1. Scope of this Policy
This Privacy Policy describes how Forgeden (14 Rue Haute, 89740 Quincerot, France) collects, processes and retains personal data for users of:
- 🌐 Websitethe Hana presentation website (hosted on Firebase Hosting)
- 📱 Mobile appthe Hana 花 application, available on Android via the Google Play Store
These two platforms involve distinct data processing activities, described separately in the sections below.
2. Website
2.1 Data collected
The website only collects the email address you voluntarily submit via the pre-registration form. No other personal data is collected during your visit.
2.2 Purpose and legal basis
The email address collected is used solely to:
- notify you when the Hana app pre-registration opens;
- let you know as soon as the Android app is publicly available.
Legal basis: consent (Article 6(1)(a) GDPR), given at the time you enter your email address.
2.3 Retention period
Your email address is kept for 6 months from the date of collection, or until the app becomes publicly available — whichever comes first.
2.4 Cloudflare Turnstile
The pre-registration form uses Cloudflare Turnstile, a privacy-friendly bot-detection service. Unlike traditional CAPTCHAs, Turnstile presents no visual challenge and uses no advertising cookies. It analyses technical signals from your browser and network environment (IP address, non-persistent browser fingerprint) to distinguish humans from bots. This data is processed by Cloudflare, Inc. in accordance with their Privacy Policy. Technical data such as your IP address may be processed by Cloudflare as part of the service, but is neither retained nor used for advertising purposes by Forgeden.
2.5 Cookies and tracking
The website uses no tracking, analytics or advertising cookies. No cookies are deposited on your device during your visit, except for any strictly necessary technical cookies required for Cloudflare Turnstile, which do not require prior consent under applicable regulations.
3. Mobile App — Account Data
The following data is collected when you create an account and maintained throughout your account's lifetime.
| Data | Purpose |
|---|---|
| Unique Firebase ID (UID) | Authentication; linking all data to your account |
| Email address (if provided) or anonymous account status | Authentication and account recovery if you lose access |
| Account creation date | Performance indicators (KPIs) for app health monitoring and user acquisition tracking |
| Last sign-in date | User engagement and retention KPIs |
| Current flower balance (virtual currency) | Displaying and managing your in-app virtual currency balance |
| Number of words learned | Progress indicator shown to you so you can visualise your advancement |
| Last viewed lesson ID | Automatically awarding flower bonuses when you discover a new lesson |
Legal basis: performance of a contract (Art. 6(1)(b) GDPR) — data required for the service to function.
Retention: for the lifetime of your account; deleted within 30 days of account closure.
4. Mobile App — Learning Progress
| Data | Purpose |
|---|---|
| List of words learned; for each word and direction (French → Japanese and Japanese → French), the last 10 results (pass / fail) | Adaptive learning algorithm; reward optimisation for consecutive correct answers |
| Review sessions: date, total number of words shown, list of failed words and their count | Learning progress tracking; letting you view your progress over time |
Legal basis: performance of a contract (Art. 6(1)(b) GDPR).
Retention: for the lifetime of your account.
5. Mobile App — Virtual Currency (Flowers)
| Data | Purpose |
|---|---|
| Full transaction history: flower amount, date, source (daily login, new word learned, gacha draw, rewarded ad…), transaction status | Anti-cheat measures; automatic retry on technical transaction failure; balance integrity |
Legal basis: legitimate interests (Art. 6(1)(f) GDPR) — fraud prevention and service reliability.
Retention: for the lifetime of your account.
6. Mobile App — Game Mechanics
| Data | Purpose |
|---|---|
| User inventory | Managing collected items; enriching the in-app experience |
| Gacha draw history: list of rewards obtained and date of each draw | Draw integrity checks; anti-cheat measures |
| Rewarded ads: date watched, flower amount awarded | Reward attribution; anti-cheat measures — retained for 6 months |
Legal basis: legitimate interests (Art. 6(1)(f) GDPR) for anti-cheat data; performance of a contract (Art. 6(1)(b)) for the inventory.
Retention: inventory and gacha: lifetime of your account; rewarded ads: 6 months.
7. Mobile App — Settings & Personalisation
| Data | Purpose |
|---|---|
| Chosen character, preferred learning method (multiple choice or self-assessment), tutorial progress | Preserving your account state when you switch devices or reinstall the app |
Legal basis: performance of a contract (Art. 6(1)(b) GDPR).
