# Shapus Word – Privacy Policy
Last Updated: August 24, 2025
Provider / Controller: Seiji Aoyama (operating under the trade name “Shapus”) (the “Provider”)
Contact: support@shapus.com
Covered Services:
This Privacy Policy (the “Policy”) applies to the English vocabulary learning app “Shapus Word” (the “App”) and related services (app, web, API, notifications, and any other features collectively, the “Services”).
Preamble:
By using the Services, you agree to this Policy (unless applicable law requires separate explicit consent). The Services are intended for users aged 13 and over; users under 13 may not use the Services.
## Article 1 (Purpose and Scope)
This Policy describes the acquisition, use, disclosure to third parties, retention, security, and international transfer of personal data processed in the Services, as well as user rights relating to that data.
If this Policy conflicts with the Terms of Service (“TOS”), this Policy controls for data-protection matters, while the TOS controls for ownership/licensing and similar rights.
## Article 2 (Definitions)
Personal Data: Information that identifies or can identify an individual, including related identifiers, as defined under laws such as Japan’s APPI and the GDPR.
User Content: Text, images, audio, metadata, and other content that users post, transmit, or store via the Services.
Identifiers: Identification information using technologies such as notification tokens, advertising IDs, device IDs, and cookies or similar technologies.
Processor / Contractor: An entity that processes Personal Data on behalf of and under the instructions of the Provider.
Sale / Sharing: Broad data-sharing concepts including those defined under U.S. state laws (e.g., CCPA/CPRA).
Authentication Provider: External authentication services that the Provider has adopted or may adopt in the future (e.g., Apple, Google, Facebook, Microsoft).
OTP: One-time passcode sent for verification purposes.
Authentication Data: OAuth subject IDs, verification results, success/failure counts, link/unlink events, account state, risk scores, device fingerprints, IP address, and related security telemetry.
## Article 3 (Information We Collect)
Information you provide
(1) Account: Email address, display name, profile image, friend ID/code, phone number (for OTP), Authentication Provider IDs, authentication logs (including success/failure counters, link/unlink, re-auth triggers, account state).
(2) Learning: Registered vocabulary, definitions/examples/notes, quiz and SRS results, progress.
(3) Content: Snap/Upload images, Paste text, AI-generated outputs, chats, gifts, and similar submissions.
(4) Settings: Notifications, block/mute and related relationship settings.
Information collected automatically
(1) Usage: Interaction events, sessions, crash/diagnostic logs.
(2) Device/Technical: Device type, OS, app version, IP address, language, time zone.
(3) Identifiers: Notification tokens and, if implemented, advertising IDs and attribution identifiers.
(4) Security: Authentication attempts, risk signals, device fingerprints, and other telemetry necessary for fraud prevention and account protection.
Device permissions
(1) Camera/Photos: For Snap/Upload and profile images.
(2) Microphone (if implemented): For pronunciation practice/assessment; recordings are kept for a limited time only to provide the feature.
(3) Clipboard: Read only when the user performs a paste action.
(4) Notifications: Push notifications for learning and messages; security-critical notifications may not be disabled.
Note: The Provider does not collect or store passwords (passwordless authentication).
## Article 4 (Purposes of Use)
The Provider uses Personal Data for legitimate business purposes, including:
Providing, operating, and maintaining the Services; identity verification; risk-based authentication; fraud and abuse prevention; account recovery and duplicate management (including account linking/unlinking and duplicate consolidation).
Service improvement; research and development of new features/services.
Statistical and product analytics; A/B testing; quality improvement.
Training, evaluation, and improvement of machine-learning models (e.g., vocabulary recommendations, OCR accuracy, generation quality).
Marketing analytics, performance measurement, and user segmentation.
Personalization, recommendations, and potential future ad display/optimization.
Support responses, TOS-violation handling, legal compliance, and dispute resolution.
Operational controls: capping OTP sends, declining certain number types (including VoIP/virtual numbers), requiring additional verification, or temporarily restricting features or access where risk is assessed as high.
Other purposes reasonably related to the above (as permitted by applicable law).
## Article 5 (Cookies, SDKs, and Identifiers)
The Provider may use cookie-like technologies, in-app SDKs, and identifiers (e.g., advertising IDs, notification tokens) for service delivery, quality improvement, performance measurement, and—if implemented—ad optimization.
Users may control certain notifications and tracking via OS and in-app settings. Security telemetry essential to account protection cannot be disabled; attempts to block such telemetry may result in degraded functionality or access restrictions.
Specific technologies/vendors may change; the Provider will notify users by reasonable means.
## Article 6 (Disclosures to Third Parties)
The Provider may disclose information to:
(1) Processors/Contractors (cloud, analytics, notifications, OCR, generative AI, support, Authentication Providers, SMS/email gateways, fraud detection and identity services);
(2) Analytics/measurement/advertising partners (if implemented);
(3) Auditors and professional advisors (legal, accounting, finance, etc.);
(4) Successors in interest in connection with business succession, mergers, acquisitions, or asset transfers;
(5) Where required or reasonably deemed necessary by the Provider for legal/regulatory requests, rights protection, or security.
