Privacy

Privacy Policy

How Torrento handles website analytics, Android app data, companion pairing, subscriptions, and Torrento Connect service metadata.

Last updated: April 15, 2026

This Privacy Policy explains how Torrento ("Torrento," "we," "our," or "us") collects, uses, stores, and discloses personal data when you browse torrento.app, use the Torrento Android app, or pair and use Torrento Connect through a companion device. It applies when you use:

  • the Torrento website at torrento.app and related pages,
  • the Torrento Android application, and
  • Torrento Connect, including the companion applications, companion browser dashboard, pairing flow, hosted relay, and update services.

For the purposes described in this policy, Torrento is the controller of the personal data we process for our own service operations. You can contact us at info@torrento.app.

1. Scope

This Privacy Policy applies to personal data processed by us when:

  • you browse or download from our website,
  • you use the Torrento Android app,
  • you configure local or remote torrent servers inside the app,
  • you pair and use Torrento Connect between the Android app and a companion device, and
  • you contact us or use optional account-recovery features made available for Torrento Connect.

This policy does not govern the privacy practices of your torrent client, your seedbox or NAS provider, Google Play, Firebase, AdMob, your email provider, or any third-party service you choose to connect to Torrento. Those services operate under their own terms and privacy notices.

2. Plain-English Summary

  • Standard torrent server profiles that you add directly inside the Android app are stored locally on your device.
  • Torrent-client credentials configured inside a Torrento Connect companion stay on the companion machine. They are not sent to Torrento's backend as credentials.
  • Torrento Connect does store service metadata needed to run the pairing, presence, update, entitlement, and relay systems.
  • The Android app uses Firebase Analytics, Google Mobile Ads, the Google User Messaging Platform, Google Play Billing, and Firebase Cloud Messaging.
  • The website uses Firebase Analytics in production to measure page views and site interactions.
  • If Connect falls back to relay or proxy mode, our backend processes connection traffic in transit so the Android app and the companion can communicate remotely.

3. Personal Data We Process

3.1 Website and download pages

When you access Torrento-hosted pages or API endpoints, our infrastructure and networking stack necessarily receive request data such as your IP address, user agent, timestamps, requested URLs, and related HTTP metadata.

In production, the website also uses Firebase Analytics to record page-view and site-interaction events, including page path, page location, page title, referrer, clicked destination, interaction labels, and page section metadata. This may involve cookies or similar identifiers managed by Google/Firebase.

3.2 Data stored locally in the Android app

The Android app stores operational data on the device, including:

  • torrent server profiles, hostnames, ports, usernames, and passwords for non-Connect servers,
  • app preferences such as theme mode, accent colors, refresh interval, active view, onboarding status, and notification settings,
  • category icons, saved paths, local engine settings, and local torrent state,
  • the Android app's Firebase Cloud Messaging registration token, and
  • limited in-app prompt state such as review and feedback prompt history.

This local data is processed on your device for app functionality. Because the Android app currently allows platform backup, some of this data may also be included in device-level backup or transfer systems controlled by Android or your Google account settings.

3.3 Android analytics, ads, and consent records

The Android app uses Firebase Analytics to record product usage events such as screen views, torrent-added events, torrent completion events, server-added events, purchase completion events, app-feedback prompt events, and Connect launch-prompt events.

If ads are enabled in your build and you have not purchased Remove Ads, the app also uses Google Mobile Ads (AdMob). The app requests consent status through Google's User Messaging Platform before requesting ads where that framework requires consent. AdMob and related Google advertising services may process device identifiers, advertising identifiers, IP address, approximate location signals, ad request metadata, and ad interaction data in accordance with Google's own privacy documentation.

3.4 Purchases and subscriptions

The Android app uses Google Play Billing for:

  • the one-time Remove Ads purchase, and
  • the Torrento Connect subscription product.

For Remove Ads, the app restores purchase state from Google Play and stores a local boolean flag showing that ads have been removed.

