TokiTea Privacy Policy

Introduction

TokiTea ("TokiTea," "we," "us," or "our") takes the private nature of your information very seriously. We are committed to protecting and respecting your privacy. We strive to be transparent about how we collect and process your information, keep your information secure and provide you with meaningful choices.

This policy regarding our privacy practices (the "Privacy Policy") describes how we treat the information we collect or receive when you visit and use TokiTea.APP (the "Site") and/or TokiTea's other domains, products, advertising products, services, and/or content, including our iOS and Android mobile applications (collectively with the Site, the "Services").

By using TokiTea's services (APP, SITE, etc.), you agree to the terms of this Privacy Policy.

1. Information We Collect

Information You Provide Directly

• Account Data: When you create an account, we collect your email address and password
• Communication Data: Messages you send through our support channels
• Tracked Items: Matcha products, brands, or categories you ask us to monitor (e.g., "Marukyu Koyamaen Unkaku", "Ippodo Sayaka")

Information We Collect Automatically

• Device Information: Device type, operating system, app version, and unique device identifiers
• Usage Analytics: App usage patterns, feature interactions, and performance data
• Notification Data: Delivery and engagement metrics for restock alerts
• Error Logs: Technical information to improve app stability and performance

Information from Third Parties

• Firebase Analytics: Usage statistics and app performance data from Google Firebase

2. How We Use Your Information

Primary Uses

• Service Delivery: Provide and maintain our core matcha restock alert functionality
• User Experience: Personalize your experience and improve our services
• Communication: Send you important updates, notifications, and support responses
• Security: Protect against fraud, abuse, and security threats
• Legal Compliance: Meet our legal obligations and enforce our terms

Legal Basis for Processing (GDPR)

• Consent: For marketing communications and optional features
• Contract Performance: To provide services you've requested
• Legitimate Interest: For service improvement, security, and analytics
• Legal Obligation: To comply with applicable laws and regulations

3. Information Sharing and Disclosure

Service Providers

We share information with trusted third parties who help us provide our services:

• Analytics Services: Google Firebase Analytics
• Cloud Storage: Google Firebase (Google Cloud Platform)
• Customer Support: Our support platform for user assistance

Legal Requirements

We may disclose information when required by law, court order, or to protect our rights and safety.

Business Transfers

If our company is acquired or merged, your information may be transferred as part of that transaction.

Never Sold

We never sell your personal information to third parties for their commercial purposes.

4. Data Retention and Storage

Retention Periods

• Account Information: Retained while your account is active plus 2 years
• Usage Data: Retained for 24 months for analytics and service improvement (Firebase default)

Data Deletion

You can request deletion of your personal information at any time. We'll delete your data within 30 days unless we have a legal obligation to retain it.

5. Your Rights and Choices

Universal Rights

• Access: Request a copy of your personal information
• Correction: Update or correct inaccurate information
• Deletion: Request deletion of your personal information
• Objection: Object to certain uses of your information
• Portability: Receive your data in a machine-readable format

Regional Rights

For EU/UK Residents (GDPR):

• Restrict Processing: Limit how we use your information
• Withdraw Consent: Remove consent for optional processing
• Lodge Complaints: File complaints with your local data protection authority
• Data Protection Officer: Contact our DPO at [email protected]

For California Residents (CCPA/CPRA):

• Right to Know: Categories of information collected and shared
• Right to Delete: Request deletion of personal information
• Right to Opt-Out: Opt out of sale/sharing of personal information
• Right to Correct: Correct inaccurate personal information
• Right to Limit: Limit use of sensitive personal information
• Non-Discrimination: Equal service regardless of privacy choices

For Canadian Residents (PIPEDA):

• Right to Access: Access personal information and processing details
• Right to Correction: Correct inaccurate information
• Right to Withdraw: Withdraw consent for optional processing
• Right to Complain: File complaints with Privacy Commissioner of Canada

How to Exercise Your Rights

• Email: [email protected]
• In-App: Use privacy settings in your account
• Response Time: We'll respond within 30 days (extended to 60 days for complex requests)

6. Security and Protection

Technical Safeguards

• Encryption: Data encrypted in transit and at rest using industry-standard encryption
• Access Controls: Strict employee access controls and regular security training
• Monitoring: 24/7 security monitoring and incident response procedures
• Regular Audits: Annual security assessments and penetration testing

Data Breach Response

If a security incident occurs, we'll notify affected users and regulators as required by law, typically within 72 hours of discovery.

7. International Data Transfers

Transfer Mechanisms

• Adequacy Decisions: Transfers to countries with adequate protection (EU, UK, Canada)
• Standard Contractual Clauses: EU-approved contracts for other countries
• Data Transfer Assessments: Regular review of destination country protections
• Your Rights: You can request information about specific transfers

Primary Data Locations

Based on our global user base, we process data in:

• North America: Primary processing for US and Canadian users
• Asia-Pacific: Regional processing for Asian users via Google Cloud
• Europe: EU data processed within EU boundaries
• Global Infrastructure: Google Cloud Platform with appropriate data residency controls

8. Children's Privacy

Age Requirements

• General Users: 13+ years old (16+ in the EU)
• Parental Consent: Required for users under applicable age thresholds
• Enhanced Protections: Additional safeguards for younger users
• Age Verification: Robust age verification mechanisms

Special Protections

• Limited Data Collection: Minimal data collection for younger users
• No Behavioral Advertising: No targeted advertising for children
• Parental Controls: Tools for parents to manage their children's privacy

9. Cookies and Tracking

Cookie Categories

• Essential Cookies: Required for basic app functionality and authentication
• Analytics Cookies: Firebase Analytics to understand app usage
• Authentication Cookies: Google/Apple sign-in session management

Your Cookie Choices

• App Settings: Manage analytics preferences in app settings
• Browser Settings: Use browser controls to limit cookies (web version)
• Third-Party Controls: Manage Google/Apple privacy settings directly with those providers

10. Updates and Communication

Policy Updates

• Notification: We'll notify you of significant changes via email or app notification
• Effective Date: Changes become effective 30 days after notification
• Review Rights: You can review and object to changes
• Continued Use: Continued use constitutes acceptance of updates

Communication Preferences

• Marketing Emails: Opt out anytime via unsubscribe link
• Push Notifications: Manage notification preferences in app settings
• Service Communications: Essential service emails cannot be disabled
• Frequency Controls: Customize frequency of non-essential communications