Privacy Policy

How we collect, use, and protect your personal data

Last updated: February 23, 2026

Quick Overview

🔒 Your data, your control. You can access or request deletion of your data at any time.
📷 Photos stay private. Wardrobe images are stored securely and never shared with other users.
📜 Minimal data collection. We only collect data necessary to provide outfit recommendations.

01 Data Controller

Alessio Saggiomo
Via Lorenteggio, 3
20146 Milan, Italy
Email:

Alessio Saggiomo is the sole data controller as defined in Art. 4(7) of the General Data Protection Regulation (EU) 2016/679 ("GDPR") and is responsible for all processing activities described in this policy.

This policy applies to users in the European Union, United Kingdom, United States, Canada, and Australia.

02 Personal Data Collected

Tonee collects and processes the following categories of personal data to deliver a personalized AI-powered styling service.

2.1 Registration & Profile

Data Category | Examples | Required
Identity data | Name, email address | Yes
Daily style | Everyday style preference (e.g. Casual, Streetwear, Business, Elegant) | Yes

2.2 Color Analysis Data (Optional)

Data Category | Examples | Purpose
Color characteristics | Skin tone, eye color, hair color | Personalized color recommendations
Facial photos | Images for color analysis | Automatic color season calculation
Advanced parameters | Undertone, contrast level | Detailed color analysis

2.3 Digital Wardrobe

  • Clothing photos: images of garments, shoes, and accessories
  • Clothing metadata: category, color, material, fit, description

2.4 Interaction Data

  • Outfit wizard selections: occasion, style, and other parameters chosen during outfit generation
  • Optional free-text input: additional styling preferences or notes provided during outfit generation
  • Outfit generation history: previously generated outfit combinations, used for anti-repetition (limited to 12 entries per user, oldest automatically deleted)
  • Post-generation modifications: item swaps and adjustments made to generated outfits

2.5 Technical & Usage Data

  • Firebase Analytics: pseudonymous usage events, features used, in-app actions
  • Error monitoring (Sentry): stack traces, request context, device info, app version
  • Firebase installation ID: pseudonymous device identifier
  • Device language: Accept-Language header for localization
  • FCM tokens: push notification identifiers
  • Geolocation: approximate location (only when authorized) for weather-based suggestions

2.6 Monetization Data

  • Subscription status: active plan, expiration date
  • Usage counters: outfits generated, free responses used
  • Transaction IDs: Apple App Store in-app purchase identifiers

2.7 Temporary Processing Data

Data | Lifetime | Purpose
Armocromia analysis images | Cleaned up after processing | Color season analysis
Password reset tokens | 24 hours | Secure password recovery
Batch analysis jobs | 24 hours | Wardrobe batch processing

03 Processing Purposes

3.1 Service Provision

  • Generate personalized outfits using a constraint solver combined with AI verbalization
  • Armocromia (color season) analysis and personalized color recommendations
  • Digital wardrobe management with background removal (ML-based rembg microservice)
  • Automatic garment analysis from photos (color, category, material, fit) via AI image recognition

3.2 Personalization

  • Adapt suggestions based on user profile and preferences
  • Improve recommendation accuracy over time
  • Weather-based and occasion-specific outfit suggestions

3.3 Technical Functions

  • Authentication and account security (email/password, Google, Apple sign-in)
  • Password recovery and transactional emails (via Resend)
  • Subscription and payment management
  • Push notifications for batch analysis completion (via Firebase Cloud Messaging)

3.4 Analytics & Improvement

  • Usage analytics to improve user experience (Firebase Analytics)
  • Error monitoring and performance tracking (Sentry)
  • Usage statistics for new feature development

05 Profiling and Automated Processing

In accordance with Art. 13(2)(f) GDPR, we inform you that Tonee uses automated processing, including profiling, to generate outfit suggestions.

How it works

  • Constraint solver: an algorithm evaluates your wardrobe items against weather, occasion, color harmony, and style preferences to generate outfit combinations
  • AI verbalization: AI models (OpenAI and Anthropic Claude) generate natural-language descriptions of outfit suggestions and analyze garment photos
  • Style profiling: your preferences, past choices, and wardrobe composition are used to personalize results

Your safeguards

No legal or significant effects. AI-generated outfit suggestions are non-binding recommendations. They do not produce legal effects or similarly significant effects on you. Art. 22 GDPR (right to object to solely automated decisions) does not apply to this processing.

You can always accept, reject, or modify any suggestion. For questions about how automated processing works, contact us at hello@tonee.app.

