Privacy Policy

Last updated: February 27, 2026

How we collect, use and protect your personal data

GDPR: Compliant
Security: HTTPS + Encryption
Hosting: France (OVH)

Your privacy is our priority

We are committed to protecting your personal data in accordance with the GDPR.

Company: Kotoba Interactive
Representative: Chloé THIEL
Address: 58 rue de Monceau, CS 48756, 75380 Paris Cedex 08
SIRET: 897 456 356 00020
Email: contact@kotobainteractive.com
Host: OVH SAS, Roubaix, France

Identification Data

Username, email, encrypted password, profile picture (optional)

Two-Factor Authentication (2FA) Data

Encrypted TOTP secrets (AES-256), hashed backup codes (bcrypt). This data enables two-factor authentication for your account.

Learning Data

SRS words, review history, statistics, collections, notes, preferences

Forum and Notes Data

Forum posts, comments, personal notes. This data is retained as long as your account is active.

Payment Data (Premium)

Name, billing address, transaction history. Bank details are processed exclusively by Stripe (PCI DSS certified) and never stored on our servers.

Technical Data

IP address, browser, device, connection logs, last activity timestamp (for security and session tracking)

Support Tickets

Support requests, exchanges with support team. Retained for 3 years after resolution to improve our service.

Service provision: Account management, personalized SRS, progress saving

Legal basis: contract performance (Art. 6.1.b GDPR)

Subscription management: Secure payments, invoicing (legal obligation)

Legal basis: legal obligation (Art. 6.1.c GDPR) and contract performance (Art. 6.1.b)

Communications: Account emails, security notifications, important updates

Legal basis: legitimate interest (Art. 6.1.f GDPR)

Security: Fraud prevention, anomaly detection

Legal basis: legitimate interest (Art. 6.1.f GDPR)

Audience measurement: Anonymized usage statistics, service improvement

Legal basis: consent (Art. 6.1.a GDPR)

Your data may be shared only with:

OVH SAS (Hosting - France)
Stripe Inc. (Payments - USA, PCI DSS certified)
IONOS SE (Emails - Germany)
Sentry.io (Error monitoring - USA, with consent)
Umami (umami.is) (Analytics - USA, with consent)
Google Analytics (Google LLC) (Analytics - USA, with consent)
Reddit Inc. (Reddit Pixel) (Advertising conversion tracking - USA, with consent)

Transfers outside the EU

For data transfers to the USA (Stripe, Sentry, Umami, Google Analytics, Reddit), we rely on the EU-US Data Privacy Framework (DPF) where the processor is certified, and/or Standard Contractual Clauses (SCCs) approved by the European Commission (Decision 2021/914). These mechanisms ensure an adequate level of protection for your data in compliance with post-Schrems II requirements.

We never sell or share your data for commercial purposes.

  • Password encryption with bcrypt
  • HTTPS/TLS 1.3 secure connections
  • Data encryption at rest
  • SQL injection and CSRF protection
  • Rate limiting against brute force
  • Daily automatic backups
  • 2FA secrets encrypted with AES-256-GCM
  • 2FA backup codes hashed with bcrypt

Active account data: While active
Invoices: 10 years (legal)
After deletion: 30 days max
Security logs: 90 days
Forum and notes: While account active
Support tickets: 3 years

Automatic deletion

Unverified email account: 30 days
Expired trial without subscription: 90 days
Former subscriber without renewal: 1 year
Lifetime/Founder subscriptions: Never deleted

A warning email is sent 7 days before any automatic deletion.

Under GDPR, you have the following rights:

Access: Art. 15
Rectification: Art. 16
Erasure: Art. 17
Restriction: Art. 18
Portability: Art. 20
Objection: Art. 21

Exercise your rights from your account settings or by contacting us.

Email: contact@kotobainteractive.com

Contact form: englishsrs.com/contact

Response time: 1 month max (GDPR)

You can also file a complaint with the CNIL (www.cnil.fr).

In accordance with Article 37 of the GDPR, you can contact our data protection officer for any questions regarding the processing of your personal data:

DPO Email: dpo@kotobainteractive.com

We commit to responding to any request within 30 days.

EnglishSRS is intended for users aged 13 and over. We do not knowingly collect personal data from children under 13.

If you are a parent or guardian and believe your child under 13 has provided us with personal data, please contact us immediately. We will delete this data as soon as possible.

For users between 13 and 16 years old located in the EU, parental consent is required in accordance with Article 8 of the GDPR.

In the event of a personal data breach likely to result in a risk to your rights and freedoms, we commit to:

  • Notifying the CNIL within 72 hours of becoming aware of the breach (Art. 33 GDPR)
  • Informing you as soon as possible if the breach is likely to result in a high risk to your rights and freedoms (Art. 34 GDPR)
  • Documenting any breach, its effects and the corrective measures taken

Any questions?

Our team is available to answer all your questions.