Onja Privacy Policy

Onja (hereinafter referred to as "we," "us," or "our") hereby establishes this Privacy Policy (hereinafter referred to as "this Policy") regarding the handling of personal information and user information obtained through the AI vocabulary learning application "Onja" and all related applications, websites, associated software, and ancillary services (hereinafter collectively referred to as "the Service") provided by us. In doing so, we comply with applicable privacy laws and regulations and give full consideration to the protection of user privacy.

We act as the data controller for personal information processed through the Service. For contact details, please refer to Article 13.

This Policy applies to all users worldwide. Where applicable, we comply with the EU General Data Protection Regulation ("GDPR"), the UK GDPR, and the California Consumer Privacy Act / California Privacy Rights Act ("CCPA/CPRA"). This Policy covers personal information we process about individual users and does not apply to information that cannot be linked to an identified or identifiable person.

This Policy is drafted in Japanese and English. For users residing in Japan, the Japanese version shall prevail over the English version in the event of any inconsistency. For users residing outside Japan, the English version shall prevail over the Japanese version. The non-prevailing language version is provided for reference only.

Article 1 (Definition of Personal Information)

1. In this Policy, "personal information" means any information relating to an identified or identifiable individual. An identifiable individual is one who can be identified, directly or indirectly, by reference to an identifier such as a name, email address, device identifier, online identifier, or one or more factors specific to that individual.

2. Personal information under this Policy includes device identifiers, online identifiers, IP addresses, and other information that, alone or in combination with other information, can identify a specific individual.

3. For the avoidance of doubt, personal information includes any data that qualifies as "personal data" under the GDPR or "personal information" under the CCPA/CPRA.

Article 2 (Information Collected)

1. For the purpose of providing, operating, and improving the Service, we may collect the following information, including information obtained directly from users, information automatically collected through users' use of the Service, and information obtained through third-party services:

(1) Information registered or provided by users: We may collect the following information provided by users when registering for the Service, creating an account, or using various features:

• Email address

• Nickname

• Other information voluntarily entered or provided by the user

(2) Information entered or generated by users in the Service: We may collect the following information entered, submitted, or generated by users in the course of using the Service:

• Words, phrases, or sentences

• Word definitions and other supplementary information

• Scene settings and other generation conditions

• Stories, translations, or audio information generated by AI features

• Playlist information

• Playlist cover images and other user content

(3) Information automatically collected through use of the Service: We may automatically collect the following information through users' use of the Service for the purpose of providing the Service and improving its quality. Additionally, IP addresses and other communication logs may be stored as communication records in cloud services or infrastructure services for the purpose of maintaining communication environments and managing security.

• Device type and device model

• OS type and version

• Application version

• Language and regional settings

• Anonymous app instance identifiers

• Service usage history, operation logs, and access logs

(4) Information obtained through third-party services: In providing the Service, we may use access analysis services, cloud services, AI services, and other third-party services, and the providers of such services may collect device information, usage information, and other information about users.

Article 3 (Purposes of Use of Personal Information)

We use personal information and user information collected in connection with the Service for the following purposes:

(1) To provide, operate, maintain, and manage the Service

(2) To verify user identity, authenticate users, and manage accounts

(3) To provide content generation, translation, audio generation, and other Service features using AI functionality based on information entered by users

(4) To respond to user inquiries, provide user support, and verify identity

(5) To prevent and respond to unauthorized use, unauthorized access, violations of the Terms of Service, and other improper conduct

(6) To improve the quality of the Service, improve features, develop new features, and conduct research and development

(7) To analyze Service usage, create statistical data, and improve the Service

(8) To provide important notices regarding the Service, changes to the Terms of Service or Privacy Policy, and other necessary notifications

(9) To respond to requests based on laws, regulations, or government agency requirements

(10) For purposes incidental to or related to any of the foregoing

Where the GDPR applies, we rely on the following legal bases under Article 6 GDPR for each processing purpose listed above:

Purpose - Legal Basis

(1) Providing, operating and managing the Service - Contract – Art. 6(1)(b)

