Privacy Policy
This Privacy Policy explains how the Master Togan AI service ("the Service", "we", "us") collects, uses, stores, and discloses personal data when you use the Master Togan AI mobile or web application or visit mastertogan.com.
We process personal data in accordance with the EU General Data Protection Regulation (GDPR), the California Consumer Privacy Act (CCPA), and applicable local privacy laws.
01 Who we are
The Service is operated by the team behind Master Togan. For questions about this policy or to exercise your rights under GDPR / CCPA, contact us at privacy@mastertogan.com.
02 What data we collect
- Account data: email address, optional display name, and a unique account identifier we generate.
- Authentication data: when you sign in via Apple, Google, or X (Twitter), we receive only the minimum required by those providers — a stable user identifier, your email (when not hidden), and your display name. We do not request or store your social-media password, friends, posts, or contacts.
- Chat content: the questions you send and the AI-generated replies you receive. Stored to your account so you can resume past conversations.
- Usage data: request timestamps, request IDs, error codes, and approximate request counts (for rate-limit and quota enforcement). No marketing trackers, no cross-site tracking pixels.
- Technical data: server-side request logs (IP address, user-agent, route, latency) for operational diagnostics; retained for 30 days.
03 What data we do NOT collect
- Precise geolocation.
- Contacts, photos, microphone, camera, or other device sensors.
- Browsing history outside the Service.
- Health, biometric, genetic, or financial-account data.
- Children's data — the Service is intended for users aged 17 and over.
04 Why we process your data
- To provide the Service (legal basis: performance of the contract you accept by signing up).
- To authenticate you when you sign in or refresh a session (legal basis: contract).
- To enforce free-tier quotas and prevent abuse (legal basis: legitimate interest).
- To comply with legal obligations when required by a competent authority (legal basis: legal obligation).
05 Who we share data with
We share the minimum data necessary with the following processors. Each is bound by a written data-processing agreement.
- Microsoft Azure — hosting (Function App, PostgreSQL, AI Search). Data lives in West Europe.
- OpenAI — your chat messages are sent to OpenAI's chat-completion API for response generation; OpenAI does not train its models on API data (per OpenAI's data-usage policy for API customers).
- Authentication providers — Apple, Google, and X (Twitter), only when you choose to sign in with them.
- Legal authorities — when required by valid legal process.
We do not sell or rent personal data. We do not share data with advertisers.
06 Where data is stored and how long
- Account data and chat history: stored in Azure Database for PostgreSQL (West Europe) for as long as your account is active.
- Server logs: 30 days then automatically purged.
- Session tokens: 1 hour (access token) / 14 days (refresh token).
- Once you delete your account (Section 8), all of your data is removed within 30 days, except where retention is mandated by law.
07 International transfers
Some of our processors (notably OpenAI) are based in the United States. Transfers are protected by the EU Standard Contractual Clauses or equivalent safeguards.
08 Your rights (GDPR + CCPA)
You have the right to:
- Access — request a copy of the data we hold about you. The app provides one-tap JSON export (Account → Export My Data).
- Rectification — correct inaccurate data; you can edit your profile in-app or contact us.
- Erasure — delete your account and all associated data. The app provides one-tap deletion (Account → Delete My Account).
- Restriction / Objection — restrict or object to certain processing; contact us.
- Portability — receive your data in a machine-readable format (the JSON export covers this).
- Withdraw consent — at any time, with no detriment to data processed before withdrawal.
- Complain — lodge a complaint with your local supervisory authority.
- California residents: you additionally have the rights to know, to delete, to opt out of sale (we do not sell), and to non-discrimination under CCPA.
09 Security
We protect your data using industry-standard safeguards: TLS 1.2+ in transit, encryption at rest in Azure, HS256-signed session JWTs, refresh-token rotation, role-based access control on every authenticated endpoint, and structured server-side logging for incident response. No system is perfectly secure; if we become aware of a personal-data breach affecting you, we will notify the competent authority within 72 hours and you without undue delay, as required by Article 33 GDPR.
10 AI and content disclaimers
The Service generates responses using a large language model trained on a private corpus of Master Togan's published material. Outputs are AI-generated, may be incorrect, and are not professional medical, legal, financial, or mental-health advice. We make no warranty about the accuracy of any output. If you need professional advice, consult a qualified human professional.
11 Cookies and local storage
The mobile app stores your session tokens in your device's secure storage (iOS Keychain / Android Keystore). The web app uses localStorage for the same purpose. No third-party advertising or analytics cookies are set.
12 Changes to this policy
We may update this policy as the Service evolves. Material changes will be surfaced in the app and on this page with an updated "Last updated" date. Continued use of the Service after a change constitutes acceptance of the updated policy.
13 Children
The Service is intended for users aged 17 and over. If you are under 17 you may not use the Service. If we learn that we have collected data from a child under 17, we will delete it.
14 Contact
Questions or requests under this policy can be sent to privacy@mastertogan.com.