Privacy Policy

Last updated: 5 June 2026

1. Data Controller

TOVI STUDIO SRL
Registered office: București, Sectorul 2, Bd. Ferdinand I nr. 118, Etaj 5, Ap. 509, Romania
Trade Register: J2025080837009
CUI: RO52751450
Data protection contact: gdpr@mytovi.com

We process your personal data in accordance with the EU General Data Protection Regulation (Regulation 2016/679, "GDPR") and Romanian Law 190/2018.

2. What Data We Collect

DataPurpose
Email addressAccount creation, authentication, notifications
Product ownership recordsDigital ownership registration
Product interaction historyStatus transitions, ownership timeline
Detection eventsAnti-theft monitoring at partner locations
IP address (sighting reports)Rate limiting, fraud prevention
Authentication cookiesSession management (strictly necessary)

We do not collect: national identification numbers (CNP), health data, biometric data, payment information, or location data from your device.

3. Legal Bases for Processing

Processing ActivityLegal Basis (GDPR Art. 6)
Account creation & authenticationContract performance — Art. 6(1)(b)
Ownership registration & transferContract performance — Art. 6(1)(b)
Transactional emailsContract performance — Art. 6(1)(b)
Anti-theft detection (gate scans)Legitimate interest — Art. 6(1)(f)
IP logging in sighting reportsLegitimate interest — Art. 6(1)(f)
Authentication cookiesContract performance + ePrivacy exemption

4. Data Recipients & Processors

We share your data with the following service providers (data processors):

ProviderPurposeLocation
Supabase Inc.Database & authenticationEU (Frankfurt)
Vercel Inc.Web hostingUS + global CDN
Resend Inc.Email deliveryUS
Sentry (Functional Software Inc.)Error monitoring (optional, with consent)EU region (Frankfurt)

Transfers to the US are covered by EU Standard Contractual Clauses (SCCs) and, where applicable, the EU-US Data Privacy Framework. Data Processing Agreements (DPAs) are in place with all processors per GDPR Art. 28.

5. Data Retention

DataRetention Period
Account data (email, ownership)Until account deletion
Product interaction historyUntil account deletion
Detection events (gate scans)30 days (auto-purged)
IP addresses in sighting reports30 days (with detection events)

Upon account deletion, all personal data is erased. Anonymised, aggregated statistics may be retained for service improvement.

6. Cookies

Strictly necessary cookies (authentication, session security, and storing your cookie choice) are essential for the service you requested and do not require consent under the ePrivacy Directive (Art. 5(3)) and Romanian Law 506/2004.

Error-monitoring (optional, with your consent): when you accept, we load the Sentry browser SDK to diagnose JavaScript errors and record a masked sample of session replays. It stays off until you opt in, and you can withdraw at any time.

We do not use advertising, cross-site tracking, or marketing cookies. Manage your preferences anytime via the Cookie settings button in the footer, or read our Cookie Policy for the full list.

7. Your Rights (GDPR Chapter III)

You have the following rights regarding your personal data:

  • Access (Art. 15) — obtain a copy of all your data
  • Rectification (Art. 16) — correct inaccurate data
  • Erasure (Art. 17) — delete your account and all data
  • Restriction (Art. 18) — restrict processing in certain cases
  • Portability (Art. 20) — receive your data in a machine-readable format
  • Objection (Art. 21) — object to processing based on legitimate interest

To exercise any right, email gdpr@mytovi.com. We will respond within 30 calendar days.

See our GDPR & Data Rights page for full details.

8. Data Security

We implement appropriate technical and organisational measures per GDPR Art. 32:

  • All data transmitted over HTTPS/TLS encryption
  • Database encryption at rest (Supabase)
  • No passwords stored — authentication via one-time codes (OTP)
  • Row-Level Security (RLS) on all database tables
  • Rate limiting on sensitive operations

9. Automated Decision-Making

The ToviGuard™ gate detection system makes automated determinations about product presence at partner locations. This processing does not produce legal effects on individuals or similarly significantly affect you. It is used solely for product monitoring and owner notification.

10. Children

myTovi is not intended for use by persons under 16 years of age, in accordance with GDPR Art. 8 and Romanian Law 190/2018. We do not knowingly collect data from minors. If you believe a minor has created an account, please contact gdpr@mytovi.com.

11. Data Breach Notification

In the event of a personal data breach, we will notify the Romanian supervisory authority (ANSPDCP) within 72 hours per GDPR Art. 33. If the breach is likely to result in high risk to your rights, we will notify you without undue delay per Art. 34.

12. Changes to This Policy

We may update this policy from time to time. Material changes will be communicated via email or in-app notification. The "Last updated" date above reflects the most recent revision.

13. Supervisory Authority

You have the right to lodge a complaint with the Romanian Data Protection Authority:

ANSPDCP (Autoritatea Națională de Supraveghere a Prelucrării Datelor cu Caracter Personal)
B-dul G-ral Gheorghe Magheru 28-30, Sector 1, 010336 București, Romania
Phone: +40.318.059.211
Email: anspdcp@dataprotection.ro
Website: dataprotection.ro