Legal Document

Privacy Policy

Effective Date: 1 January 2025 · Last Updated: 14 April 2025 · Version: 2.1

Contents

Introduction and Identity
Definitions
Information We Collect
How We Use Your Information
Legal Basis for Processing (GDPR)
Data Sharing and Third-Party Processors
Data Retention
Your Privacy Rights
Children's Privacy
International Data Transfers
Security Measures
Cookies and Tracking Technologies
Changes to This Policy
Contact and Data Protection Officer

1. Introduction and Identity

TOUN ("we," "us," or "our") operates the TOUN mobile application and the website located at toun.app (collectively, the "Services"). TOUN is a personal connection platform designed to allow users to maintain emotional bonds with their contacts through periodic heartbeat interactions. This Privacy Policy explains how we collect, use, disclose, and safeguard your personal information when you use our Services.

Please read this Privacy Policy carefully. If you do not agree with the terms of this Privacy Policy, please do not access the Services. This Privacy Policy is incorporated by reference into our Terms of Use.

Controller Identity: For users in the European Economic Area (EEA) and the United Kingdom, TOUN acts as the data controller with respect to your personal data as defined under the General Data Protection Regulation (GDPR) and the UK GDPR respectively. For users in California, TOUN is the "business" as defined under the California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA).

2. Definitions

For the purposes of this Privacy Policy, the following terms shall have the meanings set out below:

"Personal Data": Any information relating to an identified or identifiable natural person, including name, phone number, device identifiers, and usage data.
"Processing": Any operation performed on Personal Data, including collection, recording, storage, use, disclosure, and deletion.
"Heartbeat": A user-initiated interaction signal sent to a connected contact within the TOUN application, representing an emotional or social connection gesture.
"Pulse": A shared data record in TOUN linking two mutually consented users, documenting their interaction history.
"Contact": A person identified by the user from their device contact list and added to TOUN as a connection.
"FCM Token": A device registration identifier issued by Firebase Cloud Messaging, used to deliver push notifications.
"App Check Token": A cryptographic attestation token generated by Play Integrity (Android) or DeviceCheck (iOS), verifying that interactions originate from a genuine, unmodified installation of TOUN.
"Third-Party Processor": Any entity that processes Personal Data on our behalf pursuant to a data processing agreement.

3. Information We Collect

We collect information that you provide directly, information generated by your use of the Services, and information obtained from third-party services. The categories and specific data elements are as follows:

3.1 Information You Provide Directly

Data Element	Purpose	Required
Mobile phone number (E.164 format)	Account authentication via one-time password (OTP); identity verification; connection discovery	Yes
Display name	Personalisation of the user experience and notifications to contacts	Yes
Date of birth	Age verification to confirm eligibility (13+ years)	Yes
Profile photograph	Identity representation within the application; displayed to mutual connections only	No
Contact list (on-device, read-only)	Identifying which of your device contacts are already TOUN users, enabling connection discovery; contact data is hashed using SHA-256 before transmission	No (permission-based)

3.2 Information Generated Automatically

Data Element	Purpose	Retention
Heartbeat interaction records (type, timestamp, pulse identifier)	Core product functionality; interaction history; bond state calculation	Until account deletion
Connection relationships (mutual pulse records)	Relationship graph management; connection lifecycle	Until either party deletes the connection
FCM registration tokens	Delivery of push notifications to registered devices	Until replaced by a new token or account deletion
App Check tokens (Play Integrity / DeviceCheck)	Verification that requests originate from genuine, non-emulated TOUN installations; anti-fraud and bot prevention	Not persisted; ephemeral per-request tokens
App open events and session metadata	Reciprocity nudge triggering; analytics; abuse detection	90 days
Notification interaction events (opened, dismissed)	Delivery confirmation; notification system optimisation	90 days
Crash reports and diagnostic data	Application stability; bug identification and remediation via Firebase Crashlytics	90 days
IP address (web/landing page visitors)	Fraud prevention; geographic analytics; DDoS mitigation (Vercel infrastructure)	30 days (Vercel logs)
Browser type, operating system, device model	Platform-specific optimisation; analytics segmentation	14 months (Google Analytics)

3.3 Phone Number Hashing and Privacy-Preserving Discovery

When you grant TOUN access to your device contacts, we do not upload your contacts' raw phone numbers to our servers. Instead, each phone number is normalised to E.164 format and hashed using SHA-256 on your device. Only the resulting irreversible hash is transmitted to our servers to check against the hashes of registered TOUN users. This "zero-knowledge" approach means we never store or process the raw contact phone numbers of non-users.

