Store Privacy Policy
This English version is a reference translation. The Japanese version (日本語) is the authoritative text.
irohamo (hereinafter "we," "us," or "our") establishes this Privacy Policy (hereinafter this "Policy") regarding the handling of user information on the website shamisen.app (hereinafter the "Site") that we operate and the sheet music store within the Site (hereinafter the "Store").
For the privacy policy applicable to the "ShamiScore" app, please see the App Privacy Policy.
1. Information We Collect
- Information obtained from your Google account
  - Google account internal identifier (sub)
  - Email address and verified flag
  - Display name (name)
  - Profile image URL

  These are provided by Google through the OAuth 2.0 mechanism when a user chooses to "Sign in with Google."
- Purchase information
  - Identifier of the purchased sheet music (product slug)
  - Purchase amount and currency
  - Stripe checkout session ID and payment intent ID
  - Purchase date and time, purchase status (paid / refunded, etc.)
- Download logs
  - User ID of the downloader, identifier of the sheet music, file type, and date and time
  - Source IP address and User-Agent header

  We record these for the purpose of investigating misuse and improving quality.
- Session information
  - Session ID to maintain login state (HttpOnly Cookie)
  - Session data retained on the server side (user ID, etc.)
- Referral source information (attribution)
  - To understand how visitors arrive at the Site, we store campaign parameters (such as utm), the host name of the referring site, the landing page, and the time of the first visit in a Cookie (this does not include IP addresses, full URLs, names, etc.). We use this only to measure the effectiveness of marketing activities.
- Inquiry information
  - Your email address, the content of your inquiry, and other information you provide to us
2. Information We Do Not Collect
- Payment information such as credit card numbers, expiration dates, and security codes (these are processed directly by the payment service provider Stripe, and we do not receive them)
- Personal information not associated with your Google account, such as name, address, and phone number (except where you voluntarily provide it when making an inquiry)
- Information not necessary for providing this service, such as contacts (address book), photos, and location data
3. Purposes of Use
We use the information we collect within the scope of the following purposes.
- Providing the Site and the Store and realizing their functions
- User authentication and maintaining login state
- Processing purchases, managing purchase history, and providing purchased content
- Detecting and preventing misuse (unauthorized access, unauthorized downloading, fraudulent use of payment, etc.)
- Responding to inquiries
- Investigating defects, improving quality, and creating statistical information
- Responding as required by laws and regulations
To achieve the above purposes, our operating staff may, to the extent necessary, view access logs, purchase history, and the like.
4. Provision to Third Parties and External Services
We will not provide your information to third parties except where required by laws and regulations or where you have consented. However, in providing this service, we use the following external services.
4-1. Google LLC (authentication and backend infrastructure)
We use Google OAuth for login to the Store. At login, the user authenticates with Google, and we receive part of the profile information from Google (item 1 above).
In addition, the Store's backend API runs on Google Cloud (Cloud Run), and access logs (request date and time, path, IP address, User-Agent, etc.) are recorded in Google Cloud's logging infrastructure. For how Google handles information, please see the Google Privacy Policy.
4-2. Stripe (payment)
Payment processing for the Store is carried out through the payment service provided by Stripe, Inc. Credit card information and the like do not pass through our servers and are processed and stored directly by Stripe. For how Stripe handles information, please see the Stripe Privacy Center.
4-3. Cloudflare (frontend, CDN, file storage)
The Site's frontend is delivered on the infrastructure of Cloudflare, Inc. (Workers / CDN), and sheet music files (PDF / .shami) are stored in Cloudflare R2 (object storage). We also use Cloudflare for measures against unauthorized access, such as WAF / Bot protection. For how Cloudflare handles information, please see the Cloudflare Privacy Policy.
4-4. Neon, Inc. (database)
User account information, purchase information, download logs, sessions, and the like are stored in the serverless Postgres database provided by Neon, Inc. For how Neon handles information, please see the Neon Privacy Policy.
5. Use of Cookies
The Site uses the minimum necessary Cookies (session Cookie, OAuth state, etc.) to maintain login state and for CSRF protection. These authentication-related Cookies are assigned the HttpOnly attribute and are configured so that they cannot be referenced from JavaScript.
In addition, we use first-party Cookies to measure the effectiveness of referral sources (item 1 above). This Cookie stores only campaign parameters, the referring host, the landing page, and the time, and does not include information that directly identifies an individual (IP address, name, etc.).
We do not use Cookies for the purpose of advertising delivery, or Cookies / analytics tags for behavioral tracking by third parties.
6. Access Analysis and Behavioral Tracking
The Site does not use analytics tags for the purpose of advertising delivery or behavioral tracking by third parties such as Google or Meta.
To maintain service quality and measure the effectiveness of marketing activities, we perform only the following in-house measurement.
- Request statistics and access logs recorded on the Cloudflare / Google Cloud infrastructure side (number of requests, error rates, IP addresses, User-Agent, etc.)
- Aggregation of the referral source information in item 1 above (first-party Cookie; utm, referring host, etc.)
If we change the purpose or scope of analysis, we will notify you after revising this Policy.
7. Data Retention Period
- User account information, purchase information, and download logs are retained for as long as the relevant account is active.
- If we receive a request for account deletion, we will delete the information, including purchase history, to a reasonable extent. However, we may retain for the necessary period information for which there is a legal retention obligation, such as accounting books, tax-related matters, and fraud investigation.
- For inquiry information, we will endeavor to delete it appropriately after the necessary period has elapsed following completion of our response.
8. Security Management
To prevent leakage, loss, or damage of the information we handle, we endeavor to manage security to a reasonable extent. Specifically, we have implemented the following measures.
- TLS encryption of communications
- A configuration in which credit card information is not handled on our servers
- Authentication that does not retain passwords (delegated to Google OAuth)
- Assignment of HttpOnly / Secure attributes to session Cookies
- Use of prepared statements for database access (measures against SQL injection)
- Non-public object storage + file delivery only after an authorization check
- Measures against unauthorized access using Cloudflare's WAF / Bot Management, etc.
However, please understand that complete security cannot be guaranteed for the exchange of information over the Internet.
9. Disclosure, Correction, Deletion, and Account Deletion
If you wish to have your own information disclosed, corrected, or deleted, or to delete your account, please contact us using the contact details below. After confirming your identity, we will respond to a reasonable extent.
10. Use by Minors
If a minor makes a purchase in the Store, please obtain the consent of a parent or guardian in advance.
11. Transfer Overseas
The external services used in this service, such as Cloudflare / Google / Stripe / Neon, may, for operational reasons, process information on servers outside Japan. Such information is handled appropriately in accordance with each company's privacy policy.
12. Revisions
This Policy may be revised as necessary. The revised Policy takes effect at the time it is posted on this page. In the event of significant changes, we will endeavor to provide appropriate notice on the Site.
13. Contact
For inquiries regarding this Policy, please contact us at the address below.
Email: support@shamisen.app