Security

Passwords are hashed with scrypt and a per-user random salt — we never store or log plain-text passwords. Sessions use a signed, HTTP-only cookie that cannot be read by JavaScript.

Every record — your profile, decks, cards, reviews, conversations, writing and classes — is scoped to your account at the database layer. One learner can never read or modify another learner's data.

All traffic is served over HTTPS/TLS. Connections to our database and AI provider are encrypted.

We deliberately avoid third-party advertising and analytics SDKs, which are a common source of data leakage in education apps. Our only subprocessors are our hosting, database and AI providers — listed on the Privacy page.

Teachers manage classes via private join codes and can only see their own classes and rosters. No advertising is shown to any user, including students.

Found a vulnerability? Please email security@language-ninja.app. We appreciate responsible disclosure and will respond promptly.