Privacy Policy

Effective Date: May 25, 2026 Last Updated: May 25, 2026

Tonika ("Tonika," "we," "us," or "our") is a product of Awestruck Labs. This Privacy Policy describes how we collect, use, disclose, and protect your information when you use the Tonika application and website at tonika.io (collectively, the "Service").

By using the Service, you agree to the collection and use of information in accordance with this policy. Your use of the Service is also governed by our Terms of Use. If you do not agree, please do not use the Service.

1. Information We Collect

1.1 Account Information

When you create an account, we collect:

  • Name
  • Email address
  • Password (stored in hashed form; we never store plaintext passwords)
  • Billing information (processed by our payment processor; we do not store full payment card numbers)

1.2 Brand Content

Tonika is a brand context repository. You create, upload, and manage brand content within workspaces, including brand entries, templates, prompt libraries, and exported files ("Brand Content"). You own your Brand Content. We store it to provide the Service to you.

1.3 Usage Data

We automatically collect information about how you interact with the Service, including:

  • Pages visited, features used, and actions taken
  • AI Builder usage and credit consumption
  • Session duration and frequency
  • Browser type, operating system, and device information
  • IP address (used for security, fraud prevention, and approximate geolocation)

1.4 Cookies and Tracking Technologies

We use cookies and similar technologies to:

  • Maintain your authenticated session
  • Remember your preferences (workspace settings, UI state)
  • Understand aggregate usage patterns

We do not use cookies for third-party advertising. See Section 7 for cookie controls.

1.5 Communications

If you contact us (email, in-app feedback, support), we retain the content of those communications to respond and improve the Service.

2. How We Use Your Information

We use the information we collect to:

  • Provide the Service. Operate your account, store and serve your Brand Content, process exports, and run AI features you initiate.
  • Process payments. Bill for paid tiers and AI credit add-on packs.
  • Improve the Service. Analyze aggregate usage patterns to inform product decisions. We do not use your Brand Content to train AI models.
  • Communicate with you. Send service-related notices (billing confirmations, security alerts, feature updates). We will not send marketing emails without your explicit opt-in.
  • Ensure security. Detect and prevent fraud, abuse, and unauthorized access.
  • Comply with legal obligations. Respond to lawful requests from authorities when required.

3. How We Share Your Information

We do not sell your personal information. We share information only in these circumstances:

3.1 Service Providers

We use third-party service providers to operate the Service. These processors act on our behalf and are bound by data processing agreements that require them to safeguard your data, use it only for the purposes we direct, and apply appropriate security measures.

The categories of service providers we rely on are:

  • Transactional email. Sends account, billing, security, and product notifications. Data shared: email address and name. We currently use Resend for this purpose.
  • Payment processing. Handles checkout, subscription billing, and tax for paid tiers and AI credit packs. Data shared: billing details and transaction metadata. We do not store full payment card numbers.
  • AI providers. Powers AI Builder, chat suggestions, and health scoring. Data shared: the Brand Content excerpts you submit to AI features. See Section 3.2 for our training restriction.
  • Analytics. Helps us understand aggregate product usage. Data shared: anonymized or aggregated usage data.

The specific vendors in each category may change as Tonika evolves. We will keep this section current and post material changes per Section 11.

3.2 AI Data Handling

When you use AI-powered features (AI Builder, chat suggestions, health scoring), excerpts of your Brand Content are sent to third-party AI APIs to generate responses. We do not permit our AI providers to use your Brand Content for model training. We select providers whose data processing agreements prohibit training on customer inputs.

3.3 Legal Requirements

We may disclose information if required by law, subpoena, court order, or government request, or if we believe disclosure is necessary to protect our rights, your safety, or the safety of others.

3.4 Business Transfers

If Awestruck Labs is involved in a merger, acquisition, or sale of assets, your information may be transferred as part of that transaction. We will notify you before your information becomes subject to a different privacy policy.

3.5 With Your Consent

We may share information in other circumstances with your explicit consent.

4. Data Retention

  • Account information is retained for as long as your account is active and for 30 days after account deletion to allow for recovery.
  • Brand Content is retained for as long as your account is active. When you delete a workspace or entry, it moves to archive and is permanently purged within 30 days of deletion, or upon account closure.
  • Usage data is retained in aggregate form for up to 24 months for product analytics. Individual-level usage data is retained for 12 months.
  • Payment records are retained as required by applicable tax and financial regulations (typically 7 years).

