Privacy Policy

Effective: March 2026

Opal is built with minimal data collection by design. We collect only what is necessary to provide the service. This policy explains exactly what that is.

What we collect

When you create an account

You sign in through a third-party provider (Google, Microsoft, or Apple). We receive and store only your email address and a provider-specific identifier used to link your account. We do not store your name, profile picture, phone number, or any other personal information from these providers.

If you register with a username and password instead of SSO, we store your username and a securely hashed password. We never store passwords in plain text.

When you use the platform

We maintain an authenticated session using an encrypted, HttpOnly cookie. Your session expires after 30 minutes of inactivity. We log your IP address and user-agent string for the duration of the session for security purposes.

When someone scans a QR code or opens a URL

Scan events are logged for analytics that you, the product creator, see in your dashboard. We record:

  • Truncated IP address — the last octet of an IPv4 address is zeroed before storage (e.g. 203.0.113.57 becomes 203.0.113.0). The full address of the scanner is never stored.
  • Approximate location — country, region, and city derived from the truncated address by a lookup in a locally hosted geolocation database. No external geolocation service is called.
  • Device information — device type, operating system, and browser, parsed from the user-agent string.
  • Referrer and UTM parameters — if present in the URL.
  • A one-way fingerprint hash — used only to count unique visitors. This hash cannot be reversed to identify a person.

Scans are anonymous. They are never linked to user accounts.
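The truncation and fingerprint scheme described above, shown as an added Python illustration written for this page. It is not Opal's code, whose implementation is not published here, and it assumes a secret key held in a secret store, an IPv6 rule (keep the first 48 bits) that the policy does not specify, and constructed sample requests. The detail worth seeing is that a hash over a truncated IP and a user-agent string is only one-way in practice if it is keyed: both inputs have little entropy, so anyone holding an unkeyed hash can enumerate candidates and match them.

```python
import hashlib
import hmac
import ipaddress
from datetime import date
from urllib.parse import parse_qs, urlparse

# Hypothetical per-deployment secret. In a real deployment this would be loaded
# from a secret store (the policy names GCP Secret Manager) and rotated; it is
# hard-coded here only so the example runs offline.
FINGERPRINT_KEY = b"example-key-do-not-use-in-production"


def truncate_ip(raw: str) -> str:
    """Drop the host portion of an address before it is stored.

    IPv4: zero the last octet, as the policy describes
    (203.0.113.57 -> 203.0.113.0). IPv6: keep the first 48 bits
    (2001:db8:abcd:1234::1 -> 2001:db8:abcd::). The IPv6 rule is an
    assumption for this example; the policy only specifies the IPv4 case.
    """
    addr = ipaddress.ip_address(raw)
    prefix = 24 if addr.version == 4 else 48
    network = ipaddress.ip_network(f"{addr}/{prefix}", strict=False)
    return str(network.network_address)


def visitor_fingerprint(ip_prefix: str, user_agent: str, day: date, key: bytes) -> str:
    """Keyed one-way fingerprint for counting unique visitors.

    A plain SHA-256 over (ip_prefix, user_agent) is reversible in practice:
    both inputs have little entropy, so an attacker holding the stored hashes
    can enumerate candidates and match them. HMAC with a secret key removes
    that attack, because candidates cannot be hashed without the key. Mixing
    in the date scopes the identifier to one day, so daily uniques can be
    counted without linking the same visitor across days.
    """
    parts = [day.isoformat().encode(), ip_prefix.encode(), user_agent.encode()]
    return hmac.new(key, b"\x00".join(parts), hashlib.sha256).hexdigest()


def utm_params(url: str) -> dict:
    """Extract utm_* query parameters from the scanned URL, if any."""
    query = parse_qs(urlparse(url).query)
    return {k: v[0] for k, v in query.items() if k.startswith("utm_")}


def anonymize_scan(raw_ip: str, user_agent: str, referrer: str, url: str,
                   day: date, key: bytes = FINGERPRINT_KEY) -> dict:
    """Build the record that would be stored for one scan.

    Only the truncated address leaves this function; the full IP is used to
    compute the prefix and then discarded.
    """
    ip_prefix = truncate_ip(raw_ip)
    return {
        "ip_prefix": ip_prefix,
        "visitor": visitor_fingerprint(ip_prefix, user_agent, day, key),
        "referrer": referrer or None,
        "utm": utm_params(url),
    }


def count_unique_visitors(events: list) -> int:
    return len({e["visitor"] for e in events})


# Constructed sample scans: documentation-range addresses and made-up
# user-agent strings, not captured traffic.
IPHONE_UA = "Mozilla/5.0 (iPhone; CPU iPhone OS 17_0 like Mac OS X) Safari/604.1"
LINUX_UA = "Mozilla/5.0 (X11; Linux x86_64) Firefox/124.0"
SAMPLE_SCANS = [
    ("203.0.113.57", IPHONE_UA, "https://social.example/post/1",
     "https://opal.example/q/abc?utm_source=poster&utm_medium=qr"),
    # A different host in the same /24 with the same browser: after truncation
    # it is indistinguishable from the first scan and counts as the same visitor.
    ("203.0.113.58", IPHONE_UA, "",
     "https://opal.example/q/abc?utm_source=poster&utm_medium=qr"),
    ("2001:db8:abcd:1234::1", LINUX_UA, "",
     "https://opal.example/q/abc"),
]


def process_samples(day: date = date(2026, 3, 1)) -> list:
    return [anonymize_scan(*scan, day=day) for scan in SAMPLE_SCANS]


if __name__ == "__main__":
    events = process_samples()
    for e in events:
        print(e["ip_prefix"], e["visitor"][:16], e["utm"])
    print("unique visitors:", count_unique_visitors(events))
```

The second constructed scan shows the cost of the design: once the last octet is gone, two different devices behind the same /24 with the same browser collapse into one fingerprint, so unique-visitor counts built this way undercount rather than overcount. That is the intended trade-off when the stored record must not identify a person.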

What we do not collect

  • No names, phone numbers, or physical addresses
  • No payment card numbers, expiry dates, or billing addresses — all payment processing is handled by our payment provider (Whop)
  • No cookies for advertising or cross-site tracking
  • No third-party analytics (no Google Analytics, no tracking pixels, no Sentry)
  • No device fingerprinting beyond the one-way hash described above

Third-party services

We use the following third-party services, each receiving only the minimum data required:

  • Google, Microsoft, Apple — authentication only. We verify your identity token; no ongoing data exchange occurs after login.
  • Whop — payment processing. Whop receives your payment details directly. We store only your subscription status and membership identifier.
  • Google Maps Platform — map rendering for QR experiences. Google receives standard API requests; no user-identifying data is sent.

We do not sell, rent, or share your data with any other third party.

Infrastructure and security

  • Hosted on Google Cloud Platform with IAM-authenticated database access
  • All secrets managed via GCP Secret Manager — no hardcoded credentials
  • Data encrypted in transit (TLS) and at rest
  • Two isolated databases — authentication data is stored separately from product data
  • QR code payloads carry a CRC checksum to detect corruption or misreads (an error-detection measure, not a tamper-proof one)
  • Session cookies are set with HttpOnly, Secure and SameSite=Strict: HttpOnly keeps the cookie out of reach of page scripts, which limits the damage of an XSS bug; Secure restricts it to TLS connections; SameSite=Strict stops cross-site requests from carrying it, which mitigates CSRF
  • Rate limiting on all public endpoints

Data retention

Account data is retained for the lifetime of your account. Scan analytics are collected in anonymized form (IP addresses are truncated, no user identifiers are stored) and retained for up to 24 months to provide ongoing dashboard insights. Sessions expire after 30 minutes of inactivity and are purged automatically.

Data residency

All production data — accounts, products, scan analytics, and sessions — is stored in Google Cloud Platform's asia-northeast1 (Tokyo, Japan) region. Your data does not leave Japan for service delivery. Development environments may use other regions but do not process or store production user data.

Your rights

Under Japan's Act on the Protection of Personal Information (APPI), the EU General Data Protection Regulation (GDPR), and the California Consumer Privacy Act (CCPA), you have specific rights regarding your personal data. Our minimal data collection means most of these rights are straightforward to exercise:

  • Access and disclosure — your dashboard shows all scan analytics associated with your products. You may also request a copy of your retained personal data in electronic or written form.
  • Deletion and cessation of use — request deletion of your account and all associated personal data. Anonymized scan analytics may be retained.
  • Export — request a portable export of your account data.
  • Rectification — request correction of inaccurate personal data.
  • Object to processing — you may object to processing of your data where we rely on legitimate interest, or request cessation of third-party provision.
  • Non-discrimination — exercising your privacy rights will not affect the service you receive.

To exercise any of these rights, email us at jtc.busines.a@gmail.com or contact us through our LinkedIn page. We will respond to verified requests without undue delay and within 30 days.

Regulatory compliance

Opal is operated by a Japanese Kabushiki Kaisha (KK). We comply with the following data protection frameworks:

  • APPI (Japan) — Act on the Protection of Personal Information, including the 2022 amendments. Our primary governing framework.
  • GDPR (EU) — General Data Protection Regulation, applicable when serving EU residents.
  • CCPA (California, US) — California Consumer Privacy Act, applicable when serving California residents.

Legal basis for processing

Under GDPR and APPI, we process your data on the following bases:

  • Contract performance — account creation, session management, and service delivery.
  • Legitimate interest — scan analytics, security logging, and service improvement.
  • Legal obligation — where required by law.

Cross-border data transfers

Production data is stored exclusively in Japan (GCP asia-northeast1). Authentication tokens are verified against OAuth provider endpoints (Google, Microsoft, Apple) as part of the sign-in process. Payment processing is handled by Whop as an entrusted processor. No bulk personal data is transferred outside Japan.

Cookies

We use two functional cookies: an authentication session cookie (encrypted, HttpOnly, Secure, SameSite=Strict, expiring after 30 minutes of inactivity) and an anonymous chat session cookie (HttpOnly, 4-hour expiry, scoped to the chat endpoint). Neither stores personal information. We do not use cookies for tracking, advertising, or analytics.

Changes to this policy

We may update this policy as our service evolves. Significant changes will be communicated through the platform. The effective date at the top of this page reflects the most recent update.

Contact

For privacy questions or data requests, email jtc.busines.a@gmail.com or reach us through our LinkedIn page.