Privacy Policy

1. Introduction

Tonemark ("we", "us", or "our") is operated by Ultrathink, a company based in the European Union (Poland). We are committed to protecting your personal data and respecting your privacy.

This Privacy Policy explains how we collect, use, store, and protect your information when you use our AI-powered content creation platform at tonemark.ai and app.tonemark.ai.

2. Data Controller

The data controller responsible for your personal data is:

3. Data We Collect

3.1 Account Information

• Email address (required for account creation)
• Name (if provided)
• Profile picture (if using Google Sign-In)
• Authentication data from Google Sign-In

3.2 LinkedIn Integration Data

When you connect your LinkedIn account, we collect:

• Your LinkedIn profile information (name, profile picture)
• Your email address associated with LinkedIn
• List of LinkedIn company pages you administer (if applicable)
• OAuth tokens to publish content on your behalf

Important: We only post to LinkedIn when you explicitly request it. We never post automatically or access your LinkedIn data without your direct action.

3.3 Content You Create

• Writing samples you upload for voice learning
• Personas and brand voices you create
• Content generated using our AI tools
• Knowledge base documents you upload

3.4 Usage Data

• Features you use and how often
• Content generation statistics
• Error logs and performance data
• Device information and browser type

4. How We Use Your Data

We use your personal data to:

• Provide and maintain our service
• Learn your writing style to generate personalized content
• Publish content to LinkedIn on your behalf (only when you request it)
• Send important service updates and notifications
• Improve our AI models and service quality
• Detect and prevent fraud or abuse
• Comply with legal obligations

5. Legal Basis for Processing (GDPR Article 6)

We process your personal data based on:

• Contract performance: To provide you with our service as described in our Terms of Service
• Consent: For LinkedIn integration and optional features (you can withdraw consent at any time)
• Legitimate interest: For analytics, security, and service improvement
• Legal obligation: To comply with applicable laws and regulations

6. Data Sharing and Third Parties

We share your data with the following service providers:

We do not sell your personal data to third parties. Data is only shared as necessary to provide our service.

7. International Data Transfers

Some of our service providers are based in the United States. When we transfer your data outside the EU/EEA, we ensure appropriate safeguards are in place, including:

• EU-US Data Privacy Framework certification
• Standard Contractual Clauses (SCCs) approved by the European Commission
• Technical security measures (encryption in transit and at rest)

8. Data Retention

We retain your data for as long as necessary to provide our service:

• Account data: Until you delete your account
• Content and personas: Until you delete them or your account
• LinkedIn tokens: Until you disconnect LinkedIn or they expire
• Usage logs: Up to 90 days
• Backup data: Up to 30 days after deletion

9. Your Rights (GDPR)

Under GDPR, you have the following rights:

• Right to access: Request a copy of your personal data
• Right to rectification: Correct inaccurate or incomplete data
• Right to erasure: Request deletion of your data ("right to be forgotten")
• Right to data portability: Receive your data in a machine-readable format
• Right to object: Object to processing based on legitimate interest
• Right to restrict processing: Limit how we use your data
• Right to withdraw consent: Withdraw consent at any time (e.g., disconnect LinkedIn)

To exercise your rights, contact us at privacy@tonemark.ai. We will respond within 30 days.

10. How to Delete Your Data

You can delete your data in several ways:

• Disconnect LinkedIn: Go to Settings → Social Connections → Disconnect
• Delete content: Use the delete button on any persona, document, or generated content
• Delete account: Go to Settings → Account → Delete Account
• Request deletion: Email us at privacy@tonemark.ai

11. Cookies and Tracking

We use the following cookies and tracking technologies:

• Essential cookies: Required for authentication and security
• Analytics (Vercel Analytics): Anonymous usage statistics
• Customer support (Crisp): Live chat functionality

We do not use advertising cookies or sell data to advertisers.

12. Security

We protect your data with:

• Encryption in transit (HTTPS/TLS)
• Encryption at rest (AES-256 for sensitive data like OAuth tokens)
• Secure authentication (Firebase Auth with Google Sign-In)
• Regular security audits
• Access controls and audit logging

13. California Privacy Rights (CCPA)

If you are a California resident, you have additional rights under the California Consumer Privacy Act (CCPA):

• Right to know: Request information about what personal data we collect and how we use it
• Right to delete: Request deletion of your personal data
• Right to opt-out: Opt out of the sale of your personal data
• Right to non-discrimination: We will not discriminate against you for exercising your rights

We do not sell your personal data. We do not share your personal information with third parties for their direct marketing purposes. We do not use your data for targeted advertising.

To exercise your California privacy rights, contact us at privacy@tonemark.ai.

14. Children's Privacy

Tonemark is not intended for users under 16 years of age. We do not knowingly collect personal data from children. If you believe a child has provided us with personal data, please contact us.

15. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of significant changes by:

• Posting the new policy on this page
• Updating the "Last updated" date
• Sending an email notification for material changes

16. Contact Us

For questions about this Privacy Policy or to exercise your rights, contact us at:

You also have the right to lodge a complaint with your local data protection authority. In Poland, this is the President of the Personal Data Protection Office (UODO).