Privacy Policy

Effective Date: December 2, 2025 | Last Updated: December 2, 2025

Welcome to Toneful ("we," "our," or "us"). We are committed to protecting your privacy and ensuring transparency about how we collect, use, and safeguard your personal information. This Privacy Policy explains our data practices for the Toneful Chrome extension and web service (collectively, the "Service").

Toneful is a communication confidence tool that helps you articulate your thoughts clearly across email, messaging, and professional platforms. We understand that you trust us with sensitive communication content, and we take that responsibility seriously.

By using Toneful, you agree to the practices described in this Privacy Policy. If you do not agree with this policy, please do not use our Service.

1. Information We Collect

1.1 Information You Provide Directly

Account Information:

• Email address (used as your unique identifier and for account-related communications)
• Password (stored securely using bcrypt hashing - we never store plain-text passwords)
• Full name (optional, if provided during registration)

Payment Information:

• Billing details processed through Stripe (our payment processor)
• We do NOT store your credit card information on our servers
• Stripe securely handles all payment card data in compliance with PCI DSS standards

Communication Content:

• Message fragments you enter for transformation
• AI-generated response options
• Your selected message options (which of the 3 options you chose)
• Transform history (stored for your personal reference and usage tracking)
• Context information (personal/professional setting)

Subscription and Purchase Information:

• Subscription tier (Free or Personal)
• Monthly transform usage (tracked against your plan limits)
• Lifetime transform count
• Expert Pack purchases and access

1.2 Information Collected Automatically

Usage Data:

• Number of transforms performed
• Features used (transform frequency, Expert Packs accessed)
• Which option you selected (1, 2, or 3) for analytics
• User actions (used, dismissed, regenerated)
• Error logs and diagnostic information

Technical Data:

• Browser type and version
• Operating system
• Device type
• IP address (for security, rate limiting, and fraud prevention)
• Chrome extension version

1.3 Chrome Extension Permissions

The Toneful Chrome extension requests the following permissions:

• storage: To save your preferences and authentication state locally
• tabs: To detect which communication platform you're using
• activeTab: To inject our sidebar into supported platforms
• cookies: To maintain your authentication session
• Host permissions: Access to Gmail, Outlook, LinkedIn, and WhatsApp Web to provide our sidebar functionality

2. Your Privacy Controls

Toneful offers a 3-tier privacy system that lets you control how your data is used:

Basic (Default):

• Anonymous selection tracking only (which option number you chose)
• No content analysis or personalization
• Minimum data collection for service operation

Improved:

• Edit pattern analysis to improve suggestions
• Anonymous aggregated insights
• No personal content stored for training

Personalized:

• Learning from your communication style preferences
• Personalized suggestions based on your history
• Still NOT used for AI model training

You can change your privacy tier at any time in Settings.

3. How We Use Your Information

3.1 To Provide and Improve the Service

• Process your message fragments through AI to generate communication options
• Create and manage your account, authenticate your identity
• Monitor your monthly transform usage against your plan limits
• Enable Personal features and Expert Packs based on your subscription
• Analyze usage patterns to improve user experience (aggregated, non-identifiable data only)

4. How We Share Your Information

We do not sell your personal information to third parties. We share your information only in the following limited circumstances:

4.1 Service Providers

We share information with trusted third-party service providers:

• Stripe: Payment processing for subscriptions and Expert Pack purchases
• Anthropic (Claude API): AI service that processes your messages to generate suggestions. Messages are processed in real-time for transformation only - Anthropic does not retain or train on your content.
• Supabase: Database hosting and authentication services
• Vercel: Hosting infrastructure for our web application and API

5. Your Privacy Rights

Depending on your location, you may have certain rights regarding your personal information:

5.1 Right to Access

You can view most of your information directly in your account settings or request a complete data export by emailing privacy@toneful.io.

5.2 Right to Deletion

You can permanently delete your account through Settings > Account > Delete Account. This will remove all your personal information, transform history, and usage statistics (excluding payment records required for legal compliance).

5.3 Right to Data Portability

You can export your data in JSON format through your account settings.

5.4 Right to Opt-Out

You can change your privacy tier to "Basic" at any time to minimize data collection.

6. Data Retention

• Account Information: Retained while your account is active, deleted within 30 days of account deletion request
• Transform History: Retained while your account is active, deleted within 30 days of account deletion request
• Payment Records: Retained for 7 years (legal requirement for tax and audit purposes)
• Technical Logs: Retained for 90 days for debugging and security purposes
• Usage Statistics: Aggregated, anonymized statistics may be retained indefinitely

7. Security

We implement industry-standard security measures to protect your data:

• TLS/HTTPS encryption for all data in transit
• Encrypted data storage at rest
• bcrypt password hashing (passwords are never stored in plain text)
• JWT-based authentication with HTTP-only cookies
• Rate limiting to prevent abuse and protect against attacks
• Row-level security (RLS) in our database to ensure users can only access their own data
• Regular security monitoring and updates

8. Children's Privacy

Toneful is not intended for children under 13 years of age. We do not knowingly collect personal information from children under 13. If you are a parent or guardian and believe your child has provided us with personal information, please contact us immediately at privacy@toneful.io and we will delete such information.

9. International Users

Toneful operates from and stores data primarily in the United States. If you are located outside the United States, your information will be transferred to, stored, and processed in the United States.

For users in the European Economic Area (EEA) or United Kingdom, we rely on Standard Contractual Clauses (SCCs) approved by the European Commission for international data transfers.

10. California Privacy Rights (CCPA)

If you are a California resident, you have additional rights under the California Consumer Privacy Act (CCPA):

• Right to know what personal information we collect and how it's used
• Right to delete your personal information
• Right to opt-out of the sale of personal information (we do not sell your data)
• Right to non-discrimination for exercising your privacy rights

11. Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes to our practices or for legal, operational, or regulatory reasons. Material changes will be communicated via email at least 30 days before taking effect. Your continued use of Toneful after changes become effective constitutes acceptance of the updated policy.

12. Contact Us

If you have questions, concerns, or requests regarding this Privacy Policy or your personal data:

Email: privacy@toneful.io
General Support: support@toneful.io
Response Time: We aim to respond to all privacy-related inquiries within 30 days