Privacy Policy

Last updated: 2026

At Tongflow ("we," "us," "our," or "Provider"), your privacy is paramount. This Privacy Policy describes how we collect, use, process, share, and protect your personal data in connection with our website, platform, mobile applications, and services (collectively, the "Service").

BY USING THE SERVICE, YOU ACKNOWLEDGE THAT YOU HAVE READ AND UNDERSTOOD THIS PRIVACY POLICY AND CONSENT TO THE COLLECTION, USE, AND DISCLOSURE OF YOUR INFORMATION AS DESCRIBED HEREIN. IF YOU DO NOT AGREE, PLEASE DO NOT USE THE SERVICE.

1. Information We Collect

1.1 Information You Provide Directly

Account Registration: Name, email address, password, username, and optional profile information (avatar, bio, preferences).

Payment Information: Billing address, payment method details. Note: Full credit card numbers are processed by third-party payment processors; we do not store complete card numbers.

Communications: Correspondence when you contact support, participate in surveys, or provide feedback.

User Content ("Input"): All files, text, prompts, images, audio, video, and other data you upload to or create using the Service.

1.2 AI-Generated Content ("Output")

We process and temporarily store Outputs generated through your use of AI features to deliver Service functionality. Outputs may be retained for caching, improving performance, and compliance purposes.

1.3 Automatically Collected Information

Device and Technical Data: IP address, browser type and version, operating system, device type and identifiers, screen resolution, and timezone.

Usage Data: Pages visited, features used, click patterns, session duration, referring URLs, search queries, and interaction patterns.

Log Data: Server logs recording your requests, timestamps, error messages, and system activity.

1.4 Cookies and Tracking Technologies

We use cookies, web beacons, pixels, and similar technologies to collect information about your browsing behavior. See Section 9 for detailed Cookie Policy.

1.5 Third-Party Information

We may receive information from: social login providers (if you use Google, Apple, etc.); payment processors; analytics providers; and fraud prevention services.

2. Legal Basis for Processing (GDPR)

If you are in the European Economic Area (EEA), UK, or jurisdictions requiring a legal basis, we process your data based on:

  • Contractual Necessity: To provide the Service you requested and perform our agreement with you (Account management, service delivery, payment processing).
  • Consent: Where you have provided explicit consent (Marketing communications, non-essential cookies, certain data sharing).
  • Legitimate Interests: To pursue our legitimate business interests (Security, fraud prevention, service improvement, analytics) where not overridden by your rights.
  • Legal Obligation: To comply with applicable laws and regulations (Tax compliance, law enforcement requests, legal claims).

You may withdraw consent at any time. Withdrawing consent does not affect the lawfulness of prior processing.

3. How We Use Your Information

3.1 Providing the Service

  • Create and manage your account
  • Process your Input through AI models to generate Outputs
  • Enable service features and functionality
  • Process payments and subscriptions
  • Provide customer support

3.2 Improving the Service

  • Analyze usage patterns and user behavior
  • Develop new features and products
  • Conduct research and development
  • Test and optimize platform performance

3.3 Security and Compliance

  • Detect, prevent, and investigate fraud, abuse, and violations
  • Enforce our Terms of Service
  • Comply with legal obligations
  • Respond to lawful requests from authorities

3.4 Communications

  • Send transactional emails (receipts, account updates, security alerts)
  • Send marketing communications (with your consent, where required)
  • Respond to your inquiries and support requests

4. Data Sharing and Disclosure

4.1 AI Model Providers

IMPORTANT: To execute your AI workflows, your Input is transmitted to third-party AI companies, including but not limited to:

  • OpenAI (for GPT models)
  • Anthropic (for Claude models)
  • Google (for Gemini models)
  • Stability AI (for image generation)
  • Other AI providers as we integrate new capabilities

These providers process your data according to their own privacy policies. By using Tongflow, you consent to this necessary data transfer. We recommend reviewing the privacy policies of these providers.

4.2 Service Providers and Sub-processors

We share data with trusted service providers who assist us in operating the Service:

  • Cloud Infrastructure: AWS, Google Cloud, Cloudflare (hosting, storage, CDN)
  • Payment Processors: Stripe, PayPal (payment processing)
  • Analytics: Google Analytics, Mixpanel (usage analytics)
  • Communication: SendGrid, Intercom (email, customer support)

These providers are contractually bound to protect your data and use it only as instructed.

4.3 Legal and Safety Disclosures

We may disclose your information if we believe in good faith that disclosure is necessary to:

  • Comply with legal obligations, valid legal processes, or government requests
  • Enforce our Terms of Service and investigate violations
  • Detect, prevent, or address fraud, security, or technical issues
  • Protect the rights, property, or safety of Tongflow, our users, or the public

4.4 Business Transfers

If Tongflow is involved in a merger, acquisition, asset sale, or bankruptcy, your information may be transferred as part of that transaction. We will notify you of any change in ownership or use of your personal information.

4.5 With Your Consent

We may share your information with third parties when you have given explicit consent.

5. Data Security and International Transfers

5.1 Security Measures

We implement industry-standard security measures including:

  • Encryption of data in transit (TLS/SSL) and at rest (AES-256)
  • Firewalls and intrusion detection systems
  • Access controls and authentication mechanisms
  • Regular security assessments and penetration testing
  • Employee security training and access restrictions

No system is 100% secure. We cannot guarantee absolute security of your data. You use the Service at your own risk and are responsible for maintaining the security of your account credentials.

5.2 International Data Transfers

Your information may be stored and processed in countries outside your residence, including the United States and other countries where our service providers operate. These countries may have different data protection laws.

For transfers from the EEA, UK, or Switzerland, we rely on:

  • Standard Contractual Clauses (SCCs) approved by the European Commission
  • Adequacy decisions where applicable
  • Other legally approved transfer mechanisms

5.3 Breach Notification

In the event of a data breach affecting your personal information, we will notify you and relevant authorities as required by applicable law.