Retention: for the lifetime of your account.
8. Firebase Analytics
The app integrates Firebase Analytics (Google Analytics 4, measurement ID G-T8GL1MXTRY). This service is disabled by default and only enabled if you explicitly grant consent via the in-app consent banner (analytics_storage = granted).
Data collected automatically (if consent granted)
| Category | Detail |
|---|---|
| Engagement & sessions | Session duration, screens viewed, first launch, total engagement time |
| Device information | Operating system and version, device model, language, screen resolution |
| App version | App version number and Firebase SDK version |
| Approximate location | Country and region inferred from IP address (the IP itself is not stored) |
| Pseudonymous identifier | An ID generated by Firebase Analytics — not directly identifying |
No custom events (logEvent) or custom user properties (setUserProperty) are recorded — only automatic collection is enabled.
Legal basis: consent (Art. 6(1)(a) GDPR).
Retention: 14 months (Google Analytics 4 default, configurable).
9. Google AdMob — Rewarded Ads
The app exclusively uses rewarded video ads from Google AdMob (no banners, no interstitials). Personalised ads and the associated data transmission are conditional on your consent.
Data collected by AdMob (if consent granted)
| Data | Detail |
|---|---|
| Android Advertising ID (AD_ID) | A resettable device-level ID used for ad delivery and performance measurement |
| Ad interactions | Impressions, video completion rate, reward events triggered |
| Ad targeting data | Used by Google to serve relevant ads, conditional on ad_user_data and ad_personalization consents |
Server-side verification (SSV)
Each time a rewarded ad is watched, your Firebase user ID is transmitted to Google AdMob's server-side verification (SSV) system. This allows Forgeden to confirm that rewards are credited to authenticated accounts and ensures their integrity. No additional data is retained beyond the reward log described in Section 6.
Legal basis: consent (Art. 6(1)(a) GDPR) for targeting; legitimate interests (Art. 6(1)(f)) for SSV anti-fraud verification.
Retention: in accordance with Google's retention policy.
10. Consent Management — Consent Mode v2
The app implements Google Consent Mode v2. All trackers are denied by default on first launch. A consent banner lets you accept or decline each category independently:
| Parameter | Default value | What it controls |
|---|---|---|
analytics_storage |
Denied | Firebase Analytics initialisation |
ad_storage |
Denied | AdMob advertising cookies and storage |
ad_user_data |
Denied | Sending user data to Google for advertising purposes |
ad_personalization |
Denied | Personalised ad targeting |
functionality_storage |
Granted | App functionality (always active) |
security_storage |
Granted | Security features (always active) |
Your choice is stored locally on your device and can be changed at any time from the app settings.
For technical details on the cookies used (cookie names, localStorage keys, management instructions), see our Cookie Policy.
11. Legal Bases — Summary
| Data category | Legal basis | GDPR article |
|---|---|---|
| Pre-registration email (website) | Consent | Art. 6(1)(a) |
| Account data, words learned, sessions, settings, inventory | Performance of a contract | Art. 6(1)(b) |
| Flower transactions, gacha draws, rewarded ads | Legitimate interests (anti-cheat, service integrity) | Art. 6(1)(f) |
| Firebase Analytics | Consent | Art. 6(1)(a) |
| Google AdMob — personalised advertising | Consent | Art. 6(1)(a) |
| Google AdMob — SSV anti-fraud verification | Legitimate interests | Art. 6(1)(f) |
12. Sub-processors & International Transfers
Forgeden engages the following sub-processors for personal data processing:
| Sub-processor | Services provided | Headquarters | Safeguards |
|---|---|---|---|
| Google Ireland Limited | Firebase Hosting, Firestore, Auth, Cloud Functions, Analytics | Dublin, Ireland (EU) | Processing primarily within the EU · Firebase Privacy |
| Google LLC | AdMob (advertising), Google Play Store (distribution) | Mountain View, CA, United States | EU Standard Contractual Clauses (SCCs) · Google Privacy Policy |
| Cloudflare, Inc. | Turnstile (bot detection, website only) | San Francisco, CA, United States | EU Standard Contractual Clauses (SCCs) · Cloudflare Privacy Policy |
Transfers to the United States are governed by Standard Contractual Clauses adopted by the European Commission, in accordance with Article 46 of the GDPR.
