Legal

Privacy Policy

πŸ“… Last updated: July 15, 2026 Β· Version 3.3

The short version: Moshibary may display optional rewarded ads delivered through Google AdMob. An ad starts only when you choose to watch it, and Moshibary does not display forced ads. We do not sell personal data. You can study in guest mode, and account deletion is available in the app. If you create an account, we use the data described below to provide syncing and related features. The public website serves its page assets from moshibary.com and does not embed third-party analytics or advertising tags.

1. Who we are

The Moshibary app and the website moshibary.com (together, the β€œService”) are operated by:

  • Operator: Shinobasa (sole proprietorship registered in Japan)
  • Representative: Shimba Saruta
  • Address: Shibuya Dogenzaka Tokyu Building 2F-C, 1-10-8 Dogenzaka, Shibuya-ku, Tokyo 150-0043, Japan
  • Email: moshibary@gmail.com

For the purposes of data protection laws such as the EU/UK General Data Protection Regulation (GDPR), Shinobasa is the data controller of the personal data described in this policy.

2. What this policy covers

This policy explains what data we process through the Moshibary mobile app and this website, why we process it, how it is protected, and the choices and rights you may have. Privacy rights and obligations vary by jurisdiction. We apply the laws that are applicable to our activities, the relevant user, and the particular processing. A reference to a regional law does not mean that every provision of that law applies to every user or every processing activity.

3. Data we collect

Guest mode does not require an account. Your learning records such as progress, decks, settings, and custom words are designed to remain on your device unless you choose a feature that requires a network request, such as downloading content or audio. Our hosting and content-delivery providers may process limited technical data, including IP address and request metadata, to deliver and protect the Service.

If you choose to create an account, we collect only the following:

Categories of data collected, examples, and where they are stored
CategoryWhat exactlyWhenWhere it lives
Account data Email address; or the sign-in identity provided by Apple or Google (name/email as you authorize); password (stored only as a secure hash by our authentication provider) When you sign up or sign in Supabase (database & authentication)
Profile & preferences App language, learning goal, daily goal minutes, onboarding completion time During onboarding / in settings Supabase
Consent records Timestamps of your acceptance of the Terms and this policy; your age confirmation During onboarding Supabase
Learning data (sync) Study progress, statistics, decks, review schedule, display settings, collection/garden state, app version, last sync time While signed in, as you study Supabase (and a copy on your device)
Crash reports (optional) Technical error data: stack trace, device model, OS version, app version. We configure the service to minimize identifiers and remove emails, user IDs, tokens, and similar data before transmission where technically possible; the provider may process network-level technical data to receive and protect the report Only if a crash/error occurs and crash reporting is enabled (you can turn it off in Settings) Sentry (crash reporting service)
Support messages Whatever you write to us by email, plus the app version, OS and language that the contact template pre-fills Only when you contact us Our email inbox

Search queries you type inside the app's dictionary search are sent to our database to return results; they are not used to profile you.

If you purchase the optional Premium subscription, Apple or Google processes the payment. We receive a pseudonymous app user identifier and purchase or subscription information through RevenueCat so the app can validate and unlock Premium. Depending on the store and event, this may include product, transaction, subscription, renewal, refund, and entitlement status. If the identifier is linked to your Moshibary account in our systems, the purchase information is also linked to that account. We do not receive your full payment-card details.

4. Data-use limits and current permissions

We limit collection and use to what is described in this policy. In particular:

  • We do not sell personal data. Service providers may process data on our behalf only for the functions described in this policy.
  • Moshibary may display optional rewarded ads through Google AdMob. An ad begins only after you actively choose to watch it. We do not display forced banner or interstitial ads. Google AdMob may process device and network information needed to request, display, prevent fraud, measure, and grant the reward, as described in Section 6. We implement consent controls required for the applicable region and age group.
  • Current device permissions. As of the date above, the app is not designed to request precise location, contacts, photos, microphone recordings, or health data. If a future feature changes this, we will update this policy and request any permission required by the operating system or applicable law before collection.

5. How and why we use data

PurposeData usedLegal basis (GDPR)
Provide the Service: account access, syncing your progress across devicesAccount, profile, learning dataPerformance of a contract (Art. 6(1)(b))
Remember your consent and age confirmationConsent recordsLegal obligation / legitimate interests (Art. 6(1)(c), (f))
Verify Premium purchases and unlock the features you paid forPseudonymous app user identifier and purchase/subscription informationPerformance of a contract (Art. 6(1)(b))
Show an optional rewarded ad and grant its reward (only if you choose to watch one and the feature is enabled in the production build)Device/ad-delivery data processed by Google AdMobConsent (Art. 6(1)(a))
Fix crashes and improve stabilityCrash reports (PII-scrubbed)Consent β€” you can disable it in Settings (Art. 6(1)(a))
Answer your questionsSupport messagesLegitimate interests (Art. 6(1)(f))

We do not use learning data, account information, or other user data under our control to build advertising profiles. Processing performed by Google AdMob for ad delivery is limited by the purposes described in Section 6 and by the user’s consent and regional settings. We do not use automated decision-making that produces legal or similarly significant effects.

