Privacy Policy
π Last updated: July 15, 2026 Β· Version 3.3
1. Who we are
The Moshibary app and the website moshibary.com (together, the βServiceβ) are operated by:
- Operator: Shinobasa (sole proprietorship registered in Japan)
- Representative: Shimba Saruta
- Address: Shibuya Dogenzaka Tokyu Building 2F-C, 1-10-8 Dogenzaka, Shibuya-ku, Tokyo 150-0043, Japan
- Email: moshibary@gmail.com
For the purposes of data protection laws such as the EU/UK General Data Protection Regulation (GDPR), Shinobasa is the data controller of the personal data described in this policy.
2. What this policy covers
This policy explains what data we process through the Moshibary mobile app and this website, why we process it, how it is protected, and the choices and rights you may have. Privacy rights and obligations vary by jurisdiction. We apply the laws that are applicable to our activities, the relevant user, and the particular processing. A reference to a regional law does not mean that every provision of that law applies to every user or every processing activity.
The data practices described below apply only to features that are enabled in the production release you use. If a listed feature or provider is not enabled, the related processing does not occur. We update this policy before materially changing production data practices.
3. Data we collect
Guest mode does not require an account. Your learning records such as progress, decks, settings, and custom words are designed to remain on your device unless you choose a feature that requires a network request, such as downloading content or audio. Our hosting and content-delivery providers may process limited technical data, including IP address and request metadata, to deliver and protect the Service.
If you choose to create an account, we collect only the following:
| Category | What exactly | When | Where it lives |
|---|---|---|---|
| Account data | Email address; or the sign-in identity provided by Apple or Google (name/email as you authorize); password (stored only as a secure hash by our authentication provider) | When you sign up or sign in | Supabase (database & authentication) |
| Profile & preferences | App language, learning goal, daily goal minutes, onboarding completion time | During onboarding / in settings | Supabase |
| Consent records | Timestamps of your acceptance of the Terms and this policy; your age confirmation | During onboarding | Supabase |
| Learning data (sync) | Study progress, statistics, decks, review schedule, display settings, collection/garden state, app version, last sync time | While signed in, as you study | Supabase (and a copy on your device) |
| Crash reports (optional) | Technical error data: stack trace, device model, OS version, app version. We configure the service to minimize identifiers and remove emails, user IDs, tokens, and similar data before transmission where technically possible; the provider may process network-level technical data to receive and protect the report | Only if a crash/error occurs and crash reporting is enabled (you can turn it off in Settings) | Sentry (crash reporting service) |
| Support messages | Whatever you write to us by email, plus the app version, OS and language that the contact template pre-fills | Only when you contact us | Our email inbox |
Search queries you type inside the app's dictionary search are sent to our database to return results; they are not used to profile you.
If you purchase the optional Premium subscription, Apple or Google processes the payment. We receive a pseudonymous app user identifier and purchase or subscription information through RevenueCat so the app can validate and unlock Premium. Depending on the store and event, this may include product, transaction, subscription, renewal, refund, and entitlement status. If the identifier is linked to your Moshibary account in our systems, the purchase information is also linked to that account. We do not receive your full payment-card details.
4. Data-use limits and current permissions
We limit collection and use to what is described in this policy. In particular:
- We do not sell personal data. Service providers may process data on our behalf only for the functions described in this policy.
- Moshibary may display optional rewarded ads through Google AdMob. An ad begins only after you actively choose to watch it. We do not display forced banner or interstitial ads. Google AdMob may process device and network information needed to request, display, prevent fraud, measure, and grant the reward, as described in Section 6. We implement consent controls required for the applicable region and age group.
- Current device permissions. As of the date above, the app is not designed to request precise location, contacts, photos, microphone recordings, or health data. If a future feature changes this, we will update this policy and request any permission required by the operating system or applicable law before collection.
5. How and why we use data
| Purpose | Data used | Legal basis (GDPR) |
|---|---|---|
| Provide the Service: account access, syncing your progress across devices | Account, profile, learning data | Performance of a contract (Art. 6(1)(b)) |
| Remember your consent and age confirmation | Consent records | Legal obligation / legitimate interests (Art. 6(1)(c), (f)) |
| Verify Premium purchases and unlock the features you paid for | Pseudonymous app user identifier and purchase/subscription information | Performance of a contract (Art. 6(1)(b)) |
| Show an optional rewarded ad and grant its reward (only if you choose to watch one and the feature is enabled in the production build) | Device/ad-delivery data processed by Google AdMob | Consent (Art. 6(1)(a)) |
| Fix crashes and improve stability | Crash reports (PII-scrubbed) | Consent β you can disable it in Settings (Art. 6(1)(a)) |
| Answer your questions | Support messages | Legitimate interests (Art. 6(1)(f)) |
We do not use learning data, account information, or other user data under our control to build advertising profiles. Processing performed by Google AdMob for ad delivery is limited by the purposes described in Section 6 and by the userβs consent and regional settings. We do not use automated decision-making that produces legal or similarly significant effects.