For Torrento Connect subscriptions, the app may send your Google Play purchase token and package name to the Torrento Connect backend so we can verify entitlement with Google and unlock Connect-backed remote client import.

3.5 Torrento Connect mobile-session data

When the Android app bootstraps or refreshes a Torrento Connect mobile session, the Connect backend processes and may store:

  • an installation identifier generated by the app,
  • device identifiers issued by the backend,
  • platform, OS version, app version, and locale,
  • the app's push token, if available,
  • short-lived access tokens and refresh-token families, and
  • audit and session metadata tied to the mobile device.

In the pairing-first Connect flow, the backend creates an internal trust-owner record so the mobile device can pair a companion even before any explicit email-based account exists. In the current implementation, that record uses a synthetic non-routable internal email address solely as an identifier inside our database.

3.6 Torrento Connect companion data

When you run a Torrento Connect companion, the companion itself stores local companion configuration on that machine. That local configuration can include:

  • companion display name and platform details,
  • pairing state and companion tokens,
  • configured torrent-client labels, hostnames, ports, usernames, passwords, API keys, TLS settings, and capability data, and
  • diagnostic and runtime state required by the companion.

The Torrento Connect backend does not need your torrent-client passwords or API keys to operate the service and does not store those credentials in its central database. It does, however, process and store companion-side metadata such as:

  • companion ID, trust-owner ID, display name, platform, and agent version,
  • public keys used for pairing and trust,
  • online, relay, and local-reachability state,
  • connected client metadata including client label, client type, host kind, host, port, auth state, capability flags, last-ok timestamps, and last error state, and
  • presence and audit events needed to operate the service.

3.7 Pairing, signaling, and relay data

Torrento Connect processes pairing and remote-session data so the Android app and the companion can find each other and communicate. Depending on the route used, this can include:

  • pairing codes and pairing expiration timestamps,
  • sealed token bundles created during successful pairing,
  • signal and presence messages used to negotiate sessions,
  • session path selection metadata such as local, direct, or relay,
  • session timestamps and total relayed byte counts, and
  • local candidate or local-network hint information used to try to upgrade a connection away from relay.

When a session is on relay or proxy fallback, our backend transiently processes relayed request and response data so the Android app can control the paired companion remotely. The current implementation stores proxy request bodies only in short-lived server memory tickets and expires them quickly; it does not intentionally persist those proxied payload bodies in the normal session database. The backend does persist session metadata such as route used, timestamps, and aggregate bytes relayed.

3.8 Optional account, login, and password-recovery data

Torrento Connect also includes account-oriented backend flows that may be used now or in future public-facing experiences. If you use those flows, we may process:

  • email address,
  • password hash, not the raw password,
  • user-session tokens,
  • password reset tokens and reset-delivery timestamps, and
  • audit events tied to registration, login, logout, and reset.

3.9 Communications with us

If you contact us by email or otherwise send us information directly, we process the contact details and the content of your message to respond, troubleshoot, and maintain support records.

4. How We Use Personal Data

We use personal data to:

  • operate, secure, and maintain the website and apps,
  • connect the Android app to the torrent servers you choose,
  • operate Torrento Connect pairing, presence, session routing, companion updates, and relay fallback,
  • verify purchase and subscription entitlement,
  • deliver push notifications that support app functionality,
  • measure usage and improve the product,
  • show ads where applicable and where permitted,
  • prevent abuse, secure accounts and sessions, and audit access,
  • respond to support requests and password resets, and
  • comply with legal obligations and enforce our terms.

5. Legal Bases for Processing

Where the GDPR, UK GDPR, or similar laws apply, we generally rely on the following legal bases:

  • Contract / steps at your request: to deliver the app, pairing, remote connectivity, purchase verification, password reset, and support you ask us to provide.
  • Legitimate interests: to secure the service, prevent fraud or abuse, maintain logs, improve reliability, diagnose failures, and understand aggregate product usage.
  • Consent: where required for ad personalization, certain analytics technologies, notification permissions, or similar optional processing.
  • Legal obligation: where we must retain or disclose information to comply with applicable law, tax, accounting, or lawful requests.

