Torii QR
Dashboard Log in Get started free

Privacy Policy

Last updated: April 9, 2026

Torii QR ("Service") respects your privacy and is committed to protecting your personal information. This policy explains what data we collect, how we use it, and how we protect it.

1. Data We Collect

Information you provide directly

  • Account information: Email address and password (stored as a bcrypt hash)
  • QR code content: The content you create and edit (URLs, menu data, business information, etc.)

Information collected automatically

  • Scan analytics: When a QR code is scanned, we record the country (from Cloudflare's CF-IPCountry header), device type, and scan timestamp. We do not store IP addresses. User-agent strings are stored as SHA-256 hashes only.

Payment information

Payment details (credit card numbers, etc.) are handled by Paddle (paddle.com). We never collect or store payment information directly. Paddle acts as the Merchant of Record and is responsible for billing and tax processing. See Paddle's privacy policy at paddle.com/legal/privacy.

2. How We Use Your Data

  • Providing and operating the Service (authentication, QR code management, redirect processing)
  • Generating scan analytics reports
  • Sending transactional emails (billing updates, account notifications, etc.)
  • Detecting and preventing fraudulent or abusive use
  • Improving and developing the Service

3. Data Sharing

We do not sell your personal data. We share data only in the following cases:

  • Paddle: Your email address is shared with Paddle to create a billing customer record
  • Resend: Your email address is shared with Resend (resend.com) solely to send transactional emails
  • Legal requirements: We may disclose data if required by law or a valid legal process

4. Data Storage

Your data is stored on servers located in Japan (Tokyo). If you delete your account, your personal information and associated QR code data will be permanently deleted within 30 days. Anonymised scan statistics may be retained for aggregate reporting purposes.

5. Cookies and Local Storage

We use cookies and local storage solely to maintain your authentication session. We do not use third-party tracking cookies.

EU/EEA and UK visitors are shown a cookie consent banner on first visit. Your choice (accept or decline) is stored locally; declining does not affect access to the Service.

International Users — GDPR & CCPA

If you are a resident of the European Economic Area (EEA), United Kingdom, Switzerland, or California, you have additional rights under the GDPR, UK GDPR, Swiss FADP, or CCPA respectively, including:

  • Right of access: request a copy of the personal data we hold about you
  • Right to rectification: correct inaccurate or incomplete data
  • Right to erasure ("right to be forgotten"): request deletion of your personal data
  • Right to restrict processing or object to processing
  • Right to data portability: receive your data in a structured, machine-readable format
  • Right to withdraw consent at any time, where processing is based on consent
  • Right to lodge a complaint with your local supervisory authority
  • CCPA: we do not sell or share personal information for cross-context behavioral advertising. California residents may exercise their CCPA rights by contacting us.

To exercise any of these rights, contact us at [email protected]. We will respond within the timeframes required by applicable law.

International data transfers: our servers are currently located in Tokyo, Japan. By using the Service from outside Japan you consent to the transfer of your data to Japan. Japan has been recognised by the European Commission as providing an adequate level of data protection.

6. Your Rights

You have the right to:

  • Request access to the personal information we hold about you
  • Request correction or deletion of your personal information (via account settings or by emailing us)
  • Delete your account at any time from the account settings page

7. Children

The Service is not directed at children under 13. We do not knowingly collect personal information from anyone under 13.

8. Policy Updates

If we make material changes to this policy, we will notify you via your registered email address or through an in-service notice before the changes take effect.

Contact

For privacy-related questions, please contact us at [email protected].