Privacy Policy
Last updated: April 9, 2026
- We collect your email, writing samples, and usage data to provide the service
- Writing samples are redacted by default after extraction; you can opt to keep them
- Top writing samples are automatically retained as exemplars for generation quality
- We do not sell your data or use it to train AI models
- You can export or delete all your data from Settings
This Privacy Policy explains how Max Beato, sole proprietor, doing business as Tonos ("we", "us", "our"), collects, uses, and protects your information when you use our voice profile service ("Service"). This policy applies to all users of the Tonos web application, REST API, and MCP protocol endpoints.
Data controller: Max Beato, sole proprietor, doing business as Tonos. Contact: max@tonos.fyi
Data Protection Officer: Tonos has not appointed a Data Protection Officer as it is not required to do so under Article 37 of the GDPR. For data protection inquiries, contact max@tonos.fyi.
1. Information We Collect
Account information
When you register with email and password, we collect your email address and store a cryptographically hashed version of your password. We never store passwords in plain text.
OAuth sign-in (Article 14 disclosure)
If you sign in via Google or GitHub, we receive your name and email address from these OAuth providers. This data originates from your account with the respective provider and is transmitted to us during the authentication flow. We do not request or receive any other data from these providers (such as contacts, browsing history, or social connections). We do not receive or store your OAuth provider password.
Categories of personal data received from OAuth providers: name and email address only.
Writing samples — two categories
We handle two distinct types of writing-related data with different retention policies:
Extraction samples (redacted by default): Writing samples you submit for voice profile creation are redacted by default after re-extraction — sample text is replaced with "[redacted]" for samples with cached analysis, and deleted entirely for samples without. You can opt to keep samples by checking "Keep samples after generation." Samples submitted during initial profile creation remain until you trigger a re-extraction or delete them manually. The extraction process is one-way — the voice profile is a derived abstraction that cannot be reversed to reconstruct your original messages.
Retained exemplars (persistent): During context sub-profile extraction, the top 3 highest-quality writing samples per context type (email, DM, professional, casual) are automatically retained as exemplars for few-shot generation. Up to 20 exemplars are stored per profile. These are original writing samples, not generated drafts. They are stored in your account until you manually remove them via Settings or delete your account.
Voice profiles
We store the structured voice profile generated from your samples. This includes style dimensions (formality, warmth, directness, etc.), detected patterns, common phrases, and platform-specific modes. Voice profiles are derived abstractions — they do not contain your original messages and cannot be used to reconstruct them.
Generated content
Generated drafts are stored server-side to enable draft history, the feedback system, and quality measurement. Each draft stores the generated text, recipient, context, source text (for rewrites), platform, and model used. Drafts are retained while your account is active.
Payment information
Payments are processed entirely by Stripe. Your credit card number and payment details are sent directly to Stripe and never touch our servers. We retain only your Stripe customer ID and subscription status for billing management.
Usage data
We collect basic usage metrics: API request counts, credit consumption, endpoint paths, and timestamps. We use this for billing, rate limiting, abuse prevention, and service improvement. We do not track your browsing behavior across other websites.
2. Legal Basis for Processing (GDPR Article 13(1)(c)–(d))
For users in the European Economic Area, we process your personal data under the following legal bases, mapped to each category of data:
- Account data (email address, hashed password) — Contractual necessity (Article 6(1)(b)): required to create and maintain your account.
- Extraction samples — Consent (Article 6(1)(a)): you voluntarily provide these samples for voice profile creation. They are redacted by default after re-extraction. You may withdraw consent by not submitting samples or by deleting your profile.
- Retained exemplars — Consent (Article 6(1)(a)): automatically selected from your highest-quality writing samples during extraction. You may remove retained exemplars at any time from Settings.
- Voice profiles — Contractual necessity (Article 6(1)(b)): required to deliver the core Service.
- Payment data (Stripe customer ID, subscription status) — Contractual necessity (Article 6(1)(b)): required to manage billing and subscription access.
