Effective: April 27, 2026 · Last updated: May 6, 2026
Controller: Ty Horton, sole proprietor (Texas, USA), operating Tonebook independently. Contact: hello@tonebook.app
Tonebook is designed to be a private AI personal-color coach. We do not perform identity recognition, do not store face embeddings or other biometric identifiers, and do not use your photos for model training by default. Photos are used only to generate your color report; in live-AI mode the selfie is sent to our processor in-flight and is not retained server-side. (Default sim mode never uploads at all.) Tonebook does process color samples derived from a face, which qualifies as biometric information under some state laws — see our Biometric Information Policy for the full disclosure. You can delete your saved data anytime in Settings.
For users in the EU, EEA, UK, and Switzerland, processing is performed under the lawful basis of your explicit consent (Article 6(1)(a) and Article 9(2)(a) where applicable). You give that consent the first time you enable Live AI mode in Settings, and you can withdraw it at any time by toggling Live AI off, deleting your data in Settings, or emailing the address above. Color analysis is provided on a non-discriminatory basis whether you consent or not — sim mode is fully functional offline.
Where data is transferred to processors in the United States (OpenAI, Supabase, PostHog, Sentry), the transfer relies on the Standard Contractual Clauses adopted by the European Commission, with each processor's published SCCs and data-processing addendum incorporated by reference.
| Data | When | Purpose |
|---|---|---|
| Selfie photo (you upload) | When you tap "Analyze my style" | Generate your AnalysisResult. In default mock mode the photo never leaves your device. In live-AI mode, the photo is sent to our Supabase edge function which calls OpenAI's vision API — the photo is processed in transit and not retained server-side. |
| Onboarding answers | During first-run | Personalize your report copy. Stored locally in your device's UserDefaults. |
| Saved reports | Each generated analysis | Stored locally in your device's Application Support directory as Codable JSON. Never uploaded. |
| Anonymous product analytics | Throughout app use | Aggregate metrics (e.g., paywall_viewed, report_viewed) via PostHog. Opt-out anytime in Settings → Send anonymous analytics. |
| Crash reports | When the app crashes | Sent to Sentry to fix bugs. No PII. Opt-out applies. |
| App Store purchase receipts | When you buy | Verified by Apple's StoreKit + RevenueCat for entitlement gating. Standard Apple-mediated flow. |
| Service | Data sent | Purpose |
|---|---|---|
| Apple StoreKit / App Store | Purchase receipts | Subscription billing |
| RevenueCat | Anonymous user ID + entitlement state | Subscription dashboard + cross-device entitlement sync |
| OpenAI (via our Supabase Edge Function, live-AI mode only) | Compressed selfie + onboarding profile JSON | Generate AnalysisResult. Subject to OpenAI's API data policy: not used for training. |
| Supabase | API requests | Edge Function hosting |
| PostHog | Anonymous event names + session ID | Product analytics. Opt-out in Settings. |
| Sentry | Crash stack traces | Crash debugging. Opt-out applies. |
For users in jurisdictions with formal data-rights frameworks (CCPA, GDPR, PIPEDA, etc.), the in-app delete-my-data flow performs a complete erasure equivalent to a Right-to-Erasure request.
Tonebook is intended for adults 18 and older. The app's first-run consent flow requires explicit confirmation that you are 18+. We do not knowingly collect data from minors.
We will update the "Last updated" date and post the new version at this URL. Material changes will be surfaced in-app on the next launch.
Email: hello@tonebook.app