Tovi — Privacy Policy

Effective date: June 14, 2025

Last updated: May 24, 2026

This Privacy Policy explains how the operators of Tovi ("Tovi," "we," "us," or "our") collect, use, store, share, and protect your Personal Data when you use the Tovi mobile application and any associated features, content, APIs, or tools (collectively, the "Service"). It also explains your rights and how to exercise them.

This Privacy Policy is incorporated by reference into our Terms of Use and forms part of the same agreement. All defined terms used but not defined here have the meanings given to them in the Terms of Use. In the event of any conflict between this Privacy Policy and the Terms of Use, the Terms of Use govern, except where this Privacy Policy provides greater protection for your Personal Data, in which case this Privacy Policy controls.

By using the Service, you acknowledge that you have read and understood this Privacy Policy. If you do not agree with the practices described here, please do not use the Service.

Who We Are (Data Controller)
Definitions
What Data We Collect and Why
Legal Basis for Processing (GDPR / UK GDPR)
How We Use Your Data
Data Sharing and Third-Party Processors
International Data Transfers
Data Retention
Children's Privacy
Content Moderation and AI Filtering
Cookies and Tracking Technologies
Data Security
Data Breach Notification
Your Rights
How to Exercise Your Rights
Automated Decision-Making and the EU AI Act
Changes to This Policy
Contact Us

1. Who We Are (Data Controller)

For the purposes of Regulation (EU) 2016/679 (the "GDPR"), the UK GDPR as retained under Section 3 of the European Union (Withdrawal) Act 2018 (c. 16) and supplemented by the Data Protection Act 2018 (c. 12), and other applicable data protection law, Tovi is the data controller responsible for your Personal Data collected in connection with the Service.

Contact: support@tovi.app

We do not currently have a designated Data Protection Officer (DPO), as we do not meet the thresholds under Article 37 of the GDPR that make appointing one mandatory. All data protection inquiries should be directed to the contact above.

If you are located in the European Economic Area or the United Kingdom and have concerns that cannot be resolved directly with us, you have the right to lodge a complaint with the relevant supervisory authority in your jurisdiction (see Section 14).

2. Definitions

The following definitions apply throughout this Privacy Policy and are consistent with the definitions set out in Section 1 of the Terms of Use:

"Service" — The Tovi mobile application and any associated features, content, APIs, or tools made available by Tovi.

"Personal Data" — Any information relating to an identified or identifiable natural person, as defined under Article 4(1) of Regulation (EU) 2016/679 (GDPR) and equivalently under the UK GDPR and Section 3 of the Data Protection Act 2018 (c. 12). This includes "personal information" as defined under 15 U.S.C. § 6501(8) of COPPA. For the avoidance of doubt, IP addresses and device identifiers constitute Personal Data under applicable law.

"Processing" — Any operation performed on Personal Data, as defined under Article 4(2) of Regulation (EU) 2016/679 and the equivalent provision of the UK GDPR.

"Child" / "Children" — For purposes of U.S. law, any individual under the age of 13, as defined under the Children's Online Privacy Protection Act (15 U.S.C. § 6501(1)). For purposes of EU law, any individual under the age of 16, or such lower age as permitted by the applicable EU Member State under Article 8(1) of Regulation (EU) 2016/679. For purposes of UK law, any individual under the age of 13, pursuant to the UK GDPR and the ICO's Age Appropriate Design Code issued under Section 123 of the Data Protection Act 2018 (c. 12).

"Third-Party Processor" — A third party that processes Personal Data on our behalf under a data processing agreement consistent with Article 28 of the GDPR and equivalent provisions.

"Mobile Platform" — The third-party app distribution platform through which you download the Service.

"AI Content" — Text, exercises, study paths, feedback, or other outputs generated using artificial intelligence models integrated within the Service.

3. What Data We Collect and Why

We collect the minimum Personal Data necessary to provide and improve the Service, consistent with the data minimization principle under Article 5(1)(c) of the GDPR.

3.1 Data You Provide Directly

Email address — used for account creation, authentication, and service communications.

Password — stored as a one-way cryptographic hash. We never store or transmit your password in plaintext.