3.4 Information We Do Not Collect

We do not collect the following:

The content of private messages or communications between users (TOUN does not have a messaging feature; heartbeat interactions are signals only, not text).
Precise GPS location data.
Financial information, payment card numbers, or bank account details.
Biometric data, health data, or sensitive personal data as defined under GDPR Article 9.
Government-issued identification numbers.

4. How We Use Your Information

We use the Personal Data we collect for the following purposes:

4.1 Service Delivery

Creating and managing your TOUN account.
Authenticating your identity via Firebase Phone Authentication (one-time password verification).
Enabling heartbeat interactions and maintaining shared pulse records between mutually consented connections.
Delivering push notifications when a connection sends you a heartbeat, accepts your connection request, or when we send contextually appropriate nudge reminders.
Processing and synchronising heartbeat interaction data across your devices in real time.

4.2 Connection Discovery

Identifying which of your device contacts are existing TOUN users using privacy-preserving phone number hashing, as described in Section 3.3.
Facilitating the invitation flow for non-users via shareable deep links.

4.3 Safety, Security, and Integrity

Verifying the integrity of app installations and interactions using App Check (Play Integrity on Android; DeviceCheck on iOS) to prevent bots, emulators, and automated abuse.
Detecting, investigating, and preventing fraudulent, abusive, or harmful activity.
Enforcing our Terms of Use, including the blocklist feature that prevents unwanted contact requests.
Complying with applicable law and responding to valid legal process.

4.4 Product Improvement and Analytics

Analysing aggregated, de-identified usage patterns to understand how users interact with TOUN and to improve the product experience.
Diagnosing application crashes and technical errors via Firebase Crashlytics.
Measuring the effectiveness of notification delivery and engagement.

4.5 Communications

Sending transactional communications related to your account (e.g., connection accepted, heartbeat milestones reached).
Sending service-related announcements and critical security notices.

We do not use your Personal Data for targeted advertising, do not sell your data to third parties for their own marketing purposes, and do not engage in profiling for automated decision-making that produces legal or similarly significant effects.

5. Legal Basis for Processing (GDPR)

For users in the EEA and UK, we rely on the following legal bases under GDPR Article 6 for processing your Personal Data:

Processing Activity	Legal Basis
Account creation and authentication	Performance of a contract (Art. 6(1)(b))
Heartbeat interactions and pulse data	Performance of a contract (Art. 6(1)(b))
Push notifications (heartbeats, connection requests)	Performance of a contract; Legitimate interests (Art. 6(1)(f))
Contact discovery via hashed phone numbers	Consent (Art. 6(1)(a)), you grant device contacts permission explicitly
Analytics and crash reporting	Legitimate interests (Art. 6(1)(f)), to improve product stability and experience
App Check / fraud prevention	Legitimate interests (Art. 6(1)(f)), to protect users from bots and abuse
Legal compliance	Legal obligation (Art. 6(1)(c))
Web analytics cookies (Google Analytics)	Consent (Art. 6(1)(a)), via our cookie consent mechanism

Where we rely on legitimate interests, we have conducted a balancing test and determined that our legitimate interests are not overridden by your rights and freedoms. You may request a copy of our legitimate interests assessment by contacting us at the address in Section 14.

6. Data Sharing and Third-Party Processors

We do not sell, rent, or trade your Personal Data. We share data only in the circumstances described below, and only to the extent necessary for the stated purpose.

6.1 Authorised Third-Party Processors

We engage the following processors to operate the Services. All processors are bound by data processing agreements and applicable data protection law:

Processor	Service Provided	Data Transferred	Location
Google LLC / Firebase	Authentication (Firebase Auth), database (Firestore), file storage (Cloud Storage), push messaging (FCM), analytics (Firebase Analytics), crash reporting (Crashlytics), app integrity (App Check), serverless functions (Cloud Functions)	Account data, interaction data, FCM tokens, crash logs, analytics events	United States (with EU SCCs where applicable)
Apple Inc.	Apple Push Notification Service (APNS), delivery of push notifications to iOS devices	FCM-generated APNS device tokens (opaque identifiers; not personal data in isolation)	United States
Google LLC (Play Integrity)	Device attestation and integrity verification on Android	Attestation tokens (ephemeral; not stored)	United States
Vercel Inc.	Hosting of the toun.app website and landing pages	IP addresses, request metadata (web visitors only)	United States / Global Edge Network
Google LLC (Google Analytics 4)	Website traffic analytics (toun.app landing pages only; with cookie consent)	Pseudonymous analytics identifiers, page views, session data	United States (with EU SCCs)

6.2 Disclosure to Other Users

By using TOUN, you authorise us to make the following information visible to your mutual connections within the application:

Your display name and profile photograph (if uploaded).
The timestamp of your most recent heartbeat interaction on a shared pulse.
The type of heartbeat interaction (e.g., "thinking," "misses," "loves"), visible to the recipient at the moment of delivery only.

