Privacy Policy
Effective date: May 8, 2026
Legal review notice: This document provides strong baseline coverage for Toran's early beta stage. A review by a technology-focused attorney is required before Toran scales beyond private beta cohorts.
Toran Inc., a Delaware corporation with its principal place of business in Washington, USA (“Toran”, “we”, “our”, or “us”), operates the website and services at mytoran.com. This Privacy Policy explains what information we collect when you use Toran, how we use it, and the choices you have.
This policy is written for people in the European Union and United Kingdom (GDPR / UK GDPR), California (CCPA / CPRA), Canada (PIPEDA), and all other jurisdictions where Toran is accessible. If you have specific rights under any of those frameworks, they are called out explicitly below.
Toran is currently in private beta; access is invite-only via an allowlist and waitlist.
1. Information We Collect
Information you give us when you join the waitlist
Before an account exists, you can request access through the waitlist form. We collect:
- Email address (required), and optionally your name.
- Usage type: Personal, Student, or Professional.
- Conditional context, depending on usage type: home stage (Personal), school name and major (Student), or business name and professional role (Professional).
Information you give us when you create an account
- Account credentials: name, email address, and password (the password is never stored in plain text — it is hashed and salted by Supabase Auth, our authentication provider).
- Account type: Personal or Professional, and — for Professional accounts — the name of your school or company.
- Consent record: the timestamp at which you accepted this Privacy Policy and the Terms of Service, and the version number of those documents you accepted. This is stored both in your authentication metadata and in a dedicated consent-audit table for legal traceability.
Information you give us when you use the service
- Room photographs: photographs of your living space that you choose to upload when using Toran's design tools. These photos may incidentally capture other content visible in the frame — faces of household members, documents, prescription bottles, mail, screens, and similar items. Please review and remove anything you would not want sent to a third-party AI service before uploading.
- Derived assets: images we generate or extract during processing — for example, modified room renders, segmented object crops, and inpainted regions.
- Design prompts and chat input: the text instructions you give Toran to describe the changes you want.
- Support communications: any messages you send to support@mytoran.com.
Information collected automatically
- Device and connection data: IP address, browser type, operating system, and referring URL — used for security, abuse prevention, and basic operations logging.
- Authentication state: session tokens issued by Supabase Auth, stored in browser cookies. These tokens are required to keep you signed in.
- Browser-side preferences: theme choice (light or dark) stored both as a cookie and in localStorage; small interface flags in localStorage tracking whether you have dismissed onboarding tooltips; the most recently visited route stored in sessionStorage for back-navigation. None of this data is transmitted to our servers automatically — see our Cookie Policy.
What we do not collect
- We do not run third-party analytics. We do not currently use Google Analytics, Mixpanel, Amplitude, Segment, PostHog, Sentry, or similar tools.
- We do not run advertising pixels or social-media trackers.
- We do not currently process payments. There is no payment processor integrated with Toran today; if and when we add one (e.g. Stripe) we will update this policy and notify users in advance.
2. How We Use Your Information
- To operate the Toran service — including processing your room photographs and prompts through our AI design tools to produce the edits you request.
- To authenticate your account and maintain a secure session.
- To enforce daily AI-usage limits per account (a small counter is kept per user).
- To send transactional email — for example, waitlist confirmations, allowlist invites, and the account-confirmation email sent by our authentication provider. Transactional email is delivered through Resend (waitlist / allowlist) and through Supabase Auth's built-in email (account confirmation and password reset).
- To improve Toran. We may review aggregated, non-identifying usage patterns. We do not use your identifiable room photographs to train our own models.
- To prevent abuse and respond to security incidents.
- To comply with legal obligations.
We do not send marketing email without separate, explicit consent.
