TTovi

Privacy Policy

Your family's privacy, in plain language. No fine print tricks.

The short version

We know you're busy. Here's what matters:

  • We never collect data directly from children. Tovi is a parent-facing app. Your child never interacts with it.
  • No ads. No third-party tracking of children. No data selling. Not now, not ever.
  • Minimal data, maximum privacy. We store your email for authentication. For your child, we only keep their first name and age in months — no birthdates, no photos, no biometrics.
  • You own your data. Delete everything anytime from Settings. One tap.
  • Your data stays in the EU. Stored on European servers with strong privacy protections.

Children's privacy (COPPA)

Tovi serves families with children ages 0–5, so protecting children's privacy isn't just a legal requirement — it's our responsibility as parents ourselves.

How we comply with COPPA

  • Children never use the app directly. Tovi is designed for parents, caregivers, and grandparents. There are no child-facing interfaces, no child accounts, and no features that require a child to interact with a device.
  • We do not collect personal information from children. All information is provided by the parent. We store a child's first name and age in months to personalise activity recommendations. We do not store birthdates, photos, voice recordings, or any other identifiable information about children.
  • No advertising or behavioural tracking of children. Tovi has no ads, no advertising SDKs, no retargeting pixels, and no behavioural profiling of children. Period.
  • No sharing of children's information with third parties. A child's first name and age are never shared with advertisers, data brokers, or any third party.
  • Parental control. Parents can review, modify, or delete all data associated with their child at any time from the Settings screen in the app.

If you believe a child under 13 has somehow provided personal information to Tovi without parental involvement, please contact us immediately at [email protected] and we will delete it within 24 hours.

What we collect and why

From you (the parent)

Email address — Used for authentication via magic link sign-in (powered by Clerk). No passwords stored. We send you a link, you click it, you're in.

Your name (optional) — To personalise your experience within the app.

About your child

First name — To personalise activity cards (“Mira's morning activities”). First name only. No last names.

Age in months — To match activities to your child's developmental stage. We store age in months, not a birthdate. We cannot reverse-engineer your child's date of birth from this.

What we do NOT collect

Birthdates

Photos or videos

Location data

Contact lists

Voice recordings

Social security or ID numbers

Financial information

Device identifiers for tracking

Services we use

We use a small number of trusted services to run Tovi. Here's exactly what they are and what they do:

Clerk — Authentication

Handles sign-in via magic links sent to your email. No passwords are stored. Clerk processes your email address to authenticate you. They do not receive any information about your child.

Umami — Privacy-focused analytics

Self-hosted on our own servers. Tracks anonymous, aggregate usage (page views, general device types) so we can improve Tovi. No cookies, no personal identifiers, no cross-site tracking. GDPR-compliant by design.

Google Analytics — Website analytics

Used on the marketing website (trytovi.com) to understand how parents find us. IP anonymisation is enabled. This does not run inside the Tovi app itself and does not track children or child-related data.

Resend — Email delivery

Sends transactional emails (magic links, daily activity emails). Resend processes your email address only. They do not receive any information about your child.

Cloudflare — DNS and security

Provides DNS routing and DDoS protection for our website. Standard web infrastructure — no personal data processing beyond what's needed to route your request.

That's the complete list. We do not use Facebook Pixel, advertising networks, retargeting services, data brokers, or any service whose business model depends on selling user data.

Where your data lives

Server-side data

Your account data (email, child's first name, age in months) is stored on Hetzner servers located in the European Union (Germany/Finland). Hetzner is a European hosting provider subject to EU data protection laws, including GDPR. Your data does not leave the EU.

On-device data

Tovi is a Progressive Web App (PWA). Some data — including your activity history, preferences, and cached content — is stored locally on your device via service worker caching and local storage. This data never leaves your device and can be cleared by uninstalling the PWA or clearing your browser data.

Your rights

You have full control over your data. Always.

Delete your data

Go to Settings in the app and tap “Delete my account.” This permanently removes all your data from our servers — your email, your child's name, everything. No waiting period, no hoops to jump through.

You can also email [email protected] with the subject “Delete my data” and we'll handle it within 48 hours.

Access your data

Want to know exactly what we have? Email us and we'll send you a complete copy of all data associated with your account. Spoiler: it's not much.

Modify your data

Update your child's name or age anytime from the app. Change your email by contacting us. You don't need a reason.

Opt out of emails

Every email we send has an unsubscribe link. One click, no guilt, no “are you sure?” sequence.

GDPR compliance

If you're in the European Economic Area (EEA), the UK, or Switzerland, you have additional rights under the General Data Protection Regulation:

  • Legal basis: We process your email address based on your consent (when you sign up) and legitimate interest (to provide the service). Child information is processed based on parental consent.
  • Data portability: You can request a machine-readable export of your data.
  • Right to object: You can object to processing at any time by contacting us.
  • Data location: All server-side data is stored within the EU (Hetzner, Germany/Finland).
  • Supervisory authority: You have the right to lodge a complaint with your local data protection authority.

How we protect your data

  • All connections use HTTPS/TLS encryption in transit
  • Passwordless authentication via magic links (no passwords to breach)
  • EU-based servers with physical security controls
  • Minimal data collection — we can't leak what we don't have
  • No third-party access to child-related information

Changes to this policy

If we make meaningful changes to how we handle your data, we'll email you before the changes take effect. We will never quietly reduce your privacy protections. Minor wording updates (typos, clarifications that don't change meaning) may happen without notice.

Questions about privacy?

We're real people and real parents. If anything in this policy is unclear, or if you have concerns about how we handle data, please reach out.

Email: [email protected]

Entity: Drumworks Ventures FZ LLC, Dubai, UAE

Last updated: April 4, 2026