Legal Document

Privacy Policy

Effective date: March 2026Last updated: June 2026Jurisdiction: Sweden & European Union (GDPR)
GDPR CompliantNo data sellingEU data storageUS AI processing (disclosed)No ad trackingEssential cookies onlyEncrypted at restNo AI training use
Toloo (“Company,” “we,” “us,” or “our”) is committed to protecting your privacy and safeguarding the personal information you share when you use our website and related services (collectively, the “Services”). This Privacy Policy describes how we collect, use, protect, and handle your personal data, and explains the rights you have over your information. By accessing or using the Services, you agree to the practices described in this policy. For questions, contact us at hello@toloo.io.
Contents
  1. 1.Introduction & Scope
  2. 2.Definitions
  3. 3.Information We Collect
  4. 4.How We Use Your Information
  5. 5.Legal Bases for Processing (GDPR)
  6. 6.Disclosure of Your Information
  7. 7.AI Processing & Third Parties
  8. 8.Data Security
  9. 9.Children's Privacy
  10. 10.Cookies
  11. 11.International Data Transfers
  12. 12.Your Rights & Choices
  13. 13.Data Retention
  14. 14.Changes to This Policy
  15. 15.Contact Us
1.Introduction & Scope

This Privacy Policy applies to all personal information collected through the Services, including through our website, onboarding flow, AI companion chat, mood check-in features, and any related interactions that reference or link to this policy.

Third-party services: Our Services integrate with third-party providers (detailed in Section 7). These third parties have their own privacy practices which we do not control. We encourage you to review their policies independently.

Toloo is not a covered healthcare entity under HIPAA. However, we voluntarily apply equivalent standards of sensitivity and care to all health-related information you share with us. All conversation content containing health or mental health information is treated with the highest level of sensitivity and is never shared, sold, or disclosed to any third party for any commercial purpose.

Data Protection Officer (DPO): We have assessed our obligations under GDPR Article 37 and determined that, at our current scale of operations, the appointment of a mandatory DPO is not required. We process sensitive personal data (mental health-related content) but do not do so on a large scale as defined under Article 37(1)(c). We will reassess this determination as our user base grows and appoint a DPO if and when required. All data protection queries are handled directly by the Toloo team at hello@toloo.io.

2.Definitions
  • “Personal Information” — any information about an identifiable individual, or information that could reasonably be used to identify a person.
  • “Processing” — any operation performed on personal data, including collection, storage, use, disclosure, or deletion.
  • “Services” — Toloo's website, AI companion chat, mood tracking, onboarding, and all related features.
  • “User” or “You” — any individual who accesses or uses the Services.
  • “AI Companion” — Toloo's conversational AI feature, powered by Anthropic's Claude model.
  • “Data Controller” — Toloo, reachable at hello@toloo.io, is the data controller responsible for your personal data.
  • “Anonymised Data” — data that has been irreversibly processed so that no individual can be identified, directly or indirectly, by any means reasonably likely to be used. Pseudonymised data (data that could be re-linked to an individual using a separate key) does not qualify as anonymised data under this Policy or under GDPR.
3.Information We Collect

We collect only what is necessary to provide the Services. Nothing more.

A. Information You Provide Directly
  • Account data — your email address, collected at registration and used for authentication only
  • Onboarding answers — your reason for joining Toloo, mood at signup, and age range, used solely to personalise your experience
  • Conversation content — your messages with Toloo's AI Companion, stored to provide continuity across sessions
  • Mood check-ins — your daily mood rating and any optional notes you choose to add
B. Information Collected Automatically
  • Basic usage data — login timestamps and session data, used only for service reliability and security monitoring
  • Authentication cookies — essential session cookies set by Supabase to keep you logged in (see Section 10)

We do not collect your real name, phone number, precise location, payment details, biometric data, device identifiers, or any information beyond what is listed above.

