Privacy policy
How Kanzen collects, uses, and protects your personal data, in compliance with the GDPR.
Last updated: 18 May 2026 · Version 1.0
1. Data controller
Tom Piguet, sole proprietor, operating under the commercial name Ikigai Studio
55 avenue du Général de Gaulle, 60150 Longueil-Annel, France
SIRET: 904 611 175 00020
GDPR contact: contact.ikigaistudio@gmail.com
2. Data we collect
2.1 Data provided by the user
| Data | Origin | Status |
|---|---|---|
| Email address | Sign-up | Required |
| Password (hashed, never stored in clear) | Email sign-up | Required if signing up by email |
| Username | Profile | Optional (auto-generated by default) |
| Hanko (avatar), banner, honorific title | Profile customization | Optional |
| Personal mnemonics | User creation | Optional |
| Friend code (8 characters, auto-generated) | System | Required (technical) |
2.2 Data generated by use
| Data | Purpose |
|---|---|
| SRS progress (kanji seen, levels, intervals, review dates) | Operation of the review engine |
| Game statistics (Look-alikes, Garden, Notebook) | Stats display, catch-up mode |
| Duel history (results, scores, league, Glicko-2 rating) | Ranking, anti-cheat |
| Friend list, invitations sent and received | Social feature |
| Display preferences (theme, fonts, language) | Personalization |
| Unlocked seals and torii gates | Progress system |
| Published and adopted mnemonics | Community library |
2.3 Technical data
| Data | Purpose | Retention |
|---|---|---|
| Internal user ID (UUID) | Identification | Account lifetime |
| Authentication tokens | Session maintenance | 30 days max |
| Server logs (IP address, timestamp, error codes) | Security, anti-abuse, debugging | 30 days |
| Device ID for push notifications (Expo token) | Sending review reminders | As long as the option is enabled |
2.4 Subscription data (Kanzen Plus only)
When subscribing to Kanzen Plus:
- RevenueCat customer identifier (anonymous on the publisher side);
- subscription type (monthly / yearly / lifetime);
- subscription, expiration, cancellation dates;
- subscription status (active, in trial, expired).
We do not collect any payment data. Banking or credit card details are processed exclusively by Apple or Google and are never transmitted to the publisher or its subprocessors.
2.5 Data we do NOT collect
- Geolocation
- Health data
- Phone contacts
- Photos, videos, or files from the device
- Microphone, camera
- Advertising identifiers (IDFA, AAID)
- Cross-app behavioral tracking
- Third-party analytics cookies (web version)
3. Purposes and legal bases (GDPR art. 6)
| Purpose | Legal basis |
|---|---|
| Provide the service (account, SRS, duels, mnemonics) | Performance of the contract (art. 6.1.b) |
| Multi-device cloud synchronization | Performance of the contract |
| Duel mode and league ranking | Performance of the contract |
| Community mnemonics and adoptions | Performance of the contract |
| Management of Kanzen Plus subscriptions | Performance of the contract |
| Anti-abuse, security, fraud prevention | Legitimate interest (art. 6.1.f) |
| Transactional communications (password reset, security alerts) | Performance of the contract |
| Push notifications for review reminders | Consent (art. 6.1.a) — revocable from Preferences |
| Reporting and content moderation | Legitimate interest (community safety) |
4. Recipients and subprocessors
The publisher does not sell, rent, or share your personal data with third parties for commercial purposes. The subprocessors below are involved strictly in delivering the service:
| Subprocessor | Role | Location | Safeguards |
|---|---|---|---|
| Supabase Inc. | Database hosting, authentication, edge functions | Ireland (EU) — AWS eu-west-1 datacentre | Supabase DPA + applicable GDPR |
| RevenueCat Inc. | Technical management of subscriptions | United States | EU Standard Contractual Clauses 2021/914 + Data Privacy Framework |
| Apple Inc. | Sign in with Apple authentication, App Store | United States | EU Standard Contractual Clauses + Data Privacy Framework |
| Google LLC | Google OAuth authentication, Google Play | United States | EU Standard Contractual Clauses + Data Privacy Framework |
| Vercel Inc. | Hosting of the web version | United States | EU Standard Contractual Clauses + Data Privacy Framework |
| Expo (650 Industries Inc.) | Push notification delivery service | United States | EU Standard Contractual Clauses |
No data brokers, no advertisers, no resale.