Onboarding inputs (skill goal, experience level, motivation, learning style, available time) — used to generate your personalized AI-powered learning journey.

Learning progress (XP, streaks, completed content) — used to track and display your progress within the Service.

3.2 Data Collected Automatically

IP address — used for security monitoring, fraud prevention, and approximate geolocation for legal compliance purposes.

Device information (device type, operating system version) — used for compatibility, performance optimization, and crash diagnosis.

App usage data (screens visited, session duration, feature interactions) — used for analytics and Service improvement.

Crash logs and error reports — used to diagnose and resolve technical issues.

Important: Under Article 4(1) of Regulation (EU) 2016/679, the 2025 COPPA Final Rule (16 C.F.R. Part 312), and the UK GDPR, IP addresses and device identifiers are Personal Data because they can identify or be used to identify an individual. We treat them accordingly throughout our practices and under this Policy.

3.3 Data We Do Not Collect

We do not collect government-issued identification numbers, payment card or banking details (all payments are processed by the Mobile Platform through which you downloaded the Service and we have no access to this data), precise geolocation data, biometric data, health or medical information, or sensitive special category data as defined under Article 9 of the GDPR.

4. Legal Basis for Processing (GDPR / UK GDPR)

If you are located in the European Economic Area or the United Kingdom, we are required to identify a lawful basis for each purpose for which we process your Personal Data, pursuant to Article 6 of Regulation (EU) 2016/679 and the equivalent provisions of the UK GDPR.

Providing the Service (account creation, authentication, learning journey generation, progress tracking) — we process this data on the basis of performance of a contract to which you are a party, pursuant to Article 6(1)(b) of the GDPR.

Improving the Service through analytics and crash diagnostics — we process this data on the basis of legitimate interests pursued by Tovi (improving our product and resolving technical issues), pursuant to Article 6(1)(f) of the GDPR, which are not overridden by your interests or rights.

Security monitoring and fraud prevention — we process this data on the basis of legitimate interests pursued by Tovi (protecting the integrity and security of our systems and users), pursuant to Article 6(1)(f) of the GDPR.

Compliance with legal obligations (including COPPA parental consent requirements and data breach notification) — we process this data on the basis of compliance with a legal obligation to which we are subject, pursuant to Article 6(1)(c) of the GDPR.

Service-related communications (account notifications, policy updates, security alerts) — we process this data on the basis of performance of a contract or legitimate interests, pursuant to Article 6(1)(b) or 6(1)(f) of the GDPR.

Processing based on your consent (for example, optional features or AI training if ever offered as a separate opt-in) — where applicable, we process this data on the basis of consent pursuant to Article 6(1)(a) of the GDPR.

Where we rely on legitimate interests as our lawful basis, we have determined that our interests are not overridden by your interests, rights, or freedoms, having regard to the nature of the data and the reasonable expectations of users of a learning application. You have the right to object to processing based on legitimate interests at any time (see Section 14).

Where we rely on consent, you may withdraw it at any time without affecting the lawfulness of processing carried out before withdrawal, pursuant to Article 7(3) of the GDPR.

5. How We Use Your Data

We use the Personal Data described in Section 3 for the following purposes:

Personalizing your learning experience — your onboarding inputs are used to generate a customized AI-powered learning journey tailored to your goals, experience, and available time.

Operating and maintaining your Account — including authentication, saving your progress, and enabling access to features you have subscribed to.

Content moderation — your inputs are assessed as part of our content moderation process to help ensure AI Content delivered to you is appropriate and safe. See Section 10 for full details.

Improving the Service — aggregate and anonymized usage data helps us understand how users interact with the app and where improvements can be made.

Security and integrity — monitoring for unauthorized access, abuse, and technical vulnerabilities.

Legal compliance — fulfilling our obligations under applicable law, including data protection law, children's privacy law, and applicable regulatory or court orders.

Service communications — sending you service-related notices such as account confirmations, policy updates, and security alerts. We do not send marketing communications without your separate consent.

