Privacy Policy
Tayu is operated by Nono — the trading name of sole proprietor Makoto Nonoyama (野々山諒), based in Japan (“we”, “us”). This policy explains what personal data we collect, why, how long we keep it, and the rights you have.
Last updated: 23 May 2026.
1. Who is the data controller
The data controller for this website (tayutau.app) and the Tayu desktop app is Nono (Makoto Nonoyama), a sole proprietor based in Japan. You can reach us at support@tayutau.app for any privacy-related question.
2. What data we collect on the website
When you visit tayutau.app we collect the following through our analytics provider (PostHog, see section 6):
- Pages viewed and the pages you arrived from (URLs are stripped of query parameters and identifiers before being stored).
- Anonymous click and form-submission events on links, buttons, and forms.
- Browser type, operating system, screen size, and approximate geographic region inferred from your IP address. We do not store the raw IP address in PostHog.
- A randomly generated session ID stored in a first-party cookie or local storage, used to group events from the same visit. By default this is anonymous; we never link it to your name or email unless you contact us directly.
We honour the Do Not Track browser signal: when DNT is enabled in your browser, the website skips analytics for your visit entirely.
3. What data we collect when you buy a paid plan
Purchases are processed by Paddle.com Market Limited, which acts as the Merchant of Record (MoR) on our behalf. Paddle collects and processes the data needed to complete the transaction: your name, email address, billing address, country, payment method details, and the IP address used to make the purchase. Paddle is the controller of that data; their privacy policy is at paddle.com/legal/privacy.
After payment, Paddle sends us a webhook with your email address and an opaque customer ID so we can grant access to paid features. We store this in our own database to issue entitlements; see section 4.
4. What the Tayu desktop app does with your data
The Tayu desktop app is designed to run locally. Your wallpapers, playlists, schedules, and YouTube URLs stay on your device. We do not have a server-side copy of your library.
The app talks to our backend (api.tayutau.app) only for the following reasons:
- Entitlement check — the app sends a per-install device identifier and your access code (issued after purchase) so we can confirm your paid plan is active. We log these requests for abuse prevention and keep them for up to 90 days.
- Crash and error reports — if the app crashes, we may receive an anonymous crash signature and the app version. We do not include the contents of your library.
The app does not contain any third-party advertising or marketing SDKs.
5. When you contact support
If you email support@tayutau.app, we receive your email address and the content of your message. We use it only to respond to your request and keep the thread for up to 2 years for follow-up support, after which it is deleted.
6. Third-party services we use
- Paddle — payment processing, tax handling, and subscription management. Paddle is the Merchant of Record. (privacy policy)
- PostHog — product and website analytics, hosted in the United States. We use it with anonymous-by-default profiles and URL redaction. Session replays mask all form inputs. (privacy policy)
- Cloudflare — website hosting (Cloudflare Workers) and DNS. Cloudflare may receive your IP address as part of routing requests; we do not retain access logs beyond Cloudflare’s standard retention. (privacy policy)
We do not embed YouTube, Google Analytics, advertising trackers, Facebook Pixel, or any social media buttons on tayutau.app.
7. Cookies and local storage
tayutau.app uses a small number of strictly necessary first-party storage entries:
- An anonymous analytics session ID (PostHog) used to group events from one visit. Opted out automatically if your browser sends Do Not Track.
- Short-lived storage used by the Paddle checkout overlay during a purchase.
We do not use cookies for advertising, retargeting, or cross-site tracking.
8. International data transfers
If you visit tayutau.app from outside Japan, your data is necessarily transferred to and processed in other countries. PostHog stores analytics events on servers in the United States. Paddle processes payment data globally in line with their own infrastructure. We rely on the privacy frameworks each provider has put in place (including Standard Contractual Clauses where applicable to EU/UK residents) to keep transfers compliant.
9. Your rights
Depending on where you live, you may have the following rights regarding your personal data:
- Access — ask for a copy of the data we hold about you.
- Rectification — ask us to correct inaccurate data.
- Erasure — ask us to delete your data, subject to legal record-keeping obligations on the payment side (Paddle is required to retain transaction records for tax and anti-fraud purposes).
- Portability — receive your data in a machine-readable format.
- Objection / opt-out — opt out of analytics by enabling Do Not Track or by emailing us. Opting out does not affect your access to the website or app.
