Toxiq Privacy Policy
Who We Are
This Privacy Policy explains how AURA MANAGEMENT LLC, which operates Toxiq ("Toxiq", "we", "us", or "our"), collects, uses, shares, stores, and protects personal data when you use Toxiq, our mobile application, related websites, customer support channels, and associated services (collectively, the "Service").
If you have privacy questions, data-rights requests, or complaints, contact us at support@getdosiq.com.
Scope
This Policy applies to information processed when you:
- download, install, access, or use the Service;
- create an account or sign in;
- purchase or manage a subscription;
- use AI-assisted scan, analysis, or chat features;
- scan, search, save, or submit barcodes, ingredient lists, nutrition labels, product photos, or product packaging;
- create a personal profile, dietary preference list, favorites list, scan history, report history, or chat history;
- use location-based features for nearby retailers or store-specific product context;
- contact support;
- receive service messages, marketing, or push notifications;
- otherwise interact with us.
This Policy does not override any mandatory rights you may have under applicable privacy or consumer law.
Personal Data We Collect
The personal data we collect depends on the features you use.
Account and Profile Data
We may collect:
- name or display name;
- email address;
- login credentials, authentication tokens, and sign-in provider identifiers;
- pseudonymous internal user ID;
- diet type, dietary restrictions, allergen preferences, ingredient avoid lists, shopping country, shopping frequency, main health concerns, household information, and other profile settings you choose to provide;
- account preferences, settings, consent records, and customer-support identifiers.
Subscription and Purchase Data
If you purchase a subscription or digital feature, we may collect:
- subscription tier and entitlement status;
- purchase history;
- renewal and cancellation status;
- store transaction identifiers and receipt-related metadata;
- billing-country or tax-relevant information;
- pseudonymous subscription identifiers;
- refund, restore, or chargeback history.
We generally do not receive your full payment card number when purchases are processed by an app store or billing processor.
User Content and Scan Data
We may collect content you submit to the Service, such as:
- prompts, messages, and chat requests;
- uploaded product photos, barcode scans, ingredient-list photos, nutrition-label photos, packaging images, messages, or text you choose to submit;
- extracted ingredient text, nutrition facts, serving information, allergen statements, product names, brands, categories, food or product scores, warnings, positive matches, analysis output, scan reports, and scan results;
- favorites, saved products, scan history, report history, chat history, reviews, comments, and support messages.
Device, App, and Technical Data
We may collect:
- device model, operating system, app version, language, and time zone;
- IP address or approximate location derived from IP, where relevant;
- diagnostics, crash logs, performance events, and debug data;
- installation IDs, push tokens, and similar identifiers;
- fraud-prevention, abuse-prevention, request logs, security events, and rate-limit data.
Camera, Photos, and Location
If you grant permission, Toxiq may access your camera so you can scan product barcodes, ingredient lists, nutrition labels, and product packaging. If you grant photo library permission, Toxiq may access selected photos so you can analyze product, ingredient, label, or packaging images.
If you grant location permission, Toxiq may use your device location to identify nearby retailers, improve local product relevance, and surface store-specific product information near you. If location is unavailable or not granted, the Service may show a fallback, ask you to choose a location manually, or ask you to enable permission.
Analytics and Usage Data
If enabled, we may collect analytics about how you interact with the Service, such as screens viewed, feature usage, session length, broad engagement patterns, campaign or attribution data, and performance signals.
Messages and Notifications
If you opt in to notifications, we may process push tokens, installation IDs, notification preferences, delivery and interaction events, and message content metadata needed to send the notification.
Sources of Personal Data
We collect personal data:
- directly from you;
- automatically from your device or app environment;
- from app stores, subscription processors, or billing providers;
- from authentication providers you choose to use;
- from AI, machine-learning, product data, ingredient data, barcode data, nutrition data, search, retailer data, analytics, support, fraud, security, and infrastructure providers where relevant.
How We Use Personal Data
We use personal data to:
- provide, operate, and maintain the Service;
- create and manage your account;
- authenticate you and keep the Service secure;
- process subscriptions, entitlements, cancellations, restorations, and refunds;
- provide AI-assisted analysis, chat responses, scan results, product scores, ingredient flags, nutrition summaries, and other requested features;
- retrieve, generate, and display product, ingredient, barcode, nutrition, retailer, and store-specific information;
- personalize results based on your diet type, dietary restrictions, allergens, shopping country, shopping frequency, health concerns, household context, and preferences;
- let you save content, maintain scan history, maintain conversations, manage favorites, and access scan reports;
- provide support and communicate with you;
- monitor performance, fix bugs, and improve reliability;
- analyze usage and improve product design;
- send transactional, service, legal, security, and administrative messages;
- send promotional messages or marketing communications where permitted;
- enforce our Terms, policies, and legal rights;
- comply with law, regulator demands, court orders, tax obligations, or law-enforcement requests.
