Privacy policy
Last updated: June 2026
1. Controller
Sakuraflow UG (haftungsbeschränkt) i. G.
Hamburger Straße 3
22952 Lütjensee
Germany
Email: sakuraflow.jp@outlook.com
2. Hosting
This website is hosted by Vercel Inc. (340 S Lemon Ave #4133, Walnut, CA 91789, USA). Functions run in Vercel's Frankfurt region (eu-central-1). When you access the site, technically necessary data (e.g. IP address, browser type, time of access) may be processed in server logs. See Vercel's Privacy Policy.
3. Abuse protection and rate limiting
To protect against automated requests, brute-force attempts, and excessive API use, we briefly process your IP address through Upstash, Inc. (USA, data held in the EU region). Only per-IP request counters are stored, which automatically expire after a few minutes. Legal basis: Art. 6(1)(f) GDPR (legitimate interest in secure operations). Upstash Privacy Policy.
4. Registration and account
You may create a user account to use Sakuraflow. Processing is handled via Supabase (Supabase Inc., USA), with the Sakuraflow project running in the EU region eu-west-1 (Ireland). We process credentials and profile data you provide (e.g. email address, display name, optionally a Discord ID). See Supabase Privacy Policy.
5. Learning progress and app usage
Your learning progress and settings may be stored locally in your browser and, when you are signed in, synced with our database to provide the service across devices.
6. Payments
Paid offerings are processed via Stripe (Stripe Technology Europe Ltd. and affiliates). Payment-related data is processed as necessary to complete transactions. See Stripe Privacy Policy.
7. Email communication
We use Resend (Resend Inc., USA) to send emails, processing in particular your email address and delivery metadata. We distinguish the following types of email:
a) Transactional and service emails. These include, for example, confirmation of your registration, account notices, information about the upcoming end of your free trial, and subscription-related messages. Legal basis: Art. 6(1)(b) GDPR (performance of the user relationship) and Art. 6(1)(f) GDPR (legitimate interest in informing you about the status of your access).
b) Newsletter. If you have given explicit consent, we send you a newsletter with news, study tips, and offers. Sign-up uses a two-step confirmation (double opt-in) and is also possible without a user account (waitlist). Legal basis: Art. 6(1)(a) GDPR (consent). You can withdraw your consent at any time with effect for the future, for example via the unsubscribe link in each of these emails.
c) Notices about your access and invitation to keep learning. As a registered user, we may use your email address to inform you about the status of your access, in particular the end of your free trial, and to invite you to continue with a paid plan. Any further promotional messaging only takes place with your consent (see b). Legal basis: Art. 6(1)(f) GDPR in conjunction with Section 7(3) of the German Act Against Unfair Competition (UWG). You can object to this use at any time free of charge, for example via the unsubscribe link in every email.
d) Learning reminders. If you have actively enabled them (during onboarding or in settings), we send you email reminders that encourage you to study daily. Legal basis: Art. 6(1)(a) GDPR (consent). You can turn these reminders off at any time in your settings or via the unsubscribe link.
Processor information: Resend Privacy Policy.
8. Error logging (Sentry)
For stability and security monitoring we use Sentry (Functional Software, Inc. d/b/a Sentry, USA). Your data is processed in the EU region (Frankfurt) we selected. When an error occurs in the app, technical information about the cause is transmitted to Sentry, in particular: error message and stack trace, the affected URL, browser and operating-system information, and a random session ID. IP addresses, cookies, and authentication headers are stripped server-side before data is sent to Sentry. Legal basis: Art. 6(1)(f) GDPR (legitimate interest in app stability and security). We have a Data Processing Agreement in place with Sentry. Sentry Privacy Policy.
9. Discord community (optional)
Sakuraflow runs an optional community on Discord (Discord Inc., USA). If you join our Discord community or link your Discord ID to your Sakuraflow account, you additionally become a user of the Discord platform. We have no direct influence over Discord's processing. On our side, we store only your Discord user ID to map between Sakuraflow and Discord accounts. See Discord Privacy Policy.
10. Feedback and support
If you submit feedback or contact support, we process the information you send to handle your request.
11. Cookies and local storage
We use local storage (e.g. browser storage) and, where necessary, cookies or similar technologies to enable sign-in state, language, theme, and core app functionality. These cookies are strictly necessary (Art. 6(1)(f) GDPR, § 25(2) No. 2 TDDDG). We do not use third-party tracking or marketing cookies that would require consent.
12. Legal bases
Processing is carried out to provide the website and app (Art. 6(1)(b) GDPR), based on consent where we obtain it (Art. 6(1)(a) GDPR), and based on our legitimate interests in secure and efficient operations (Art. 6(1)(f) GDPR).
13. Storage duration
We retain personal data only as long as necessary for the respective purposes or as required by statutory retention obligations. Account and usage data are deleted when you delete your account. Email addresses processed for newsletter or waitlist purposes based on your consent are stored until you unsubscribe or withdraw your consent. To document the consent given, we may retain the related consent data for as long as necessary to defend against legal claims. Sentry error logs are deleted automatically after 30 days. Rate-limit counters expire within minutes.
14. Your rights
You have the right to access, rectification, erasure, restriction of processing, objection, and data portability, where the legal requirements are met.
To exercise your rights, contact sakuraflow.jp@outlook.com.
15. Right to lodge a complaint
You have the right to lodge a complaint with a data protection supervisory authority.
16. Transfers to third countries
Where providers outside the EU/EEA are used (in particular Vercel, Supabase, Stripe, Resend, Sentry, Upstash, and Discord, all with parent entities in the USA), transfers occur in compliance with GDPR requirements, relying on the EU-US Data Privacy Framework and/or Standard Contractual Clauses (Art. 46 GDPR) and appropriate supplementary safeguards.