Privacy Policy

Hoshika is the controller of your personal data. For any privacy question, contact us via the contact page.

• Account data: username, public name, email address, password (hashed with bcrypt/argon2), date of birth.
• Profile data: avatar, banner, biography, preferences.
• Generated content: reviews, lists, comments, ratings, forum threads.
• Usage data: list entries (anime/manga, episodes watched, chapters read, rating, dates).
• Technical data: IP address, browser, language, session cookies.
• Linked accounts: if you connect Google, Discord, X, MyAnimeList, AniList, Kitsu, Trakt, or Simkl we receive your identifier, name, and avatar from those services.

• Provide the Service: account, lists, forums, recommendations.
• Authentication and session security.
• Operational communications (email verification, password reset, legal notices).
• Product improvement: aggregated and anonymous statistics.
• Comply with legal obligations and handle user rights.

We verify your date of birth to ensure you meet the minimum age (see Terms). We don't use your data for automated decisions with legal effects.

• Contractual execution: account, lists, profile.
• Consent: non-essential cookies, promotional communications, external integrations.
• Legitimate interest: security, abuse prevention, product improvement.
• Legal obligation: when a competent authority requires it.

We keep your data while you maintain an active account. If you delete it, we erase or anonymize your personal information within 30 days, except data we must retain by legal obligation (e.g. security or billing logs for the required periods).

We don't sell your data. We share it only with:

• Infrastructure providers: Cloudflare (CDN/WAF), Backblaze B2 (storage), Hetzner (EU hosting).
• Identity providers: Google, Discord, X, and anime APIs (only if you link them).
• Email: SMTP provider for transactional emails.
• Authorities: when legal obligation exists.

All processors handle data on our behalf and under data processing agreements.

Some providers may process data outside the EEA. In those cases we require adequate guarantees (European Commission Standard Contractual Clauses or adequacy decision).

You have the right to access, rectify, delete, object, limit processing, and port your data. You can exercise them at any time from your account settings or by writing via the contact page.

You may also file a complaint with the Spanish Data Protection Agency (AEPD) or the supervisory authority of your country.

We use strictly necessary cookies to maintain your session and preferences (language, theme). We don't use third-party advertising cookies. If we add analytics in the future, we'll ask for your consent before enabling them.

We apply reasonable technical and organizational measures: encryption in transit (TLS), strong password hashing, access control, and backups. No system is 100% secure: we'll notify you without undue delay of any incident affecting your data.

The Service is not directed to minors under 13 (16 in EEA/UK, unless local law differs). If we detect underage accounts without authorization, we'll delete them.

We may update this Policy. We'll notify substantial changes in advance by email or prominent notice on the Service.