Privacy Policy
Last updated: May 28, 2026
1.Overview
Mr.Wang Chinese ("we", "us") collects a small, deliberate set of data — only what we need to run accounts, deliver paid features, and improve the Service. We do not sell your data, we do not run ad networks on this site, and we keep our list of third-party processors short.
This policy explains what we collect, why, who else sees it, and the rights you have. It applies to the website at mwchinese.online and any associated subdomains.
2.What we collect
Account information
When you sign up, we collect your email address and a cryptographic hash of your password (handled by Supabase Auth — we never see the plaintext password). You may optionally set a display name.
Subscription & invoice records
When you purchase a pass, we store the order ID, plan, amount, currency, purchase date, expiration date, and a link to the invoice PDF hosted by Stripe. We do not store full card numbers, CVVs, or other PCI data — that lives only with Stripe.
Usage logs
To enforce daily quotas and improve the product, we record lightweight events: which tool you used (worksheet, builder, demo, etc.), a timestamp, and a small metadata blob (for example, character count). We do not record the content of worksheets you generate.
Feedback you send
When you use the feedback widget (the floating 💬 button), we store your message, type tag (bug, feature, question, compliment), the URL of the page you sent it from, and your browser user-agent string — alongside your user ID so we can reply.
Technical data
Like any website, our servers and infrastructure providers log basic technical data — IP address, timestamps, request paths, browser headers — for security and operational diagnostics. These logs are short-lived (typically 30 days).
3.How we use your data
- To run your account — sign you in, gate paid features, show you the right plan in the navigation.
- To deliver paid features — verify a pass is active before unlocking watermark-free exports, higher daily limits, and additional fonts.
- To enforce free-tier limits — count daily usage against the documented quota (e.g., 2 Builder trials per day on Free).
- To support you — respond to feedback, refund requests, and account issues.
- To improve the Service — aggregate, anonymized usage data tells us which tools are loved, which are confusing, and where things break.
- To comply with law — invoice records and minimal account data are retained to meet tax and accounting obligations.
We do not use your data to train AI models, profile you for advertising, or sell it to data brokers.
4.Sharing with third parties
We rely on a small set of infrastructure providers ("processors") who handle data on our behalf, under contract. Each is GDPR-compliant and has its own published privacy policy:
| Provider | What it handles | Region |
|---|---|---|
| Supabase | Authentication, Postgres database (your account, subscription, invoice, usage, and feedback records) | AWS · ap-northeast-1 (Tokyo) |
| Stripe | Payment processing, invoice PDFs, card data (we never see your card) | US / global |
| Vercel | Static site hosting, edge functions, technical logs | US / global edge |
| jsDelivr | Public CDN for open-source libraries and stroke data (no account data) | Global |
We share only what each processor needs to do its job. We do not share data with advertisers, data brokers, or analytics resellers.
We may disclose data when required by valid legal process (subpoena, court order) or to protect the safety of our users or the public. Where law permits, we will notify the affected user first.
5.Cookies & local storage
We use a small number of essential browser-storage entries — no third-party tracking cookies, no advertising pixels:
- Auth session (localStorage, key
mrwang-chinese-auth) — keeps you signed in across page loads. Set by Supabase. - Daily quota counters (localStorage, keys starting
mw-quota:) — tracks free-tier usage per day so we don't over-charge against your quota. - UI preferences (localStorage) — remembers your font / grid / opacity choices on the Worksheet page.
- IndexedDB caches — caches large public assets (the makemeahanzi character dictionary, watermark state) to reduce bandwidth.
You can clear all of this at any time from your browser's site-data settings. Doing so will sign you out and reset your local preferences.
6.Data security & retention
Connections to the site use HTTPS. Authentication and database queries go through Supabase row-level security (RLS), meaning each request can only access rows that belong to your own user ID. Passwords are hashed by Supabase Auth and are never visible to us in plaintext.
How long we keep things:
- Account data — for the lifetime of your account, plus 30 days after deletion request.
- Invoice records — 7 years after the invoice date, to meet tax / accounting requirements.
- Usage logs — 90 days, then deleted or aggregated.
- Feedback records — kept while relevant for product follow-up; then anonymized.
- Technical / server logs — 30 days.
We do our best to keep your data safe, but no internet service is perfectly secure. If we discover a breach affecting your personal data, we will notify you and the relevant regulators within the legally required timeframe.
7.Your rights (GDPR / CCPA / others)
Depending on where you live, you have some or all of the following rights:
- Access — request a copy of the personal data we hold about you.
- Correction — ask us to fix anything that is inaccurate.
- Deletion — ask us to delete your data (subject to legal retention obligations like invoice records).
- Portability — receive your data in a machine-readable format.
- Restriction & objection — ask us to stop or limit certain processing.
- Withdraw consent — for anything we rely on consent for, you can withdraw at any time.
- Do not sell / share (CCPA) — we do not sell or share your personal data for cross-context behavioral advertising. There is nothing to opt out of, but you have the right to confirm this in writing.
- Lodge a complaint — with your local data protection authority, if you believe we have mishandled your data.
To exercise any of these rights, email support@mwchinese.online from the address tied to your account. We respond within 30 days. There is no charge for reasonable requests.
8.Children's privacy
Mr.Wang Chinese is not directed at children under 13. We do not knowingly collect personal data from children under 13. If you are a parent or teacher and believe a child under 13 has signed up, please email us and we will delete the account.
Children aged 13–17 may use the Service with a parent's or teacher's permission. In a classroom setting, the responsible educational institution is the data controller for student accounts.
9.Changes to this policy & contact
We may update this policy occasionally. When we make material changes — for example, adding a new processor or a new category of data — we will update the "Last updated" date at the top and notify signed-in users by email or via an in-app notice.
Privacy questions, data requests, or concerns: support@mwchinese.online. We aim to respond within 2 business days.