- Usage logs (request counts, endpoint paths, timestamps) — Legitimate interest (Article 6(1)(f)): our legitimate interest is ensuring the security, stability, and abuse-free operation of the Service. We have assessed that this interest is not overridden by your rights, given that usage logs contain only technical metadata (request counts, endpoint paths, timestamps) and not the content of your communications.
- OAuth data (name and email from Google/GitHub) — Contractual necessity (Article 6(1)(b)): required to authenticate your account via third-party sign-in.
3. Contractual and Statutory Requirements (Article 13(2)(e))
Providing your email address and writing samples is a contractual requirement — the Service cannot function without an account identifier and voice data to analyze. If you do not provide this data, you will be unable to use the Service. Providing payment information is required only for paid plans.
4. Automated Decision-Making (Article 13(2)(f))
Tonos uses automated processing to analyze your writing samples and generate a voice profile. This processing is performed by Anthropic's Claude AI model. The voice profile extraction is fully automated — no human reviews your samples during the process.
However, this does not constitute automated decision-making that produces legal or similarly significant effects on you within the meaning of Article 22 of the GDPR. The voice profile is a tool for your use; no decisions about your access, pricing, or account status are made based on automated profiling.
5. How We Use Your Information
- To create and maintain your account
- To build and store your voice profile
- To generate messages in your voice
- To process payments and manage subscriptions
- To enforce rate limits and prevent abuse
- To communicate service updates or billing issues
- To comply with legal obligations
We do not use your data for advertising, marketing profiling, or any purpose unrelated to delivering the Service.
6. Third-Party Services (Sub-Processors)
We share limited data with the following third parties to operate the Service:
- Anthropic (Claude API) — Writing samples and drafting prompts are sent to Anthropic's API for voice extraction and message generation. Anthropic does not retain API inputs or outputs and does not use API data for model training. See Anthropic's Privacy Policy.
- Stripe — Handles payment processing. Stripe receives your payment method details directly. See Stripe's Privacy Policy.
- Self-hosted infrastructure — The application runs on a dedicated server with Caddy as reverse proxy. PostgreSQL is the database. No third-party platform-as-a-service provider hosts the application or database.
- Plausible CE (self-hosted) — We run a self-hosted instance of Plausible Community Edition at analytics.tonos.fyi for website analytics. Plausible is cookieless and collects no personal data. It is compliant with GDPR without requiring visitor consent.
- Google / GitHub — If you use OAuth sign-in, these providers facilitate authentication. They receive only the authentication request; we do not share your Tonos data with them.
We do not sell, rent, or trade your personal data to any third party. We do not use your data for advertising.
7. Data Location and International Transfers
Your data is processed and stored on servers located in the United States. If you are accessing the Service from outside the United States, your data will be transferred to and processed in the US. For users in the European Economic Area (EEA), United Kingdom, or Switzerland, these transfers are conducted under Standard Contractual Clauses or other appropriate safeguards as required by applicable data protection laws.
8. Data Retention
- Extraction samples: Redacted by default after re-extraction (text replaced with "[redacted]" or deleted). Samples from initial creation remain until re-extraction or manual deletion.
- Retained exemplars: Up to 20 per profile. Kept until you delete them from Settings or delete your account. Used as few-shot examples for voice-matched generation.
- Generated drafts: Retained while your account is active; deleted within 30 days of account deletion.
- Voice profiles: Retained while your account is active; deleted within 30 days of account deletion.
- Account data: Deleted within 30 days of account deletion.
- Usage logs: Retained for 90 days, then automatically purged.
- Payment records: Retained as required by tax and financial regulations (typically 7 years for transaction records).
