Privacy Policy
Effective Date: 2026-07-08 Last Updated: 2026-07-08
1. Introduction
Welcome to Toasty (“we”, “us”, “our”). Toasty is a mobile reading-companion application that helps you start, finish, and sustain a long-term reading practice with the physical books you already own.
This Privacy Policy explains what information we collect, how we use it, who we share it with, and the choices you have. We’ve tried to write it in plain English. If anything is unclear, email us at [email protected].
This policy applies to the Toasty mobile application and any related services we provide (“Service”). It does not cover third-party services that integrate with Toasty (those have their own policies — see §6).
2. Who We Are
Toasty is operated by Ching-Wei Hua (“we”), an individual sole proprietor based in Taiwan.
- Contact: [email protected]
- Data protection contact: same as Contact above
3. Information We Collect
We collect the minimum information needed to provide the Service. The categories below correspond to the iOS Privacy Manifest disclosures shown on our App Store listing.
3.1 Account information
When you sign up via Apple Sign-In or Google Sign-In, we receive:
- Your email address
- Your authentication provider identifier (an opaque user ID from Apple or Google)
- Your display name, if your provider returns one
We do not collect or store your password — authentication is handled entirely by Apple or Google via Supabase Auth.
3.2 Profile and preferences
- Your reading-state self-identification (Slumped / Steady / Optimizing) and reader identity selection, captured during onboarding
- Your timezone (inferred from device) so that scheduled push notifications arrive at appropriate times
- Your notification preferences (whether you’ve enabled push, what time you want morning reading prompts, which categories you’ve enabled)
- Your language / locale preference
3.3 Reading content you provide
- Photographs of book table-of-contents pages and covers that you upload for processing
- Book metadata you input (title, author, total page count, starting page)
- Generated reading plans and slice schedules derived from the above
- Reading session records: which slice you started, when you started and completed it, how long it took
- Your responses to in-app reading intent and motivation prompts
We process the photos via Google Gemini API for optical character recognition. Photos are sent to Google’s API and are subject to Google’s data handling terms. After processing, we retain the photo file for the lifetime of the book in your library so you can re-process it if needed; you can remove it by removing the book.
3.4 Subscription and payment information
We do not receive or store your payment card details. Payments are processed entirely by Apple via the App Store. We receive only:
- Your subscription status (trial / active / cancelled / expired)
- The plan you are on
- Subscription start, renewal, and expiration dates
- Anonymized transaction identifiers from RevenueCat
3.5 Device and technical information
- Device model, operating system version, and app version (for support and crash diagnosis)
- Push notification token (issued by Apple Push Notification service, used to deliver notifications)
- Crash reports (stack traces and device state at the moment of a crash) via Sentry
- Usage analytics (screen views, feature usage, anonymous behavioral patterns) via PostHog
- IP address (used briefly to detect approximate region and to mitigate abuse; not stored long-term linked to your identity)
3.6 What we deliberately do NOT collect
- Contents of books beyond table-of-contents pages you choose to scan
- Highlights, notes, or annotations within books
- Contacts, calendar, photo library (except photos you explicitly choose to upload)
- Microphone or camera access (except camera when you explicitly take a TOC photo)
- Precise location
4. How We Use Your Information
We use the information we collect to:
- Provide the Service: process your book uploads, generate reading plans, deliver reading sessions, schedule notifications
- Operate your subscription: validate access, send trial reminders, send renewal and cancellation notifications
- Personalize your experience: tailor companion messages and recommendations based on your reading state and history
- Improve the Service: analyze aggregated usage to find and fix bugs, improve features
- Communicate with you: respond to support requests, send service-related notices (subscription changes, security)
- Comply with legal obligations and protect against misuse
We do not:
- Sell your personal information to third parties
- Use your reading content to train AI models for other customers
- Share your reading content with advertisers or data brokers
- Run advertising in the app
5. Legal Basis for Processing (EU/UK users)
If you are in the European Economic Area or the United Kingdom, our legal basis for processing your information depends on the activity:
- Performance of a contract: processing necessary to provide the Service you subscribed to
- Legitimate interests: product improvement, fraud prevention, securing the Service
- Consent: push notifications, analytics (where required by local law)
- Legal obligation: complying with applicable laws
You may withdraw consent at any time where consent is the basis (see §10).
