Privacy Policy

1. Introduction

Welcome to WordQuest (JLPT Adventure), operated by SolanaLink ("we," "us," or "our"). This Privacy Policy explains how we collect, use, disclose, and protect your personal information when you use our website at https://wordquest.solanalink.jp(the "Service").

We are committed to protecting your privacy and ensuring transparency about our data practices. By using our Service, you agree to the collection and use of information in accordance with this policy.

2. Information We Collect

2.1 Information You Provide Directly

When you create an account or use our Service, we collect:

• Account Information: Email address, password (encrypted with bcrypt), display name
• Profile Information: Avatar/profile picture, bio, date of birth, location, gender, JLPT target level, timezone
• OAuth Information: If you sign in via Google or Twitter/X, we receive your name, email, and profile picture from these providers
• Study Data: Your study strategies, learning history, vocabulary watchlist, course progress, flashcard sessions, practice test results, bookmarks, and study goals
• User-Generated Content: Personal notes, custom categories, tags, and any content you create within the Service

2.2 Information Collected Automatically

When you use our Service, we automatically collect:

• Usage Information: Pages viewed, courses accessed, features used, study time, session duration
• Device Information: IP address, browser type and version, operating system, device type, screen resolution
• Location Data: General geographic location based on IP address (country/city level, not precise location)
• Cookies and Similar Technologies: Session cookies, authentication tokens, preference settings
• Analytics Data: Through Firebase Analytics, we collect user interactions, page views, button clicks, course starts, vocabulary card usage, practice test completions, and audio plays
• Camera & Microphone: Used for real-time video calling (Agora RTC) in the squad tactical vision feature, with your explicit permission
• Precise Location: GPS coordinates for optional profile location verification, collected only with your explicit consent

2.3 Information from Third-Party Services

• Google OAuth: Name, email address, profile picture, Google account ID
• Twitter/X OAuth: Username, display name, email address, profile picture, Twitter/X account ID
• LINE OAuth: Display name, email address, profile picture, LINE user ID
• Discord OAuth: Username, email address, avatar, Discord user ID
• Apple Sign In: Name, email address (may be a private relay address), Apple user ID
• Telegram OAuth: Username, first name, Telegram user ID
• Firebase Analytics: Anonymous user identifiers, device characteristics, engagement metrics

3. How We Use Your Information

We use your personal information for the following purposes:

3.1 Service Delivery

• Create and manage your user account
• Authenticate your identity and maintain session security
• Provide access to vocabulary courses, grammar patterns, and practice exercises
• Save and sync your learning progress across devices
• Enable personalized study management features

3.2 Service Improvement

• Analyze usage patterns to improve user experience
• Understand which features are most valuable to users
• Identify and fix technical issues
• Develop new features and content based on user needs
• Optimize performance and loading times

3.3 Communication

• Send email verification messages during registration
• Send password reset emails when requested
• Send important service updates and security notifications
• Respond to your inquiries and support requests
• Send educational content and study tips (with your consent)

3.4 Security and Compliance

• Detect and prevent fraud, abuse, and security incidents
• Comply with legal obligations and enforce our Terms of Service
• Protect the rights, property, and safety of our users and SolanaLink

4. Data Storage and Security

4.1 Data Storage

Your data is stored securely using:

• MySQL 8.0 Database: User accounts, profiles, study data, and learning progress
• Redis 7 Cache: Session data, temporary authentication tokens
• Docker Infrastructure: Containerized deployment with automated backups
• Data Centers: Hosted on secure servers with industry-standard protections

4.2 Security Measures

• Password Security: All passwords are hashed using bcrypt (cost factor: 12) before storage. We never store plain-text passwords.
• Authentication: JWT tokens with 7-day expiration for access tokens and 30-day expiration for refresh tokens
• HTTP-Only Cookies: Refresh tokens are stored in HTTP-only cookies to prevent XSS attacks
• SQL Injection Prevention: Parameterized queries and prepared statements
• HTTPS Encryption: All data transmitted between your device and our servers is encrypted using TLS/SSL
• Database Backups: Automated daily backups with 7-day retention (MySQL) and 24-hour retention (Redis)
• Access Controls: Role-based access with principle of least privilege

4.3 Data Retention

We retain your personal information for as long as your account is active or as needed to provide you with our Service. You may request deletion of your account and associated data at any time through your profile settings or by contacting us.

After account deletion, we will permanently delete your personal data within 30 days, except where we are required to retain certain information for legal or security purposes.

