Privacy Policy

Last updated: 2026-05-18

This Privacy Policy describes how Torify (“we”, “us”, or “our”) collects, uses, and protects personal data when you use the Torify API service (“Service”) available at torify.dev and related subdomains.

This is not legal advice. This document is provided for informational purposes only. For specific legal obligations, please consult a qualified legal professional.

1. What We Collect

We collect only the minimum personal data necessary to operate the Service.

1.1 Automatically Collected Data

Data	Purpose	Notes
IP address	Security, rate limiting, abuse prevention	Cloudflare processes this on our behalf
Request metadata	Service operation, debugging	Path, HTTP method, timestamp, response status, country code
HTTP headers	API authentication, routing	`X-Trial-Key`, `X-API-Key`, `Authorization` (not stored beyond request scope)

IP addresses are personal data under GDPR. We treat them accordingly.

1.2 Data You Provide

Data	When	Purpose
Email address	Free Trial signup	Sending your Trial API key; service notifications
Email address	Pro subscription checkout	Billing, subscription management (processed by Polar)

1.3 Data We Do Not Collect

We do not collect:

Names, postal addresses, or phone numbers
Payment card numbers or bank details (handled entirely by Polar)
Browser fingerprints, cookies for tracking, or behavioral analytics
Contents of your API requests beyond the request metadata listed above
Device identifiers

2. Why We Collect — Legal Basis

Data	Purpose	Legal Basis (GDPR Art. 6)
IP address	Prevent abuse, enforce rate limits, security incident response	Legitimate interest (Art. 6(1)(f))
Request metadata	Service operation, debugging, capacity planning	Legitimate interest (Art. 6(1)(f))
Email address (Trial)	Deliver API key, send service-critical emails	Contract performance (Art. 6(1)(b))
Email address (Pro)	Subscription management, billing, receipts	Contract performance (Art. 6(1)(b))
Billing records	Tax law compliance (Japan: 7-year retention requirement)	Legal obligation (Art. 6(1)(c))

We do not engage in automated decision-making or profiling that produces legal or similarly significant effects on individuals (GDPR Art. 22).

3. Retention

Data	Retention Period	Implementation
IP address logs	Maximum 90 days, then automatically deleted	Cloudflare Analytics Engine (platform limit)
Request metadata logs	Maximum 90 days	Cloudflare Analytics Engine (platform limit)
Email address (Trial API key)	90 days from issuance, then automatically deleted	KV store with TTL=90 days (`trial:` namespace)
Email address (Pro/Enterprise API key)	Until account deletion request	KV store without expiry (`apikey:` namespace); deleted on request
Email bounce records	1 year from recording	KV store with TTL=1 year (`bounce:` namespace); prevents re-sending to invalid addresses
Polar subscription status	Until subscription ends or deletion request	KV store without expiry (`polar_sub:` namespace); synchronized with Polar webhooks
Billing records	7 years (Japanese tax law: Income Tax Act Art. 232)	Polar (Merchant of Record)
Cloudflare Analytics Engine events	Maximum 90 days (Cloudflare platform limit)	Cloudflare Analytics Engine

4. Third-Party Data Processors

We share personal data only with the following processors, under data processing agreements.

4.1 Cloudflare, Inc. (Data Processor)

Role: Infrastructure provider — DNS, CDN, DDoS protection, Workers runtime
Data shared: All network traffic, including IP addresses and request metadata
Location: Global (US-based; EU data processed under SCCs)
Privacy policy: cloudflare.com/privacypolicy

4.2 Polar (Merchant of Record & Payment Processor)

Role: Payment processing; acts as Merchant of Record for Pro subscriptions
Data shared: Email address, purchase amount, subscription status
Location: US (processes EU data under SCCs)
Privacy policy: polar.sh/legal/privacy

4.3 Resend (Email Delivery)

Role: Transactional email delivery
Data shared: Email address, email content
Location: US (processes EU data under SCCs)
Privacy policy: resend.com/privacy

4.4 Cloudflare Workers AI (AI Inference)

Role: AI inference for kanji-to-kana conversion (Llama 3.3 70B model on Cloudflare edge)
Data shared: Input text submitted to the /v1/kanji/to-kana endpoint is processed by Cloudflare Workers AI
AI training: Cloudflare Workers AI does not use customer data to train its AI models (per Cloudflare Workers AI Terms of Service)
Location: Global (Cloudflare edge network; data processed in the region closest to the requester)
Privacy policy: cloudflare.com/privacypolicy

4.5 National Tax Agency, Japan (NTA) — Read-Only API

Role: Corporate number (Hōjin Bangō) and qualified invoice issuer lookup
Data shared: Query parameters only (corporate registration numbers submitted by the API caller); no personal data of end users is transmitted
Location: Japan
API terms: houjin-bangou.nta.go.jp

We do not sell personal data to any third party.