We do not use your Personal Data for targeted advertising or behavioral profiling for advertising purposes, for sale or rental to third parties, or for training or fine-tuning third-party AI models without your explicit, separate, informed consent — and for Children under 13, without separate verifiable parental consent, in compliance with 16 C.F.R. Part 312 (effective June 23, 2025) and Article 6(1)(a) of Regulation (EU) 2016/679.

6. Data Sharing and Third-Party Processors

We do not sell your Personal Data. We share Personal Data only in the following circumstances.

6.1 Third-Party Processors

We engage trusted Third-Party Processors to help us operate the Service. These providers are permitted to use your Personal Data only as necessary to perform services for us, under contractual terms consistent with Article 28 of the GDPR, equivalent provisions of the UK GDPR, and 16 C.F.R. § 312.8.

Our current categories of Third-Party Processors are as follows:

Cloud infrastructure and database providers — used for hosting, storage, authentication, and basic analytics. Data shared includes account data, usage data, and crash logs.

AI content generation providers — used to generate personalized educational content based on your onboarding inputs. These providers receive only the data necessary to generate content (your learning goals, experience level, and skill inputs) and do not receive your email address or payment information.

Crash diagnostics and performance monitoring providers — used to identify and resolve technical errors. Data shared includes device information, crash logs, and error reports.

We do not name specific vendors in this Policy as providers may change. We maintain an up-to-date record of sub-processors and will provide it upon request at support@tovi.app.

6.2 Legal Disclosures

We may disclose Personal Data to law enforcement, regulatory authorities, or other third parties if required by applicable law, court order, or legal process, or if we believe in good faith that such disclosure is necessary to comply with a legal obligation, protect and defend our rights or property, prevent or investigate possible wrongdoing in connection with the Service, or protect the safety of users or the public.

6.3 Business Transfers

If Tovi is involved in a merger, acquisition, asset sale, or similar corporate transaction, your Personal Data may be transferred as part of that transaction. We will provide notice before your Personal Data becomes subject to a materially different privacy policy and will, where required by applicable law, seek your consent.

6.4 Aggregated or Anonymized Data

We may share aggregated, anonymized data that cannot reasonably be used to identify you with partners or publicly. This does not constitute sharing of Personal Data.

7. International Data Transfers

Tovi uses infrastructure and Third-Party Processors that may be located in various countries, including the United States. If you are located in the European Economic Area or the United Kingdom, your Personal Data may be transferred to and processed in countries outside the EEA or UK that may not provide an equivalent level of data protection.

Where we transfer Personal Data outside the EEA or UK, we ensure appropriate safeguards are in place as required by Chapter V of the GDPR and equivalent provisions of the UK GDPR. These safeguards include adequacy decisions issued by the European Commission or the UK Secretary of State under Article 45 of the GDPR where available for the destination country, or Standard Contractual Clauses (SCCs) adopted by the European Commission under Article 46(2)(c) of the GDPR, or the equivalent International Data Transfer Agreement (IDTA) or UK Addendum approved under the UK GDPR, incorporated into our agreements with relevant Third-Party Processors.

You may request details of the specific safeguards applicable to transfers of your Personal Data by contacting us at support@tovi.app.

8. Data Retention

We retain Personal Data only for as long as is necessary for the purposes for which it was collected, consistent with the storage limitation principle under Article 5(1)(e) of the GDPR and in compliance with the prohibition on indefinite data retention under the FTC's 2025 COPPA Final Rule (16 C.F.R. Part 312, effective June 23, 2025).

Account data (email address, password hash) — retained for the duration of your Account, plus up to 90 days after deletion to allow for account recovery if requested, then permanently deleted.

Onboarding inputs and learning progress data — retained for the duration of your Account, then deleted upon Account deletion.

Usage analytics data (aggregated) — retained for up to 24 months from collection, then anonymized or deleted.

Device and IP log data — retained for up to 90 days from collection for security purposes, then deleted.

Children's Personal Data (users under 13) — deleted promptly upon: (a) verified parent or guardian request; (b) discovery of collection without verifiable parental consent; or (c) Account deletion — whichever is earliest. Not retained beyond the purpose for which it was collected, in compliance with 16 C.F.R. § 312.10.

Data subject to legal hold — retained for the duration of any applicable legal obligation, regulatory investigation, or litigation hold, then deleted.