3. Room Photographs and AI Processing
When you request an edit to a room photograph, that photograph (and the prompts associated with it) is transmitted, over an encrypted connection, to one or more third-party AI inference providers in order to produce the result. Different operations use different providers:
| Provider | What is sent | Retention default | Training-on-inputs default |
|---|---|---|---|
| OpenAI (DALL·E-3 generation, image edits / inpainting, vision-assisted prompts) | Room images, derived images, prompts | Up to 30 days for abuse-monitoring logs (per OpenAI's published API policy). DALL·E-3 is not currently zero-data-retention eligible. | Not used to train OpenAI models by default since March 2023. |
| Replicate (segmentation, inpainting, background removal) | Room images, derived images | API predictions are auto-deleted after approximately one hour, per Replicate's published policy. | Not used to train models without your consent. |
| FAL.ai (segmentation, transformation) | Room images, derived images | FAL.ai stores request inputs and outputs by default to allow later retrieval, unless an opt-out header is supplied. We are working to enable that opt-out — see Section 11. | Not used to train models without your consent. |
| Anthropic (text reasoning, growth-insight copy) | Text prompts only — no room images | Up to 30 days, per Anthropic's published API policy. | Not used to train Anthropic models. |
We rely on each vendor's published API terms and default data-handling policy. We have not negotiated bespoke processing terms (Data Processing Addenda) with these vendors at this stage of the company. If that changes — for example, after we move out of beta — we will update this policy.
Storage of your photographs and derived assets within Toran itself is handled by Supabase Storage in the following buckets: room-images (originals), object-assets (extracted object crops), room-edits (edited room renders), and ai-guru-results (transformation outputs). Files are addressed by paths scoped to your user ID.
4. Sub-processors
We use the following service providers to operate Toran. Each is listed with the type of data they may process:
- Supabase — authentication and Postgres database hosting; stores account credentials, account metadata, consent records, room and object metadata, and image blobs in Supabase Storage. Hosted in the United States.
- OpenAI — AI inference for image edits, generation, and vision-assisted prompts (see Section 3).
- Replicate — AI inference for segmentation, inpainting, and background removal (see Section 3).
- FAL.ai — AI inference for segmentation and transformation (see Section 3).
- Anthropic — text-only AI inference for narrative and growth-insight features (no room images sent).
- Resend — transactional email delivery (waitlist and allowlist messages). Hosted in the United States.
- Render / Vercel — application hosting infrastructure.
We do not sell or rent your personal information to anyone. We may also disclose information when required by law, court order, or governmental authority, or to protect the safety of our users or the public.
We will provide reasonable advance notice before adding a new sub-processor that materially changes how your personal data is processed.
5. International Data Transfers
The sub-processors listed above are based primarily in the United States. If you access Toran from the European Economic Area, the United Kingdom, Switzerland, or another jurisdiction outside the U.S., your personal data will be transferred to and processed in the United States. We rely on each vendor's publicly available cross-border-transfer terms, including Standard Contractual Clauses where the vendor offers them. We have not separately executed Standard Contractual Clauses at this stage of the company. We will document a more formal transfer mechanism before Toran exits private beta.
6. Data Retention
We retain account data and your uploaded photographs for as long as your account is active. If you ask us to close your account, we will initiate deletion of your account credentials, room photographs, derived assets, and associated metadata within 30 days of confirming your request. Some information may be retained beyond that period where we are legally required to do so — for example, records related to tax, fraud prevention, or legal claims.
Waitlist entries are retained until you ask us to remove them or until we determine the entry is no longer needed for product launch communications.
Deletion from third-party AI inference providers happens on each vendor's own schedule (see Section 3); we do not control those timelines.
7. Your Rights
For all users
- Access: you may request a copy of the personal data we hold about you.
- Correction: you may correct inaccurate information by emailing us. (A self-service profile editor is on our roadmap.)
- Deletion (“Right to be Forgotten”): you may request that we delete your account and associated data. Today, deletion is processed manually: email support@mytoran.com with the subject line “Data Deletion Request”. We will confirm receipt and complete deletion within 30 days. A self-service deletion endpoint is on our roadmap (see Section 11).
