Privacy

1. What we collect

Without login: Your SRS progress, settings, and onboarding state are stored in your browser's localStorage. We do not receive this data.

With login: Email, display name, login provider (Google OAuth or email magic link). Your SRS review progress is synced to our server so it follows you across devices.

Session cookies: We set a single first-party authentication cookie (better-auth.session_token) that is HTTP-only, Secure, and SameSite=Lax. It is required for sign-in and removed when you sign out. We do not use third-party tracking cookies.

Automatic: Basic request logs (IP, user agent, URL) for operational purposes (rate limiting, abuse prevention, debugging). Retained no longer than 30 days.

2. Why we collect it

• Deliver the service (show your progress, sync across devices)
• Prevent abuse (rate limiting, security)
• Understand aggregate usage (no personal identifiers in analytics)

3. Third parties

• Cloudflare — hosting, CDN, DDoS protection. Data may transit Cloudflare servers globally.
• Payment processors — if and when paid plans are introduced, we will use a third-party processor (e.g. Stripe) to handle payments. We do not store card numbers ourselves. The current product has no paid tier.
• Anthropic (for AI features) — prompts are sent to Anthropic's API. We do not send personally identifying information alongside prompts.

4. Your rights

• Access / export: Export your data as JSON from /me.
• Delete: Delete your account directly from /me, or contact us at the address below to request deletion.
• Correct: Update your email or display name from /me.

EEA / UK users: rights under GDPR. Mainland China users: we aim to follow PIPL requirements where applicable.

5. Children

Tadorimichi is not directed at children under 13. If you believe a child has provided us personal data, contact us for removal.

6. Changes

We will notify material changes via email or a site banner.

7. Contact

privacy@tadorimichi.com