privacy policy

Privacy Policy

Last updated June 9, 2026

This Privacy Policy (the “Policy”) describes how Toxome LLC, a New York limited liability company (“Toxome,” “we,” “us,” or “our”), collects, uses, discloses, and otherwise processes personal data in connection with the website located at toxome.app(the “Site”), the Toxome iOS application (the “App”), and the Toxome browser extension (the “Extension,” and together with the Site and the App, the “Services”).

This Policy forms part of, and should be read together with, our Terms of Use. By accessing or using the Services, you acknowledge that you have read and understood this Policy. Capitalized terms used but not defined in this Policy have the meanings given to them in the Terms of Use.

1. Data Controller

For the purposes of the EU General Data Protection Regulation (Regulation (EU) 2016/679) (the “GDPR”) and the UK GDPR, the data controller responsible for your personal data is Toxome LLC, a New York limited liability company. Our contact details are set out in Section 13 (Contact) below. Toxome has not appointed a data protection officer, as it is not required to do so under Article 37 of the GDPR.

2. Personal Data We Collect

We collect the following categories of personal data.

2.1 Account Data

When you register for an account through the Site or the App, we collect your email address and, where you provide them, your display name and profile photograph. Authentication is performed by Firebase Authentication, a service provided by Google LLC. We use this data to authenticate you, to associate your activity across the Services, and to send you transactional communications, including sign-in links and material notices concerning your account or the Services.

2.2 Service Data

When you use the App to scan a garment label, we collect and store the photograph of the label, the fibre composition extracted from it, the brand and category identified, and the corresponding Toxome Rating. Scans you save to your closet are retained in your account until you delete them. On the Site, we store the items you save to your wishlist and the filters you apply when browsing. We receive your subscription status from Apple, via RevenueCat, in order to determine your entitlement to premium features. During onboarding in the App, you may elect to provide preference information (including concerns, gender, budget, and focus areas), which we use to personalize the Services and which you may amend or delete at any time.

2.3 Technical and Analytics Data

We collect technical information generated by your use of the Services, including device type, browser type, approximate location derived from your IP address, and the pages or screens you access. The Services use a single first-party analytics identifier, stored on your device, to distinguish visits within our own aggregated reporting. We do not employ third-party advertising trackers and do not engage in cross-site tracking. The processing of this analytics identifier is subject to the consent requirements described in Section 5 (Cookies and Similar Technologies).

2.4 Extension Data

The Extension identifies the fibre composition, product name, brand, and image on clothing retail pages you visit, solely in order to display a garment score on the page before you. The Extension operates only on pages that disclose a fibre composition and remains inactive on all other pages. It does not read your browsing history, monitor the sites you visit, or construct a profile of you. Scoring is performed locally within the Extension, on your device; product information is transmitted to Toxome only where you elect to save an item to your wishlist or closet, in which case the product name, brand, image, link, and score are stored in your account. Authentication within the Extension uses Firebase, and your session is stored locally in the browser's extension storage.

Where the GDPR or the UK GDPR applies, we process your personal data on the following legal bases:

4. Purposes of Processing

We process personal data in order to:

We do not sell your personal data.

5. Cookies and Similar Technologies

The Site uses strictly necessary cookies to maintain your authenticated session. The Site also uses a single first-party analytics identifier, stored in your browser, to distinguish visits within our own aggregated reporting; this identifier is not an advertising tracker, is not shared with third parties, and is not used for cross-site tracking. Where you access the Services from the European Economic Area or the United Kingdom, we obtain your consent before storing the analytics identifier on your device, in accordance with applicable ePrivacy laws; where you access the Services from other jurisdictions, the identifier is set without a prior consent requirement, consistent with applicable law. The App relies on standard identifiers provided by Apple and governed by Apple's App Tracking Transparency framework; we do not request tracking permission, as we do not require it.

6. Recipients and Disclosures

We do not sell your personal data. We disclose personal data only to the service providers that enable us to operate the Services, and only to the extent necessary for them to perform their functions:

7. Data Retention

We retain personal data for as long as your account remains active or as necessary to provide the Services. Following a request to delete your account, we will delete your account and associated personal data within thirty (30) days, except where retention is required to comply with a legal obligation (for example, transaction records) or to establish, exercise, or defend legal claims. Aggregated and de-identified data, which cannot reasonably be attributed to you, may be retained without time limit.

8. International Transfers

Our service providers store data in data centres located in the United States. If you access the Services from outside the United States, your personal data will be transferred to, and processed in, the United States. Where personal data is transferred from the European Economic Area or the United Kingdom, we rely on the European Commission's Standard Contractual Clauses (and, for transfers from the United Kingdom, the UK International Data Transfer Addendum), together with our providers' data processing agreements, as the safeguard for such transfers, in accordance with applicable law.

9. Your Rights

Subject to applicable law, you may have the right to access, rectify, erase, restrict, or object to the processing of your personal data, the right to data portability, and the right to withdraw consent where processing is based on consent. You may exercise these rights, and those set out below, by emailing nyah@toxome.app from the email address associated with your account:

If you are located in California, you have additional rights under the California Consumer Privacy Act, including the right not to be subjected to discriminatory treatment for exercising your rights. If you are located in the European Economic Area or the United Kingdom, you have additional rights under the GDPR and the UK GDPR.

If you are located in the European Economic Area or the United Kingdom and consider that our processing of your personal data infringes applicable law, you have the right to lodge a complaint with your competent supervisory authority — in the European Economic Area, your national data protection authority; in the United Kingdom, the Information Commissioner's Office. We would, however, welcome the opportunity to address your concerns before you do so.

10. Security

We implement technical and organisational measures designed to protect personal data, including the encryption of data in transit between your device and our servers. Our storage providers encrypt data at rest and maintain industry-standard security practices. No method of transmission or storage can be guaranteed to be entirely secure; in the event of a personal data breach affecting you, we will notify you and the relevant authorities to the extent required by applicable law.

11. Children

The Services are not directed to children under the age of thirteen (13), and we do not knowingly collect personal data from such children. Where required by applicable law in the European Economic Area or the United Kingdom, the minimum age for valid consent to information society services may be higher (up to sixteen (16)). If you believe that a child has provided us with personal data, please contact us and we will delete the relevant account.

12. Changes to this Policy

We may amend this Policy from time to time. Where we make a material change, we will notify you through the Services or by email before the change takes effect. The “Last updated” date at the top of this Policy indicates the date of the current version.

13. Contact

This Policy is issued by Toxome LLC, a limited liability company registered in the State of New York. For any matter relating to privacy or this Policy, including the exercise of your rights, please contact us at nyah@toxome.app.

See also: Terms of Use.