6. Service providers (processors)
We use a small number of providers to run the Service. They process data on our behalf and are bound by their own contractual and legal safeguards:
| Provider | Role | What it processes |
|---|---|---|
| Supabase | Database, authentication and hosting for account data | The account, profile, consent and learning data listed in Section 3 |
| Sentry | Crash reporting | PII-scrubbed technical crash data (optional; off if you disable it in Settings) |
| RevenueCat | Subscription management for Premium purchases | A pseudonymous app user ID and purchase information such as product, transaction, subscription, renewal, refund, and entitlement status supplied by the store. If the app user ID is linked to your Moshibary account in our systems, this information is also linked to that account. Full payment-card details do not reach us; Apple or Google processes the payment. |
| Google AdMob | Rewarded ads when you choose to watch one | Device and network data needed to request, display, prevent fraud, measure, and grant the reward, such as IP address, device information, and advertising or app identifiers where permitted. This feature operates only when it is implemented and enabled in the production build. We apply the notices, consent controls, and advertising settings required for the applicable region and age group. |
| Cloudflare | Content delivery for audio files (Cloudflare R2) and this website | No account data. Like any web server, the CDN processes IP addresses at the network level to deliver content and prevent abuse |
| Apple / Google | Optional sign-in providers & in-app purchase billing | Authentication tokens and profile fields you authorize when using Apple or Google sign-in. For purchases, store transaction and subscription information is provided to the app or RevenueCat, while Apple or Google processes the payment under its own terms and privacy policy. |
We do not share personal data with any other third parties, except where required by law (e.g., a valid legal order) or to protect the rights, safety and integrity of the Service and its users.
7. Where data is processed & international transfers
We are based in Japan, and our providers may process data in other countries. Depending on the transfer route and applicable law, safeguards may include an adequacy decision, contractual transfer clauses, a UK transfer addendum or agreement, or another lawful transfer mechanism. The provider, infrastructure region, account configuration, and contract in use determine the countries and safeguards for a particular transfer.
8. How long we keep data
- Account & learning data: kept while your account exists. If you request deletion in the app, your account is scheduled for deletion and removed within approximately 30 days (the grace window lets you change your mind by contacting us before it completes).
- Crash reports: retained by the crash-reporting service for a limited period and then automatically deleted.
- Support emails: kept as long as needed to resolve your issue and meet legal obligations.
- Guest data: lives only on your device β deleting the app deletes it.
9. Security
- All traffic between the app, the website and our servers is encrypted in transit with TLS (HTTPS).
- Authentication tokens are stored using operating-system protected secure storage where supported, such as the iOS Keychain or Android Keystore.
- Database access is protected by row-level security, so an account can only read and write its own rows.
- We practice data minimization: we simply do not collect what we do not need β the best protection for data is not having it.
No system can be guaranteed 100% secure, but we design conservatively and keep the attack surface as small as possible. If we ever become aware of a breach affecting your personal data, we will notify you and the relevant authorities as required by law.
10. Your rights
Depending on where you live, you have some or all of the following rights regarding your personal data:
- Access β ask for a copy of the data we hold about you.
- Rectification β correct inaccurate data.
- Deletion β delete your account and data (available directly in the app: Settings β Account β Delete account).
- Portability β receive your data in a machine-readable format.
- Objection & restriction β object to or restrict certain processing.
- Withdraw consent β e.g., turn off crash reporting in Settings at any time.
To exercise any right, use the in-app options or email us at moshibary@gmail.com. We respond within the timelines required by applicable law (one month under GDPR, 45 days under CCPA). We will never discriminate against you for exercising your rights.
If you are in the EU/EEA or UK, you also have the right to lodge a complaint with your local data protection authority.
11. California residents (CCPA/CPRA)
In the preceding 12 months we have collected only the categories described in Section 3, for the purposes described in Section 5.
- We do not sell personal information.
- If a current or future feature creates a right to opt out of sharing or targeted advertising under applicable California law, we will provide the notice and control required at that time.
- We do not use or disclose sensitive personal information for purposes requiring a right to limit, based on the data practices described in this policy.
- You may exercise applicable rights to know, access, correct, delete, and non-discrimination as described in Section 10.
12. Other regions
Your rights and our obligations vary by location. We handle requests under the law that applies to the relevant user and processing activity. Our commitment not to sell personal data applies regardless of location. Contact us if you want to exercise a privacy right or ask how a regional rule applies.
13. Children
Moshibary is intended for users aged 13 and over. If local law requires a higher age to consent independently to data processing or contract terms, permission from a parent or legal guardian, or another lawful basis, is required. We do not knowingly create accounts for children below the applicable minimum age. If you believe such an account exists, contact us so we can investigate and delete it where required.
14. This website
As of the date above, the public pages of moshibary.com are configured as follows:
- They do not intentionally set application analytics or advertising cookies or use browser local storage.
- Fonts, images, and styles are served from moshibary.com. The pages use no executable application JavaScript; the only script element is non-executable structured metadata. They do not embed third-party analytics or advertising resources.
- The hosting/CDN provider processes IP addresses, request metadata, user-agent information, and network-security logs to deliver the site and prevent abuse. Cloudflare may set strictly necessary security cookies if an enabled protection feature requires them.
- External links, if selected, take you to the relevant third-party website, which is governed by that website's own privacy practices.
15. Changes to this policy
When we change this policy in a meaningful way (for example, when a new optional feature such as rewarded ads goes live), we will update the date at the top, and for significant changes we will notify you in the app before they take effect. Earlier versions are available on request.
16. Contact
Questions, requests or complaints about privacy:
- Email: moshibary@gmail.com
- Post: Shinobasa, Shibuya Dogenzaka Tokyu Building 2F-C, 1-10-8 Dogenzaka, Shibuya-ku, Tokyo 150-0043, Japan
We usually reply within a few business days.