, enforce fair-use limits, and debug/improve the product	Legitimate interests (Art. 6(1)(f)) — you can object (Section 7)
Tell you when Premium launches, if you asked us to ("notify me" / waitlist)	Consent (Art. 6(1)(a)) — withdraw any time
Comply with legal obligations	Legal obligation (Art. 6(1)(c))

Where we rely on legitimate interests, we have weighed our interest against your rights and limited the data accordingly; you may ask us for more detail. We do not make decisions about you based solely on automated processing that produce legal or similarly significant effects (Art. 22). AI explanations are a study aid and make no decisions about you.

3. Who we share data with (processors)

We do not sell your data. We use a small number of trusted service providers ("processors") that process data on our behalf, under contract and on our instructions. Podcast audio is not routed through them as user content (see Section 5).

Provider	What it does & what it processes	Where
Railway	Hosting — runs our servers and database; all stored personal data	EU and/or US
Cloudflare	DNS, CDN, security/WAF; "Turnstile" anti-bot check on the website waitlist; IP & request metadata	Global edge network
Sentry	Crash/error diagnostics; device info, IP, request metadata	EU region (Germany); some account metadata may be in the US
Google (Gemini AI)	Generates AI explanations; receives only the Japanese word/sentence you ask about and your output language — not your name or email	United States / Google regions
Speech-to-text (Soniox; and/or OpenAI / Groq Whisper)	Transcribe podcast audio into text, once per episode — no user personal data	EU and/or US, per provider
Resend	Transactional email (sign-in links, waitlist confirmation); your email and the message	United States
Google (Sign-In)	Lets you sign in with your Google account, if you choose	Per Google

When you ask for an AI explanation, only that Japanese text and your chosen output language are sent to the AI provider — not your identity. Results are cached and reused across users by content. We may also disclose data where required by law, to enforce our Terms, or to protect the rights, safety, and security of our users, the public, or Wakatta.

4. International transfers

Some providers process personal data outside the European Economic Area (EEA), including in the United States. Where that happens, we rely on one or more safeguards under GDPR Chapter V: the provider's certification under the EU–US Data Privacy Framework (where applicable) and/or the European Commission's Standard Contractual Clauses, with additional measures where needed. We have chosen our crash-reporting provider's EU (Germany) data region to keep diagnostic data within the EU where possible. Ask us (Section 8) for more information about the safeguards for a specific transfer.

5. Podcast audio (third-party content)

Wakatta is a learning layer on top of podcasts created and published by third parties. When you play an episode, the audio is streamed directly from the podcast's own host (the public feed's media URL); we do not host or re-stream it as your personal content. Separately, our servers download each episode's audio once to generate a shared transcript (cached per episode, not per user) — this involves the third-party podcast audio, not your personal data.

6. How long we keep your data (retention)

Account & learning data — kept while your account is active; deleted within 30 days of verifying a deletion request, except items we must keep longer for legal/security reasons.
Usage & login analytics — up to 12 months.
Sign-in link tokens — single-use, expire within 15 minutes; we keep only an irreversible hash, never the link itself.
Server request logs — up to 30 days, then deleted or anonymised.
Crash/error diagnostics (Sentry) — up to 90 days.
Waitlist / Premium-interest email — until Premium launches (or we decide not to) or until you ask us to remove it, whichever is first.
Aggregated or anonymised data that can no longer be linked to you may be kept indefinitely.

7. Your rights (GDPR Arts. 15–22)

If you are in the EEA (and similarly under UK law) you have the right to access, rectify, erase, restrict, and port your data, to object to processing based on our legitimate interests, and to withdraw consent at any time (without affecting processing already done). To exercise any of these, email [email protected] from your account address so we can verify it is you; we respond within the time the law allows (generally one month), free of charge. You may also lodge a complaint with a supervisory authority — in Spain, the Agencia Española de Protección de Datos (AEPD), aepd.es — though we would appreciate the chance to address your concern first.

8. Deleting your account & data

You can delete your account and associated personal data at any time and free of charge by requesting deletion on the web at wakatta.app/delete-account, or by emailing [email protected] from your account address. We then permanently delete your account, email, saved words and their context, listening progress, daily goal and streak, marks, review data, and the lookups tied to your account, keeping only what the law requires or briefly for security/abuse-prevention. See wakatta.app/delete-account for full details.

9. Children

Wakatta is intended for an adult, general audience and is not directed to children. We do not knowingly collect personal data from children below the age of digital consent in their country (in Spain, 14; in many EU countries, 16). If you believe a child has provided us data, contact us and we will delete it.

10. Security

We protect your data with measures including encryption in transit (HTTPS), storing passwords only in hashed form, keeping sign-in tokens in the device's private app storage, and limiting access to our systems. No method is completely secure, but we work to protect your information and will notify you and the relevant authority of a personal-data breach where the law requires.

11. Changes to this Policy

We may update this Policy as the Service evolves. We will revise the "Last updated" date above and, for material changes, give you notice in the app or by email before the change takes effect where required.

12. Contact

Questions about this Policy or your data: [email protected].