TOTO PRIVACY POLICY

Effective Date: October 1, 2025

1. Introduction And Scope Of This Privacy Policy

1.1. This Privacy Policy (the “Policy”) forms an integral part of the Toto Terms of Use (the “Terms”). Capitalized terms used but not defined in this Policy have the meanings assigned in the Terms.
1.2. This Policy describes how we collect, use, disclose, and protect your personal data when you use our mobile applications, websites, and related services (collectively, the “App” or the “Service”), and explains your corresponding rights and choices.

1.3. By accessing or using the Service, you confirm that you have read, understood, and agree to this Policy and the data-processing practices it describes, and that you are at least eighteen (18) years old or the age of majority in your jurisdiction, whichever is higher.
1.4. If you do not agree with this Policy or cannot make the foregoing representation, you must not use the Service. In such case, please:
  (a) delete your account and request deletion of your data;
  (b) uninstall the App from your devices.

2. Categories Of Personal Data We Collect

2.1. Types of Data Collected. Depending on how you interact with the Service, we may collect the following categories of personal data:
  • Account and Registration Data: name, nickname, email address, profile photo, gender, date of birth, login credentials (including Apple ID, Google ID, or Facebook ID), and any optional profile details you choose to provide.

  • Communication Data: messages exchanged within the Service, correspondence with our support team, dispute resolution data, and notification preferences. Screenshots may occasionally be taken for moderation or fraud-prevention purposes.

  • Device and Technical Data: IP address, time zone, device model, operating system, language settings, hardware identifiers (e.g., IDFA, AAID, IDFV), crash logs, network information, and performance data.

  • Usage Data: logs of how you interact with the Service (e.g., pages or features used, time spent, frequency of logins, in-app actions, search queries, and referral source such as the app store or ad that brought you to the Service).

  • Location Data: approximate location derived from your IP address or device settings. We do not collect precise GPS location unless you explicitly allow it.

  • Payment and Transaction Data: transaction IDs, purchase history, subscription or in-app purchase confirmations through Apple App Store or Google Play. We do not store full payment card details; payments are processed securely by Apple or Google.

  • Advertising and Analytics Data: advertising identifiers (IDFA, AAID), cookies, and tracking pixels (e.g., Meta Pixel), which may record data about your interactions with the Service and advertising content.

  • Verification Data (where applicable): identity documents or selfies for age verification, along with associated metadata.

2.2. Optional and Public Data. You may choose to provide additional information when using the Service, such as photos, stories, or other User Content visible to others. Please note that content you make public is considered non-confidential.
2.3. Age Restriction And Child Safety. The Service is intended for users aged eighteen (18) or older. We do not knowingly collect personal data from children. If we become aware that a child under 18 has provided data, we will promptly delete such information. Parents or guardians who believe their child may have provided us with personal data should contact us at [email protected].

3. Purposes And Legal Bases For Processing

3.1. We collect and process your personal data to provide, maintain, and improve our Service; to ensure safety and compliance; and to enhance user experience and product development.
3.2. We process your personal data only where a lawful basis applies under data-protection laws such as the GDPR, CCPA/CPRA, or ePrivacy rules. These include:
(a) performance of our contract with you;
(b) compliance with legal obligations;
(c) your consent; or
(d) our legitimate interests, provided that your rights and freedoms do not override such interests.
3.3. A detailed table describing processing purposes, data categories, examples, and corresponding legal bases is provided below.

| Purpose | Description and Examples | Categories of Data | Lawful Basis |
|---|---|---|---|
| 1. To provide the Service and administer your account | Verification of your identity, email, or device; enabling secure login; preventing fraud or abuse; customizing your in-app experience; resolving technical issues; responding to support requests. Example: adjusting in-app recommendations to your preferences. | Login details, identifiers, device data, support communications | Contract performance; Consent (if sensitive categories apply) |
| 2. To communicate with you about the Service | Sending service updates, password resets, reminders (e.g., push notifications), and feedback requests. Example: sending a push notification reminding you to open the app. | Contact information, device identifiers | Contract performance; Legitimate interest (encouraging active and safe use of the Service) |
| 3. To process in-app purchases | Processing of one-time in-app transactions via Apple App Store or Google Play. We may retain transaction IDs for accounting and fraud prevention but do not store full payment card details. | Transaction IDs, purchase history, Apple/Google account data | Contract performance; Legal obligation (fraud prevention, accounting) |
| 4. To research and improve our Service | Using analytics tools (Google Analytics, Firebase, AppsFlyer, Amplitude, Meta Pixel) to understand engagement, improve features, diagnose errors, test new functionality, and personalize experiences. | Usage data, device data, cookies, advertising IDs | Legitimate interest (improving and optimizing the Service); Consent (where required for tracking) |
| 5. To personalize ads and marketing | Using advertising IDs, cookies, and Meta Pixel to deliver targeted ads and measure campaign effectiveness. Example: showing you ads on Instagram after you used the app. | Device data, advertising IDs, cookies, interaction history | Consent (for personalized ads, where required); Legitimate interest (where permitted) |
| 6. To enforce Terms, ensure safety, and combat fraud | Using automated and human moderation to detect harmful or prohibited behavior; investigating suspected abuse or fraud; enforcing bans or restrictions. | Account data, communications, moderation logs, IP address, device identifiers | Legitimate interest (ensuring safety, preventing fraud); Legal obligation (where applicable) |
| 7. To comply with legal obligations | Retaining invoices, processing tax/accounting data, responding to law enforcement or regulatory requests. | Payment records, account data, communication logs | Legal obligation |
| 8. To defend legal claims and rights | Using data to establish, exercise, or defend against legal claims or disputes; providing evidence in arbitration or litigation. | All categories, as relevant | Legitimate interest (protection of legal rights) |

