Legal Document

Privacy Policy

Effective date: March 2026
Last updated: March 2026
Jurisdiction: European Union (GDPR)

  • GDPR Compliant
  • CCPA Compliant
  • No data selling
  • EU servers
  • No ad tracking
  • Essential cookies only
  • Encrypted at rest
Toloo (“Company,” “we,” “us,” or “our”) is committed to protecting your privacy and safeguarding the personal information you share when you use our website and related services (collectively, the “Services”). This Privacy Policy describes how we collect, use, protect, and handle your personal data, and explains the rights you have over your information. By accessing or using the Services, you agree to the practices described in this policy.
Contents
  1. Introduction & Scope
  2. Definitions
  3. Information We Collect
  4. How We Use Your Information
  5. Legal Bases for Processing (GDPR)
  6. Disclosure of Your Information
  7. AI Processing & Third Parties
  8. Data Security
  9. Children's Privacy
  10. Cookies
  11. International Data Transfers
  12. Your Rights & Choices
  13. Data Retention
  14. Changes to This Policy
  15. Contact Us
1. Introduction & Scope

This Privacy Policy applies to all personal information collected through the Services, including through our website, onboarding flow, AI companion chat, mood check-in features, and any related interactions that reference or link to this policy.

Third-party services: Our Services integrate with third-party providers (detailed in Section 7). These third parties have their own privacy practices which we do not control. We encourage you to review their policies independently.

Toloo is not a covered healthcare entity under HIPAA. However, we voluntarily apply equivalent standards of sensitivity and care to all health-related information you share with us.

2. Definitions
  • “Personal Information” — any information about an identifiable individual, or information that could reasonably be used to identify a person.
  • “Processing” — any operation performed on personal data, including collection, storage, use, disclosure, or deletion.
  • “Services” — Toloo's website, AI companion chat, mood tracking, onboarding, and all related features.
  • “User” or “You” — any individual who accesses or uses the Services.
  • “AI Companion” — Toloo's conversational AI feature, powered by Anthropic's Claude model.
3. Information We Collect

We collect only what is necessary to provide the Services. Nothing more.

A. Information You Provide Directly
  • Account data — your email address, collected at registration and used for authentication only
  • Onboarding answers — your reason for joining Toloo, mood at signup, and age range, used solely to personalise your experience
  • Conversation content — your messages with Toloo's AI Companion, stored to provide continuity across sessions
  • Mood check-ins — your daily mood rating and any optional notes you choose to add
B. Information Collected Automatically
  • Basic usage data — login timestamps and session data, used only for service reliability and security monitoring
  • Authentication cookies — essential session cookies set by Supabase to keep you logged in (see Section 10)

We do not collect your real name, phone number, precise location, payment details (free tier), biometric data, device identifiers, or any information beyond what is listed above.

4. How We Use Your Information

We use the personal information we collect for the following purposes:

  • Service provision — to create and maintain your account and provide the AI Companion experience
  • Personalisation — to tailor Toloo's responses based on your onboarding answers and conversation history
  • Continuity — to allow Toloo to remember context from previous conversations
  • Mood insights — to generate personal mood trends over time based on your check-ins
  • Safety — to detect crisis language and respond with appropriate care and resources
  • Service improvement — using only anonymised and aggregated data, never individual conversations
  • Security & compliance — to protect the integrity of the Services and comply with legal obligations

We will never sell your data, share it with advertisers, use it for ad targeting, or disclose it to any third party for commercial purposes. Ever.

5. Legal Bases for Processing (GDPR)

As an EU-based service, we are required under GDPR to identify a legal basis for each type of data processing we carry out:

  • Consent (Art. 6(1)(a)) — you actively consent by ticking the agreement checkbox at login. You may withdraw consent at any time by deleting your account.
  • Contractual necessity (Art. 6(1)(b)) — processing required to deliver the Services you have signed up for
  • Legitimate interests (Art. 6(1)(f)) — service security, reliability, and improvement, balanced against your rights and freedoms
  • Vital interests (Art. 6(1)(d)) — in crisis situations, we may use conversation context to protect your safety or the safety of others
  • Legal obligation (Art. 6(1)(c)) — where we are required to process data to comply with applicable EU law
6. Disclosure of Your Information

