Privacy Policy

1. Operator

Hearsay (the "Service") is operated by Sumiyoshi Giken (住吉技研), located at 2-33-602 Sumiyoshi-Higashi-machi, Higashinada-ku, Kobe, Hyogo 658-0052, Japan. The data controller is the operator. Contact: kenjiro.sakamoto@sumiyoshi-giken.com.

2. Data we collect

• Account data: email address (only if you sign up), authentication identifiers from Google or Apple Sign-In if used.
• Forecasts and content: forecasts, comments, votes, and other content you submit.
• Payment data: when you purchase IC credits or premium features, payment is processed by Stripe. We receive a transaction ID and last-four card digits but do not store full card numbers.
• Technical data: IP address (used for rate limiting and abuse prevention only — not stored long-term), browser/device type, referrer.
• Analytics: aggregate page-view data via Umami (privacy-first, no cross-site tracking). We do not use Google Analytics.

3. How we use data

• To provide, operate, and improve the Service.
• To authenticate accounts and prevent abuse.
• To process payments for IC credits and premium features.
• To send service-related emails (password resets, payment receipts, security notices).
• To comply with legal obligations.

We do not sell personal data. We do not share data with advertisers.

4. Third-party processors

• Supabase — database, authentication, storage (US/EU regions).
• Vercel — application hosting and edge delivery.
• Stripe — payment processing. Stripe handles all card data under PCI-DSS.
• Umami — privacy-first analytics (no cookies, no IP storage).
• Google / Apple — only if you choose Google or Apple Sign-In.

5. Cookies

We use essential cookies for authentication sessions and language preference. We do not use advertising or third-party tracking cookies.

6. Data retention

• Account data: retained while the account is active. Deleted within 30 days of account deletion request.
• Payment records: retained for 7 years to comply with Japanese tax and accounting law.
• Server logs (incl. IP for rate limiting): retained up to 14 days, then purged.

7. Your rights

Depending on your jurisdiction (e.g., Japan APPI, EU GDPR, California CCPA), you may have the right to:

• Access the personal data we hold about you.
• Request correction of inaccurate data.
• Request deletion of your data.
• Withdraw consent or object to processing.
• Request data portability.

To exercise these rights, email kenjiro.sakamoto@sumiyoshi-giken.com. We respond within 30 days.

8. International transfers

Some of our processors (Stripe, Vercel, Supabase) operate infrastructure outside Japan. Where required, we rely on standard contractual clauses or equivalent safeguards.

9. Children

The Service is not directed to users under 16. We do not knowingly collect data from children. If you believe we have, contact us and we will delete it.

10. Changes

We may update this policy. Material changes will be notified via the site or email. Continued use after changes constitutes acceptance.

11. Contact

Questions about this policy: kenjiro.sakamoto@sumiyoshi-giken.com.