4.How We Use Your Information

We use the personal information we collect for the following purposes:

  • Service provision — to create and maintain your account and provide the AI Companion experience
  • Personalisation — to tailor Toloo's responses based on your onboarding answers and conversation history. You may opt out of AI personalisation at any time by contacting hello@toloo.io.
  • Continuity — to allow Toloo to remember context from previous conversations
  • Mood insights — to generate personal mood trends over time based on your check-ins
  • Safety — to detect crisis language and respond with appropriate care and resources
  • Service improvement — using only anonymised and aggregated data (as defined in Section 2), never individual conversations or identifiable records. Any data used for service improvement is first processed through irreversible anonymisation techniques before use.
  • Security & compliance — to protect the integrity of the Services and comply with legal obligations

We will never sell your data, share it with advertisers, use it for ad targeting, use it to train AI models, or disclose it to any third party for commercial purposes. Ever.

5.Legal Bases for Processing (GDPR)

As a service operating under EU and Swedish law, we are required under GDPR to identify a legal basis for each type of data processing we carry out:

  • Consent (Art. 6(1)(a)) — you actively consent by ticking the agreement checkbox at login. You may withdraw consent at any time by deleting your account.
  • Contractual necessity (Art. 6(1)(b)) — processing required to deliver the Services you have signed up for
  • Legitimate interests (Art. 6(1)(f)) — service security, reliability, and improvement, balanced against your rights and freedoms
  • Vital interests (Art. 6(1)(d)) — in crisis situations, we may use conversation context to protect your safety or the safety of others
  • Legal obligation (Art. 6(1)(c)) — where we are required to process data to comply with applicable Swedish or EU law

Special category data: Mental health and emotional wellbeing information you share with Toloo may constitute special category data under GDPR Article 9. We process this data solely on the basis of your explicit consent (Art. 9(2)(a)), which you provide at registration. You may withdraw this consent at any time by deleting your account, at which point all such data will be permanently deleted within 30 days.

6.Disclosure of Your Information

We do not sell, rent, or trade your personal information. We may share personal data only in the following limited circumstances:

  • Service providers — third-party infrastructure providers who process data on our behalf and are bound by strict data processing agreements (DPAs)
  • Legal compliance — where required by Swedish or EU law, court order, or lawful request from a public authority
  • Safety — where we reasonably believe disclosure is necessary to prevent serious harm to you or others
  • Business transfer — in the event of a merger or acquisition, your data would transfer under the same privacy commitments and you would be notified in advance
  • Aggregated data — anonymised, non-identifiable data (as defined in Section 2) may be used for research or service improvement
7.AI Processing & Third Parties

Anthropic (Claude AI) — Toloo uses Claude, an AI model developed by Anthropic, to generate responses. Your conversation messages are transmitted to Anthropic's API for this purpose. Toloo does not share your name, email, or identity with Anthropic — only the conversation content required to generate a response. Anthropic is a US-based company. Anthropic participates in the EU-US Data Privacy Framework, which provides an adequate level of data protection recognised by the European Commission. As a further safeguard, Standard Contractual Clauses (SCCs) approved by the European Commission are also in place as a supplementary transfer mechanism.

Our commitment on AI training: Based on our current agreement with Anthropic, your conversation data is not used by Anthropic to train AI models, and Toloo will never use your data to train AI models. We maintain this as a binding contractual requirement in our agreement with Anthropic. If Anthropic's data processing terms were ever to change in a way that affected this commitment, we would notify you in advance and update this Policy before any such change took effect. No historical conversation data is retained by Anthropic after processing.

If Toloo were to cease using Anthropic's API, your data already stored in our infrastructure (Supabase) would be unaffected.

Supabase — We use Supabase for secure data storage and authentication. Supabase is GDPR-compliant and stores your account data and conversations on EU-based servers. A data processing agreement is in place.

Vercel — We use Vercel for hosting and deployment. Vercel processes network requests but does not store or access your conversation data. A data processing agreement is in place.

No other third parties have access to your personal data. We do not use advertising networks, behavioural analytics platforms, payment processors (free tier has none), or data brokers of any kind.

8.Data Security

We implement technical and infrastructure safeguards to protect your personal data:

  • Encryption in transit via HTTPS/TLS on all connections
  • Encryption at rest within Supabase's EU-based infrastructure
  • Row-level security — your data is accessible only by your own authenticated user ID
  • No shared databases between users
  • No third-party advertising, behavioural analytics, or tracking tools
  • Regular review of data collection and storage practices

In the event of a data breach that risks your rights or freedoms, we will notify the relevant supervisory authority within 72 hours and notify you without undue delay, as required by GDPR Articles 33 and 34.