We do not sell, rent, or trade your personal information. We may share personal data only in the following limited circumstances:

  • Service providers — third-party infrastructure providers who process data on our behalf and are bound by strict data processing agreements
  • Legal compliance — where required by EU law, court order, or lawful request from a public authority
  • Safety — where we reasonably believe disclosure is necessary to prevent harm to you or others
  • Business transfer — in the event of a merger or acquisition, your data would transfer under the same privacy commitments
  • Aggregated data — anonymised, non-identifiable data may be used for research or service improvement
7. AI Processing & Third Parties

Anthropic (Claude AI) — Toloo uses Claude, an AI model developed by Anthropic, to generate responses. Your conversation messages are transmitted to Anthropic's API for this purpose. Toloo does not share your name, email, or identity with Anthropic — only the conversation content required to generate a response. Anthropic participates in the EU-US Data Privacy Framework.

Supabase — We use Supabase for secure data storage and authentication. Supabase is GDPR-compliant and stores data on EU-based servers.

Vercel — We use Vercel for hosting and deployment. Vercel processes network requests but does not store or access your conversation data.

No other third parties have access to your personal data. We do not use advertising networks, behavioural analytics platforms, or data brokers of any kind.

8. Data Security

We implement technical and infrastructure safeguards to protect your personal data:

  • Encryption in transit via HTTPS/TLS on all connections
  • Encryption at rest within Supabase's EU-based infrastructure
  • Row-level security — your data is accessible only by your own authenticated user ID
  • No shared databases between users
  • No third-party advertising, behavioural analytics, or tracking tools
  • Regular review of data collection and storage practices

In the event of a data breach that risks your rights or freedoms, we will notify you within 72 hours as required by GDPR Article 33.

9. Children's Privacy

Minimum age: The Services are intended for users aged 13 and above. By using Toloo, you confirm you meet this minimum age requirement.

Under-16 users (EU/EEA): Parental or guardian consent is required under GDPR Article 8 for users under 16.

Under-13 protection: We do not knowingly collect personal data from children under 13. If we become aware that a child under 13 has provided personal data without parental consent, we will delete that data and terminate the account immediately.

Parental concerns: Contact us immediately if you believe your child under 13 has used the Services without your consent.

10. Cookies

Toloo uses only essential authentication cookies — small text files stored on your device that keep you logged in between sessions. These are set by Supabase and are strictly necessary for the Services to function.

We do not use tracking cookies, advertising cookies, marketing pixels, web beacons, or behavioural analytics tools of any kind.

11. International Data Transfers

Your data is stored on EU-based Supabase servers. When your conversation content is processed by Anthropic (a US-based company), this constitutes an international transfer of personal data outside the EU/EEA.

Anthropic participates in the EU-US Data Privacy Framework, which provides an adequate level of data protection recognised by the European Commission.

12. Your Rights & Choices

Depending on your location, you have the following rights over your personal data. Contact us to exercise any of them — we respond within 30 days.

  • Access: Request a copy of all personal data we hold about you
  • Erasure: Request permanent deletion of your account and all associated data
  • Rectification: Ask us to correct any inaccurate or incomplete information
  • Portability: Receive your data in a structured, machine-readable format
  • Restrict processing: Request that we limit processing of your data in certain circumstances
  • Withdraw consent: Delete your account at any time to withdraw all consent immediately

California users (CCPA) have additional rights, including the right to know what data is collected, the right to delete, and the right to opt out of sale (we never sell data).

Complaints: EU/EEA users may lodge a complaint with their national data protection authority, or contact the Irish Data Protection Commission at dataprotection.ie.

13. Data Retention

We retain personal data for as long as your account is active. When you delete your account, all personal data — including conversation history, mood check-ins, and onboarding answers — will be permanently deleted within 30 days.

14. Changes to This Policy

If we make material changes, we will notify you by updating the “Last updated” date and, where appropriate, by notifying you within the Services. Your continued use of the Services after changes take effect constitutes your acceptance of the revised policy.

15. Contact Us

If you have any questions, concerns, or requests regarding this Privacy Policy, please contact us at hello.toloo@gmail.com. We respond to all privacy matters within 30 days.

EU/EEA users may also contact the supervisory authority in their country of residence if unsatisfied with our response.