Legal Bases
Where privacy law requires a legal basis, we generally rely on the following bases:
| Purpose | Typical legal basis |
|---|---|
| Account creation, login, subscriptions, entitlement delivery, restoration, scan history, chat history, report history, favorites, and requested features | Performance of a contract or steps requested before entering a contract |
| Customer support and service communications | Performance of a contract, legitimate interests, or legal obligation |
| Security, fraud prevention, abuse detection, service integrity, and rate limiting | Legitimate interests and, where applicable, legal obligation |
| AI processing, product analysis, image processing, barcode matching, nutrition-label processing, and chat features requested by the user | Performance of a contract and, where required, consent or another valid basis |
| Location-based retailer lookup and store-specific product context | Consent or permission from your device settings, and performance of the requested feature |
| Optional analytics, optional advertising attribution, and optional promotional push messages | Consent where required by law; otherwise legitimate interests where permitted |
| Crash reporting and reliability monitoring | Legitimate interests or performance of a contract, depending on necessity |
| Accounting, tax, and legal recordkeeping | Legal obligation |
| Handling rights requests, complaints, and disputes | Legal obligation and legitimate interests |
Third-Party Services and APIs
We use third-party service providers and APIs to run the Service. Depending on your usage, these may include the following categories.
AI and Machine-Learning Service Providers
We may send prompts, messages, images, structured instructions, product information, profile preferences, and related metadata to third-party AI and machine-learning service providers so the Service can generate, transform, classify, moderate, extract, or summarize content.
This may include personal data if you choose to include it in your inputs. We ask you not to submit sensitive or regulated data unless that use is clearly supported and lawful.
AI outputs may be stored by us if needed to provide scan history, report history, conversation history, support, safety, or another feature you request. Providers may also apply their own retention rules depending on service type and configuration.
Product, Ingredient, Barcode, Nutrition, Search, and Retail Data Sources
We may query third-party product and ingredient data sources, public and licensed databases, search providers, barcode sources, manufacturer or retailer materials, nutrition references, and other external sources using barcodes, product names, ingredient text, nutrition-label text, search terms, location data, and related metadata to retrieve or generate relevant information.
External product, ingredient, nutrition, barcode, and retailer information may be incomplete, inaccurate, out of date, unavailable, or inconsistent with the physical product in your possession.
Billing and Subscription Infrastructure Providers
We may use app stores and billing-related providers to manage subscriptions, purchases, entitlements, receipt validation, renewals, restoration, refund workflows, and subscription analytics.
Authentication Providers
If you choose to sign in with a third-party account, the relevant provider may share identifiers such as your account ID, email address, name, and authentication token information with us so we can create or access your Toxiq account.
Analytics Providers
Where enabled, we may use analytics providers to understand app usage, improve product design, measure feature adoption, and maintain service quality. Where required by law, we will ask for your consent before enabling non-essential analytics.
Crash Reporting and Diagnostics Providers
Where enabled, we may use diagnostics providers to collect crash logs, device state, performance data, and related diagnostics so that we can investigate bugs, improve stability, and prevent outages. We configure such tools to minimize collection where possible and to avoid intentionally sending unnecessary personal data in diagnostic payloads.
Push Messaging Providers
Where enabled, we may use device platform messaging infrastructure or similar providers to deliver transactional or promotional push notifications. Push messaging generally requires a device token, installation identifier, or similar technical identifier.
How We Share Personal Data
We may share personal data only as reasonably necessary with:
- service providers, processors, and infrastructure vendors acting on our behalf;
- app stores, billing processors, and subscription infrastructure providers;
- AI, machine-learning, image processing, product data, ingredient data, barcode data, nutrition data, search, and retailer data providers used through the Service;
- analytics, diagnostics, observability, hosting, customer-support, communications, and security vendors;
- authentication providers you choose to use;
- legal, tax, accounting, and professional advisers;
- law-enforcement bodies, regulators, courts, counterparties, or other third parties where required by law or necessary to protect rights, safety, or the Service;
- a buyer, investor, or successor entity in connection with a merger, acquisition, financing, restructuring, or sale of assets.
We do not sell personal data in the ordinary meaning of that phrase. Some privacy laws define "sale" or "sharing" broadly enough to include certain advertising, analytics, or data-sharing arrangements. If that applies, we will provide any rights or opt-outs required by law.
International Transfers
We and our providers may process personal data in countries outside your place of residence, including the United States.
Where applicable law requires safeguards for international transfers, we rely on measures such as adequacy decisions, standard contractual clauses, contractual confidentiality and security protections, and other lawful transfer mechanisms.
You may contact us to request more information about the safeguards relevant to your data.