6. Service providers (processors)

We use a small number of providers to run the Service. They process data on our behalf and are bound by their own contractual and legal safeguards:

ProviderRoleWhat it processes
SupabaseDatabase, authentication and hosting for account dataThe account, profile, consent and learning data listed in Section 3
SentryCrash reportingPII-scrubbed technical crash data (optional; off if you disable it in Settings)
RevenueCatSubscription management for Premium purchasesA pseudonymous app user ID and purchase information such as product, transaction, subscription, renewal, refund, and entitlement status supplied by the store. If the app user ID is linked to your Moshibary account in our systems, this information is also linked to that account. Full payment-card details do not reach us; Apple or Google processes the payment.
Google AdMobRewarded ads when you choose to watch oneDevice and network data needed to request, display, prevent fraud, measure, and grant the reward, such as IP address, device information, and advertising or app identifiers where permitted. This feature operates only when it is implemented and enabled in the production build. We apply the notices, consent controls, and advertising settings required for the applicable region and age group.
CloudflareContent delivery for audio files (Cloudflare R2) and this websiteNo account data. Like any web server, the CDN processes IP addresses at the network level to deliver content and prevent abuse
Apple / GoogleOptional sign-in providers & in-app purchase billingAuthentication tokens and profile fields you authorize when using Apple or Google sign-in. For purchases, store transaction and subscription information is provided to the app or RevenueCat, while Apple or Google processes the payment under its own terms and privacy policy.

We do not share personal data with any other third parties, except where required by law (e.g., a valid legal order) or to protect the rights, safety and integrity of the Service and its users.

7. Where data is processed & international transfers

We are based in Japan, and our providers may process data in other countries. Depending on the transfer route and applicable law, safeguards may include an adequacy decision, contractual transfer clauses, a UK transfer addendum or agreement, or another lawful transfer mechanism. The provider, infrastructure region, account configuration, and contract in use determine the countries and safeguards for a particular transfer.

8. How long we keep data

  • Account & learning data: kept while your account exists. If you request deletion in the app, your account is scheduled for deletion and removed within approximately 30 days (the grace window lets you change your mind by contacting us before it completes).
  • Crash reports: retained by the crash-reporting service for a limited period and then automatically deleted.
  • Support emails: kept as long as needed to resolve your issue and meet legal obligations.
  • Guest data: lives only on your device β€” deleting the app deletes it.

9. Security

  • All traffic between the app, the website and our servers is encrypted in transit with TLS (HTTPS).
  • Authentication tokens are stored using operating-system protected secure storage where supported, such as the iOS Keychain or Android Keystore.
  • Database access is protected by row-level security, so an account can only read and write its own rows.
  • We practice data minimization: we simply do not collect what we do not need β€” the best protection for data is not having it.

No system can be guaranteed 100% secure, but we design conservatively and keep the attack surface as small as possible. If we ever become aware of a breach affecting your personal data, we will notify you and the relevant authorities as required by law.

10. Your rights

Depending on where you live, you have some or all of the following rights regarding your personal data:

  • Access β€” ask for a copy of the data we hold about you.
  • Rectification β€” correct inaccurate data.
  • Deletion β€” delete your account and data (available directly in the app: Settings β†’ Account β†’ Delete account).
  • Portability β€” receive your data in a machine-readable format.
  • Objection & restriction β€” object to or restrict certain processing.
  • Withdraw consent β€” e.g., turn off crash reporting in Settings at any time.

To exercise any right, use the in-app options or email us at moshibary@gmail.com. We respond within the timelines required by applicable law (one month under GDPR, 45 days under CCPA). We will never discriminate against you for exercising your rights.

If you are in the EU/EEA or UK, you also have the right to lodge a complaint with your local data protection authority.

11. California residents (CCPA/CPRA)

In the preceding 12 months we have collected only the categories described in Section 3, for the purposes described in Section 5.

  • We do not sell personal information.
  • If a current or future feature creates a right to opt out of sharing or targeted advertising under applicable California law, we will provide the notice and control required at that time.
  • We do not use or disclose sensitive personal information for purposes requiring a right to limit, based on the data practices described in this policy.
  • You may exercise applicable rights to know, access, correct, delete, and non-discrimination as described in Section 10.

12. Other regions

Your rights and our obligations vary by location. We handle requests under the law that applies to the relevant user and processing activity. Our commitment not to sell personal data applies regardless of location. Contact us if you want to exercise a privacy right or ask how a regional rule applies.

13. Children

Moshibary is intended for users aged 13 and over. If local law requires a higher age to consent independently to data processing or contract terms, permission from a parent or legal guardian, or another lawful basis, is required. We do not knowingly create accounts for children below the applicable minimum age. If you believe such an account exists, contact us so we can investigate and delete it where required.

14. This website

As of the date above, the public pages of moshibary.com are configured as follows:

  • They do not intentionally set application analytics or advertising cookies or use browser local storage.
  • Fonts, images, and styles are served from moshibary.com. The pages use no executable application JavaScript; the only script element is non-executable structured metadata. They do not embed third-party analytics or advertising resources.
  • The hosting/CDN provider processes IP addresses, request metadata, user-agent information, and network-security logs to deliver the site and prevent abuse. Cloudflare may set strictly necessary security cookies if an enabled protection feature requires them.
  • External links, if selected, take you to the relevant third-party website, which is governed by that website's own privacy practices.

15. Changes to this policy

When we change this policy in a meaningful way (for example, when a new optional feature such as rewarded ads goes live), we will update the date at the top, and for significant changes we will notify you in the app before they take effect. Earlier versions are available on request.

16. Contact

Questions, requests or complaints about privacy:

  • Email: moshibary@gmail.com
  • Post: Shinobasa, Shibuya Dogenzaka Tokyu Building 2F-C, 1-10-8 Dogenzaka, Shibuya-ku, Tokyo 150-0043, Japan

We usually reply within a few business days.