5. Your Rights

5.1 All Users

Regardless of location, you can:

  • Access your Brand Content and account information at any time through the Service.
  • Export your Brand Content in multiple formats (Markdown, JSON, PDF, or custom formats depending on your tier).
  • Delete your account and all associated data through your account settings or by contacting us at privacy@tonika.io or support@tonika.io.
  • Correct inaccurate account information through your account settings.

5.2 European Economic Area, UK, and Swiss Residents (GDPR)

If you are located in the EEA, UK, or Switzerland, you have additional rights under the General Data Protection Regulation:

  • Legal basis for processing. We process your data under the following bases:

    • Contract performance (Article 6(1)(b)): to provide the Service you signed up for.
    • Legitimate interests (Article 6(1)(f)): to improve the Service, ensure security, and prevent fraud.
    • Consent (Article 6(1)(a)): for optional marketing communications, which you can withdraw at any time.
    • Legal obligation (Article 6(1)(c)): for tax, accounting, and regulatory compliance.

  • Right to erasure. Request deletion of your personal data, subject to legal retention requirements.

  • Right to restriction. Request that we limit processing of your data in certain circumstances.

  • Right to data portability. Receive your personal data in a structured, machine-readable format.

  • Right to object. Object to processing based on legitimate interests.

  • Right to lodge a complaint. File a complaint with your local data protection authority.

To exercise any GDPR right, contact us at privacy@tonika.io. We will respond within 30 days.

5.3 California Residents (CCPA)

If you are a California resident, you have the right to:

  • Know what personal information we collect and how it is used.
  • Request deletion of your personal information.
  • Opt out of the sale of personal information. We do not sell personal information.
  • Non-discrimination for exercising your privacy rights.

To exercise CCPA rights, contact us at privacy@tonika.io.

6. Data Security

We implement technical and organizational measures to protect your information, including:

  • Encryption of data in transit (TLS/HTTPS)
  • Encryption of data at rest
  • Hashed password storage
  • Access controls limiting employee access to personal data on a need-to-know basis
  • Regular security reviews

No system is completely secure. While we take reasonable precautions, we cannot guarantee absolute security. If we become aware of a breach affecting your personal data, we will notify you in accordance with applicable law.

7. Cookies and Tracking Controls

Essential Cookies

Required for the Service to function (authentication, session management). These cannot be disabled while using the Service.

Analytics Cookies

Used to understand aggregate usage patterns. You can opt out of analytics cookies through your browser settings or through the cookie preference controls in the Service.

We do not use advertising cookies or permit third-party advertising trackers.

8. International Data Transfers

Tonika is operated from the United States. If you access the Service from outside the US, your information may be transferred to, stored, and processed in the US. We rely on Standard Contractual Clauses (SCCs) or other approved transfer mechanisms to ensure adequate protection for personal data transferred from the EEA, UK, or Switzerland. If your organization requires a Data Processing Agreement (DPA), contact us at privacy@tonika.io.

9. Children's Privacy

Tonika is not directed to individuals under the age of 18. We do not knowingly collect personal information from minors. If we learn that we have collected information from an individual under 18, we will delete it promptly. If you believe a minor has provided us with personal information, contact us at privacy@tonika.io.

10. Beta and Pre-Release Features

Tonika may offer beta or pre-release features. These features may collect additional usage data to help us improve them. We will disclose any additional data collection specific to beta features at the time of enrollment. Beta features are provided "as is" and may be modified or discontinued.

11. Changes to This Policy

We may update this Privacy Policy from time to time. When we make material changes, we will:

  • Update the "Last Updated" date at the top of this page
  • Notify you via email or in-app notification for material changes
  • Post the updated policy at tonika.io/privacy

Your continued use of the Service after changes take effect constitutes acceptance of the updated policy.

12. Contact Us

For privacy-related questions, data requests, or concerns:

Awestruck Labs Email: privacy@tonika.io Website: tonika.io

Data Protection Inquiries (GDPR): privacy@tonika.io

This privacy policy was last updated on May 25, 2026.