5. Your Rights Under GDPR

If you are located in the EEA, UK, or Switzerland, you have the following rights under GDPR:

Right of Access (Art. 15) — Obtain a copy of your personal data we hold
Right to Rectification (Art. 16) — Request correction of inaccurate data
Right to Erasure (Art. 17) — Request deletion, subject to legal retention obligations
Right to Data Portability (Art. 20) — Receive your data in machine-readable format (JSON)
Right to Object (Art. 21) — Object to processing based on legitimate interest
Right to Restrict Processing (Art. 18) — Request restriction in certain circumstances
Right to Lodge a Complaint — Contact your national data protection supervisory authority

To exercise any of these rights, contact: contact@torify.dev
We will respond within 30 days of a verified request.

5a. International Privacy Rights (Non-EU)

If you are located in the following jurisdictions, you may have additional rights under local data protection laws:

California, USA — CCPA / CPRA

Right to know what personal information we collect, use, disclose, or sell
Right to delete personal information (subject to exceptions)
Right to correct inaccurate personal information
Right to opt-out of sale or sharing (we do not sell or share personal information)
Right to non-discrimination for exercising CCPA rights

Submit CCPA requests to contact@torify.dev. We will respond within 45 days.

Brazil — LGPD (Lei Geral de Proteção de Dados, Lei nº 13.709/2018)

Right to confirmation that your personal data is being processed
Right to access your personal data
Right to correction of incomplete, inaccurate, or outdated data
Right to anonymization, blocking, or deletion of unnecessary or excessive data
Right to data portability to another service provider
Right to deletion of personal data processed with your consent
Right to information about third parties with whom data has been shared
Right to revoke consent at any time
Right to review decisions made solely by automated means

Response time: 7 days for LGPD requests. Data Protection Officer (acting): contact@torify.dev.

Note on legal basis: Where LGPD applies, we rely on contract performance (for email delivery) and legitimate interest (for security/rate limiting). Consent is requested for any optional communications.

Canada — PIPEDA + Quebec Law 25 (Bill 64 / Loi 25)

Right to know what personal information we hold about you
Right to access and correct that information
Right to withdraw consent (subject to legal or contractual obligations)
Quebec residents additionally have the right to data portability under Loi 25 (in effect since 2024-09-22) — you may request a structured, machine-readable copy of your personal information

Response time: 30 days (PIPEDA standard). Contact: contact@torify.dev.

India — Digital Personal Data Protection Act 2023 (DPDP Act)

Right to access a summary of your personal data and the processing activities
Right to correction, completion, updating, and erasure of your personal data
Right to grievance redressal (we will acknowledge within 48 hours and resolve within 30 days)
Right to nominate another individual to exercise your rights in the event of death or incapacity

Note on consent: Under the DPDP Act, consent is the primary legal basis for processing personal data (the GDPR-style “legitimate interest” ground does not apply in the same way). All Indian residents who sign up for Trial access are asked for explicit, informed consent. We do not rely on deemed consent for processing.

South Korea — PIPA (Personal Information Protection Act, incl. 2025-03 portability amendment)

Right to access personal information we hold about you
Right to correction or deletion of inaccurate information
Right to suspension of processing
Right to data portability (effective 2025-03-13 for qualifying data categories)

Domestic representative: PIPA requires appointment of a domestic representative in Korea if we process personal data of 10,000 or more Korean residents per year. We currently do not meet this threshold. If and when triggered, we will appoint a local agent and update this policy at least 30 days in advance.

Singapore — PDPA (Personal Data Protection Act)

Right to access personal data we hold about you
Right to correction of inaccurate personal data
Right to withdraw consent
Data breach notification to PDPC: we will notify within 3 calendar days of becoming aware of a notifiable breach

Response time: 30 days (PDPA standard). Contact: contact@torify.dev.