When you delete your Account, we will begin the deletion process within 30 days. Certain data may be retained for longer periods where required by applicable law or for the establishment, exercise, or defense of legal claims, as permitted under Article 17(3) of the GDPR. These retention obligations continue to apply following termination of the Terms of Use.

9. Children's Privacy

9.1 Minimum Age

The Service is not directed to or intended for use by Children under 13. We do not knowingly collect Personal Data from Children under 13 without first obtaining verifiable parental consent, in accordance with the Children's Online Privacy Protection Act (15 U.S.C. §§ 6501–6506) and the FTC's implementing regulations (16 C.F.R. Part 312), as amended by the FTC's 2025 Final Rule (effective June 23, 2025). Eligibility requirements and age-related consent obligations are set out in full in Section 3 of the Terms of Use.

9.2 Parental Consent

Where a Child under the applicable consent age wishes to use the Service, a parent or legal guardian must provide verifiable consent before Personal Data is collected. We rely on users to accurately represent their age. If we discover we have collected Personal Data from a Child under 13 without verifiable parental consent, we will delete that data promptly and without undue delay, as required under 16 C.F.R. § 312.10.

9.3 Parental Rights Under COPPA

Parents or guardians of Children who use or have used the Service may contact us at support@tovi.app to exercise the following rights under 16 C.F.R. § 312.6:

Request a description of the types of Personal Data we have collected from their Child, pursuant to 16 C.F.R. § 312.6(a)(1).
Request deletion of their Child's Personal Data, pursuant to 16 C.F.R. § 312.6(a)(2).
Withdraw consent and direct us to cease further collection or use of their Child's Personal Data, pursuant to 16 C.F.R. § 312.6(a)(3).
Agree to the collection and use of their Child's Personal Data while directing us not to disclose it to third parties, pursuant to 16 C.F.R. § 312.6(a)(4).

We will respond to verified parental requests within 30 days.

9.4 No AI Training on Children's Personal Data

Consistent with the FTC's 2025 COPPA Final Rule, we do not disclose Children's Personal Data to third parties for the purpose of training, fine-tuning, or otherwise developing artificial intelligence or machine learning models without first obtaining separate, verifiable parental consent. This applies to all Children under 13 regardless of jurisdiction, and to users under 16 in the EEA pursuant to Article 8(1) of Regulation (EU) 2016/679.

9.5 UK Children's Code

For users in the United Kingdom, we apply the standards of the ICO's Age Appropriate Design Code issued under Section 123 of the Data Protection Act 2018 (c. 12), including applying high privacy and safety settings by default for users likely to be under 18, and not using the Personal Data of child users in ways that are detrimental to their wellbeing.

10. Content Moderation and AI Filtering

We implement content moderation measures designed to filter AI Content for language and material that is inappropriate, harmful, or unsuitable for our users. These measures include automated filtering applied to AI-generated outputs prior to delivery to you, with the specific aim of ensuring that learning journeys and AI-generated educational content are age-appropriate and free from harmful, offensive, or misleading material.

For users in the United Kingdom, these moderation practices are applied consistently with the ICO's Age Appropriate Design Code issued under Section 123 of the Data Protection Act 2018 (c. 12), which requires services likely to be accessed by children to apply high safety standards by default.

We cannot guarantee that all AI Content will be entirely free from inappropriate, inaccurate, unsuitable, or offensive material. No automated filtering system is perfect, and AI systems may produce unexpected outputs despite our best efforts. If you encounter AI Content that you believe is inappropriate, harmful, inaccurate, or otherwise concerning, please report it to us immediately at support@tovi.app with the subject line "Content Report." We take all content reports seriously, investigate them promptly, and use them to improve our filtering systems.

Processing of content reports may involve a limited review of the AI Content and input data associated with the report, conducted solely for moderation and safety purposes.

11. Cookies and Tracking Technologies

As a mobile application, Tovi does not use browser cookies. However, we and our Third-Party Processors may use analogous mobile tracking technologies, including device identifiers such as advertising IDs or similar persistent identifiers assigned by your device's operating system, session tracking to record app usage patterns and feature interactions as described in Section 3.2, and crash reporting tools that automatically capture device state and error logs when the app encounters a technical error.

