Privacy Policy
Last updated: 17 May 2026
Toxic or Nah ("the app", "we", "us") is a relationship chat analysis tool for entertainment and self-reflection. This Privacy Policy explains what information we collect, how we use it, and the choices you have. The app is operated by Alessandro Tramontin, Via Giuseppe Garibaldi 19, Ponte nelle Alpi (BL) 32014, Italy.
1. Information you provide
- Account email. When you sign in with email + OTP we store your email address to authenticate future sessions. On iOS and Android you can also use anonymous sign-in (no email required), in which case we only hold a random user identifier on the device.
- Chat screenshots. When you upload a screenshot for analysis, the image is briefly uploaded to our private storage and sent to Google Gemini (our AI provider) for processing. Screenshots are automatically deleted from our storage as soon as the analysis completes (success or failure). Any orphaned uploads from interrupted sessions are purged automatically within 24 hours. Screenshots are never used to train AI models and are never shared with third parties beyond Gemini itself. Only you can read your own uploads while they exist.
- Person details. Names, relationship status, and avatar photos you add for the people you analyze.
- Quiz answers. Three short questions we ask before the analysis (who he is to you, what you want to know, what your friends say). Used to personalize the result and the paywall recommendation.
- Payment info. Handled entirely by the payment processor (Stripe on the web, Apple In-App Purchase on iOS, Google Play Billing on Android). We never see or store your card number. We only store your customer / subscription identifier and current subscription status.
2. Information we collect automatically
- Basic technical data (browser, device type, operating system) used to render the app correctly.
- Anonymous session identifier (a random string stored in your browser's localStorage) so the app can attribute usage before you sign in.
- Push notification token (when you opt in) so we can deliver Sigils and pattern alerts.
- We do not use third-party advertising cookies, tracking pixels, or analytics that share data with ad networks.
3. Third-party services (data processors)
- Google Gemini API (Google LLC, USA) — receives the chat text and produces the analysis. Google's processing of this data is subject to their Gemini API Terms. Google provides a level of data protection equivalent to the safeguards described in this policy.
- Supabase (Supabase Inc., USA, with EU-region storage) — our database, authentication, and file storage provider.
- Stripe (Stripe Payments Europe Ltd) — handles web payments and customer portal.
- Apple App Store (Apple Inc.) — handles iOS in-app purchases and subscription management.
- Google Play (Google LLC) — handles Android in-app purchases and subscription management.
- Apple Push Notification Service (APNs) — delivers iOS push notifications.
- Firebase Cloud Messaging (FCM) (Google LLC) — delivers Android push notifications.
- Vercel (Vercel Inc., USA) — hosts the web application.
4. How we use your data
- To run the analysis you requested and personalize subsequent insights.
- To display your history (Connections, past analyses, Soul Type evolution).
- To manage your subscription and process payments.
- To deliver opt-in push notifications (Sigils, pattern alerts).
- To prevent abuse and protect the service.
- We do not sell or share your data with advertisers.
- We do not train AI models on your chats.
5. Your rights (GDPR / UK GDPR)
If you live in the European Economic Area, UK, or Switzerland you have the right to access, rectify, port, delete, and restrict processing of your personal data, plus the right to withdraw consent and to lodge a complaint with your local data protection authority.
You can exercise these rights directly:
- Export your data: Settings → Privacy & Data → Download My Data. A JSON export of every row tied to your account is generated on the spot.
- Delete your account: Settings → Privacy & Data → Delete My Account. This permanently removes your stored chats, analyses, saved guys, and auth record within 24 hours.
- Other requests: email rafcabana0000@gmail.com. We respond within 30 days.
6. Your rights (California — CCPA / CPRA)
California residents have the right to know what personal information we have collected about them, to delete that information, and to opt out of any sale or sharing of personal information. We do not sell or share personal information as those terms are defined under the CCPA. To exercise your rights, use the in-app controls above or email rafcabana0000@gmail.com.
7. Data retention
Active accounts retain data until deleted by you. Deleted accounts are purged from our active systems within 24 hours and from automated backups within 30 days. Stripe / Apple / Google retain transaction records as required by tax and accounting law (typically 7-10 years).
8. Security
Data in transit is encrypted with TLS. Data at rest in Supabase is encrypted by the platform. Authentication uses short-lived JWT tokens. Row-level security policies ensure no user can read another user's data.
9. Children
Toxic or Nah is intended for users aged 18 and older. We do not knowingly collect data from anyone under 18. If you believe a minor has provided us with personal information, email rafcabana0000@gmail.com and we will delete it.
10. Changes to this policy
We may update this Privacy Policy as the product evolves. Material changes will be communicated in-app and via email (for users with email accounts). The "Last updated" date at the top of this page always reflects the current version.
11. Contact
Questions or requests: rafcabana0000@gmail.com.