- Portability: you may request a machine-readable export of your data. Today this is also a manual process via the same support address. A self-service export is on our roadmap.
- Object / restrict / withdraw consent: you may object to or restrict specific processing, or withdraw any consent you previously gave, by emailing us.
EU / EEA / UK residents (GDPR / UK GDPR)
Our legal bases for processing are:
- Contract performance — to provide the service you sign up for (account creation, AI processing of your photos, transactional email).
- Legitimate interests — security, abuse prevention, basic operations logging.
- Consent — for any future marketing email, and for the consent record itself (acceptance of this Policy and the Terms).
- Legal obligation — where applicable.
You also have the right to lodge a complaint with your national supervisory authority.
California residents (CCPA / CPRA)
Categories of personal information we collect are described in Section 1. The categories of sources are: directly from you, automatically from your device, and from our service providers when they confirm completion of an operation. The business purposes are described in Section 2. The categories of third parties with whom we share are listed in Section 4. We do not sell or share personal information for cross-context behavioural advertising. You have the right to know, delete, correct, and limit the use of sensitive personal information; we will not discriminate against you for exercising any of these rights. We are working to honour the Global Privacy Control (Sec-GPC) signal at the application layer; until that is implemented, the email-based opt-out path described above applies.
Canadian residents (PIPEDA)
Our designated privacy contact is reachable at support@mytoran.com. Your data may be transferred to and processed in the United States by the sub-processors listed in Section 4.
8. AI-Generated Content
Outputs produced by Toran are generated, edited, or modified by artificial-intelligence systems. Where the output would be reasonably mistaken for an original photograph or for human-authored work, you should disclose its AI-generated nature when sharing it externally. We are working on visible “AI-generated” labelling within the application interface (see Section 11).
Toran does not make automated decisions that produce legal effects or similarly significant effects about you (for example, decisions about credit, employment, housing, or insurance). The AI features in Toran are creative and visual in nature.
9. Security
Account credentials, account metadata, room photographs, and derived assets are stored in Supabase. Supabase encrypts data at rest using AES-256 and data in transit using TLS 1.2 or higher. Authentication tokens are short-lived JSON Web Tokens issued by Supabase Auth.
No system is impenetrable. If we become aware of a personal-data breach that affects you, we will notify you by email within 72 hours where legally required (GDPR Article 33) or as soon as reasonably practicable.
10. Children's Privacy
Toran is not directed to children. We do not knowingly collect personal information from children under 13 (in the United States, per COPPA), under 16 (in the European Union, per GDPR), or under any higher minimum age set by your jurisdiction. The Terms of Service require all account holders to be at least 16 years old. If you believe a child has provided us with their information, please contact support@mytoran.com and we will delete it promptly.
11. Known Gaps and Roadmap
We are publishing this policy in good faith during private beta. The following items are tracked engineering work that we are committed to landing before exiting beta or before the volume of user data warrants it:
- Self-service account deletion endpoint, with cascading deletion across database tables and Supabase Storage buckets.
- Self-service data-export endpoint.
- Honouring the Global Privacy Control (Sec-GPC) browser signal at the application layer.
- Sending the FAL.ai per-request opt-out header on all inference calls so that input/output payloads are not stored by FAL by default.
- Visible “AI-generated” labelling on rendered outputs in the user interface.
- A machine-readable sub-processor list and an email subscription for sub-processor change notices.
12. Changes to This Policy
We will update this policy as Toran evolves. For material changes, we will notify users via email or a prominent in-app notice at least 14 days before the change takes effect. Continued use of Toran after that date constitutes acceptance of the revised policy. Earlier versions of this policy are recorded by version number against your consent record.
13. Contact
For privacy-related requests, questions, or complaints, contact us at:
Toran Inc.
A Delaware corporation, operating from Washington, USA
support@mytoran.com