5. Transfers outside the European Union
The main hosting (database, authentication, edge functions) is located in Ireland (EU); no data leaves it as part of the ordinary operation of the App.
Some ancillary subprocessors (RevenueCat, Apple, Google, Vercel, Expo) are established in the United States. These transfers are governed by:
- the European Commission's Standard Contractual Clauses (implementing decision 2021/914 of 4 June 2021);
- the EU–US Data Privacy Framework (adequacy decision of 10 July 2023) when the subprocessor is certified under it.
6. Retention period
| Data | Duration |
|---|---|
| Active account and all its data | As long as the account exists |
| Deleted account (on request or inactive > 3 years) | Definitive erasure within 30 days |
| Public mnemonics adopted by other users | Kept anonymized (author dissociated) |
| Technical logs (IP, error codes) | 30 days |
| Billing data on the Apple / Google side | Per store terms (generally 7 to 10 years for accounting obligations) |
7. Your rights
In accordance with articles 15 to 22 of the GDPR and articles 49 and following of the amended French Data Protection Act, you have the following rights:
- Right of access: obtain a copy of all data concerning you;
- Right to rectification: modify inaccurate or incomplete data (directly from the app for most, or by request);
- Right to erasure: delete your account and your data from Profile → Preferences → Account → Delete my account, or by request to contact.ikigaistudio@gmail.com;
- Right to portability: receive your data in a structured and commonly used format (JSON);
- Right to object: object to processing based on legitimate interest, for reasons related to your particular situation;
- Right to restriction: ask for the suspension of contested processing during the investigation of a complaint;
- Right to withdraw your consent at any time, for processing based on it (push notifications in particular), from the app Preferences;
- Right to lodge a complaint with the CNIL (the French data protection authority — www.cnil.fr) if you believe your rights are not being respected;
- Right to define post-mortem directives regarding the fate of your data after your death, in accordance with article 85 of the French Data Protection Act.
To exercise these rights: contact.ikigaistudio@gmail.com
You will receive a response within a maximum of one month from receipt of your request, in accordance with article 12 of the GDPR. This deadline may be extended by two months for complex requests, with prior notice.
8. Security
Technical and organizational measures in place:
- TLS 1.2+ encryption for all client-server communication;
- passwords hashed with bcrypt (Supabase Auth);
- authentication tokens stored in the operating system's secure keychain (expo-secure-store);
- PostgreSQL Row Level Security — each user can only access their own data;
- no direct database access from the client (all access must pass through secured functions);
- administrator access restricted to the publisher only, with access traceability via Supabase.
No system is infallible. In the event of a data breach likely to entail a risk to your rights and freedoms, you will be notified without undue delay, in accordance with article 34 of the GDPR, and the CNIL will be informed within 72 hours (article 33).
9. Minors
The App is open to users at least 13 years old.
We do not knowingly collect personal data concerning children under 13. If you believe a minor under 13 has provided us with personal data, please contact us immediately at contact.ikigaistudio@gmail.com: we will proceed with deletion as soon as possible.
Minor users between 13 and 15 must obtain the prior consent of their legal representatives in accordance with article 8 of the GDPR and article 45 of the French Data Protection Act.
10. Cookies and trackers
Mobile app
The mobile app uses no cookies or advertising trackers. The only local storage is technical (authentication tokens, progress cache, preferences) and necessary for operation.
Web version
The web version (kanzen.app) uses only strictly necessary technical cookies (Supabase authentication session). No analytics, profiling, or advertising cookies.
No prior consent is required for these technical cookies, in accordance with article 82 of the French Data Protection Act.
11. Modifications
This Privacy policy may be updated to reflect changes to the App or to regulations. The "Last updated" date at the top of the document indicates the current version.
Any substantial modification (new subprocessor, new purpose, new type of data collected) will be announced through an in-app notification and, where applicable, a request for consent.
12. Contact
For any question relating to your personal data:
contact.ikigaistudio@gmail.com
Data protection officer: none designated. The designation of a DPO is not required given the volume and nature of the processing carried out (article 37 GDPR).