This Privacy Policy applies to all personal information collected through the Services, including through our website, onboarding flow, AI companion chat, mood check-in features, and any related interactions that reference or link to this policy.
Third-party services: Our Services integrate with third-party providers (detailed in Section 7). These third parties have their own privacy practices which we do not control. We encourage you to review their policies independently.
Toloo is not a covered healthcare entity under HIPAA. However, we voluntarily apply equivalent standards of sensitivity and care to all health-related information you share with us. All conversation content containing health or mental health information is treated with the highest level of sensitivity and is never shared, sold, or disclosed to any third party for any commercial purpose.
Data Protection Officer (DPO): We have assessed our obligations under GDPR Article 37 and determined that, at our current scale of operations, the appointment of a mandatory DPO is not required. We process sensitive personal data (mental health-related content) but do not do so on a large scale as defined under Article 37(1)(c). We will reassess this determination as our user base grows and appoint a DPO if and when required. All data protection queries are handled directly by the Toloo team at hello@toloo.io.
We collect only what is necessary to provide the Services. Nothing more.
We do not collect your real name, phone number, precise location, payment details, biometric data, device identifiers, or any information beyond what is listed above.
We use the personal information we collect for the following purposes:
We will never sell your data, share it with advertisers, use it for ad targeting, use it to train AI models, or disclose it to any third party for commercial purposes. Ever.
As a service operating under EU and Swedish law, we are required under GDPR to identify a legal basis for each type of data processing we carry out:
Special category data: Mental health and emotional wellbeing information you share with Toloo may constitute special category data under GDPR Article 9. We process this data solely on the basis of your explicit consent (Art. 9(2)(a)), which you provide at registration. You may withdraw this consent at any time by deleting your account, at which point all such data will be permanently deleted within 30 days.
We do not sell, rent, or trade your personal information. We may share personal data only in the following limited circumstances:
Anthropic (Claude AI) — Toloo uses Claude, an AI model developed by Anthropic, to generate responses. Your conversation messages are transmitted to Anthropic's API for this purpose. Toloo does not share your name, email, or identity with Anthropic — only the conversation content required to generate a response. Anthropic is a US-based company. Anthropic participates in the EU-US Data Privacy Framework, which provides an adequate level of data protection recognised by the European Commission. As a further safeguard, Standard Contractual Clauses (SCCs) approved by the European Commission are also in place as a supplementary transfer mechanism.
Our commitment on AI training: Based on our current agreement with Anthropic, your conversation data is not used by Anthropic to train AI models, and Toloo will never use your data to train AI models. We maintain this as a binding contractual requirement in our agreement with Anthropic. If Anthropic's data processing terms were ever to change in a way that affected this commitment, we would notify you in advance and update this Policy before any such change took effect. No historical conversation data is retained by Anthropic after processing.
If Toloo were to cease using Anthropic's API, your data already stored in our infrastructure (Supabase) would be unaffected.
Supabase — We use Supabase for secure data storage and authentication. Supabase is GDPR-compliant and stores your account data and conversations on EU-based servers. A data processing agreement is in place.
Vercel — We use Vercel for hosting and deployment. Vercel processes network requests but does not store or access your conversation data. A data processing agreement is in place.
No other third parties have access to your personal data. We do not use advertising networks, behavioural analytics platforms, payment processors (free tier has none), or data brokers of any kind.
We implement technical and infrastructure safeguards to protect your personal data:
In the event of a data breach that risks your rights or freedoms, we will notify the relevant supervisory authority within 72 hours and notify you without undue delay, as required by GDPR Articles 33 and 34.
Minimum age: The Services are intended for users aged 13 and above. By using Toloo, you confirm you meet this minimum age requirement.
Under-16 users (EU/EEA): Parental or guardian consent is required under GDPR Article 8 for users under 16. At registration, users under 16 are required to confirm via a dedicated checkbox that their parent or legal guardian has reviewed and consented to these terms on their behalf. This confirmation creates a record of the consent claim. If a minor under 16 accesses the Services without the required consent, the parent or legal guardian accepts responsibility for any data processed during that access.
Under-13 protection: We do not knowingly collect personal data from children under 13. If we become aware that a child under 13 has provided personal data without parental consent, we will delete that data and terminate the account immediately.
Parental concerns: Contact us immediately at hello@toloo.io if you believe your child under 13 has used the Services without your consent. We will act promptly.
Toloo uses only essential authentication cookies — small text files stored on your device that keep you logged in between sessions. These are set by Supabase and are strictly necessary for the Services to function.
We do not use tracking cookies, advertising cookies, marketing pixels, web beacons, or behavioural analytics tools of any kind.
Your account data and conversations are stored on EU-based Supabase servers. When your conversation content is processed by Anthropic (a US-based company), this constitutes an international transfer of personal data outside the EU/EEA.
This transfer is protected by two mechanisms operating in parallel: Anthropic's participation in the EU-US Data Privacy Framework (an adequacy decision by the European Commission), and Standard Contractual Clauses (SCCs) as approved by the European Commission, which serve as a supplementary safeguard. You can learn more at anthropic.com/privacy.
We only transfer data to countries or organisations that provide an adequate level of data protection as recognised by the European Commission, or where appropriate safeguards such as SCCs are in place.
Under GDPR and applicable Swedish law, you have the following rights over your personal data. Contact us at hello@toloo.io to exercise any of them — we respond within 30 days. You will never face retaliation for exercising your data rights.
Complaints: EU/EEA users may lodge a complaint with their national data protection authority. Swedish users may contact the Swedish Data Protection Authority (Integritetsskyddsmyndigheten, IMY) at imy.se. You may also contact the Irish Data Protection Commission at dataprotection.ie.
We retain personal data for as long as your account is active and for as long as necessary to fulfil the purposes described in this policy. When you delete your account, all personal data — including conversation history, mood check-ins, and onboarding answers — will be permanently deleted within 30 days.
We may retain certain data for a longer period where required by applicable Swedish or EU law (for example, for tax or accounting purposes). In such cases, only the minimum data required to meet the legal obligation is retained.
Truly anonymised and aggregated data — processed in accordance with the definition in Section 2 and from which you cannot be identified by any reasonable means — may be retained indefinitely for service improvement and analytics purposes. No individually identifiable data is retained in this category.
If we make material changes, we will notify you by updating the “Last updated” date and by notifying you by email or via a prominent notice within the Services at least 14 days before the changes take effect. Your continued use of the Services after changes take effect constitutes your acceptance of the revised policy.
If you do not agree with the changes, you may delete your account and all associated data will be removed within 30 days.
Toloo acts as the data controller for your personal data. If you have any questions, concerns, or requests regarding this Privacy Policy or your personal data, please contact us at hello@toloo.io. This address also serves as our designated privacy contact for GDPR purposes. We respond to all privacy matters within 30 days.
EU/EEA users may also contact the supervisory authority in their country of residence if unsatisfied with our response. Swedish users may contact IMY at imy.se.