Japan — Act on the Protection of Personal Information (APPI / 個個法)

Right to request disclosure of retained personal information we hold about you
Right to correction, addition, or deletion of inaccurate retained personal information
Right to suspension of use or erasure of personal information
Right to suspension of third-party provision
Right to receive an explanation of the purpose of use

Contact for APPI requests: contact@torify.dev. Response time: within 2 weeks.

Personal Data Breach Notification — APPI Art. 26 (PPC Reporting)

In the event of a leakage, loss, or damage of personal information concerning Japanese residents, we will carry out the following procedures pursuant to Article 26 of the Act on the Protection of Personal Information:

Preliminary Report (΅報): Report to the Personal Information Protection Commission (PPC) within 3–5 business days of becoming aware of the incident
Final Report (確報): Submit a full report to the PPC within 30 days of discovery (or 60 days for cases involving unauthorized access)
Notification to affected individuals: Notify affected individuals promptly by a method that ensures they are informed (individual email and/or prominent notice on our website)
PPC reporting portal: ppc.go.jp/personalinfo/legal/leakAction/

Other Jurisdictions

Thailand (PDPA) — Right of access, correction, withdrawal of consent. Data breach notification within 72 hours of awareness.
Hong Kong (PDPO) — Right of access, correction. Submit a Data Access Request form to contact@torify.dev.
Australia (Privacy Act 1988 / APPs) — Right of access, correction, and complaint to the OAIC.

To exercise any of these rights, email privacy@torify.dev or contact@torify.dev with proof of identity (e.g., confirmation of the email address registered with us). We may verify identity before fulfilling requests. Requests are processed within 30 days regardless of jurisdiction unless a shorter period applies under applicable law.

6. International Data Transfers

The Torify service is operated from Japan. Our processors (Cloudflare, Polar, Resend, Cloudflare Workers AI) are US-based. When personal data from the EEA/UK/Switzerland is transferred to the US, we rely on Standard Contractual Clauses (SCCs) executed by each processor. Japan has received an EU adequacy decision (2019), so Japan-to-EU transfers benefit from the adequacy framework.

7. Data Processing Agreement (DPA)

If you require a formal DPA between your organization (as controller) and Torify (as processor), please email contact@torify.dev with subject line “DPA Request”. Available on request at no charge.

8. Cookies and Tracking

We use no tracking cookies and no third-party analytics scripts. We do not use cookies for advertising, cross-site tracking, or behavioral profiling.

Cloudflare infrastructure may automatically set security-related cookies essential for service operation, including:

__cf_bm — Bot management cookie set by Cloudflare (expires within 30 minutes of inactivity)
cf_clearance — Rate-limiting challenge verification cookie (session-scoped)

These cookies are set by Cloudflare, not by Torify, and are not used for user tracking or behavioral profiling. They are technically necessary for DDoS protection and rate limiting.

9. Security

We implement appropriate technical and organizational measures including TLS encryption, hashed API key storage, network-layer rate limiting, and restricted infrastructure access. In the event of a personal data breach posing high risk to rights and freedoms, we will notify affected individuals without undue delay (GDPR Art. 34).

9a. AI-Generated Content Disclosure (EU AI Act Art. 50)

The /v1/kanji/to-kana endpoint uses AI inference (Cloudflare Workers AI, Llama 3.3 70B model) to convert kanji text to kana readings. In compliance with EU AI Act Article 50 transparency requirements:

API responses from this endpoint include a "source": "workers-ai" field in the JSON response body, clearly indicating that the result was generated by an AI model
The conversion is performed by a general-purpose AI model and is provided as a best-effort approximation; results should be verified for critical applications
No personal data is retained from AI inference inputs after the request completes

All other endpoints in the Torify API do not use AI-generated content; they retrieve factual data from authoritative sources (National Tax Agency, postal databases, etc.).

10. Contact — Data Controller

Torify
Operated by: Individual operator based in Japan
Contact: contact@torify.dev

Email: contact@torify.dev
Response time: within 30 calendar days.

11. Changes to This Policy

For material changes, we will update the “Last updated” date and send email notification to registered users at least 14 days before changes take effect. The current version is always available at torify.dev/privacy.