13. Retention Periods
| Category | Retention period |
|---|---|
| 🌐Pre-registration email | 6 months from collection, or until the app is publicly available — whichever comes first |
| 📱User account data | Lifetime of your account; deleted within 30 days of closure |
| 📱Words learned and review sessions | Lifetime of your account |
| 📱Flower transactions and gacha draws | Lifetime of your account |
| 📱Rewarded ads | 6 months from the date watched |
| 📱Settings and inventory | Lifetime of your account |
| 📱Firebase Analytics | 14 months (Google Analytics 4 default setting) |
| 📱AdMob data | In accordance with Google's retention policy |
14. Your Rights
Under the GDPR (Articles 15–21), you have the following rights regarding your personal data:
- Right of access — obtain a copy of the data we hold about you
- Right to rectification — correct inaccurate or incomplete data
- Right to erasure — request deletion of your data ("right to be forgotten")
- Right to restriction of processing — temporarily limit how your data is used
- Right to object — object to processing based on legitimate interests
- Right to data portability — receive your data in a structured, machine-readable format
- Right to withdraw consent — withdraw previously given consent at any time, without affecting the lawfulness of prior processing
To exercise any of these rights, please contact us at: support@forgeden.com
15. Contact & Complaints
For any questions about this policy or how your personal data is handled:
- Email: support@forgeden.com
- Post: Forgeden, 14 Rue Haute, 89740 Quincerot, France
If you believe your data is not being processed in accordance with applicable regulations, you have the right to lodge a complaint with the CNIL (France's National Commission on Informatics and Liberty, the French supervisory authority): www.cnil.fr. You may also contact the data protection authority in your own country of residence.
16. Account Deletion — Hana App
In accordance with the right to erasure under Article 17 of the GDPR, you may request the deletion of your Hana account (an application by Forgeden) and the associated personal data. The procedure depends on your account type:
Non-anonymous account (email account)
You can delete your account in two ways:
- From within the app, via the Settings menu → account deletion option;
- By email: write to support@forgeden.com from the email address linked to the account you wish to delete, stating your request.
In both cases, Forgeden will close the account and delete the relevant data within 30 days.
Non-anonymous accounts are not automatically deleted, enabling users to resume learning — even after a long period of inactivity — with their full progress preserved.
Anonymous account
Since anonymous accounts have no associated email address, deletion can only be done from within the app: open the Settings menu and select the account deletion option. Deletion is immediate and permanent.
If you have lost access to your anonymous account, it will be automatically deleted 2 years after the last sign-in.
Data deleted upon account closure
When an account (anonymous or not) is deleted, the following data is erased within 30 days:
- Firebase identifier (UID), email address and authentication data
- Learning progress: words learned, review sessions
- Virtual currency: Flowers balance and transaction history
- Game mechanics: inventory, gacha draw history
- Account settings and customisation
Data retained after account closure
Some data may be retained beyond account closure for legal or operational reasons:
- Rewarded ad logs: retained until their natural expiry (6 months from the viewing date), for anti-fraud integrity purposes
- Firebase Analytics data (if consent was granted): retained until the end of Google Analytics 4's 14-month retention cycle
17. Security
We implement appropriate technical and organisational security measures to protect your personal data:
- Encryption of data in transit (HTTPS/TLS)
- Password hashing (bcrypt via Firebase Auth)
- Secure authentication via Firebase Auth
- Strictly controlled data access (Firestore security rules)
- Security monitoring and logs
These measures are regularly reviewed in light of evolving threats and industry best practices.
18. Protection of Minors
Hana is an educational app that may be used by minors under the supervision of their parent or legal guardian. In accordance with the GDPR, for users under 16 years of age (or the applicable digital consent age in your country), parental consent is required for any collection of personal data.
If you are a parent or guardian and wish to obtain information about your child's data or request its deletion, please contact us at: support@forgeden.com.
19. Updates to this Policy
We may update this Privacy Policy to reflect legal, regulatory or operational changes. The date of the last update is shown at the top of this page.
For significant changes, you will be notified through the app. Continued use of the app after notification constitutes acceptance of the revised policy.