GenkiRef

Privacy Policy

Last updated: May 12, 2026

This Privacy Policy describes the policies and procedures of Genki Reference("we", "us", or "our") on the collection, use, and disclosure of your information when you use the Genki Reference website and service (the "Service"). By using the Service, you agree to the collection and use of information in accordance with this Privacy Policy.

Information We Collect

Account information

When you sign in with Google, we receive your email address, name, profile picture, and a Google account identifier from Google's OAuth flow. This information is stored in our authentication provider (Supabase) and is used to identify your account.

Study data you create

When you create flashcard sets or study them, we store your flashcard sets, the items they contain, your study sessions, and per-item spaced-repetition progress in our database (Supabase). This data is private to your account and protected by row-level security so that other users cannot read or modify it.

Text-to-speech requests

When you press the speaker button on a card, we send the Japanese text and voice parameters to Google Cloud Text-to-Speech to synthesize audio. We cache the resulting audio in Cloudflare KV keyed by a SHA-256 hash of the request (no user identifier is part of the cache key) for up to 30 days so subsequent plays do not re-bill the API. We also keep a short-lived per-user rate-limit counter (60-second window) in Cloudflare KV to prevent abuse.

Usage data

Like most websites, our infrastructure providers (Cloudflare, Supabase) automatically receive standard request metadata such as IP address, user agent, and request path. This data is used for security, abuse prevention, and operational diagnostics.

Error reporting

If error reporting is enabled, we may send unhandled exceptions and the URL where they occurred to Sentry to help us fix bugs. We do not intentionally include personal data in error reports.

How We Use Information

  • To provide and maintain the Service, including signing you in and saving your study data.
  • To play back text-to-speech audio you request.
  • To enforce rate limits and prevent abuse of the TTS endpoint.
  • To diagnose errors and improve reliability.

We do not sell your personal information. We do not run advertising on the Service.

Service Providers

We rely on the following processors to operate the Service. Each has its own privacy policy that governs how they handle data on our behalf:

  • Supabase — authentication and database hosting (privacy policy).
  • Google — OAuth sign-in and Google Cloud Text-to-Speech (privacy policy).
  • Cloudflare — application hosting, edge caching, and key-value storage (privacy policy).
  • Sentry — optional error reporting (privacy policy).

Cookies and Local Storage

We use cookies and similar storage strictly to keep you signed in (Supabase session cookies) and to remember UI preferences. We do not use third-party advertising or analytics tracking cookies.

Data Retention

We retain your account and study data for as long as your account is active. TTS audio cache entries expire automatically after 30 days. Rate-limit counters expire within minutes. You may request deletion of your account and associated data at any time by contacting us at the email below.

Your Rights

You may request to access, correct, export, or delete your personal data by contacting us at tylernvovan+genki@gmail.com. Depending on your jurisdiction (for example, the EU/UK under GDPR, or California under the CCPA), you may have additional rights, including the right to object to or restrict processing, and the right to lodge a complaint with a supervisory authority.

Children's Privacy

The Service is not directed at children under 13, and we do not knowingly collect personal information from children under 13. If you believe a child has provided us with personal information, please contact us so we can delete it.

International Transfers

Our service providers may process your data in countries other than your own. By using the Service you consent to this transfer, which is governed by the privacy practices of those providers and applicable law.

Security

We use commercially reasonable measures to protect your data, including TLS in transit and row-level security on database tables. No method of transmission or storage is 100% secure, however, and we cannot guarantee absolute security.

Third-Party Links

The Service may link to third-party websites. We are not responsible for the privacy practices of those sites. We encourage you to review their privacy policies.

Your California Privacy Rights

This section provides additional disclosures required by the California Consumer Privacy Act, as amended by the California Privacy Rights Act (collectively, the "CCPA"), for California residents.

Categories of personal information we collect

In the preceding twelve months, we have collected the following CCPA categories of personal information:

  • Identifiers — name, email address, Google account identifier, profile picture URL, IP address.
  • Internet or other network activity — pages visited on the Service, request metadata (timestamps, user agent), and TTS requests you initiate.
  • Inferences — per-item spaced-repetition state derived from your study activity. We do not draw inferences for advertising or profiling.

We do not collect categories such as government identifiers, financial account numbers, precise geolocation, biometric information, health information, or sensitive personal information as defined by the CCPA.

Sources of personal information

  • Directly from you (when you sign in or create flashcard sets).
  • Automatically from your device and browser (request metadata).
  • From Google's OAuth flow (account profile fields you authorize).

Business and commercial purposes

We use personal information for the purposes described in "How We Use Information" above, namely:

  • Providing, maintaining, and securing the Service.
  • Authenticating you and saving your study data.
  • Synthesizing and caching text-to-speech audio you request.
  • Rate-limiting and abuse prevention.
  • Diagnosing errors and improving reliability.

Categories of third parties we disclose to

We disclose personal information only to the service providers listed in the "Service Providers" section (Supabase, Google, Cloudflare, Sentry), each of which is contractually limited to processing data on our behalf.

No sale or sharing of personal information

We do not sell personal information, and we do not share personal information for cross-context behavioral advertising, as those terms are defined under the CCPA. We have not sold or shared personal information in the preceding twelve months. Because we do not sell or share personal information, we do not offer a "Do Not Sell or Share My Personal Information" link; this statement satisfies that disclosure.

Retention

We retain each category of personal information for the periods described in the "Data Retention" section, namely: account and study data for as long as your account is active; TTS audio cache entries for up to 30 days; rate-limit counters for minutes; and request logs as long as needed for security and operational diagnostics, consistent with our service providers' retention policies.

Your rights under the CCPA

If you are a California resident, you have the right to:

  • Know what personal information we collect, use, disclose, and (if applicable) sell or share about you.
  • Access a copy of the specific pieces of personal information we have collected about you.
  • Correct inaccurate personal information we maintain about you.
  • Delete personal information we have collected from you, subject to certain exceptions.
  • Opt out of the sale or sharing of personal information. (Not applicable — we do neither.)
  • Limit our use and disclosure of sensitive personal information. (Not applicable — we do not collect sensitive personal information for purposes beyond what is permitted without a limit request.)
  • Non-discrimination — we will not deny service, charge a different price, or provide a different level of quality because you exercised your CCPA rights.

How to submit a request

You may submit a verifiable consumer request by emailing us at tylernvovan+genki@gmail.com. To protect your information we will verify your identity before fulfilling your request, typically by confirming ownership of the email address associated with your account. We will respond within the time periods required by the CCPA (generally 45 days, extendable once by 45 additional days with notice).

Authorized agents

You may designate an authorized agent to submit a request on your behalf. We may require the agent to provide proof of your written authorization and may require you to verify your identity directly with us.

Shine the Light

California Civil Code §1798.83 (the "Shine the Light" law) permits California residents to request information about disclosures of personal information to third parties for those third parties' direct marketing purposes. We do not disclose personal information to third parties for their direct marketing purposes.

Minors

We do not knowingly sell or share personal information of consumers under 16 years of age. (And as noted, we do not sell or share personal information of anyone.)

Changes to This Policy

We may update this Privacy Policy from time to time. We will indicate the date of the latest revision at the top of this page. Material changes will be communicated by updating the "Last updated" date. Continued use of the Service after a change constitutes acceptance of the revised policy.

Governing Law

This Privacy Policy is governed by the laws of the State of California, United States.

Contact

If you have questions about this Privacy Policy, contact us at tylernvovan+genki@gmail.com.

← Back to Genki Reference