Privacy Policy
Last updated: 5 June 2026
1. Data Controller
TOVI STUDIO SRL
Registered office: București, Sectorul 2, Bd. Ferdinand I nr. 118, Etaj 5, Ap. 509, Romania
Trade Register: J2025080837009
CUI: RO52751450
Data protection contact: gdpr@mytovi.com
We process your personal data in accordance with the EU General Data Protection Regulation (Regulation 2016/679, "GDPR") and Romanian Law 190/2018.
2. What Data We Collect
| Data | Purpose |
|---|---|
| Email address | Account creation, authentication, notifications |
| Product ownership records | Digital ownership registration |
| Product interaction history | Status transitions, ownership timeline |
| Detection events | Anti-theft monitoring at partner locations |
| IP address (sighting reports) | Rate limiting, fraud prevention |
| Authentication cookies | Session management (strictly necessary) |
We do not collect: national identification numbers (CNP), health data, biometric data, payment information, or location data from your device.
3. Legal Bases for Processing
| Processing Activity | Legal Basis (GDPR Art. 6) |
|---|---|
| Account creation & authentication | Contract performance — Art. 6(1)(b) |
| Ownership registration & transfer | Contract performance — Art. 6(1)(b) |
| Transactional emails | Contract performance — Art. 6(1)(b) |
| Anti-theft detection (gate scans) | Legitimate interest — Art. 6(1)(f) |
| IP logging in sighting reports | Legitimate interest — Art. 6(1)(f) |
| Authentication cookies | Contract performance + ePrivacy exemption |
4. Data Recipients & Processors
We share your data with the following service providers (data processors):
| Provider | Purpose | Location |
|---|---|---|
| Supabase Inc. | Database & authentication | EU (Frankfurt) |
| Vercel Inc. | Web hosting | US + global CDN |
| Resend Inc. | Email delivery | US |
| Sentry (Functional Software Inc.) | Error monitoring (optional, with consent) | EU region (Frankfurt) |
Transfers to the US are covered by EU Standard Contractual Clauses (SCCs) and, where applicable, the EU-US Data Privacy Framework. Data Processing Agreements (DPAs) are in place with all processors per GDPR Art. 28.
5. Data Retention
| Data | Retention Period |
|---|---|
| Account data (email, ownership) | Until account deletion |
| Product interaction history | Until account deletion |
| Detection events (gate scans) | 30 days (auto-purged) |
| IP addresses in sighting reports | 30 days (with detection events) |
Upon account deletion, all personal data is erased. Anonymised, aggregated statistics may be retained for service improvement.
6. Cookies
Strictly necessary cookies (authentication, session security, and storing your cookie choice) are essential for the service you requested and do not require consent under the ePrivacy Directive (Art. 5(3)) and Romanian Law 506/2004.
Error-monitoring (optional, with your consent): when you accept, we load the Sentry browser SDK to diagnose JavaScript errors and record a masked sample of session replays. It stays off until you opt in, and you can withdraw at any time.
We do not use advertising, cross-site tracking, or marketing cookies. Manage your preferences anytime via the Cookie settings button in the footer, or read our Cookie Policy for the full list.
7. Your Rights (GDPR Chapter III)
You have the following rights regarding your personal data:
- Access (Art. 15) — obtain a copy of all your data
- Rectification (Art. 16) — correct inaccurate data
- Erasure (Art. 17) — delete your account and all data
- Restriction (Art. 18) — restrict processing in certain cases
- Portability (Art. 20) — receive your data in a machine-readable format
- Objection (Art. 21) — object to processing based on legitimate interest
To exercise any right, email gdpr@mytovi.com. We will respond within 30 calendar days.
See our GDPR & Data Rights page for full details.
8. Data Security
We implement appropriate technical and organisational measures per GDPR Art. 32:
- All data transmitted over HTTPS/TLS encryption
- Database encryption at rest (Supabase)
- No passwords stored — authentication via one-time codes (OTP)
- Row-Level Security (RLS) on all database tables
- Rate limiting on sensitive operations
9. Automated Decision-Making
The ToviGuard™ gate detection system makes automated determinations about product presence at partner locations. This processing does not produce legal effects on individuals or similarly significantly affect you. It is used solely for product monitoring and owner notification.
10. Children
myTovi is not intended for use by persons under 16 years of age, in accordance with GDPR Art. 8 and Romanian Law 190/2018. We do not knowingly collect data from minors. If you believe a minor has created an account, please contact gdpr@mytovi.com.
11. Data Breach Notification
In the event of a personal data breach, we will notify the Romanian supervisory authority (ANSPDCP) within 72 hours per GDPR Art. 33. If the breach is likely to result in high risk to your rights, we will notify you without undue delay per Art. 34.
12. Changes to This Policy
We may update this policy from time to time. Material changes will be communicated via email or in-app notification. The "Last updated" date above reflects the most recent revision.
13. Supervisory Authority
You have the right to lodge a complaint with the Romanian Data Protection Authority:
ANSPDCP (Autoritatea Națională de Supraveghere a Prelucrării Datelor cu Caracter Personal)
B-dul G-ral Gheorghe Magheru 28-30, Sector 1, 010336 București, Romania
Phone: +40.318.059.211
Email: anspdcp@dataprotection.ro
Website: dataprotection.ro