(2) Identity verification, authentication and account management - Contract – Art. 6(1)(b)

(3) AI-powered content generation based on user input - Contract – Art. 6(1)(b)

(4) Customer support and responding to inquiries - Contract and Legitimate interests – Art. 6(1)(b)(f)

(5) Prevention of unauthorized use and violations - Legitimate interests – Art. 6(1)(f)

(6)(7) Service improvement, analysis and research - Legitimate interests – Art. 6(1)(f)

(8) Important notices and notifications - Contract and Legal obligation – Art. 6(1)(b)(c)

(9) Compliance with laws and government requests - Legal obligation – Art. 6(1)(c)

Where we rely on legitimate interests as a legal basis, users in the EEA or UK have the right to object to such processing as described in Article 10.

Where the CCPA/CPRA applies, we collect and use personal information for the business purposes described in this Article. We do not "sell" or "share" (as those terms are defined under the CCPA/CPRA) your personal information for cross-context behavioral advertising. For information about your California privacy rights, please see Article 10.

Article 4 (Data Use Related to AI Features)

1. In the Service, input data entered by users, including words, sentences, phrases, definitions, scene settings, and other input data (hereinafter referred to as "Input Data"), is used for the purpose of providing content generation, translation, audio generation, and other Service features using AI technology.

2. We may use Input Data and content generated by AI features (hereinafter referred to as "AI-Generated Content") for the purpose of improving the quality of the Service, improving features, investigating defects, and other purposes necessary for Service operation. However, we will not use users' Input Data or AI-Generated Content for training machine learning models or AI models (i.e., use as training data).

3. We do not sell, monetize, or share users' personal data with third parties for advertising, profiling, or any other commercial purposes. We use Google Cloud Vertex AI (Gemini API) and Cloud Text-to-Speech solely as data processing tools to provide AI-powered features within the Service, including story generation, translation, and audio generation for vocabulary learning purposes. Google Cloud processes users' Input Data on our behalf pursuant to Google Cloud's Enterprise Data Processing Terms, and Google Cloud will not use our customers' data to train or improve its foundation models. We retain full control over user data and determine the purposes and means of processing. Google Cloud functions solely as an infrastructure provider and data processing tool.

4. In providing the AI features of the Service, Input Data is transmitted to and processed by Google LLC's Vertex AI and Cloud Text-to-Speech, both operated in the United States. Where personal data is transferred outside the European Economic Area (EEA) or the United Kingdom, we rely on the European Commission's Standard Contractual Clauses (SCCs) pursuant to Article 46 GDPR, or the UK International Data Transfer Agreement (IDTA) as applicable, to ensure an adequate level of protection. The handling of such data is also subject to Google's Privacy Policy and Google Cloud's Enterprise Data Processing Terms.

5. We may analyze, statistically process, or otherwise process Input Data and AI-Generated Content solely for the purposes of monitoring service quality, detecting defects, and improving Service features, including use as statistical information in a form that does not identify individuals. Such processing does not include training or fine-tuning any machine learning or AI models, as stated in paragraph 2 of this Article.

Our AI features generate content based solely on information entered by the user. We do not carry out automated decision-making or profiling that produces legal or similarly significant effects on users within the meaning of Article 22 GDPR.

Article 5 (Use of Third-Party Services)

1. We may use the following third-party services for the purpose of providing, operating, maintaining, improving, and offering features of the Service:

(1) Authentication and data management services: These services are used to provide user authentication, data storage, server processing, and other foundational features of the Service.

• Firebase Authentication

• Cloud Firestore

• Cloud Storage for Firebase

• Cloud Functions for Firebase

(2) AI-related services: These services are used to provide AI text generation, translation, audio generation, and other AI features.

• Google Cloud Vertex AI

• Cloud Text-to-Speech

(3) Access analysis and error monitoring: These services are used for the purpose of analyzing Service usage, improving quality, and identifying defects.

