Privacy Policy

Last updated: February 2026

1. Introduction

Tayoly ("we," "us," or "our") operates a language guidance matching platform that connects multilingual speakers with people seeking language support for online and in-person engagements. This Privacy Policy explains how we collect, use, store, and protect your personal information in compliance with the Act on the Protection of Personal Information (APPI / 個人情報保護法) and other applicable data protection laws.

By using our platform, you consent to the practices described in this policy.

2. Information We Collect

2.1 Account Information

When you create an account, we collect:

  • Name and email address
  • Password (hashed using Argon2; we never store plaintext passwords)
  • Social login identifiers (Google, LINE, or Apple account IDs when using OAuth)
  • Phone number (for SMS OTP verification at Tier 1)

2.2 Profile Information

To provide our matching service, we collect:

  • Languages spoken and CEFR proficiency levels (A1 through C2)
  • Bio and description text
  • Availability schedule
  • Approximate location (city or area level for geospatial matching)
  • Profile preferences and notification settings

2.3 Identity Verification Data

For users who complete Tier 2 identity verification (required for guides before in-person sessions), we use Stripe Identity to process:

  • Government-issued ID document (e.g., driver's license, passport, residence card)
  • Selfie photograph for passive liveness detection
  • Verification status and result

Raw identity documents and selfie images are processed and stored by Stripe, not on Tayoly's own servers. We retain only the verification status, tier level, document type, and Stripe verification reference ID.

2.4 Engagement and Transaction Data

  • Booking requests, engagement details, and session history
  • Payment transaction records (processed through Stripe Connect)
  • Reviews and ratings submitted after engagements
  • Safety reports and dispute records

2.5 Communications Data

  • Messages exchanged through our in-app chat system
  • Support inquiries and correspondence

2.6 Location Data

For in-person engagements, we may collect:

  • Approximate location for guide search and matching (stored as geographic coordinates)
  • Geofence check-in and check-out events at meeting locations
  • Share My Trip session data (shared with your designated trusted contact)

We display only approximate distances ("2km away") during the discovery phase. Exact locations are never shown to other users before a booking is confirmed.

2.7 Technical Data

  • IP address, browser type, and device information
  • Access timestamps and usage patterns
  • Error logs (with personal information masked)

3. How We Use Your Information

We use your information for the following purposes:

  • Matching and search -- To find and rank suitable guides or seekers based on language skills, location, availability, and reputation
  • Account management -- To create and maintain your account, authenticate your identity, and manage your sessions
  • Communication -- To facilitate messaging between users and deliver platform notifications
  • Payments -- To process bookings, escrow holds, refunds, and guide payouts through Stripe Connect
  • Safety -- To provide geofence check-in, Share My Trip, and safety reporting features for in-person engagements
  • Identity verification -- To verify user identity through Stripe Identity for trust and safety purposes
  • Trust and reputation -- To calculate and display ratings using Bayesian averages of verified reviews
  • Platform improvement -- To analyze usage patterns (in aggregate) and improve matching quality and user experience
  • Legal compliance -- To comply with applicable laws, respond to legal requests, and enforce our Terms of Service

4. Data Sharing

We share personal information only in the following circumstances:

  • With other users -- Your public profile information (name, bio, languages, ratings) is visible to other users. For confirmed engagements, limited additional details are shared as needed (e.g., meeting location for in-person sessions).
  • With Stripe -- Payment and identity verification data is shared with Stripe for transaction processing and identity verification. Stripe acts as an independent data controller for payment-related data. See Stripe's Privacy Policy.
  • With trusted contacts -- When you use Share My Trip, the name, verified photo, and meeting details of your counterpart are shared via a secure, time-limited link with the contact you designate.
  • With service providers -- We use third-party services for hosting, email delivery, and analytics. These providers process data on our behalf under data processing agreements.
  • For legal compliance -- We may disclose information when required by law, court order, or government request.

We do not sell your personal information to third parties.

5. Data Retention

We retain your data according to the following schedule:

| Data Type | Retention Period | Reason |
|---|---|---|
| Account and profile data | Duration of account + 30 days | Service provision |
| Identity verification records | 7 years | APTCP / Stripe regulatory requirement |
| Transaction and payment records | 7 years | Tax and financial regulation compliance |
| Chat messages | Duration of account + 30 days | Service provision; dispute resolution |
| Safety reports | 7 years | Safety investigations and legal compliance |
| Engagement and review data | Duration of account + 90 days | Trust and reputation system integrity |
| Technical logs | 90 days | Security monitoring and debugging |

After the retention period expires, data is permanently deleted or anonymized. You may request earlier deletion of your profile data, subject to the mandatory retention periods above.

6. Cross-Border Data Transfer

Your data may be transferred to and processed in countries outside Japan, including the United States (where Stripe is headquartered) and other jurisdictions where our service providers operate.

In accordance with Article 28 of the APPI, we will obtain your explicit consent before transferring personal data to a third party in a foreign country, unless the recipient country has been recognized by the Personal Information Protection Commission (PPC) as having an equivalent level of data protection, or the recipient has established a system conforming to APPI standards.

By creating an account and using our platform, you consent to the transfer of your data as described in this section. You may withdraw this consent at any time by contacting us, though this may affect your ability to use certain features.

7. Cookies and Tracking

Tayoly uses cookies for the following purposes:

  • Essential cookies -- Session management, authentication tokens, and CSRF protection. These are required for the platform to function and cannot be disabled.
  • Preference cookies -- Language preference, theme settings, and UI customization. These improve your experience but are not required.
  • Analytics cookies -- Aggregated usage data to understand how users interact with the platform. No personal information is included in analytics data.

We do not use third-party advertising cookies or cross-site tracking. Authentication tokens are stored in HttpOnly, Secure, SameSite cookies to prevent unauthorized access.

8. Your Rights

Under the APPI, you have the following rights regarding your personal data:

  • Right of access -- Request a copy of the personal data we hold about you
  • Right of correction -- Request correction of inaccurate or incomplete data
  • Right of deletion -- Request deletion of your data (subject to mandatory retention periods)
  • Right to cease use -- Request that we stop using your data for specific purposes
  • Right to cease third-party provision -- Request that we stop sharing your data with third parties

To exercise any of these rights, contact us at support@tayoly.com. We will respond within 30 days.

9. Data Security

We protect your data through the following measures:

  • TLS encryption for all data in transit
  • Encryption at rest for stored data
  • Password hashing with Argon2 (GPU-resistant algorithm)
  • Least-privilege database access controls
  • Masked logging (personal information is never written to application logs)
  • Regular security audits and vulnerability assessments
  • Identity verification documents processed and stored exclusively by Stripe (not on our servers)

10. Children's Privacy

Tayoly is not intended for use by individuals under the age of 18. We do not knowingly collect personal information from children. If we become aware that we have collected data from a user under 18, we will delete that data promptly.

11. Changes to This Policy

We may update this Privacy Policy from time to time. When we make significant changes, we will notify you by email or through a notice on the platform. The "Last updated" date at the top of this page indicates when the policy was most recently revised.

12. Contact

For privacy-related inquiries, requests to exercise your rights, or complaints, please contact:

Tayoly Privacy Team
Email: support@tayoly.com

If you are not satisfied with our response, you may file a complaint with the Personal Information Protection Commission (PPC / 個人情報保護委員会).