6. Data Retention

6.1 Retention Periods

  • Account Data: Retained while your account is active and for a reasonable period after closure for legal and business purposes.
  • User Content (Input/Output): Retained according to your storage plan settings. Deleted content may be retained in backups for up to 90 days.
  • Usage Logs: Retained for up to 24 months for analytics and security purposes.
  • Payment Records: Retained as required by tax and financial regulations (typically 7+ years).

6.2 Deletion

Upon account deletion request, we will delete your personal data within 30 days, except:

  • Data required for legal compliance or legitimate business purposes
  • Anonymized or aggregated data that no longer identifies you
  • Data in system backups (deleted in normal backup rotation cycles)

7. Your Rights and Choices

7.1 Universal Rights

Regardless of location, you can:

  • Access and update your account information via account settings
  • Delete your account by contacting [email protected]
  • Opt out of marketing communications via unsubscribe links
  • Manage cookie preferences through your browser or our cookie settings

7.2 EEA/UK Rights (GDPR)

If you are in the EEA or UK, you have the right to:

  • Access: Obtain confirmation and a copy of your personal data
  • Rectification: Correct inaccurate or incomplete data
  • Erasure: Request deletion ("Right to be Forgotten")
  • Restriction: Limit processing under certain conditions
  • Portability: Receive your data in a structured, machine-readable format
  • Object: Object to processing based on legitimate interests
  • Withdraw Consent: Withdraw consent at any time
  • Lodge Complaint: File a complaint with your supervisory authority

7.3 California Rights (CCPA/CPRA)

California residents have the right to:

  • Know: Request disclosure of personal information collected, used, and shared
  • Delete: Request deletion of personal information
  • Correct: Request correction of inaccurate personal information
  • Opt-Out of Sale/Sharing: We do not "sell" personal information in the traditional sense. If we engage in "sharing" for cross-context behavioral advertising, you may opt out.
  • Non-Discrimination: You will not be discriminated against for exercising your rights
  • Limit Sensitive Personal Information: Limit use and disclosure of sensitive personal information

To make a request, contact us at [email protected] or [email protected]. We will verify your identity before processing requests.

7.4 China Rights (PIPL)

Users in China have rights under the Personal Information Protection Law, including access, correction, deletion, portability, and withdrawal of consent. Contact [email protected] to exercise these rights.

7.5 Other Jurisdictions

If you are in Brazil (LGPD), Japan (APPI), or other jurisdictions with privacy laws, please contact us to exercise your applicable rights.

8. Children's Privacy

The Service is not intended for anyone under the age of 18 (or the age of majority in your jurisdiction). We do not knowingly collect personal information from children.

COPPA Compliance: We do not knowingly collect personal information from children under 13 in the United States. If we learn we have collected such information, we will delete it immediately.

If you believe a child has provided us with personal information, please contact us at [email protected] so we can delete it.

9. Cookie Policy

9.1 What Are Cookies

Cookies are small text files stored on your device when you visit websites. We also use similar technologies like web beacons, pixels, and local storage.

9.2 Types of Cookies We Use

  • Essential Cookies: Required for basic functionality (login sessions, security, load balancing). Cannot be disabled.
  • Functional Cookies: Remember your preferences (language, display settings).
  • Analytics Cookies: Help us understand how you use the Service to improve performance and user experience.
  • Marketing Cookies: Used for advertising and tracking (only with consent where required).

9.3 Third-Party Cookies

Our Service may contain cookies from third-party providers (Google Analytics, etc.). These cookies are governed by their respective privacy policies.

9.4 Managing Cookies

You can manage cookie preferences through:

  • Our cookie consent banner (where applicable)
  • Your browser settings (blocking or deleting cookies)
  • Opt-out tools provided by third parties (Google Analytics Opt-out, NAI, DAA)

Note: Disabling essential cookies may prevent the Service from functioning properly.

9.5 Do Not Track

Some browsers have a "Do Not Track" (DNT) feature. We currently do not respond to DNT signals, but you can use our cookie settings to manage tracking preferences.

10. Automated Decision-Making

We may use automated processing for:

  • Fraud Detection: Automated systems to identify potentially fraudulent activity
  • Content Moderation: Automated screening of content for policy violations
  • Service Optimization: Personalization and recommendation algorithms

These automated processes may have legal or significant effects. If you are in a jurisdiction that grants you rights regarding automated decision-making (e.g., GDPR Article 22), you may have the right to request human review, express your point of view, and contest the decision. Contact us to exercise these rights.

11. Marketing Communications

With your consent (where required), we may send you marketing communications about our products, services, and promotions.

Opt-Out: You can unsubscribe from marketing emails at any time by:

  • Clicking the "unsubscribe" link in any marketing email
  • Updating your communication preferences in account settings
  • Contacting us at [email protected]

Even after opting out of marketing, you will continue to receive transactional communications (receipts, security alerts, service updates).

12. Changes to This Policy

We may update this Privacy Policy periodically to reflect changes in our practices, technologies, legal requirements, or other factors.

  • For material changes, we will notify you via email to your registered address or through a prominent notice on the Service at least 30 days before the changes take effect.
  • For minor changes, we will update the "Last updated" date at the top of this policy.

Your continued use of the Service after we post changes constitutes your acceptance of the updated Privacy Policy. If you do not agree to any changes, you should stop using the Service and request deletion of your account.

13. Contact Information

If you have any questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us:

EEA/UK Representative: If you are in the EEA or UK and wish to contact our representative, please email [email protected].

We aim to respond to all privacy-related inquiries within 30 days. For access, deletion, or correction requests, we may require identity verification before processing.