9. Your Rights
Regardless of your location, you can:
- Access your voice profile data through the web app or API
- Delete your voice profile at any time from your settings
- Delete your account and all associated data from your settings
- Export your voice profile data via the API
- Revoke API keys at any time from your settings
- Withdraw consent for data processing by deleting your account
For European Economic Area (EEA) residents
Under the GDPR, you also have the right to:
- Request rectification of inaccurate personal data
- Request restriction of processing in certain circumstances
- Object to processing based on legitimate interest
- Data portability — receive your data in a structured, machine-readable format
- Lodge a complaint with your local data protection supervisory authority if you believe your rights have been violated. If you are unsure which authority to contact, see the European Data Protection Board's list at edpb.europa.eu.
For California residents
Under the California Consumer Privacy Act (CCPA), as amended by the California Privacy Rights Act (CPRA), you have the following rights:
- Know what personal information we collect and how it is used
- Request deletion of your personal information
- Do Not Sell or Share: We do not sell or share your personal information as those terms are defined under the CCPA, as amended by the CPRA.
- Right to limit use of sensitive personal information: We do not collect sensitive personal information as defined by the CCPA/CPRA (such as Social Security numbers, financial account credentials, precise geolocation, or biometric data).
- Non-discrimination — we will not treat you differently for exercising your CCPA rights
Categories of personal information we collect (CCPA structured disclosure)
- Category A — Identifiers: Email address; name (via OAuth sign-in); Stripe customer ID. Sources: directly from you; OAuth providers (Google/GitHub); Stripe. Business purpose: account management, authentication, billing.
- Category B — Personal information per Cal. Civ. Code 1798.80(e): Name and email address. Sources: directly from you; OAuth providers. Business purpose: account management, communications.
- Category D — Commercial information: Subscription status, credit usage, transaction history. Sources: Stripe, internal usage tracking. Business purpose: billing, subscription management.
- Category F — Internet or other electronic network activity: API request logs, endpoint usage, timestamps. Sources: automatically collected during Service use. Business purpose: security, abuse prevention, rate limiting.
- Category K — Inferences: Voice profile derived from writing samples (structured style dimensions). Sources: derived from extraction samples you provide. Business purpose: core Service delivery (voice-matched drafting).
Third parties we share personal information with: Anthropic (voice extraction and generation), Stripe (payments). Infrastructure is self-hosted. We do not share personal information with advertisers, data brokers, or social networks.
To exercise any of these rights, you may: (a) use the self-service tools in your account Settings (for access, deletion, and export), or (b) contact us at max@tonos.fyi. We will respond to verified requests within 30 days (45 days if we notify you of an extension). We verify requests by confirming ownership of the email address associated with your account.
10. Data Security
We use industry-standard security measures including encrypted connections (TLS in transit), hashed passwords (argon2id), hashed API keys (SHA-256), and secure session management. Database connections are encrypted. However, no method of electronic transmission or storage is 100% secure, and we cannot guarantee absolute security.
11. Data Breach Notification
In the event of a data breach that compromises your personal information, we will notify affected users within 72 hours of confirming the breach. We will also notify relevant supervisory authorities as required by applicable law. Notification will include the nature of the breach, data affected, steps we are taking, and steps you can take to protect yourself.
12. Cookies
We use a single session cookie to keep you signed in. This is a strictly necessary functional cookie required for the Service to operate. It contains no tracking data and expires after 7 days or when you sign out, whichever comes first. We do not use tracking cookies, analytics cookies, advertising cookies, or any third-party cookies.
13. Children
The Service is not intended for users under 18. We do not knowingly collect information from children. If you believe a child has provided us with personal data, contact us and we will promptly delete it.
14. Changes to This Policy
We may update this Privacy Policy from time to time. If we make material changes, we will notify you via email or a prominent notice within the Service at least 14 days before the changes take effect. The "Last updated" date at the top reflects the most recent revision. Continued use of the Service after changes take effect constitutes acceptance of the updated policy.
15. Contact
Questions about your privacy or data? Reach us at max@tonos.fyi.
For matters related to our Terms of Service, the same contact applies.