Privacy

• Wanilog runs in your browser. Your WaniKani data is cached on your device, not on a Wanilog server.
• Your WaniKani API key stays on your device and is sent only to api.wanikani.com, with two consent-gated exceptions described below.
• A small set of usage events are sent to PostHog so the app can improve over time. Each event is tagged with your WaniKani username and level.
• If you choose to publish a public profile or enable achievement sync, an aggregate snapshot of your stats is stored on Wanilog's server (Upstash Redis) under your WaniKani username. Both are opt-in.
• Analytics can be switched off at any time in Settings.

Your WaniKani API key is stored in your browser's localStorage and is used only when Wanilog fetches your data from api.wanikani.com. It is not transmitted to PostHog, Vercel, or any other service. Logging out removes it from your device.

Two exceptions, both with consent. When you publish a public profile (tapping Create shareable link on the /share page) or enable achievement sync on the /achievements page, your browser hands the key off to Wanilog only to confirm you own the account. A short-lived function calls api.wanikani.com/v2/userwith the key to check that the WaniKani username it returns matches the one you're publishing under, then forgets the key. This check is what stops someone else from claiming /u/your-username or syncing badges in your name. The key is never written to disk, never cached, never logged - it only lives in the memory of that single request for a fraction of a second. Achievement sync repeats this verification each time it runs (on the /achievements page and when a new badge is earned), but again only ever sends the key for the in-flight check.

Wanilog is a personal side project. The roadmap is short and time is limited, so usage data is what makes prioritisation possible: which features are worth investing in, which ones aren't earning the space they take, and which pages quietly broke for a subset of users after a release. Without it, every decision becomes a guess.

Each event is tagged with your WaniKani username and level. That makes the data identifiable rather than anonymous, which is what enables cohort analysis such as tracking engagement by level.

• Pageviews. Pathname only. Query strings and URL fragments are stripped.
• Feature usage. Named events such as "opened a study tool" or "downloaded a share card". Numeric properties are bucketed (for example 10-49 or 50-99) before transmission.
• Clicks. PostHog autocapture records the element type, CSS selector, visible text, and link target of the buttons and links you interact with. The contents of input, textarea, password, and hidden fields are stripped before transmission.
• Web vitals. Page-load timings (LCP, CLS, INP, FCP) used to detect performance regressions between releases.
• Crashes. Uncaught JavaScript exceptions with stack traces of Wanilog's own source, used to diagnose and fix bugs.
• Console logs. Warnings and errors that Wanilog prints to the browser console are captured to surface problems in production. This subsystem stays on even when analytics are turned off in Settings; the network-level block below is the only reliable way to stop it.
• Session replays. PostHog records DOM-level interactions (clicks, scrolls, navigation, and timing) using rrweb. All form inputs, including the "Can I read this" textarea and the API key field, are masked before recording. Replays are retained for 30 days.

Requests to WaniKani, PostHog, and Vercel necessarily include your IP address and User-Agent. Those services may observe them; Wanilog does not log them.

Data leaves your device only to WaniKani's API, to PostHog (analytics), to Vercel (hosting), and - when you opt into a public profile or achievement sync - to Upstash Redis (the cloud store described below), and - when you submit the feedback survey - to a private Discord channel via Wanilog's server (your note plus your WaniKani username and level, platform, and install age, never your API key). When the survey first appears, your WaniKani username alone is recorded once on Wanilog's server so the one-time survey does not reappear on your other devices. There is no Google Analytics, no Meta pixel, no advertising network integration, no data broker, and no AI model training. The Can I read this analyzer never transmits what you enter. Demo mode is fully silent: no events fire while it is active.

wk_uidis PostHog's first-party storage key (renamed from PostHog's default name). It starts as a random anonymous identifier on your first visit; once you log in, it is set to your WaniKani username so events can be attributed to your account. It is never derived from your API key. It expires after twelve months of inactivity and is removed when you clear site data.

localStoragealso holds your API key, settings, theme, sync timestamps, and a cached copy of your WaniKani data for offline use. None of it leaves your device. You can inspect or remove it through your browser's developer tools, or by resetting via Settings.

Wanilog ships five server-side routes:

• /api/nhk proxies NHK Easy News so the Reading Coverage page can fetch headlines without cross-origin issues. It never sees your API key or WaniKani data.
• /api/geo reads the approximate location that Vercel infers from your public IP (country code, city, latitude, longitude) and returns it to the same browser tab. The homepage uses it to draw a "you are studying from {country}" arc on the globe. The response is sent back to the client only, not stored, logged, or shared with any third party. It never sees your API key.
• /api/wk-assetproxies images and audio from WaniKani's content CDN so they can be cached for offline use. It carries no personal data and never sees your API key.
• /api/profile backs the opt-in public profile. When you publish, it receives your stats snapshot plus your API key for a single in-flight verification call to api.wanikani.com/v2/user (to confirm you own the username), then stores the snapshot in Upstash Redis under your WaniKani username. The key is never persisted.
• /api/achievements backs the opt-in achievement sync. It receives your earned-badge list plus your API key for the same in-flight verification, then stores the badge record in Upstash Redis under your WaniKani username. The key is never persisted.

Three of these routes never receive your API key. The two opt-in routes (/api/profile and /api/achievements) receive it only for a single verification call and never store it.

By default nothing about you is stored on a Wanilog server. Two opt-in features change that, and both write to an Upstash Redis cloud store keyed by your WaniKani username:

• Public profile. When you create a shareable link on the /share page, an aggregate snapshot of your stats is stored. It contains your username, current and goal level, account start date, projected finish date, your SRS distribution (counts at each stage from beginner through to fully memorised), kanji unlocked and learned counts, JLPT / Joyo / frequency coverage percentages, lifetime accuracy and review count, per-level durations, one representative kanji per level, and any tagline you set. It does not contain your API key or any review-by-review history.
• Achievement sync. When enabled on the /achievements page, the list of badges you have earned (badge id plus the date earned) is stored.

Stored profiles are published at /u/your-username, listed on the public leaderboards, and the username-to-profile mapping is included in the sitemap, so search engines may index it. Both stores persist indefinitely - there is no automatic expiry. You can overwrite a profile by re-publishing, remove yourself from the leaderboard rankings with the toggle in Settings, or email the address below to have everything deleted.

Open Settings and turn off Help improve Wanilog. The change takes effect immediately and persists across sessions.

One caveat: the console-log capture described above stays on regardless of this toggle. For a complete block, including console logs, any content blocker that drops requests to shiba.wanilog.com, such as uBlock Origin, Brave Shields, NextDNS, or an entry in your hosts file, prevents all analytics from being transmitted. The rest of the application continues to function as expected.

Email privacy@wanilog.com to have your data deleted, request a copy of what is held, or correct anything inaccurate.

Wanilog is operated as a personal side project. For privacy-related questions, please email privacy@wanilog.com. Wanilog will not sell your data, display advertisements, share data with any third party outside the processors named above (PostHog, Vercel, and Upstash), or use your data to train an AI model.