6. Service Providers / Data Processors
We use the following service providers to operate Toasty. Each receives only the information needed to perform its function and is bound to use it only for that purpose.
| Provider | Purpose | Data shared |
|---|---|---|
| Apple (Sign in with Apple, App Store, Push Notification service) | Authentication, payment processing, push delivery | Authentication tokens, subscription transactions, push tokens |
| Google (Sign in with Google, Gemini API) | Authentication, OCR processing | Auth tokens; uploaded book photo content |
| Supabase | Authentication backend, application database | Email, auth identifiers, profile data, reading history |
| RevenueCat | Subscription management abstraction layer over Apple IAP | Subscription transaction metadata |
| OneSignal | Push notification delivery | Push tokens, notification content, basic device metadata |
| Sentry | Crash and error reporting | Crash stack traces, device metadata at crash moment |
| PostHog | Product analytics | Pseudonymous usage events, feature interactions |
| Fly.io | Application hosting | Server-side data in motion through application servers |
Each provider operates under its own privacy policy. We perform reasonable due diligence on their data practices but do not control their internal handling.
7. International Data Transfers
We are based in Taiwan. Our service providers operate primarily in the United States. By using Toasty, you understand that your information will be processed in the United States and other jurisdictions that may have different data-protection laws than your jurisdiction.
Where required by EU/UK law, we rely on Standard Contractual Clauses with our service providers to safeguard transfers.
8. Data Retention
- Account data: retained as long as your account is active
- Reading content (photos, plans, sessions): retained as long as the book is in your library; deleted when you remove the book or delete your account
- Subscription history: retained for tax and audit purposes for up to seven (7) years
- Crash reports and analytics: retained in aggregated form indefinitely; identifiable form retained 180 days
- Push tokens: deleted when you disable push or delete your account
When you delete your account (see §10), we hard-delete your personal data within 30 days, except where retention is required by law (e.g., tax records for paid transactions).
9. Children’s Privacy
Toasty is not directed to children under 13. We do not knowingly collect personal information from children under 13. If you believe a child under 13 has provided us information, contact us at [email protected] and we will delete it.
If you are between 13 and the age of majority in your jurisdiction, you may use Toasty only with a parent’s or guardian’s involvement.
10. Your Rights and Choices
Regardless of where you live, you have the following rights through Toasty:
- Access: see what we have about you (request via [email protected])
- Delete: delete your account and associated data from within the app (Settings → Account → Delete Account) — this permanently removes your data within 30 days
- Correct: correct profile information from Settings → Account
- Stop notifications: disable push notifications from Settings → Notifications (or from the iOS Settings app)
- Cancel subscription: manage and cancel your subscription from the iOS App Store subscription settings
If you are in the EU/UK (GDPR) or California (CCPA), you have additional rights including:
- Data portability (request a copy of your data in a structured format)
- Restriction of processing
- Objection to certain processing
- Lodging a complaint with your local data protection authority
To exercise additional rights, email [email protected] with the subject “Privacy Rights Request” and we will respond within 30 days.
11. California Residents (CCPA)
If you are a California resident, the California Consumer Privacy Act (“CCPA”) provides you specific rights regarding your personal information. We:
- Do not sell your personal information (we have not done so in the preceding 12 months and have no plans to)
- Do not share your personal information for cross-context behavioral advertising
- Respect the Global Privacy Control (GPC) signal
You may exercise your CCPA rights by emailing [email protected].
12. Security
We use industry-standard measures to protect your information:
- HTTPS encryption for all data in transit
- Encryption at rest for sensitive data via our infrastructure providers
- Authentication via Apple and Google (we never see your password)
- Regular dependency updates and security review of code changes
- Access controls limiting which team members can see what data
No system is perfectly secure. If we discover a breach that materially affects you, we will notify you promptly as required by applicable law.
13. Cookies and Tracking Technologies
The Toasty mobile app does not use cookies. We use device identifiers (Apple’s IDFV) and pseudonymous analytics identifiers to track usage in aggregate. We do not use cross-app tracking and respect Apple’s App Tracking Transparency framework.
The Toasty marketing website may use cookies; see the cookie notice on the website when you visit it.
14. Changes to This Policy
We may update this Privacy Policy from time to time. When we make material changes, we will:
- Update the “Last Updated” date at the top
- Notify you within the app or via email at least 14 days before the change takes effect
- Maintain the prior version available on request
Your continued use of Toasty after the changes take effect indicates your acceptance of the updated policy.
15. Contact
Privacy questions, requests, or concerns:
Email: [email protected]
For data protection inquiries from EU/UK users, you may also contact your local data protection authority.
This Privacy Policy was drafted on 2026-05-23. We aim to keep it readable and current. If you spot something confusing or wrong, please tell us.