9.Children's Privacy

Minimum age: The Services are intended for users aged 13 and above. By using Toloo, you confirm you meet this minimum age requirement.

Under-16 users (EU/EEA): Parental or guardian consent is required under GDPR Article 8 for users under 16. At registration, users under 16 are required to confirm via a dedicated checkbox that their parent or legal guardian has reviewed and consented to these terms on their behalf. This confirmation creates a record of the consent claim. If a minor under 16 accesses the Services without the required consent, the parent or legal guardian accepts responsibility for any data processed during that access.

Under-13 protection: We do not knowingly collect personal data from children under 13. If we become aware that a child under 13 has provided personal data without parental consent, we will delete that data and terminate the account immediately.

Parental concerns: Contact us immediately at hello@toloo.io if you believe your child under 13 has used the Services without your consent. We will act promptly.

10.Cookies

Toloo uses only essential authentication cookies — small text files stored on your device that keep you logged in between sessions. These are set by Supabase and are strictly necessary for the Services to function.

We do not use tracking cookies, advertising cookies, marketing pixels, web beacons, or behavioural analytics tools of any kind.

11.International Data Transfers

Your account data and conversations are stored on EU-based Supabase servers. When your conversation content is processed by Anthropic (a US-based company), this constitutes an international transfer of personal data outside the EU/EEA.

This transfer is protected by two mechanisms operating in parallel: Anthropic's participation in the EU-US Data Privacy Framework (an adequacy decision by the European Commission), and Standard Contractual Clauses (SCCs) as approved by the European Commission, which serve as a supplementary safeguard. You can learn more at anthropic.com/privacy.

We only transfer data to countries or organisations that provide an adequate level of data protection as recognised by the European Commission, or where appropriate safeguards such as SCCs are in place.

12.Your Rights & Choices

Under GDPR and applicable Swedish law, you have the following rights over your personal data. Contact us at hello@toloo.io to exercise any of them — we respond within 30 days. You will never face retaliation for exercising your data rights.

Access
Request a copy of all personal data we hold about you
Erasure
Request permanent deletion of your account and all associated data
Rectification
Ask us to correct any inaccurate or incomplete information
Portability
Receive your data in a structured, machine-readable format
Restrict processing
Request that we limit processing of your data in certain circumstances
Withdraw consent
Delete your account at any time to withdraw all consent immediately
Opt out of personalisation
Request that we disable AI personalisation features for your account
Object to processing
Object to processing based on legitimate interests at any time

Complaints: EU/EEA users may lodge a complaint with their national data protection authority. Swedish users may contact the Swedish Data Protection Authority (Integritetsskyddsmyndigheten, IMY) at imy.se. You may also contact the Irish Data Protection Commission at dataprotection.ie.

13.Data Retention

We retain personal data for as long as your account is active and for as long as necessary to fulfil the purposes described in this policy. When you delete your account, all personal data — including conversation history, mood check-ins, and onboarding answers — will be permanently deleted within 30 days.

We may retain certain data for a longer period where required by applicable Swedish or EU law (for example, for tax or accounting purposes). In such cases, only the minimum data required to meet the legal obligation is retained.

Truly anonymised and aggregated data — processed in accordance with the definition in Section 2 and from which you cannot be identified by any reasonable means — may be retained indefinitely for service improvement and analytics purposes. No individually identifiable data is retained in this category.

14.Changes to This Policy

If we make material changes, we will notify you by updating the “Last updated” date and by notifying you by email or via a prominent notice within the Services at least 14 days before the changes take effect. Your continued use of the Services after changes take effect constitutes your acceptance of the revised policy.

If you do not agree with the changes, you may delete your account and all associated data will be removed within 30 days.

15.Contact Us

Toloo acts as the data controller for your personal data. If you have any questions, concerns, or requests regarding this Privacy Policy or your personal data, please contact us at hello@toloo.io. This address also serves as our designated privacy contact for GDPR purposes. We respond to all privacy matters within 30 days.

EU/EEA users may also contact the supervisory authority in their country of residence if unsatisfied with our response. Swedish users may contact IMY at imy.se.