06 Third-Party Services & Sub-Processors

Tonee integrates the following third-party services to deliver its functionality:

Service | Purpose | Data Shared | Privacy Policy
Google LLC | Authentication, Analytics | Email, name, user ID, usage events | Google Privacy
OpenAI | Garment analysis, armocromia analysis, outfit verbalization | Clothing photos, user profile data, wardrobe metadata | OpenAI Privacy
Anthropic | Outfit verbalization, garment analysis | Wardrobe metadata, outfit parameters, style preferences | Anthropic Privacy
Supabase | Database, authentication, file storage | All user data (encrypted at rest) | Supabase Privacy
Firebase | Analytics, push notifications (FCM) | App events, performance data, FCM tokens | Firebase Privacy
Apple Inc. | Authentication, In-App Purchases | Transaction ID, subscription status | Apple Privacy
OpenWeatherMap | Weather data for outfit suggestions | Approximate location (lat/lon) | OpenWeather Privacy
Resend | Transactional emails (password reset, confirmations) | Email address, name, localized template | Resend Privacy
Sentry | Error monitoring and performance | Stack traces, request context, device info, app version | Sentry Privacy
Railway | Cloud hosting infrastructure | All server-side processed data (encrypted in transit) | Railway Privacy

Data Processing Agreements. We have entered into Data Processing Agreements (Art. 28 GDPR) with all sub-processors listed above. Data transfers to non-EU countries are protected by EU Standard Contractual Clauses (SCCs) or the EU-US Data Privacy Framework, as applicable.

07 Data Retention & Deletion

Data Category | Retention Period | Rationale
Active profile | Until account deletion | Service necessity
Digital wardrobe | Until account deletion | Core functionality
Armocromia analysis images | Cleaned up after processing | Color season analysis
Outfit generation history | Rolling limit of 12 entries per user | Anti-repetition for AI recommendations
Password reset tokens | 24 hours | Security expiration
Batch analysis jobs | 24 hours | Processing cleanup
Stale FCM tokens | 30 days | Push notification hygiene
Sentry error data | 30 days (Sentry default) | Error resolution cycle
Firebase Analytics | Up to 14 months | Google Analytics settings
Tax/subscription records | 10 years | Italian legal obligation

Account Deletion

You can request account deletion at any time from within the app or by emailing us. The process works as follows:

  • With active subscription: deletion is scheduled for the subscription expiration date. You receive an email confirmation with the scheduled date.
  • Without active subscription: immediate deletion is performed.

In both cases, account deletion involves complete deletion and irreversible anonymization:

  • All storage files (wardrobe photos, armocromia analysis images) permanently removed from Supabase Storage
  • All database records (outfits, wardrobe items, outfit history, style preferences) permanently deleted
  • Supabase Auth account removed
  • Personal data in the user record irreversibly anonymized (name, email, profile data replaced with anonymous placeholders)
  • Push notification tokens invalidated
  • Confirmation email sent via Resend

Only anonymized billing records are retained where required by Italian tax law (10 years).

08 Your Rights (GDPR)

You have full control over your personal data. Under the GDPR, you can exercise the following rights:

8.1 Fundamental Rights

  • Access (Art. 15): obtain a copy of all your personal data
  • Rectification (Art. 16): correct inaccurate or incomplete data
  • Erasure (Art. 17): "right to be forgotten" — complete deletion
  • Restriction (Art. 18): temporarily block processing
  • Portability (Art. 20): receive data in a structured, machine-readable format (exercise via email request to hello@tonee.app)
  • Objection (Art. 21): object to processing based on legitimate interest
  • Withdraw consent: where processing is based on consent (facial photo analysis, push notifications), you may withdraw consent at any time without affecting the lawfulness of processing carried out before withdrawal

8.2 In-App Privacy Controls

  • Manage location permissions in profile settings
  • Manage push notification permissions via device settings
  • Request complete account deletion from the app

8.3 How to Exercise Your Rights

Send your request to:

Response time: within 30 days, free of charge

Verification: we may request a copy of your ID document to verify your identity

09 Data Security

We implement technical and organizational measures to protect your data in accordance with Art. 32 GDPR.

9.1 Technical Measures

  • Authentication: Google OAuth 2.0, Apple Sign-In, email/password with secure hashing
  • JWT validation: token-based authentication with automatic rotation
  • HTTPS: TLS encryption for all client-server communication
  • Secure storage: Supabase (SOC 2 compliant) with encryption at rest
  • Row-Level Security (RLS): database policies ensuring users can only access their own data
  • Signed URLs: time-limited access control for storage files
  • Rate limiting: 150 requests/min global, 10-20/min for AI endpoints
  • Local encryption: iOS Keychain / Android Keystore for sensitive local data
  • On-device compression: images are compressed before upload to minimize exposure
  • CASCADE delete: complete data cleanup on account deletion

9.2 Organizational Measures

  • System access limited to the data controller only
  • All service providers comply with international standards (SOC 2, ISO 27001)
  • Automated account deletion and data cleanup systems

10 International Data Transfers

Some of our service providers are located outside the European Union. All transfers comply with GDPR Art. 44-49.

Service | Country | Transfer Safeguard
OpenAI | USA | EU Standard Contractual Clauses
Google / Firebase | USA | EU-US Data Privacy Framework
Anthropic | USA | EU Standard Contractual Clauses
Supabase | USA | EU Standard Contractual Clauses
Resend | USA | EU Standard Contractual Clauses
Sentry | USA | EU Standard Contractual Clauses
Railway | USA | EU Standard Contractual Clauses

11 Mobile App Storage & Analytics

Tonee is a mobile application. Unlike websites, it does not use traditional HTTP cookies. Below is how data is stored and collected on your device.

