Privacy Policy

Last updated: April 19, 2026

1. Who we are

Shiken Lab (“we”, “us”, “our”) operates the website shikenlab.com — a Japanese Language Proficiency Test (JLPT) practice platform. This policy explains what personal data we collect, how we use it, and your rights.

2. Data we collect

We collect only the minimum data needed to run the service:

Data | Source | Purpose
Display name | Provided by you at sign-up | To personalise your experience
Email address | Provided by you at sign-up or via Google OAuth | To identify your account and send verification emails
Password (hashed) | Provided by you at sign-up (not stored for Google sign-in) | To authenticate you — stored as a bcrypt hash, never in plain text
JLPT level & progress | Set by you during onboarding and use | To show relevant practice content
Practice & exam results | Generated as you use the app | To show your history and progress

We do not collect: real name, address, phone number, payment details, device fingerprints, or any other identifying information beyond the above.

3. How we use your data

  • To create and maintain your account
  • To show your practice history and exam scores
  • To send a one-time email verification link when you register
  • To authenticate you securely on each visit

We do not use your data for advertising, profiling, or automated decision-making.

4. Data sharing

We do not sell, rent, or share your personal data with third parties, except in these limited cases:

  • Google OAuth: If you sign in with Google, Google shares your name, email, and profile picture with us under their Privacy Policy. We do not send data back to Google beyond the OAuth handshake.
  • Cloudflare Turnstile: Our signup page uses Cloudflare’s Turnstile bot-detection widget. Cloudflare may process your IP address to verify you are human. See Cloudflare’s Privacy Policy.
  • Fly.io (hosting): Our servers run on Fly.io. Your data is stored on Fly.io infrastructure in Singapore (sin region). See Fly.io’s Privacy Policy.
  • Legal requirement: We may disclose data if required to do so by law or valid legal process.

5. Data retention

Your account data is retained for as long as your account exists. If you request deletion of your account, we will delete your personal data within 30 days. Practice results may be retained in anonymised, aggregated form.

6. Security

Passwords are stored as bcrypt hashes — we cannot recover your password. Sessions are managed via signed HTTP-only cookies. All traffic is encrypted with HTTPS. We apply rate limiting to authentication endpoints to prevent brute-force attacks.

7. Your rights (GDPR / privacy laws)

Depending on where you live, you may have the right to: access the personal data we hold about you, correct inaccurate data, request deletion of your data, and object to processing. To exercise any of these rights, contact us at the email below. We will respond within 30 days.

8. Cookies

We use only strictly necessary cookies. See our Cookie Policy for details.

9. Children

Shiken Lab is not directed at children under 13. We do not knowingly collect personal data from children. If you believe a child has provided us data, please contact us and we will delete it promptly.

10. Changes to this policy

We may update this policy occasionally. We will post the new version here with an updated “Last updated” date. Continued use of the service after changes constitutes acceptance of the new policy.

11. Contact

Questions about this policy? Email us at privacy@shikenlab.com.
