Privacy Policy
Last updated June 9, 2026
This Privacy Policy (the “Policy”) describes how Toxome LLC, a New York limited liability company (“Toxome,” “we,” “us,” or “our”), collects, uses, discloses, and otherwise processes personal data in connection with the website located at toxome.app(the “Site”), the Toxome iOS application (the “App”), and the Toxome browser extension (the “Extension,” and together with the Site and the App, the “Services”).
This Policy forms part of, and should be read together with, our Terms of Use. By accessing or using the Services, you acknowledge that you have read and understood this Policy. Capitalized terms used but not defined in this Policy have the meanings given to them in the Terms of Use.
1. Data Controller
For the purposes of the EU General Data Protection Regulation (Regulation (EU) 2016/679) (the “GDPR”) and the UK GDPR, the data controller responsible for your personal data is Toxome LLC, a New York limited liability company. Our contact details are set out in Section 13 (Contact) below. Toxome has not appointed a data protection officer, as it is not required to do so under Article 37 of the GDPR.
2. Personal Data We Collect
We collect the following categories of personal data.
2.1 Account Data
When you register for an account through the Site or the App, we collect your email address and, where you provide them, your display name and profile photograph. Authentication is performed by Firebase Authentication, a service provided by Google LLC. We use this data to authenticate you, to associate your activity across the Services, and to send you transactional communications, including sign-in links and material notices concerning your account or the Services.
2.2 Service Data
When you use the App to scan a garment label, we collect and store the photograph of the label, the fibre composition extracted from it, the brand and category identified, and the corresponding Toxome Rating. Scans you save to your closet are retained in your account until you delete them. On the Site, we store the items you save to your wishlist and the filters you apply when browsing. We receive your subscription status from Apple, via RevenueCat, in order to determine your entitlement to premium features. During onboarding in the App, you may elect to provide preference information (including concerns, gender, budget, and focus areas), which we use to personalize the Services and which you may amend or delete at any time.
2.3 Technical and Analytics Data
We collect technical information generated by your use of the Services, including device type, browser type, approximate location derived from your IP address, and the pages or screens you access. The Services use a single first-party analytics identifier, stored on your device, to distinguish visits within our own aggregated reporting. We do not employ third-party advertising trackers and do not engage in cross-site tracking. The processing of this analytics identifier is subject to the consent requirements described in Section 5 (Cookies and Similar Technologies).
2.4 Extension Data
The Extension identifies the fibre composition, product name, brand, and image on clothing retail pages you visit, solely in order to display a garment score on the page before you. The Extension operates only on pages that disclose a fibre composition and remains inactive on all other pages. It does not read your browsing history, monitor the sites you visit, or construct a profile of you. Scoring is performed locally within the Extension, on your device; product information is transmitted to Toxome only where you elect to save an item to your wishlist or closet, in which case the product name, brand, image, link, and score are stored in your account. Authentication within the Extension uses Firebase, and your session is stored locally in the browser's extension storage.
3. Legal Bases for Processing
Where the GDPR or the UK GDPR applies, we process your personal data on the following legal bases:
- Performance of a contract (Article 6(1)(b)): to create and administer your account, authenticate you, store your closet and wishlist, and provide the premium features for which you have subscribed.
- Legitimate interests (Article 6(1)(f)): to maintain the security and integrity of the Services, prevent abuse, and analyse aggregated usage in order to operate and improve the Services. We have determined that these interests are not overridden by your rights and freedoms, and we limit such processing to data that is minimal and non-advertising in nature.
- Consent (Article 6(1)(a)): to store the first-party analytics identifier on your device where required by applicable law, and to send marketing communications. You may withdraw your consent at any time, without affecting the lawfulness of processing carried out prior to such withdrawal.
- Compliance with a legal obligation (Article 6(1)(c)): to retain records as required by law and to respond to lawful requests from public authorities.
4. Purposes of Processing
We process personal data in order to:
- operate and maintain the Services, including displaying your closet and wishlist and authenticating you;
- personalize the Services, including by recommending lower-risk alternatives in categories where your closet is assessed as higher risk;
- process subscription transactions through Apple and RevenueCat;
- send transactional communications, and marketing communications only where you have opted in;
- analyse de-identified, aggregated trends in order to improve and develop the Services; and
- comply with applicable law and protect the rights, property, and safety of Toxome and its users.
We do not sell your personal data.
