PRIVACY POLICY

Last updated: March 30, 2026

1. Introduction

ToxShield (“we,” “our,” or “us”) operates the website at toxshield.in and the ToxShield mobile application (collectively, the “Service”). This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our Service.

By using ToxShield, you agree to the collection and use of information in accordance with this policy. If you do not agree, please do not use the Service.

2. Information We Collect

2.1 Account Information

When you create an account, we collect your email address, display name, and (if you sign up via Google OAuth) your Google profile avatar URL. This information is required to provide you access to the Service.

2.2 User-Generated Content

You may submit behavioral descriptions (free-form text), WhatsApp chat exports, and Slack chat exports for AI analysis. This content is stored in our database linked to your account and the person you are analyzing.

2.3 AI-Generated Analysis Results

When you submit content for analysis, our AI generates: toxicity scores (0–10), risk levels, detected behavioral traits, pattern analysis summaries, protection strategies, self-reflection feedback, threat type classifications, headlines, taglines, and user insights (analysis of your own communication patterns). These results are stored in our database associated with your account.

2.4 People Directory

You may create entries for people you wish to analyze, including their name and your relationship to them (e.g., ex-partner, boss, friend). Toxicity scores and risk levels are associated with each person entry.

2.5 Mood & Wellness Data

You may optionally record daily mood check-ins consisting of a mood score (1–5) and an optional note (up to 200 characters). This data is used for the wellness tracking feature and is not shared with third parties.

2.6 Purchase Information

When you purchase an analysis pack, we store the pack type, purchase status, payment gateway used (Stripe or Razorpay), and the corresponding payment session/order IDs. We do not store your credit card number, CVV, or full payment card details — these are handled entirely by our payment processors.

2.7 Gamification Data

We automatically track your usage streaks (consecutive days of activity), earned badges, and monthly analysis usage counts to power the gamification features of the Service.

2.8 Referral Data

If you participate in our referral program, we store your unique referral code and track referral relationships (who referred whom) and referral status.

2.9 Push Notification Data

If you opt in to push notifications, we store your Web Push subscription endpoint and encryption keys to deliver notifications to your device.

2.10 Analytics

We use Vercel Analytics to collect anonymized, aggregate page view and performance data. This data contains no personally identifiable information and uses cookieless tracking.

3. How We Use Your Information

  • To provide AI-powered behavioral analysis (core service functionality)
  • To maintain your people directory and analysis history
  • To process payments for analysis packs via Stripe or Razorpay
  • To track streaks, badges, and gamification features
  • To send push notifications when you have opted in
  • To manage the referral program
  • To improve the Service through anonymized analytics
  • To communicate service updates or policy changes

4. AI Processing Disclosure

ToxShield uses the Anthropic Claude API to analyze behavioral descriptions and chat content you submit. When you request an analysis, the text content you provide (along with the person's name and relationship type) is sent to Anthropic's servers for processing.

Anthropic's API data policy states that API inputs are not used for model training by default. For more information, see Anthropic's usage policies.

Important: AI-generated analysis results are algorithmic assessments based on the text you provide. They are not clinical diagnoses and should not be treated as substitutes for professional mental health counseling, therapy, or diagnosis.

5. Third-Party Services

Service                 | Data Shared                           | Purpose
Anthropic (Claude API)  | Behavioral descriptions, chat content | AI analysis
Stripe                  | Email, purchase metadata              | Payment processing (international)
Razorpay                | Email, purchase metadata              | Payment processing (India)
Supabase                | All user data (hosted database)       | Database & authentication
Google (OAuth)          | Email, name, avatar (received)        | Social login
Vercel Analytics        | Anonymized page views (no PII)        | Usage analytics

We do not sell your personal data to third parties. Data is shared only with the service providers listed above, solely for the purposes described.

6. Data Storage & Retention

Your data is stored in Supabase-managed PostgreSQL databases with cloud infrastructure encryption. Data is retained as follows:

  • Account and analysis data: retained until you request account deletion
  • People and their analyses: retained until you delete the person or your account
  • Purchase records: retained for legal and financial compliance requirements
  • Anonymized analytics: retained indefinitely (contains no personal data)

7. Data Security

  • All connections use HTTPS/TLS encryption in transit
  • Data is encrypted at rest via Supabase-managed infrastructure
  • Row Level Security (RLS) policies ensure users can only access their own data
  • Passwords are hashed by Supabase Auth — never stored in plain text
  • Payment card details never touch our servers — processed entirely by Stripe/Razorpay
  • Webhook signatures are verified for all payment callbacks

While we implement industry-standard security measures, no method of electronic transmission or storage is 100% secure. We cannot guarantee absolute security.

8. Your Rights

You have the following rights regarding your personal data:

  • Access: View your data via the dashboard, people directory, and settings pages
  • Deletion: Request complete account deletion by contacting us at the email below. All associated data (profile, people, analyses, inputs, streaks, badges, purchases, referrals) will be permanently deleted within 30 days
  • Export: Request a copy of your data by contacting us
  • Correction: Update your display name and profile information via settings

For EU Users (GDPR)

You additionally have the right to object to processing, the right to data portability, and the right to lodge a complaint with your local data protection authority. Our lawful basis for processing is legitimate interest (providing the core service) and consent (optional features like push notifications).

For Indian Users (IT Act)

Under Section 43A of the Information Technology Act, 2000 and the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011, you have the right to access and correct your personal data. Mood check-in data and behavioral descriptions are treated as sensitive personal data under these rules.

9. Children’s Privacy

ToxShield is not intended for use by children under the age of 13 (or 16 in the European Union). We do not knowingly collect personal data from children. If we become aware that we have collected data from a child, we will promptly delete it. If you believe a child has provided us with personal data, please contact us immediately.

10. Cookies & Local Storage

  • Authentication cookies: Supabase Auth uses HTTP-only session cookies for authentication. These are strictly necessary for the Service to function and are exempt from consent requirements.
  • Analytics: Vercel Analytics uses cookieless, anonymized tracking. No tracking cookies are set.
  • Local storage: We store a single preference flag for notification prompt dismissal. No personal data is stored in local storage.

We do not use any third-party tracking cookies or advertising cookies.

11. Changes to This Policy

We may update this Privacy Policy from time to time. Changes will be posted on this page with a revised “Last updated” date. Material changes may be communicated via in-app notification. Your continued use of the Service after changes constitutes acceptance of the updated policy.

12. Grievance Officer

In accordance with the Information Technology Act, 2000 and rules made thereunder, the Grievance Officer for the purpose of this Privacy Policy is:

Name: Biswa

Email: privacy@toxshield.in

If you have any grievances regarding the processing of your personal data, you may contact the Grievance Officer. We will address your concerns within 30 days.

13. Contact Us

If you have questions about this Privacy Policy or your personal data, contact us at: