Skip to main content

Privacy Policy

Last Updated: April 28, 2026

1. Introduction

Welcome to Toran ("we," "our," or "us"), available at toranhq.com. We respect your privacy and are committed to protecting your personal data. This privacy policy explains how we collect, use, and share information about you when you use our website and services.

2. Data Controller vs. Data Processor

  • For our Direct Users (You): We act as the Data Controller for your account information (name, email, billing details).
  • For Your End-Users (Your Customers): When you use Toran widgets to interact with your visitors, we act as a Data Processor. You retain full ownership and control over your end-users' data.

3. Data We Collect

We collect the following categories of data:

  • Account Data: Name, email address, password hash, and billing history.
  • Usage Data: IP address, browser type, device type, and referring URLs.
  • Geo-Localization Data: Country of origin derived from IP address for regional pricing.
  • Widget Click Data: Anonymous metadata (click count, device type, country code).
  • AI Chat Conversation Data: Visitor messages and AI responses, retained for 30 days then automatically and permanently deleted by a scheduled job. We do not read or mine your conversations to train or improve our service; the only thing kept beyond that window is a short, model-written summary saved to the lead so you can act on it in your CRM.
  • Knowledge Base Data: Business content provided via the Knowledge Base feature.

4. Trusted Third-Party Service Providers

We do not sell your data. We share data only with trusted providers required to run our Service:

  • Cloudflare: Hosting & Security (US, global edge)
  • Supabase: Database & Auth (EU — Supabase eu-west-3, France)
  • Paddle: Payments & Tax (UK / US)
  • Resend: Transactional Email (US)
  • Sentry: Error Monitoring (US — PII redacted client-side before transmission)
  • Slack: Owner Notifications (US — only when configured)
  • Google (Gemini): AI Inference (US)
  • IPinfo: IP Geolocation Lookup (US)
  • Telegram: Owner Notifications (Global — only when configured)

For the authoritative current list with transfer mechanisms and locations, see our Sub-processors page.

Each sub-processor is bound by a Data Processing Agreement. We provide at least 30 days' prior written notice before engaging a new sub-processor that processes your data.

5. Data Retention

Account Data — 7-Day Deletion Cooldown

We retain your account, widget configuration, and notification settings for as long as your account is active. When you request deletion, we apply a 7-day cooldown before irreversible erasure proceeds:

  1. Immediately at request time, your widget is disabled and stops processing visitor data.
  2. For 7 days, you can cancel from the dashboard, the cancel link in our confirmation email, or the cancel landing page. Email, password, and MFA changes are blocked during this window to keep your cancel route safe if your credentials were compromised.
  3. After 7 days, your data is permanently and irreversibly erased from our active systems within 24 hours.

The 7-day cooldown is a security measure protecting you from account-takeover. If you require immediate erasure for a documented legal reason, contact privacy@toranhq.com with the supporting documentation. Erasure is permanent in practice, by design. We do not keep your account or lead data in long-lived, immutable snapshots, and we do not restore an individual's deleted data on request. We deliberately favour a bounded, self-controlled backup over a continuously-retained one, because only a self-controlled backup can exclude an entire data class (raw chat transcripts are never written to it) and let deleted data age out, rather than accumulating personal data indefinitely. Your account and lead data is backed up nightly, encrypted before it leaves our systems, and held in independent off-site storage with a tested recovery process. In the rare event of a full disaster-recovery restore, recorded erasures are re-applied before any restored data re-enters production, so a restore cannot resurrect a subject you have erased. Payment and invoice records held by our Merchant of Record (Paddle) may be retained by Paddle under their own legal obligation for tax and AML compliance for up to 10 years — please contact Paddle directly to exercise rights against those records.

AI Chat Conversation Data

Raw message content is retained for 30 days and then automatically and permanently deleted by a scheduled job. Session metadata is retained for 90 days. Raw transcripts are excluded from any backup we take entirely — a control enforced by a post-export check that fails the backup if a transcript data block is ever found. A short AI-written summary of each conversation is kept with the lead so you can use it in your CRM, and that derived summary — not the raw transcript — is the only conversation-related data retained beyond 30 days.

6. Security

We encrypt data in transit with TLS 1.2+ and at rest with AES-256, including object storage on Cloudflare R2. Your primary data store is in the EU (Supabase eu-west-3, France). We enforce two-factor authentication (AAL2) for all administrative access — the server rejects any session below that assurance level, so a stolen single-factor token is not enough. Full technical & organizational measures are documented at the Trust Center.

7. Regulated data & what Toran is not built for

Not HIPAA-eligible. Toran is not configured to handle Protected Health Information (PHI). If you operate a medical practice or healthcare service, do not configure your widget to elicit diagnoses, treatment details, or other PHI from visitors. Use Toran for contact intent only ("book an appointment", "request a callback") and route the medical conversation through your own HIPAA-compliant stack. We are not in a position to sign a Business Associate Agreement (BAA) at this time.

Toran is also not built to receive payment-card data (no PCI scope), government identifiers as a primary input, or content moderated under specific regulated regimes (KYC / AML). If your use case touches any of those, contact trust@toranhq.com before deploying — there is usually a routing pattern that keeps Toran out of the regulated data flow entirely.

8. India DPDP Act & Grievance Officer

For Data Principals under the Indian Digital Personal Data Protection Act 2023, the following rights apply: access (§11), correction & erasure (§12), grievance redressal (§13), and nomination (§14). You may exercise these rights by emailing privacy@toranhq.com.

Grievance Officer (DPDP §13(3)): Erez Avital. Reachable at privacy@toranhq.com with subject line "DPDP grievance" — response within 7 business days, action within 30 days for most requests. Cross-border transfer of personal data is permitted under DPDP §16 (no transfer-blacklist has been published as of this writing).

9. Trust Center & data-processing agreements

For procurement and security questions — encryption details, sub-processor list, DPA signing, breach-response SLA, certifications & roadmap — see the Trust Center and the public Data Processing Agreement / Sub-processor list.

10. Contact Us

If you have any questions about this Privacy Policy, please contact us at privacy@toranhq.com. For trust & security topics, use trust@toranhq.com. For vulnerability disclosure, use security@toranhq.com.