Where such tracking is not strictly necessary to provide the Service, we will seek your consent where required by applicable law, including the EU ePrivacy Directive (2002/58/EC) and its national implementations.

You may limit certain tracking by adjusting your device's privacy settings, including resetting your advertising ID or opting out of analytics tracking through your device's operating system settings. Note that limiting tracking may affect some features of the Service.

12. Data Security

We implement appropriate technical and organizational measures to protect your Personal Data against unauthorized access, disclosure, alteration, loss, or destruction, in accordance with Article 32 of Regulation (EU) 2016/679 and equivalent provisions of the UK GDPR.

These measures include encryption in transit using industry-standard TLS protocols for all data transmitted between your device and our servers; encryption at rest for Personal Data stored on our servers; access controls that restrict access to Personal Data to personnel and systems with a legitimate operational need, protected by authentication controls; password security through one-way cryptographic hashing so that plaintext passwords are never stored or transmitted; contractual requirements for Third-Party Processors to maintain appropriate technical and organizational security measures; and a written incident response procedure for identifying, assessing, containing, and responding to security incidents, consistent with Article 33 of the GDPR.

While we take robust precautions, no system is entirely immune from risk. The transmission of data over the internet and mobile networks carries inherent risk, and we cannot guarantee absolute security. You are responsible for maintaining the confidentiality of your Account credentials and for notifying us promptly at support@tovi.app (subject line: "Security") if you suspect unauthorized access to your Account.

13. Data Breach Notification

In the event of a Personal Data breach as defined under Article 4(12) of Regulation (EU) 2016/679, we will comply with all applicable notification obligations. This includes notifying the relevant supervisory authority without undue delay and, where feasible, within 72 hours of becoming aware of the breach, as required under Article 33 of the GDPR and equivalent provisions of the UK GDPR; notifying affected Users without undue delay where the breach is likely to result in a high risk to their rights and freedoms, in accordance with Article 34 of the GDPR; and complying with applicable U.S. state data breach notification statutes in the jurisdiction or jurisdictions relevant to affected users.

We are not liable for any breach that results from your failure to maintain the security of your Account credentials.

14. Your Rights

Depending on your jurisdiction, you have the following rights with respect to your Personal Data. We will respond to all rights requests within 30 days of receipt, extendable to 90 days for complex or multiple requests as permitted under Article 12(3) of the GDPR. We will not charge a fee for exercising your rights unless requests are manifestly unfounded or excessive under Article 12(5) of the GDPR.

Rights Under GDPR and UK GDPR (EEA and UK Users)

Right of access (Article 15 GDPR) — the right to obtain confirmation of whether we process your Personal Data and to receive a copy, along with information about how it is processed.

Right to rectification (Article 16 GDPR) — the right to have inaccurate or incomplete Personal Data corrected without undue delay.

Right to erasure / "right to be forgotten" (Article 17 GDPR) — the right to request deletion of your Personal Data in certain circumstances, including where it is no longer necessary for the purpose collected or where you withdraw consent.

Right to restriction of processing (Article 18 GDPR) — the right to request that we limit processing of your Personal Data in certain circumstances.

Right to data portability (Article 20 GDPR) — the right to receive your Personal Data in a structured, commonly used, machine-readable format and to transmit it to another controller where technically feasible.

Right to object (Article 21 GDPR) — the right to object to processing based on legitimate interests or for direct marketing. Where you object to legitimate interests processing, we will cease unless we can demonstrate compelling legitimate grounds that override your interests.

Right to withdraw consent (Article 7(3) GDPR) — where processing is based on consent, the right to withdraw at any time without affecting the lawfulness of prior processing.

Right to lodge a complaint (Article 77 GDPR) — the right to lodge a complaint with the supervisory authority in your EU Member State of habitual residence, place of work, or place of the alleged infringement. For UK users, this is the Information Commissioner's Office (ICO) at ico.org.uk.

Rights Under COPPA (U.S. — Children's Data)

Parents and guardians of Children under 13 have the rights set out in Section 9.3 of this Policy under 16 C.F.R. § 312.6.