• Firebase Analytics

• Firebase Crashlytics

(4) Payment-related services: These services are used for subscription payments, receipt verification, and billing management within the Service.

• Apple App Store In-App Purchase

• RevenueCat

(5) Other services: These services are used for configuration management, unauthorized access prevention, email delivery, and other purposes.

• Firebase Remote Config

• Firebase App Check

• Resend

2. To the extent necessary for the provision of the Service, we may transmit all or part of user information to these third-party services for processing.

3. The handling of information collected by these third-party service providers shall be governed by the privacy policies or terms of service established by each service provider.

4. We may add, change, or discontinue the use of third-party services as necessary for service improvement or operational purposes.

Article 6 (Data Storage)

1. User data is primarily stored in Google Cloud Platform (GCP) or other cloud infrastructure environments used by us.

2. We retain user data for the periods set out below:

Data Type - Retention Period

Learning data (words, stories, playlists, etc.) created by the user - Retained while the account is active; deleted within 30 days after account deletion

Audio data - Retained during the active subscription period; deleted within 30 days after the subscription ends

Access logs and operation logs - Retained for up to 12 months, then deleted or anonymized

Account information (email address, nickname) - Retained while the account is active; deleted within 30 days after account deletion

We may retain information beyond the periods above where required by applicable law or necessary for the establishment, exercise or defense of legal claims.

3. We may store access logs, operation logs, and other technical log information for a certain period for the purposes of system operation, security management, or prevention of unauthorized use.

4. We may store or use information processed in a form that does not identify individuals for the purposes of service improvement or statistical analysis.

Article 7 (Access Analysis)

1. The Service uses access analysis tools for the purpose of improving service quality, improving features, and analyzing usage.

2. The Service uses Firebase Analytics provided by Google, and information regarding users' use of the Service (including usage history, device information, and other anonymous information) may be collected.

3. This information is collected and analyzed in a form that does not identify individuals and is used as reference information for improving and operating the Service.

4. The handling of information obtained through Firebase Analytics is governed by the privacy policy and related provisions established by Google.

Where required by applicable law, including the GDPR, we will obtain your prior consent before enabling analytics data collection. Users located in the EEA or UK may withdraw their consent at any time via the in-app settings. Withdrawing consent does not affect the lawfulness of any processing carried out prior to withdrawal.

Article 8 (Provision to Third Parties)

1. We will not provide users' personal information to third parties except in the following cases:

(1) When the user has given consent

(2) When disclosure or provision is required by law or regulation

(3) When necessary to protect someone's life, bodily integrity, or property, and obtaining the user's consent is impractical

(4) When required to cooperate with a public authority or law enforcement agency acting within its lawful authority, and obtaining the user's consent would be likely to impede such authority's functions

(5) When otherwise permitted or required by applicable law

2. We may outsource all or part of the handling of personal information to external operators to the extent necessary for the provision of the Service. In such cases, we will exercise necessary and appropriate supervision over the outsourced party.

3. Personal information may be transferred to a successor in the event of a business transfer, company split, or other business succession.

4. We may use or publish statistical information processed from collected information in a form that does not identify individuals.

Article 9 (Management of Personal Information)

1. We implement appropriate technical and organizational security measures to prevent unauthorized access, leakage, loss, or damage of personal information, including industry-standard encryption in transit and at rest, role-based access controls, and regular security reviews. No method of transmission or storage is completely secure; we therefore cannot guarantee absolute security.

2. We will provide necessary and appropriate supervision of employees to ensure the safe management of personal information.

3. When outsourcing the handling of personal information to external operators, we will exercise necessary and appropriate supervision over such operators.

4. We will review and improve our handling of personal information as necessary.

Article 10 (User Rights)

1. In accordance with applicable laws and regulations, users may request disclosure, correction, addition, deletion, suspension of use, or suspension of provision to third parties of their own personal information held by us.

2. When making a request under the preceding paragraph, users shall apply through the method specified by us.

3. We will confirm that the request is from the user themselves and respond within a reasonable period in accordance with the provisions of applicable laws and regulations.