For clarity: the Provider does not engage in “joint use” (“共同利用”) under Japan’s APPI unless separately and specifically disclosed.
Authentication Providers generally act as independent controllers for their own processing; please refer to their privacy policies.
Sale/Sharing (U.S. state laws): Certain disclosures may constitute a “sale” or “sharing” under applicable law. Eligible users may opt out (see Article 13).
## Article 7 (Retention)
Personal Data is retained for periods the Provider reasonably deems necessary for service delivery/operations, legal compliance, and security. Backups and logs may be retained for a period necessary for operations and security.
When an account is deleted, the Provider will delete or anonymize Personal Data within a reasonable period, except where retention is required for legal, operational, or security reasons (including fraud-prevention blacklists such as hashed phone numbers).
The Provider may retain and use de-identified or aggregated data for analytics and service improvement; such data is not subject to individual rights requests.
## Article 8 (Security Measures)
The Provider implements measures such as encrypted communications, access controls, permission management, and auditing. The Provider uses passwordless authentication; tokens are managed securely and re-authentication or temporary suspension may occur upon anomaly detection. Given the nature of the internet, complete security cannot be guaranteed.
## Article 9 (International Data Transfers)
Personal Data may be processed and stored in countries/regions where the Provider or its processors’ facilities are located (which may differ from the user’s country/region of residence).
For EU/UK transfers, the Provider relies on Standard Contractual Clauses (SCCs) or other lawful mechanisms as applicable. The Provider is located in Japan and is not established in the EU/UK; if appointment of an EU/UK representative becomes required, this Policy will be updated.
## Article 10 (Handling of User Content and Generated Content)
Ownership and licensing are governed by the TOS. This Article is limited to processing purposes, storage, and sharing categories for User Content and generated outputs (e.g., generated images). To maintain service integrity and safety, and in accordance with the TOS, the Provider may monitor, edit, remove, or restrict access to content when necessary. IP rights in generated outputs and permitted use are as set forth in the TOS.
## Article 11 (Children’s Privacy)
The Services are intended for users aged 13 and over; users under 13 may not use the Services. The Provider does not knowingly collect Personal Data from users under 13. If the Provider becomes aware that a user is under 13, it may suspend/delete the account and delete Personal Data promptly within a reasonable scope. Parents/guardians may contact support@shapus.com.
Even for users 13 and over who are minors, parental consent may be required depending on local laws.
## Article 12 (User Rights and Limitations)
Subject to applicable law, users may request access, rectification, deletion, restriction of processing, and data portability regarding their Personal Data. The Provider may request additional information to verify identity.
The Provider may decline requests where there are technical/operational constraints, where honoring a request would infringe others’ rights or confidentiality, where requests are excessive or abusive, or where sufficient identity verification cannot be completed.
Where permitted by law, the Provider may charge a reasonable fee for manifestly unfounded or excessive requests, or refuse to act on such requests. Data portability applies only to Personal Data you provided to us, in a structured, commonly used and machine-readable format, where required by applicable law.
Security-critical and anti-fraud data (e.g., blacklists, risk scores, device fingerprints, certain audit logs) may be excluded from some rights requests.
Account recovery requires access to registered authentication methods; if you lose access to all methods, the Provider may be unable to restore your account.
Contact for requests: support@shapus.com (requests submitted through other channels may not be processed).
## Article 13 (Region-Specific Disclosures)
EU/UK (GDPR). Legal bases include contract performance, legitimate interests (including security and fraud prevention), legal obligations, and consent. Users have the right to object to processing based on legitimate interests and the right to lodge a complaint with a supervisory authority. Authentication Providers typically act as independent controllers for their processing.
California and other U.S. states (CCPA/CPRA). Rights include access, deletion, correction, opt-out of sale/sharing, and limits on the use of sensitive personal information. The Provider’s use of sensitive data (e.g., phone numbers) is limited to service provision and security and may be outside certain opt-out scopes. The Provider does not knowingly sell or share Personal Data of users under 16 without the required opt-in. Opt-out method: email support@shapus.com with the subject “Do Not Sell or Share.” Security and service-critical messages are not marketing and may not be disabled.
## Article 14 (Monetization and Advertising)
Even if ads are not currently shown, the Provider may introduce advertising or other monetization in the future. In such cases, identifiers (e.g., advertising IDs) may be used for analytics and personalization, and consent/opt-out mechanisms will be provided where required.
## Article 15 (Changes to This Policy and Consent)
The Provider may revise this Policy without prior notice. Material changes will be communicated via in-app notice or other reasonable means. Continued use of the Services after changes take effect constitutes consent to the revised Policy (unless applicable law requires separate consent). Authentication providers, delivery channels, risk controls, and vendor selections may be updated from time to time.
## Article 16 (Contact)
Controller: Seiji Aoyama (operating under the trade name “Shapus”)
Email: support@shapus.com
Requests are accepted via email only; additional verification may be required.