Your phone number is never displayed to other users within the application. Contact relationships are visible only to the two parties sharing a mutual pulse.

6.3 Business Transfers

In the event of a merger, acquisition, sale of assets, or similar business transaction, your Personal Data may be transferred to the acquiring entity. We will provide notice before your Personal Data is transferred and subject to a different Privacy Policy.

6.4 Legal Requirements

We may disclose your Personal Data if required to do so by applicable law, court order, or governmental authority; to enforce our Terms of Use or protect our legal rights; to protect the safety of any person; or to respond to a national security or law enforcement request. Where permitted by law, we will notify you of any such request.

7. Data Retention

We retain Personal Data for as long as necessary to fulfil the purposes for which it was collected, comply with our legal obligations, resolve disputes, and enforce our agreements.

Data Category	Retention Period
Account information (phone number, display name, date of birth)	Until account deletion request is processed, plus 30 days for backup reconciliation
Profile photographs	Until account deletion or user replaces/removes the image
Heartbeat interaction records (pulse data)	Until account deletion or connection removal by either party
FCM push tokens	Until superseded by a new token, device deregistration, or account deletion; stale tokens are automatically removed when FCM confirms delivery failure
Connection request records	12 months from creation, regardless of outcome (pending, accepted, declined, or blocked)
App open / session events	90 days
Crash logs (Firebase Crashlytics)	90 days (Firebase platform default)
Firebase Analytics events	14 months (Google Analytics platform default)
Legal hold data (if subject to litigation or regulatory enquiry)	Duration of the hold plus applicable statutory period

Upon account deletion, we initiate deletion of your Personal Data within 30 days. Some data may be retained in anonymised, aggregated form for statistical purposes with no ability to re-identify you.

8. Your Privacy Rights

8.1 Rights Under GDPR (EEA and UK Users)

If you are located in the EEA or UK, you have the following rights with respect to your Personal Data:

Right of Access (Art. 15): You may request a copy of all Personal Data we hold about you.
Right to Rectification (Art. 16): You may request correction of inaccurate or incomplete Personal Data.
Right to Erasure (Art. 17): You may request deletion of your Personal Data where there is no compelling reason for its continued processing.
Right to Restriction of Processing (Art. 18): You may request that we restrict processing of your data in certain circumstances.
Right to Data Portability (Art. 20): You may request your Personal Data in a structured, machine-readable format.
Right to Object (Art. 21): You may object to processing based on legitimate interests, including profiling.
Right to Withdraw Consent (Art. 7(3)): Where processing is based on consent, you may withdraw consent at any time without affecting the lawfulness of processing prior to withdrawal.
Right to Lodge a Complaint: You have the right to lodge a complaint with your local data protection supervisory authority. A list of EU supervisory authorities is available at edpb.europa.eu.

8.2 Rights Under CCPA/CPRA (California Residents)

If you are a California resident, you have the following rights:

Right to Know: You may request disclosure of the categories and specific pieces of Personal Information we have collected, used, disclosed, or sold about you in the preceding 12 months.
Right to Delete: You may request deletion of Personal Information we have collected from you, subject to certain exceptions.
Right to Correct: You may request correction of inaccurate Personal Information we maintain about you.
Right to Opt Out of Sale or Sharing: We do not sell or share Personal Information for cross-context behavioural advertising. Should this change, we will provide an opt-out mechanism.
Right to Non-Discrimination: We will not discriminate against you for exercising your privacy rights.
Right to Limit Use of Sensitive Personal Information: We will limit the use of sensitive personal information to purposes specified under CPRA.

California residents may designate an authorised agent to make a request on their behalf. We will verify the identity of the agent and the requestor before processing any request.

8.3 How to Exercise Your Rights

To exercise any of the rights described above, please contact us at privacy@toun.app with the subject line "Privacy Rights Request." We will respond within 30 days (GDPR) or 45 days (CCPA) of receiving your request. We may require verification of your identity before processing your request.

Many rights can be exercised directly within the TOUN application under Profile → Settings → Privacy & Data.

9. Children's Privacy

TOUN is not directed to children under the age of thirteen (13). We do not knowingly collect Personal Data from children under 13. If you are a parent or guardian and believe that your child has provided us with Personal Data without your consent, please contact us immediately at privacy@toun.app.

We will delete any Personal Data collected from a child under 13 upon becoming aware of such collection. In jurisdictions where a higher age of digital consent applies (e.g., 16 in certain EU member states), we require users to meet the applicable minimum age. We collect date of birth during registration for the purpose of age verification.

This policy is consistent with the Children's Online Privacy Protection Act (COPPA), the GDPR provisions on children's data, and applicable regional law.