Data Retention
We keep personal data only for as long as reasonably necessary for the purposes described in this Policy, including to provide the Service, meet legal obligations, resolve disputes, enforce agreements, and protect the Service.
| Category | Example retention approach |
|---|---|
| Account data | While your account is active, then a limited post-deletion period needed for security, dispute handling, or technical rollback |
| Subscription and transaction records | Duration of the subscription plus any legally required accounting, tax, audit, or dispute period |
| Profile settings, dietary preferences, allergen preferences, favorites, scan history, report history, and saved products | While needed to provide the feature or until deleted, subject to backup, legal, safety, and abuse-prevention limits |
| AI request and response history | Only for as long as needed for the specific feature, account history, safety, support, or quality need, and shorter where feasible |
| Crash reports and diagnostics | Short operational period, then deletion or aggregation |
| Analytics events | Based on the reporting window we select and your consent status where relevant |
| Support records | For a limited follow-up and dispute period after closure |
| Push tokens | Until notifications are disabled, the app is uninstalled, the token expires, or the account is deleted |
| Location data | Only as needed to identify nearby retailers, provide local product context, or for caching, security, or support, unless a longer period is required or permitted by law |
We may retain data longer where required or permitted by law, including for tax, accounting, litigation hold, fraud prevention, security incident analysis, and abuse-prevention programs.
Security
We use technical and organizational measures designed to protect personal data against unauthorized access, alteration, disclosure, loss, or destruction. Depending on the system and risk, these measures may include:
- access controls and least-privilege permissions;
- encryption in transit and, where appropriate, at rest;
- pseudonymization or tokenization;
- logging and monitoring;
- environment segregation;
- incident-response procedures;
- vendor diligence;
- regular review of security controls.
No system is perfectly secure. You are also responsible for maintaining the security of your device, credentials, and account.
Your Privacy Rights
Depending on your location and the law that applies, you may have the right to:
- access your personal data;
- correct inaccurate or incomplete data;
- delete your data;
- restrict or object to certain processing;
- withdraw consent where processing relies on consent;
- receive a portable copy of certain data;
- opt out of certain direct marketing, profiling, sales, or sharing;
- appeal a denied privacy request where applicable;
- complain to a supervisory authority, attorney general, or regulator.
To exercise your rights, contact us at support@getdosiq.com.
We may need to verify your identity before acting on a request. We may also decline or limit a request where an exemption or legal exception applies.
Consent, Opt-Outs, Analytics, Crash Reporting, and Push Notifications
Consent
Where required by law, we ask for your consent before enabling non-essential analytics, enabling promotional push notifications, using optional advertising or attribution tools, accessing device permissions, or sending your data to a third-party service in a way that is not strictly necessary to provide the Service.
You may withdraw consent at any time through app settings, device settings, or by contacting us.
Analytics
If analytics is enabled, we use analytics data to understand feature usage, improve product performance, measure engagement, and make product decisions. Where analytics is not strictly necessary, we will not activate it until you consent if consent is required in your jurisdiction.
Crash Reporting
We use crash and diagnostic data to detect defects, investigate failures, prioritize bug fixes, and maintain the reliability and security of the Service. We try to configure crash tools to reduce unnecessary personal-data collection.
Push Notifications
If you allow push notifications, we may send service messages such as account alerts, billing notices, security notices, scan reminders, follow-up reminders, or feature updates. Where required by law, we will ask for a separate opt-in before sending promotional or marketing push notifications.
You can disable push notifications at any time in your device settings or in the app settings, if available.
Opt-Outs
You can opt out of marketing emails by using the unsubscribe link in the message, of promotional push notifications by changing your device or app notification settings, of non-essential analytics through available consent controls, and of account-based communications that are not strictly necessary by contacting us, subject to legal or operational limitations.
We may still send essential service, billing, legal, security, and administrative communications.
Children's Privacy
The Service is not intended for children under 13. If we learn that we collected personal data from a child in a manner that violates applicable law, we will take steps to delete or otherwise handle that data as required.
If you believe a child has provided personal data to us unlawfully, contact us at support@getdosiq.com.
Automated Decision-Making
We do not make solely automated decisions with legal or similarly significant effects about you unless we specifically disclose that practice and provide any rights required by law.
AI-assisted ranking, classification, moderation, scoring, or recommendation tools may influence product analysis, product scores, ingredient flags, warnings, positive matches, or what content is shown, but those outputs are general informational guidance and do not replace professional judgment.
Changes to This Policy
We may update this Privacy Policy from time to time. If we make a material change, we may notify you by posting the updated version in the app or on our website, by email, or by another reasonable method.
The revised Policy will become effective on the date stated at the top, unless applicable law requires another form of notice or consent.
Contact
If you have questions, complaints, or rights requests, contact Toxiq at support@getdosiq.com.