1. Introduction & Data Controller
This Privacy Policy explains how TONIVO LTD (“Tonivo”, “we”, “us”, or “our”) collects, uses, stores, and protects your personal data when you use our platform at tonivo.co.uk.
TONIVO LTD is the data controller responsible for your personal data. We are a company registered in England and Wales.
- Company number: 17117959
- Registered address: The Bank Main Street, Tingewick, Buckingham, England, MK18 4NN
- Data protection contact: hello@tonivo.co.uk
This policy is governed by the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.
2. Information We Collect
a) Information you provide directly
- Account registration: Email address and password (your password is cryptographically hashed and never stored in plain text).
- Onboarding: Username, display name, roles (e.g. Producer, Vocalist, Mixer), and genre preferences.
- Profile information: Avatar image, banner image, bio (up to 800 characters), location (up to 100 characters), external links (up to 5, HTTPS only), availability status and date, and external music profile URLs (Spotify, YouTube, SoundCloud).
- Tracks: Audio files you upload (MP3 or WAV format, up to 50 MB per file, 500 MB total storage limit, maximum 50 tracks) along with title, description, and tags.
- Comments: Comments you leave on other users' profiles and tracks (up to 500 characters each).
- Ratings: Star ratings (1 to 5) you give to other users. Ratings are permanent once submitted.
- Messages: Text messages (up to 1,000 characters) and optional attachments (images up to 5 MB; audio files up to 60 MB) sent through our messaging system.
- Social actions: Users you follow and users you block.
- Account deletion feedback: If you delete your account, we ask for an optional reason and details (up to 1,000 characters).
b) Information collected automatically
- Authentication cookies: Essential session cookies to keep you logged in (see Section 5 for details).
- Activity timestamps: We record when you were last active on the platform (updated approximately every 5 minutes).
- Activity log: A record of your actions on the platform, including tracks uploaded, comments made, ratings given, follows, message reactions, and profile changes. This log is visible to you in your account settings.
- Product analytics events: A first-party, server-side record of aggregate product events (e.g. signups, uploads, searches, follows) used to measure platform health. These events are stored in our own database, never shared with third parties, and contain no raw content (no message text, comment bodies, or search queries). Where associated with an account, events are anonymised when you delete your account.
- Page-view analytics: Aggregate statistics about which pages are viewed, provided by Vercel Web Analytics (our hosting provider). This is cookieless, does not use any persistent identifier, and does not track visitors across sites or sessions. Visitors are identified only by a short-lived hash of the incoming request that is automatically discarded after 24 hours. See Vercel's privacy documentation for details.
- Acquisition source (UTM tags): If you arrived at our signup page from a link that included UTM tags (e.g. ?utm_source=...), we store those tags on your profile so we can understand which campaigns bring us new users. These are marketing-source strings chosen by campaign operators, not user-identifying data, and are never used for advertising.
- Notification data: Records of events that trigger notifications to you (e.g. new followers, comments on your tracks, new messages).
- IP addresses: Your IP address is used solely for rate limiting (abuse prevention). IP addresses are stored temporarily in our rate-limiting system and automatically expire within seconds to minutes. They are not used to identify you or linked to your account.
c) Information we do not collect
- We do not use tracking or advertising cookies.
- We do not use any third-party analytics that track you across sessions or websites, such as Google Analytics, Facebook Pixel, or similar cross-site trackers. We do not use tracking pixels or fingerprinting scripts. For aggregate page-view statistics we use Vercel Web Analytics, which is cookieless and does not identify individual visitors (see Section 2(b)).
- We do not collect device fingerprints or use hidden identifiers.
- We do not collect your geographic location beyond what you voluntarily enter in your profile.
- We do not collect your date of birth.
3. Lawful Bases for Processing
Under UK GDPR, we must have a lawful basis for each way we process your personal data. Here are the bases we rely on:
| Processing Activity | Lawful Basis |
|---|---|
| Account creation, authentication, and email verification | Contract (Art. 6(1)(b)): necessary to provide the service |
| Profile data, tracks, comments, ratings, and messages | Contract: core platform features you signed up to use |
| Session and authentication cookies | Contract: necessary for the service to function |
| Transactional emails (verification, password reset) | Contract: necessary for account security |
| Activity logging, product analytics, page-view analytics, acquisition tracking, and notifications | Legitimate interests (Art. 6(1)(f)): platform integrity and user experience |
| IP address storage for rate limiting | Legitimate interests: security and abuse prevention |
| Account deletion feedback | Legitimate interests: service improvement |
4. How We Use Your Information
- To provide, maintain, and improve the Tonivo platform.
- To authenticate your identity and manage your account.
- To enable you to create a profile, upload music, and showcase your work.
- To facilitate discovery of other users and communication between collaborators.
- To deliver notifications about activity relevant to you (e.g. new followers, comments, messages).
- To enforce our Terms of Service and protect against abuse, spam, and harassment.
- To rate-limit requests and prevent misuse of the platform.
- To send you transactional emails (account verification, password resets).