4. We may decline all or part of a request if we are not legally obligated to comply with the request for disclosure or other requests, or if there are reasonable grounds to do so.

5. In the case of the preceding paragraph, we will endeavor to notify the user of the reason.

6. Requests under this Article shall be made through the inquiry contact specified separately by us.

Where the GDPR or UK GDPR applies, you have the following additional rights:

(a) Data Portability (Art. 20 GDPR): You have the right to receive personal data you have provided to us in a structured, commonly used and machine-readable format, and to transmit that data to another controller where technically feasible.

(b) Right to Object (Art. 21 GDPR): You have the right to object at any time to processing of your personal data where we rely on legitimate interests as our legal basis. We will cease processing unless we demonstrate compelling legitimate grounds that override your interests, rights and freedoms, or the processing is necessary for legal claims.

(c) Withdrawal of Consent (Art. 7(3) GDPR): Where processing is based on your consent, you have the right to withdraw that consent at any time. Withdrawal does not affect the lawfulness of processing carried out before withdrawal.

(d) Right to Lodge a Complaint (Art. 77 GDPR): You have the right to lodge a complaint with the data protection supervisory authority in your country of residence within the EEA or UK (e.g., your national Data Protection Authority).

We will respond to rights requests within one month of receipt. For complex or multiple requests, we may extend this period by a further two months and will notify you accordingly. We will not charge a fee unless requests are manifestly unfounded or excessive.

Where the CCPA/CPRA applies, you have the following rights:

(a) Right to Know: You may request that we disclose the categories and specific pieces of personal information we have collected about you, the categories of sources, the business purposes for collection, and the categories of third parties with whom we share personal information.

(b) Right to Delete: You may request deletion of the personal information we have collected about you, subject to certain legal exceptions.

(c) Right to Correct: You may request correction of inaccurate personal information we maintain about you.

(d) Right to Opt-Out of Sale or Sharing: We do not sell or share your personal information for cross-context behavioral advertising. Should this practice change, we will provide a clear opt-out mechanism.

(e) Right to Non-Discrimination: We will not discriminate against you for exercising any of your CCPA/CPRA rights.

To submit a verifiable request, please contact us using the information in Article 13. You may also designate an authorized agent to make a request on your behalf.

Article 11 (Children's Privacy)

1. The Service is not directed to children under 13 years of age, and we do not knowingly collect personal information from anyone under 13.

2. If you are between 13 and 16 years of age (or a lower age if permitted by the laws of your jurisdiction), you may only use the Service with the verifiable consent of your parent or legal guardian, unless applicable law permits you to provide your own consent (for example, if you are 16 or older in the European Economic Area or United Kingdom).

3. Where we rely on consent to process personal data and you are below the applicable digital age of consent in your jurisdiction, we will seek parental or guardian authorization.

4. If we become aware that we have collected personal information from a child without the required consent, we will delete that information promptly.

5. Parents or guardians who believe we hold personal information about a child should contact us using the information in Article 13.

Article 12 (Changes to the Privacy Policy)

1. We may change the content of this Policy when we deem it necessary due to changes in laws or regulations, changes to the content of the Service, or other reasons.

2. When changing this Policy, we will post the updated Policy on the Service and update the effective date. We will provide reasonable advance notice (e.g., by email or in-app notification) when required by applicable law or when the changes are material.

3. The revised Privacy Policy shall take effect from the effective date established by us.

Article 13 (Contact Us)

1. For inquiries regarding this Policy, questions about the handling of personal information, complaints, requests for disclosure, and other matters related to the handling of user information, please contact us at the following:

2. Contact Information

Operator: Onja

Email address: support@onja.app

3. We will endeavor to respond to user inquiries within a reasonable scope and timeframe.

4. If you are located in the European Economic Area or United Kingdom and believe your privacy concern has not been adequately resolved, you have the right to lodge a complaint with your local data protection supervisory authority.

Supplementary Provisions

Effective Date: March 19, 2026

© 2026. All rights reserved.