5. Cookies and Similar Technologies
The Site uses strictly necessary cookies to maintain your authenticated session. The Site also uses a single first-party analytics identifier, stored in your browser, to distinguish visits within our own aggregated reporting; this identifier is not an advertising tracker, is not shared with third parties, and is not used for cross-site tracking. Where you access the Services from the European Economic Area or the United Kingdom, we obtain your consent before storing the analytics identifier on your device, in accordance with applicable ePrivacy laws; where you access the Services from other jurisdictions, the identifier is set without a prior consent requirement, consistent with applicable law. The App relies on standard identifiers provided by Apple and governed by Apple's App Tracking Transparency framework; we do not request tracking permission, as we do not require it.
6. Recipients and Disclosures
We do not sell your personal data. We disclose personal data only to the service providers that enable us to operate the Services, and only to the extent necessary for them to perform their functions:
- Firebase (Google LLC): authentication and storage of your closet, wishlist, and uploaded photographs.
- Supabase: hosting of our product catalogue. No user account is maintained with this provider; it serves only the catalogue data presented on the Site.
- RevenueCat and the Apple App Store: subscription management and payment processing. We do not receive your payment card details, which are processed by Apple.
- Vercel Inc.: hosting of the Site, including the handling of server request logs.
- Affiliate partners: where you select a link to a third-party brand, we direct you to that brand's website. Certain links contain an affiliate code by which we may earn a commission. We do not disclose your account or closet data to such brands; they receive only the fact that the referral originated from Toxome. We additionally maintain our own aggregated record of the products and brands viewed and clicked, associated with a random device identifier and not with your name or email address. This record is retained within Toxome and is not sold or disclosed to advertisers.
- Public authorities and other parties: where we receive a valid legal request, or where disclosure is necessary to comply with applicable law, enforce our Terms of Use, or protect the rights, property, or safety of Toxome or others.
7. Data Retention
We retain personal data for as long as your account remains active or as necessary to provide the Services. Following a request to delete your account, we will delete your account and associated personal data within thirty (30) days, except where retention is required to comply with a legal obligation (for example, transaction records) or to establish, exercise, or defend legal claims. Aggregated and de-identified data, which cannot reasonably be attributed to you, may be retained without time limit.
8. International Transfers
Our service providers store data in data centres located in the United States. If you access the Services from outside the United States, your personal data will be transferred to, and processed in, the United States. Where personal data is transferred from the European Economic Area or the United Kingdom, we rely on the European Commission's Standard Contractual Clauses (and, for transfers from the United Kingdom, the UK International Data Transfer Addendum), together with our providers' data processing agreements, as the safeguard for such transfers, in accordance with applicable law.
9. Your Rights
Subject to applicable law, you may have the right to access, rectify, erase, restrict, or object to the processing of your personal data, the right to data portability, and the right to withdraw consent where processing is based on consent. You may exercise these rights, and those set out below, by emailing nyah@toxome.app from the email address associated with your account:
- Deletion: in the App, via Settings → Delete account; on the Site, by written request. We will delete your account and associated data within thirty (30) days, subject to Section 7 (Data Retention).
- Access and portability: we will provide a copy of the personal data we hold about you.
- Rectification: most data is editable within the App; for any data that is not, contact us.
- Objection to analytics: we will exclude your account from product analytics upon request.
If you are located in California, you have additional rights under the California Consumer Privacy Act, including the right not to be subjected to discriminatory treatment for exercising your rights. If you are located in the European Economic Area or the United Kingdom, you have additional rights under the GDPR and the UK GDPR.
If you are located in the European Economic Area or the United Kingdom and consider that our processing of your personal data infringes applicable law, you have the right to lodge a complaint with your competent supervisory authority — in the European Economic Area, your national data protection authority; in the United Kingdom, the Information Commissioner's Office. We would, however, welcome the opportunity to address your concerns before you do so.
10. Security
We implement technical and organisational measures designed to protect personal data, including the encryption of data in transit between your device and our servers. Our storage providers encrypt data at rest and maintain industry-standard security practices. No method of transmission or storage can be guaranteed to be entirely secure; in the event of a personal data breach affecting you, we will notify you and the relevant authorities to the extent required by applicable law.
11. Children
The Services are not directed to children under the age of thirteen (13), and we do not knowingly collect personal data from such children. Where required by applicable law in the European Economic Area or the United Kingdom, the minimum age for valid consent to information society services may be higher (up to sixteen (16)). If you believe that a child has provided us with personal data, please contact us and we will delete the relevant account.
12. Changes to this Policy
We may amend this Policy from time to time. Where we make a material change, we will notify you through the Services or by email before the change takes effect. The “Last updated” date at the top of this Policy indicates the date of the current version.
13. Contact
This Policy is issued by Toxome LLC, a limited liability company registered in the State of New York. For any matter relating to privacy or this Policy, including the exercise of your rights, please contact us at nyah@toxome.app.
See also: Terms of Use.