- Complaint — lodge a complaint with your local data protection authority. EU/UK residents can find their authority via the EDPB; Japanese residents can contact the Personal Information Protection Commission (PPC).
To exercise any of these rights, email support@tayutau.app from the email address you used with us. We respond within 30 days. For payment-related data, we may need to forward your request to Paddle as the data controller for that information.
10. Children
Tayu is not directed at children under 13 (or under 16 in some jurisdictions). We do not knowingly collect personal data from children. If you believe a child has provided us data, contact us and we will delete it.
11. Security
We use TLS (HTTPS) for all traffic to tayutau.app and api.tayutau.app. Payment data is handled by Paddle on PCI-compliant infrastructure and never touches our servers in raw form. Our backend is hosted on Cloudflare with standard access controls.
12. Information we do not collect
For clarity, Tayu does not collect or process:
- The contents of your wallpaper library, playlists, schedules, or YouTube URLs — these stay on your device.
- Raw IP addresses stored in our analytics; PostHog receives a coarse region only and we do not retain the IP.
- Precise location, contacts, calendar, microphone, camera, or screen-recording data.
- Identified PostHog profiles by default — we run in identified_only mode and never call identify() on the website.
- Cross-site tracking, advertising IDs, retargeting pixels, or social-media beacons.
- Credit-card numbers, CVVs, or bank-account details — these are handled solely by Paddle on PCI-compliant infrastructure.
13. Lawful basis for processing (EU/UK residents)
If GDPR or UK GDPR applies to you, we rely on the following lawful bases under Article 6:
- Performance of a contract (Art. 6(1)(b)) — processing your purchase, granting entitlements to paid features, and providing customer support you have requested.
- Legitimate interests (Art. 6(1)(f)) — running pseudonymous product analytics (PostHog) to understand which features are used, detecting abuse of our entitlement API, and securing our infrastructure. We balance this against your privacy by honouring Do Not Track, redacting URLs, masking form inputs in session recordings, and never linking analytics IDs to your email.
- Compliance with a legal obligation (Art. 6(1)(c)) — retaining transaction records for tax, accounting, and consumer-protection purposes (handled primarily by Paddle as the Merchant of Record).
- Consent (Art. 6(1)(a)) — where required by local law, before sending optional product update emails. You can withdraw consent at any time without affecting prior processing.
14. Data retention
- Analytics events: up to 12 months in PostHog.
- Entitlement records (purchase ↔ install): for the lifetime of the entitlement plus 2 years for tax record-keeping.
- Support email threads: up to 2 years from last reply.
- Transaction records held by Paddle: per Paddle’s own retention policy (typically 7 years for tax reasons).
15. Notice for California residents (CCPA/CPRA)
If you are a California resident, the California Consumer Privacy Act, as amended by the California Privacy Rights Act (collectively, “CCPA”), gives you specific rights regarding your personal information.
Categories of personal information we collect. In the past twelve (12) months we have collected the categories of personal information described in sections 2–4 of this policy: identifiers (such as a randomly generated analytics session ID and, for purchases, your name and email handled by Paddle), commerce information (transaction history, also handled by Paddle), internet or network activity (page views and click events), approximate geolocation (region inferred from IP), and inferences drawn from the above to improve the product.
Sources and purposes. We collect this information directly from you when you visit the website, install the app, or make a purchase. We use it to provide and improve Tayu, fulfil purchases, prevent abuse, and meet legal obligations.
Sale or sharing of personal information. We do not sell your personal information, and we do not share it for cross-context behavioural advertising. We have not done so in the past twelve (12) months and have no plans to do so.
Your rights. Subject to verification of your identity, you may request to (a) know what personal information we hold about you, (b) delete that information (subject to legal record-keeping obligations on the payment side), (c) correct inaccurate information, and (d) limit the use of sensitive personal information. You may exercise these rights by emailing support@tayutau.app with the subject “CCPA rights request”. We will not discriminate against you for exercising these rights. You may use an authorised agent to submit a request on your behalf; we will require reasonable proof of authorisation.
16. Changes to this policy
If we make material changes to this policy, we will update the “Last updated” date at the top of this page and, where appropriate, notify customers by email. Continued use of Tayu after the change means you accept the updated policy.
17. Contact
For any privacy question or to exercise the rights described above, write to Nono (Makoto Nonoyama) at support@tayutau.app.