10. International Data Transfers

TOUN is operated from the United States. If you access our Services from outside the United States, your Personal Data may be transferred to, stored, and processed in the United States or other countries where our service providers operate, which may have different data protection standards than your home country.

For users in the EEA and UK, where we transfer Personal Data to countries not recognised as providing adequate protection, we rely on appropriate safeguards including:

Standard Contractual Clauses (SCCs): Approved by the European Commission under implementing decision 2021/914, incorporated into our data processing agreements with processors in non-adequate countries.
Google's cross-border data transfer mechanisms: Google LLC participates in the EU-US Data Privacy Framework and applies SCCs for data transfers involving Firebase and Google Analytics.
Adequacy Decisions: Where transfers are to countries covered by an adequacy decision of the European Commission or the UK Secretary of State, we rely on such decisions.

You may request a copy of the applicable transfer mechanism by contacting us at privacy@toun.app.

11. Security Measures

We implement appropriate technical and organisational measures designed to protect your Personal Data against unauthorised access, accidental loss, destruction, or alteration. These measures include:

Transport Encryption: All data transmitted between the TOUN application and our backend is encrypted using TLS 1.2 or higher.
At-Rest Encryption: Personal Data stored in Firestore, Firebase Storage, and associated systems is encrypted at rest using AES-256 by Google's infrastructure.
Phone Number Hashing: Phone numbers used for contact discovery are hashed on-device using SHA-256 before any transmission, as described in Section 3.3.
App Integrity Verification: Firebase App Check (Play Integrity / DeviceCheck) verifies that all API requests originate from genuine, unmodified TOUN installations, protecting against bot-driven abuse.
Firestore Security Rules: Access to user data in Firestore is governed by declarative security rules that enforce authentication and ownership boundaries, users can only access their own data and shared pulse data of connections to which they are a party.
Minimal Privilege: Cloud Functions operate with minimal IAM permissions required for their specific function.
Crash Monitoring: Firebase Crashlytics monitors application stability and is configured to collect only anonymised diagnostic data in production.

Notwithstanding our security measures, no system is completely immune from attack. In the event of a personal data breach that is likely to result in a risk to your rights and freedoms, we will notify you and the relevant supervisory authority within the timeframes required by applicable law.

12. Cookies and Tracking Technologies

The TOUN website (toun.app) uses cookies and similar technologies. The TOUN mobile application does not use browser cookies; on-device data is managed via secure application storage (SQLite via Drift and SharedPreferences).

12.1 Types of Cookies We Use (Website Only)

Category	Name	Provider	Purpose	Duration
Strictly Necessary	toun_cookie_consent	TOUN	Stores your cookie consent preferences so we do not re-ask on every visit	12 months
Analytics (opt-in)	_ga, _ga_*, _gid	Google Analytics 4	Collects pseudonymous data on page visits, traffic sources, and user behaviour to help us improve the website	Up to 2 years (_ga); 24 hours (_gid)
Analytics (opt-in)	_gcl_au	Google	Conversion measurement (used by Google Analytics and Google Tag Manager)	90 days

12.2 Managing Cookie Preferences

You can manage your cookie preferences at any time by clicking the "Cookie Settings" link in the footer of any page on toun.app. You may withdraw consent for analytics cookies at any time; this will not affect any processing that took place before withdrawal.

You may also control cookies through your browser settings. Note that disabling certain cookies may affect the functionality of our website.

12.3 Do Not Track

We honour "Do Not Track" (DNT) browser signals. When a DNT signal is detected, we will not load analytics cookies regardless of consent stored in our cookie preference record.

13. Changes to This Policy

We reserve the right to update this Privacy Policy at any time. When we make material changes, we will notify you by:

Updating the "Last Updated" and "Version" dates at the top of this document.
Displaying an in-app notification or banner within the TOUN application.
Sending a push notification to your device (where you have enabled push notifications).

Where required by applicable law, we will obtain your explicit consent to any material changes before they take effect. Your continued use of the Services after the effective date of any changes constitutes your acceptance of the revised Privacy Policy.

We encourage you to review this Privacy Policy periodically. The current version is always available at toun.app/privacy.

14. Contact and Data Protection Officer

If you have any questions, concerns, or requests relating to this Privacy Policy or our data practices, please contact us:

Privacy Enquiries
Email: privacy@toun.app
General: hello@toun.app

We will acknowledge your enquiry within 48 hours and respond substantively within 30 days (or 45 days for CCPA requests, where an extension is applied).

Supervisory Authority Complaints:
If you are in the EEA and are not satisfied with our response, you have the right to lodge a complaint with your local supervisory authority. For a list of EU data protection authorities, visit edpb.europa.eu.