5. Data Sharing and Disclosure

5.1 Third-Party Services

We share limited data with the following third-party services:

• Google OAuth: For authentication purposes only. Google's Privacy Policy: https://policies.google.com/privacy
• Twitter/X OAuth: For authentication and social sharing. Twitter's Privacy Policy: https://twitter.com/privacy
• Firebase Analytics (Google): For usage analytics and performance monitoring. Firebase Privacy Policy: https://firebase.google.com/support/privacy
• Mandrill (Mailchimp): For transactional emails (verification, password reset). Mailchimp Privacy Policy: https://www.intuit.com/privacy/statement/
• LINE Login: For authentication via LINE. LINE Privacy Policy: https://line.me/en/terms/policy/
• Discord OAuth: For authentication via Discord. Discord Privacy Policy: https://discord.com/privacy
• Apple Sign In: For authentication via Apple ID. Apple Privacy Policy: https://www.apple.com/legal/privacy/
• Telegram Login: For authentication via Telegram. Telegram Privacy Policy: https://telegram.org/privacy
• Agora RTC: For real-time video and audio communication in squad features. Agora Privacy Policy: https://www.agora.io/en/privacy-policy/
• AI Services (Amazon Bedrock, OpenAI, Google Gemini): For AI tutor functionality and avatar generation. Privacy Policies: AWS, OpenAI, Google
• WordQuest Chain (Ethereum-based): On-chain recording of Neko Coin transactions, AI offerings, and avatar generation for transparency. Wallet addresses are deterministically derived from user IDs (not personal wallets).

5.2 We Do NOT Sell Your Data

We never sell, rent, or trade your personal information to third parties for marketing purposes.

5.3 Legal Requirements

We may disclose your information if required by law, regulation, legal process, or governmental request, or to protect the rights, property, or safety of SolanaLink, our users, or the public.

6. Cookies and Tracking Technologies

6.1 Types of Cookies We Use

• Essential Cookies: Required for authentication, session management, and security
• Functional Cookies: Remember your preferences and settings
• Analytics Cookies: Firebase Analytics to understand how you use our Service
• OAuth Cookies: Temporary cookies for third-party authentication flows

6.2 Managing Cookies

You can control cookies through your browser settings. However, disabling essential cookies may prevent you from using certain features of the Service. Most browsers allow you to:

• View what cookies are stored and delete them individually
• Block third-party cookies
• Block cookies from specific sites
• Block all cookies from being set
• Delete all cookies when you close your browser

7. Your Privacy Rights

7.1 General Rights

You have the right to:

• Access: Request a copy of your personal data
• Correction: Update or correct inaccurate information
• Deletion: Request deletion of your account and data
• Export: Receive your data in a portable format
• Opt-out: Unsubscribe from marketing emails (if applicable)

7.2 GDPR Rights (European Users)

If you are located in the European Economic Area (EEA), you have additional rights under GDPR:

• Right to be Forgotten: Request complete erasure of your personal data
• Right to Restrict Processing: Limit how we use your data
• Right to Object: Object to processing based on legitimate interests
• Right to Data Portability: Receive your data in machine-readable format
• Right to Withdraw Consent: Withdraw consent for data processing at any time
• Right to Lodge Complaint: File a complaint with your local data protection authority

7.3 How to Exercise Your Rights

To exercise any of these rights, please:

• Update your profile information directly in your account settings
• Use the account deletion feature in your profile
• Contact us at noreply@solanalink.jp

We will respond to your request within 30 days.

8. International Data Transfers

Our Service is hosted on servers that may be located in different countries. If you access our Service from outside Japan, your information may be transferred to, stored, and processed in Japan or other countries where our service providers operate.

By using our Service, you consent to the transfer of your information to countries outside your country of residence, which may have different data protection laws.

9. Children's Privacy

Our Service is intended for users aged 13 and older. We do not knowingly collect personal information from children under 13 years of age.

If you are a parent or guardian and believe your child under 13 has provided us with personal information, please contact us immediately. We will delete such information from our systems.

Users between 13 and 18 years old should use our Service only with parental or guardian consent.

10. Analytics and Advertising

10.1 Firebase Analytics

We use Firebase Analytics (Google Analytics 4) to understand how users interact with our Service. Firebase collects:

• Anonymous user identifiers (not personally identifiable)
• Device characteristics (type, OS, browser)
• Usage patterns (pages viewed, features used, time spent)
• Geographic location (country/city level)

You can opt out of Firebase Analytics by using browser extensions or adjusting your device settings.

10.2 No Third-Party Advertising

We do not currently display third-party advertisements or share your data with advertising networks.

11. Social Features and Sharing

Our Service allows you to share your learning achievements on social media platforms like Twitter/X. When you use these features:

• You control what information is shared
• Shared content is subject to the receiving platform's privacy policy
• You can disconnect social accounts at any time in your profile settings

12. Data Breach Notification

In the event of a data breach that affects your personal information, we will:

• Notify affected users within 72 hours of discovering the breach
• Describe the nature of the breach and data affected
• Explain steps we are taking to address the breach
• Provide recommendations for protecting your information
• Notify relevant authorities as required by law

13. Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our practices or legal requirements. We will notify you of material changes by:

• Posting the updated policy on this page
• Updating the "Last Updated" date
• Sending email notification for significant changes
• Displaying a prominent notice on our Service

Your continued use of the Service after changes to this Privacy Policy constitutes your acceptance of the updated policy.

14. Contact Information

If you have any questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us:

15. Consent

By using WordQuest, you consent to the collection, use, and processing of your personal information as described in this Privacy Policy.

For data processing activities that require explicit consent (such as marketing communications), we will obtain your opt-in consent separately.