Privacy Policy

Last updated: 30 June 2026

1. Who we are

Lexablocks is a free side project that breaks Japanese sentences into clickable grammar blocks. It is operated by Pure Bluff, based in the United Arab Emirates. For any data-related question, email us at the address on the contact page.

2. What we collect

  • Sentences you submit.When you paste a sentence into the tool, the text is sent to our server and to the AI provider listed below. We store the resulting explanation in a cache keyed by a SHA-256 hash of (sentence + model + prompt version), so identical sentences don't re-call the AI. The cache row contains no user identifier.
  • A hashed form of your IP address. To prevent abuse and keep the service free, we count how many sentences each visitor sends per day. Before storing anything, the IP is combined with a server-side secret salt and run through SHA-256. The result is pseudonymous and not by itself enough to identify you. We do not store your raw IP.
  • Aggregate page-view counts. We use Vercel Analytics to see roughly how many people visit each page, where visits come from (e.g. a search engine or a referring site), and broad device/country breakdowns. It does not set cookies, does not store your IP address, does not fingerprint your browser, and does not identify individuals. The data is aggregated counts only.
  • Which channel brought you here.Once per browser tab, we record a single anonymous event noting a coarse acquisition category (e.g. "reddit", "google", "direct") derived from your browser's referrer, plus any utm_source/utm_medium/utm_campaign values present in the link you clicked and the page you landed on. We never record the full referring URL, only the category. This tells us which of our own posts or ads are working — it does not identify you.
  • Voice input (only if you use the microphone).In Speaking practice you can optionally speak instead of type. When you do, your browser's built-in speech-recognition feature converts your speech to text. In some browsers — notably Google Chrome — this means the audio is sent to the browser vendor's servers (Google) for transcription; this is handled by your browser, not by us, and is governed by that vendor's privacy policy. We never record, store, or transmit your audio ourselves — we only receive the resulting text, which is then treated exactly like text you typed. If you don't use the microphone, no audio is processed at all.
  • Conversation history (stored only in your browser).Your Speaking practice conversations and recent breakdowns are saved in your browser's local storage on your own device so they survive a refresh. They are never sent to or stored on our servers, and clearing your browser data removes them.
  • Feedback you send us. If you email us a bug report, suggestion, or any other feedback, we retain that correspondence and may use it to improve the service — for example, to fix a reported problem or to prioritise a feature request. We do not publish individual messages without your permission, and we do not share them with third parties beyond what is necessary to act on them.
  • Nothing else. No accounts. No cookies. No tracking pixels. No cross-site or cross-session identifiers. We do not host a contact form on the site — to reach us you email us directly from your own mail client, so the contents of that email go through your own email provider, not ours.

3. Why we collect it

All processing is based on our legitimate interest in operating a free, abuse-resistant service (UAE PDPL Article 5; for EU/EEA residents, GDPR Article 6(1)(f)). In each case our interest is proportionate: we collect the minimum necessary, use pseudonymous or aggregated data wherever possible, and store nothing that directly identifies you.

  • Hashed IP: daily rate limiting (capped at 100 sentences per day per visitor) and basic abuse prevention.
  • Cached sentences: to reduce duplicate calls to the AI provider, which makes the service faster and lets us continue to offer it free.
  • Aggregate analytics: to understand which pages people use most, where traffic comes from, and roughly how many people are using the tool — so we know where to invest improvement effort. No individual is identified.
  • Feedback emails: to improve the service by acting on bug reports and feature suggestions. The legal basis is the same legitimate interest in maintaining a quality free tool.

4. Third parties involved

We use a small number of trusted infrastructure providers. Each is the minimum needed to run the site:

  • Groq, Inc. (United States) — AI provider. Receives the sentence text you submit to generate an explanation.
  • Neon, Inc. (United States, on AWS) — Postgres database hosting. Stores the cache and the hashed rate-limit counters with encryption at rest (AES-256) and in transit (TLS 1.2+).
  • Vercel, Inc. (United States) — application hosting and CDN. Sees your raw IP at the network edge for routing, but does not retain it on our behalf. Vercel also provides our analytics: it counts page views and product events (such as a practice message being sent) and aggregates roughly where visits come from. Vercel Analytics does not set cookies, does not store IP addresses, does not fingerprint your browser, and does not identify individuals — the data is anonymous aggregate counts only.
  • Your browser's speech-recognition vendor (only if you use voice).If you choose to speak in Speaking practice, your browser may send your audio to its own speech service to transcribe it. In Google Chrome this is Google. This is a feature of your browser, not an integration we control; we only receive the text it returns. Don't use the microphone if you prefer your audio never leave your device.

5. Cross-border transfer

All three providers above process data in the United States. The mechanism for each transfer depends on where you are:

  • EU/EEA residents (GDPR Chapter V):We rely on Standard Contractual Clauses (SCCs) incorporated into each provider's Data Processing Agreement (DPA). Vercel, Groq, and Neon each maintain EU SCCs as part of their standard DPAs, which provide contractual safeguards for your data when it is processed in the United States.
  • UAE residents (PDPL Article 22):We rely on each provider's DPA, which contains contractual safeguards equivalent to standard contractual clauses, as the legal basis for these transfers.

6. How long we keep it

  • Cache entries: retained while the cache key remains valid (i.e. until the model or prompt version changes). Content is addressed only by a SHA-256 hash, with no user identifier attached.
  • Rate-limit rows: automatically deleted seven days after they are created. The cleanup happens inside the database on every rate-limit write, so no scheduler is required.
  • Aggregate analytics data: retained by Vercel on our behalf per their standard retention policy. Because the data does not identify individuals, no per-user deletion is possible or necessary.
  • Emails you send us: retained in our mailbox for as long as needed to respond and to keep a normal correspondence history. You can ask us to delete prior correspondence at any time.

7. Your rights

Under UAE PDPL and, for EU/EEA residents, under GDPR, you have the right to:

  • Access information about how we process your data.
  • Request rectification of inaccurate data.
  • Request erasure of your data.
  • Restrict or object to processing.
  • Request data portability.
  • Withdraw consent at any time.
  • Lodge a complaint with a supervisory authority (EU/EEA residents only). If you believe we have handled your data unlawfully, you can complain to the data protection authority in your EU member state — for example, the ICO (UK), CNIL (France), or the authority in the country where you live or work.

Because we do not collect any identifying data, most of these rights are satisfied simply by you ceasing to use the service. To exercise any right, email us using the address on the contact page.

8. Children

Lexablocks is intended for users aged 13 and over (16 and over for EU/EEA residents, in line with GDPR Article 8). We do not knowingly collect data from anyone below the applicable minimum age. If you believe we have inadvertently done so, please reach us via the contact page and we will delete it.

9. Security

All traffic to the site is served over HTTPS. The database is encrypted at rest. IP addresses are hashed with a server-side salt before any write. We store no passwords and no payment information — there is intentionally very little data to protect.

10. Changes to this policy

If we materially change how we handle data, we will update this page and surface a notice in the application. The "Last updated" date at the top of this page tells you when the policy last changed.

11. Contact

Privacy questions, data requests, or anything else: email us using the address on the contact page.