Rights Under California Law

California residents have rights under the California Consumer Privacy Act (Cal. Civ. Code §§ 1798.100 et seq.) as amended by the California Privacy Rights Act (Proposition 24, 2020), including the right to know, the right to delete, the right to correct, the right to opt-out of sale or sharing, and the right to non-discrimination for exercising these rights. We do not sell or share Personal Data as defined under Cal. Civ. Code §§ 1798.140(ad) and 1798.140(ah).

Dispute Resolution

Any dispute relating to the exercise of your rights under this Privacy Policy is subject to the dispute resolution provisions of Section 16 of the Terms of Use, including the binding arbitration clause and class action waiver, except where those provisions conflict with mandatory applicable law in your jurisdiction as described in Terms of Use Section 16.5.

15. How to Exercise Your Rights

To exercise any of the rights described in Section 14, please contact us at support@tovi.app with the subject line "Privacy Request — [right you are exercising]." Please include your full name, the email address associated with your Account, your jurisdiction, and a clear description of your request. We may ask you to verify your identity before processing your request to protect against unauthorized disclosure of your Personal Data.

For parental requests under COPPA, please confirm that you are the parent or legal guardian of the Child in question and include sufficient information for us to locate the relevant data.

16. Automated Decision-Making and the EU AI Act

16.1 Automated Processing

The Service uses artificial intelligence technologies to generate personalized learning content and journeys based on your onboarding inputs. This constitutes automated processing of your Personal Data within the meaning of Article 22 of Regulation (EU) 2016/679. However, we do not carry out solely automated decision-making that produces legal effects or similarly significant effects on you within the meaning of Article 22(1) of the GDPR.

The AI-generated learning paths and content produced by the Service are informational and educational in nature. You retain full control over how you engage with them, and no automated decision produces a legally or similarly significant outcome for you, such as a denial of services, financial decisions, or employment-related outcomes. If this practice changes, we will update this Policy and provide you with the disclosures required under Article 13(2)(f) of the GDPR.

16.2 EU AI Act

To the extent applicable, Tovi's use of AI systems is conducted with awareness of Regulation (EU) 2024/1689 of the European Parliament and of the Council (the EU Artificial Intelligence Act, "EU AI Act"), which entered into phased application from August 2024. We do not employ AI systems that are prohibited under Article 5 of the EU AI Act. Where our AI systems constitute "high-risk" systems under Annex III of the EU AI Act, we will comply with applicable obligations as they come into force. We will update this Section and our practices as further provisions of the EU AI Act become applicable.

17. Changes to This Policy

We reserve the right to update this Privacy Policy at any time. When we make material changes, we will notify you by one or more of the following methods: in-app notification, email to the address associated with your Account, or a prominent notice within the Service, with reasonable advance notice prior to the changes taking effect.

For users in the EU or UK where material changes adversely affect your rights, we will provide at least 30 days' advance notice and you will have the right to terminate your Account without penalty pursuant to applicable mandatory consumer protection law.

The "Last updated" date at the top of this document reflects the date of the most recent revision. Your continued use of the Service after the effective date of any change constitutes your acceptance of the updated Privacy Policy. If you do not agree, you must stop using the Service and delete your Account.

18. Contact Us

General privacy inquiries: support@tovi.app

Formal data rights requests: support@tovi.app (subject line: "Privacy Request — [right you are exercising]")

Parental / COPPA requests: support@tovi.app (subject line: "Privacy Request — COPPA")

Content moderation reports: support@tovi.app (subject line: "Content Report")

Data breach or security concerns: support@tovi.app (subject line: "Security")

We aim to respond to all inquiries within five (5) business days.

You also have the right to contact the relevant supervisory authority directly. For EU users, this is the data protection supervisory authority in your EU Member State of habitual residence or place of work. For UK users, this is the Information Commissioner's Office (ICO) at ico.org.uk. For U.S. users, this is the Federal Trade Commission at ftc.gov.

Tovi is an independent product. Not affiliated with or endorsed by any academic institution, certification body, government authority, or professional licensing organization.