4. Disclosure Of Personal Data

4.1. We share your personal data only as described in this Policy and strictly for legitimate purposes.
4.2. We do not:
(a) sell or disclose your data to advertising platforms, data brokers, or information resellers;
(b) process your data in ways incompatible with the purposes set out in Section 3; or
(c) collect or process data beyond what is necessary for those purposes.
4.3. We require all third-party service providers to process your data lawfully, securely, and solely on our instructions. They may not use your data for their own purposes.
4.4. Personal data may be disclosed internally (among authorized employees, contractors, and affiliates) or externally (to vetted service providers) strictly on a need-to-know basis and always under confidentiality obligations.
External Third-Party Services.
We use third-party providers for hosting, analytics, performance monitoring, error tracking, and advertising attribution. Each provider processes data solely for the specified purposes.

| Third-Party Provider | Service | Purpose of Usage | Privacy Materials |
|---|---|---|---|
| Google LLC | Google Ads | Marketing and advertising | Privacy Policy |
| Meta Platforms, Inc. | Facebook / Meta Pixel | Marketing, ad measurement, campaign personalization | Privacy Policy |
| Apple Inc. | App Store / APNs | App distribution, push notifications | Privacy Policy |
| Amplitude Inc. | Amplitude | Product analytics and event tracking | Privacy Policy |
| AppsFlyer Inc. | AppsFlyer | Mobile marketing analytics and attribution | Privacy Policy |
| Google LLC | Firebase | Development purposes | Privacy Policy |
| Agora Lab, Inc. | Agora SDK | Real-time audio/video streaming and quality monitoring | Privacy Policy |
| Applovin Corporation / AppLovin (Singapore) Pte. Ltd. | AppLovin | Analytics and user engagement optimization | Privacy Policy |

5. Data Retention And Deletion

5.1. We retain your personal data only as long as necessary for the purposes outlined in this Policy or as required by law.
5.2. If you delete your account, we will remove or anonymize your data according to the following timelines:

  • Account/profile data: within 30 days.

  • Messages, correspondence, and attachments: within 30 days.

  • Technical logs and device information: deleted or anonymized within 60 days, unless retained longer for security or legal reasons.

  • Payment and transaction data: retained for legal and accounting compliance (typically 5–7 years).

5.3. Where exact retention periods cannot be predefined, we apply the shortest period consistent with the processing purpose.
5.4. After expiration of the retention period, data will be permanently deleted or anonymized to prevent identification.

6. Your Rights And How To Exercise Them

6.1. Under applicable data protection laws (including GDPR and CCPA/CPRA), you have the following rights:

  • Access: to request confirmation of processing and obtain a copy of your data.

  • Rectification: to correct inaccurate or incomplete data.

  • Erasure (“Right to Be Forgotten”): to request deletion of your data, subject to legal obligations.

  • Objection: to object to processing based on legitimate interests, including direct marketing.

  • Restriction: to request suspension of processing in certain cases.

  • Data Portability: to receive your data in a structured, machine-readable format and transfer it elsewhere.

  • Withdraw Consent: where processing relies on consent, you may withdraw it at any time.

  • Complaint: to lodge a complaint with your local data-protection authority if you believe we process your data unlawfully.

6.2. To exercise your rights, contact us at [email protected]. We may need to verify your identity before responding.
6.3. We aim to respond within 30 days or, where permitted, within 60 days.
6.4. California Residents – Shine the Light. California residents may once per year request information about how we share personal data with third parties for their direct-marketing purposes. To make such a request, email [email protected] with “Request for California Shine the Light Privacy Information” in the subject line and include your state of residence and email address in the message body.

7. International Data Transfers

7.1. We operate globally and may transfer your personal data to countries other than your own.
7.2. If you are located in the EEA or UK, transfers outside these regions will only occur where:
(a) the European Commission has issued an adequacy decision for the destination country; or
(b) we have implemented Standard Contractual Clauses (SCCs) ensuring adequate safeguards.
7.3. By using the Service, you acknowledge that your data may be processed in jurisdictions with different data-protection standards, but always with appropriate safeguards in place.

8. Security Measures And Data Protection

8.1. We implement technical and organizational measures to protect your personal data against unauthorized access, loss, misuse, alteration, or disclosure. These include encryption of data in transit, access controls, regular audits, and staff confidentiality obligations.
8.2. Our service providers are contractually required to maintain equivalent data-security measures and comply with applicable laws.
8.3. While we apply commercially reasonable safeguards, no system or transmission over the Internet is entirely secure. We cannot guarantee absolute protection.
8.4. You are responsible for safeguarding your account credentials and must promptly notify us at [email protected] of any suspected unauthorized access.
8.5. In the event of a data breach that may affect your rights, we will notify you and the competent supervisory authorities as required by law.

9. Updates To This Privacy Policy

9.1. We may amend this Policy from time to time to reflect legal, technological, or operational changes.
9.2. If updates are material, we will notify you by email or in-app notice. The Effective Date will always reflect the latest version.

10. Contact Information

If you have any questions or concerns about this Policy or our data-processing practices, please contact us:
Controller: DESTRIA INVESTMENTS LIMITED
Email: [email protected]
Address: THE LEVENTIS GALLERY TOWER, Floor 13, Flat 1301, 5 A.g. Leventis, Nicosia 1097, Cyprus