- To understand how the service is used and make improvements, using first-party activity logs, aggregate product analytics we host ourselves, and aggregate page-view statistics via Vercel Web Analytics (cookieless, no cross-site tracking).
5. Cookies
We only use strictly necessary cookies that are essential for the platform to function. We do not use tracking, advertising, or third-party cookies. Because these cookies are strictly necessary, no cookie consent banner is required under ICO guidance.
| Cookie | Purpose | Type | Duration |
|---|---|---|---|
| Supabase auth session | Keeps you logged in and authenticates your requests | HttpOnly, SameSite=Lax | Session (expires on logout or session timeout) |
| last_active_ping | Throttles activity timestamp updates to reduce database load | HttpOnly, SameSite=Lax | 1 hour |
6. Data Sharing & Third-Party Processors
We do not sell your personal data to anyone. We share data only with the following service providers who help us operate the platform, and only to the extent necessary for their specific function:
- Supabase (Supabase Inc.): provides our database, user authentication, and file storage. Processes all user data. Data is stored in the EU (Frankfurt, Germany).
- Upstash (Upstash Inc.): provides Redis-based rate limiting. Processes IP addresses and action counts only. Data auto-expires within seconds to minutes.
- SendLayer: provides SMTP email delivery. Processes email addresses for the purpose of sending verification and password reset emails only.
- Vercel (Vercel Inc.): hosts and serves the Tonivo web application. Requests pass through their infrastructure.
Each processor operates under appropriate contractual safeguards. No processor receives more data than is necessary for its specific function.
All data is stored within the EU and UK. No international transfers of your data outside the EU/UK are required.
7. Data Retention
- Active accounts: Your data is retained for as long as your account exists.
- Deleted accounts (soft-delete period): When you delete your account, your profile is immediately hidden from other users. Your data is retained for 30 days in case you wish to reactivate.
- After 30 days (hard delete): All your data is permanently and irreversibly deleted via an automated process, including your profile, tracks, comments, ratings, messages, follows, and blocks.
- Deletion feedback: If you provided a reason for deleting your account, this feedback is retained separately after hard deletion for service improvement purposes (lawful basis: legitimate interests). It is not linked to your identity after hard deletion.
- Rate-limiting data (IP addresses): Automatically expires within seconds to minutes in our Redis cache. Not retained long-term.
- Activity log: Retained for the lifetime of your account and deleted when your account is permanently deleted.
8. Your Rights Under UK GDPR
Under UK GDPR, you have the following rights regarding your personal data:
- Right of access (Art. 15): you can request a copy of all personal data we hold about you.
- Right to rectification (Art. 16): you can correct inaccurate data. Most data can be updated directly via your profile settings.
- Right to erasure (Art. 17): you can delete your account and all associated data via your account settings, or by contacting us.
- Right to restrict processing (Art. 18): you can request that we limit how we use your data in certain circumstances.
- Right to data portability (Art. 20): you can request your data in a structured, commonly used, machine-readable format.
- Right to object (Art. 21): you can object to processing based on legitimate interests. We will stop processing unless we have compelling legitimate grounds.
To exercise any of these rights, email us at hello@tonivo.co.uk with the subject line “Data Request”. We will respond within one month as required by UK GDPR.
If you are not satisfied with how we handle your request, you have the right to lodge a complaint with the Information Commissioner's Office (ICO):
- Address: Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF
- Website: ico.org.uk
9. Children & Age Restrictions
Tonivo is not directed at anyone under the age of 16. You must be at least 16 years old to create an account and use the platform. If we become aware that a user is under 16, we will terminate their account and delete their personal data promptly.
10. Data Security
We implement appropriate technical and organisational measures to protect your personal data, including:
- Row-Level Security on all database tables, ensuring users can only access data they are authorised to see.
- Passwords are cryptographically hashed and never stored in plain text.
- Strong password requirements are enforced (minimum 8 characters with uppercase, lowercase, number, and special character).
- Multi-tier rate limiting to prevent brute-force attacks and abuse.
- File upload validation including MIME type checking, file size limits, and path traversal prevention.
- Session cookies are set with HttpOnly and SameSite=Lax flags to prevent cross-site attacks.
- Email verification is required before you can access the platform.
- Automated decision-making and profiling: we do not use any automated decision-making or profiling that produces legal or similarly significant effects.
While we take all reasonable steps to protect your data, no method of electronic storage or transmission is 100% secure. We cannot guarantee absolute security.
11. Changes to This Policy
We may update this Privacy Policy from time to time to reflect changes in our practices or for legal, operational, or regulatory reasons. If we make material changes, we will notify you via email or an in-app notification. The “Last updated” date at the top of this page will always reflect the current version. Continued use of Tonivo after changes are communicated constitutes acceptance of the updated policy.
12. Contact Us
If you have any questions about this Privacy Policy or how we handle your data, please contact us:
- Data controller: TONIVO LTD
- Company number: 17117959
- Registered address: The Bank Main Street, Tingewick, Buckingham, England, MK18 4NN
- Email: hello@tonivo.co.uk
Supervisory authority: Information Commissioner's Office (ICO), Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF (ico.org.uk)