6. When We Disclose Data

We disclose personal data only where necessary to operate the service.

  • Google / Firebase: for Firebase Analytics, Firebase Cloud Messaging, Google Mobile Ads, the User Messaging Platform, and Google Play Billing.
  • Infrastructure and hosting providers: to host the website, downloads, APIs, and relay systems.
  • Email delivery providers: if and when password reset or account emails are sent through configured SMTP infrastructure.
  • Your selected counterparties: for example, your torrent client, your companion machine, Google Play, or your app-store account, when the requested function inherently requires communication with them.
  • Legal and safety disclosures: if required by law, subpoena, court order, or to protect rights, safety, security, and service integrity.

We do not sell your torrent-client credentials. We do not disclose companion-stored torrent-client passwords or API keys to advertisers. We also do not use your locally stored torrent server credentials for our own marketing purposes.

7. International Transfers

Torrento and its service providers may process personal data in countries other than the country where you live, including countries that may have different data-protection rules. Where we rely on processors or services outside the EEA, UK, or Switzerland, we will rely on appropriate transfer mechanisms where required by applicable law, such as adequacy decisions or standard contractual clauses.

8. Data Retention

We retain personal data only for as long as necessary for the purposes described in this policy, including security, fraud prevention, compliance, and record-keeping.

  • Local app and companion data: retained until you delete it, uninstall the app or companion, clear app data, remove the companion configuration, or overwrite it with newer data, subject to any device-level backup settings you enable.
  • Website analytics: retained according to the Firebase / Google Analytics settings and retention controls in our project configuration.
  • Pairing codes: intended to expire quickly, and by default are short-lived.
  • Access tokens: short-lived. Refresh token families: longer-lived to keep devices signed in, unless revoked, replaced, or expired.
  • Password reset tokens: short-lived and invalid after expiry or use.
  • Proxy body tickets: held only briefly in server memory and deleted after consumption or expiry in the normal relay flow.
  • Subscription, audit, device, and session records: retained for operational, billing, security, and dispute handling needs, and then deleted or de-identified when no longer required.

9. Security

We use technical and organizational measures designed to protect personal data against unauthorized access, loss, misuse, or alteration. These measures include authentication tokens, session controls, companion public-key trust, entitlement checks, and compartmentalizing credentials so that local torrent-client passwords remain on the device or companion where they are configured.

No system is perfectly secure. You are responsible for protecting access to your device, companion machine, torrent-client accounts, and local network. You are also responsible for the transport security of the torrent server endpoints you choose to configure. If you configure a client over insecure HTTP or another unencrypted path, traffic between your device or companion and that client may not be encrypted.

10. Your Rights and Choices

Depending on where you live, you may have rights to access, correct, update, delete, restrict, object to, or export certain personal data, and to withdraw consent where processing relies on consent. You may also have the right to complain to a supervisory authority.

You can also use product-level controls, including:

  • deleting local server profiles, companion imports, or app data,
  • unpairing companions or deleting devices,
  • revoking notification permission at the operating-system level,
  • using the ad privacy options made available through Google's consent tooling inside the Android app, and
  • contacting us at info@torrento.app to exercise applicable privacy rights.

11. Children's Privacy

Torrento is not directed to children. We do not knowingly target or seek to collect personal data from children under 16. If you believe a child has provided personal data to us, contact us at info@torrento.app and we will review the request.

12. Changes to This Policy

We may update this Privacy Policy from time to time to reflect product changes, legal requirements, or operational improvements. When we do, we will publish the revised version at this page and update the "Last updated" date above. Material changes will apply from the date the updated policy is posted unless a longer notice period is required by law.

13. Contact

If you have questions about this Privacy Policy, privacy rights requests, or data-protection concerns, contact Torrento at info@torrento.app.