11.1 On-Device Storage

  • Secure Storage: authentication tokens and sensitive credentials are stored using iOS Keychain (iOS) or Android Keystore (Android), both hardware-backed encryption systems
  • SharedPreferences / UserDefaults: non-sensitive settings (theme, language, onboarding status)
  • Image cache: temporary wardrobe image cache for performance, managed by the app

11.2 Firebase Analytics

  • Uses a pseudonymous Firebase installation ID (not a personal identifier)
  • No traditional cookies are set
  • No Apple ATT (App Tracking Transparency) prompt required — Firebase Analytics is first-party analytics and does not track across apps
  • Data is used solely to understand app usage and improve features

11.3 Error Monitoring (Sentry)

  • Captures stack traces, device model, OS version, and app version when errors occur
  • No intentional collection of personally identifiable information (PII)
  • Data automatically expires after 30 days

12 Data Breach Notification

In accordance with Art. 33 and Art. 34 GDPR:

  • Supervisory authority notification: in the event of a personal data breach, we will notify the Italian Data Protection Authority (Garante per la Protezione dei Dati Personali) within 72 hours of becoming aware, unless the breach is unlikely to result in a risk to your rights and freedoms
  • User notification: if a breach is likely to result in a high risk to your rights and freedoms, we will notify you without undue delay, describing the nature of the breach, likely consequences, and measures taken or proposed
  • Documentation: we maintain a record of all data breaches, including facts, effects, and remedial actions taken, regardless of whether notification is required
  • Other jurisdictions: where required by applicable law in other jurisdictions (including the UK, US states, Canada, and Australia), we will also comply with local breach notification requirements

13 Protection of Minors

Tonee is intended for users aged 16 or older (or the minimum age required by local legislation for digital consent).

  • We do not knowingly collect data from anyone under 16
  • If we become aware that a minor's data has been collected, we will delete it immediately
  • Parents or guardians can contact us to report concerns at hello@tonee.app

14 Privacy Policy Changes

This policy may be updated to reflect:

  • New app features and data processing activities
  • Changes in applicable legislation
  • Improvements to our privacy practices

How we notify you: material changes will be communicated via in-app notification or email. The "Last updated" date at the top indicates the most recent version.

15 Contact & Complaints

Data Controller

Alessio Saggiomo

Email:

Subject line: "Privacy — [Your Request]"

Response guaranteed within 30 days

Supervisory Authority

If you believe that the processing of your personal data infringes applicable data protection law, you have the right to lodge a complaint with your local data protection authority. For EU users, our lead authority is:

Garante per la Protezione dei Dati Personali
Piazza Venezia 11, 00187 Roma, Italy
Email: protocollo@gpdp.it
Website: www.garanteprivacy.it

Users in other jurisdictions may also contact the relevant authority in their country (see Section 16 for jurisdiction-specific details).

16 Jurisdiction-Specific Information

In addition to the rights described above, the following jurisdiction-specific provisions apply depending on your location.

16.1 United States (CCPA/CPRA — California Residents)

Under the California Consumer Privacy Act (CCPA) as amended by the CPRA:

  • Categories of personal information collected: identifiers (name, email), internet activity (usage events), sensory data (wardrobe photos), inferences (style preferences, color analysis)
  • We do not sell or share your personal information for cross-context behavioral advertising
  • Your rights: right to know, right to delete, right to correct, right to opt-out of sale (not applicable), right to limit use of sensitive personal information, right to non-discrimination
  • To exercise your rights: contact hello@tonee.app
  • Response timeline: we will acknowledge your request within 10 business days and provide a substantive response within 45 calendar days (extendable by an additional 45 days with notice)

16.2 United Kingdom (UK GDPR)

  • Your rights under the UK GDPR are substantially equivalent to those listed in Section 8
  • Supervisory authority: Information Commissioner's Office (ICO), ico.org.uk
  • International transfers: transfers from the UK are protected by the UK International Data Transfer Agreement (UK IDTA) or the EU-UK adequacy decision, as applicable

16.3 Canada (PIPEDA)

  • Under the Personal Information Protection and Electronic Documents Act (PIPEDA), you have the right to access, correct, and withdraw consent for your personal information
  • Supervisory authority: Office of the Privacy Commissioner of Canada (OPC), priv.gc.ca
  • To exercise your rights: contact hello@tonee.app

16.4 Australia (Privacy Act 1988)

  • We comply with the Australian Privacy Principles (APPs) set out in the Privacy Act 1988
  • You have the right to access and request correction of your personal information
  • Supervisory authority: Office of the Australian Information Commissioner (OAIC), oaic.gov.au
  • To exercise your rights or make a complaint: contact hello@tonee.app