#Privacy Policy

Last updated: August 2025

#1. Introduction

Toybox ("we", "our", "us", or "the Service"), operated by Nevermind Software, LLC, is committed to protecting your privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our mobile application and related services.

By using Toybox, you explicitly consent to the collection and use of your information as described in this Privacy Policy. If you do not agree with these practices, please do not use our Service.

#2. Information We Collect

#2.1 Information You Provide Directly

  • Account Information: Email address, name, username, profile picture
  • Authentication Data: Apple Sign-In tokens, Firebase Authentication identifiers
  • Content Inputs: Text prompts, images, videos, and other media you upload for AI processing
  • User-Generated Toys: Configurations, prompts, and settings for toys you create
  • Payment Information: Processed through RevenueCat and Apple App Store (we do not store credit card numbers)
  • Communications: Support requests, feedback, and correspondence

#2.2 Information Collected Automatically

  • Device Information: Device model, operating system, unique device identifiers, mobile network information
  • Usage Data: Features used, toys created/run, credits consumed, interaction patterns
  • Session Recordings: Complete screen recordings of app sessions via PostHog (see Section 7)
  • Analytics Data: App performance metrics, crash reports, feature adoption rates
  • Location Data: If you grant permission for location-based toys
  • Camera/Photo Library: Images accessed with your permission for AI processing

#2.3 AI Processing Data

  • Input Data: All content you provide to AI models for processing
  • Output Data: AI-generated images, videos, text, and audio
  • Model Parameters: Settings and configurations used for generation
  • Processing Metadata: Timestamps, model versions, generation parameters

#3. How We Use Your Information

#3.1 Primary Uses

  • Provide, maintain, and improve our AI toy services
  • Process your prompts and generate AI content
  • Manage your account and authenticate your identity
  • Process payments and manage subscriptions
  • Track and allocate credit usage
  • Enforce our Terms of Service and community guidelines

#3.2 Secondary Uses

  • Analyze usage patterns to improve user experience
  • Debug technical issues and provide customer support
  • Send service-related notifications (non-marketing)
  • Detect, prevent, and address fraud, abuse, or security issues
  • Comply with legal obligations and respond to legal requests
  • Develop new features and services

#3.3 Content Moderation

  • Review flagged content for policy violations
  • Implement safety filters and content restrictions
  • Investigate reports of inappropriate content or misuse
  • Train and improve our content moderation systems

#4. Information Sharing and Disclosure

#4.1 Third-Party Service Providers

We share your information with these essential service providers:

  • Replicate: AI model execution (prompts, images, generation parameters)
  • OpenAI: Vision processing and image generation (prompts, images)
  • Firebase (Google): Authentication, database, cloud storage
  • RevenueCat: Subscription management and payment processing
  • PostHog: Analytics and session recording
  • Apple: App Store payments and services

We may disclose your information if required by law or in response to:

  • Court orders, subpoenas, or other legal processes
  • Requests from law enforcement or government agencies
  • Threats to safety, security, or intellectual property rights
  • Enforcement of our Terms of Service

#4.3 Business Transfers

If we merge with, acquire, or are acquired by another company, your information may be transferred as part of that transaction. We will notify you of any such change.

#4.4 Aggregate and De-identified Data

We may share aggregated or de-identified data that cannot reasonably identify you for research, marketing, or other purposes.

#5. Data Retention

#5.1 Retention Periods

  • Account Data: Retained while your account is active plus 30 days after deletion
  • Generated Content: Stored until you delete it or for 90 days if unsaved
  • Session Recordings: 90 days
  • Analytics Data: 24 months
  • Payment Records: 7 years (legal requirement)
  • Abuse/Violation Records: Indefinitely for safety purposes

#5.2 Backup and Residual Copies

Deleted data may persist in backup systems for up to 90 days. Cached or archived copies may remain on third-party servers.

#6. International Data Transfers

Your information may be transferred to and processed in countries other than your country of residence, primarily the United States. These countries may have different data protection laws. By using Toybox, you consent to these transfers.

We implement appropriate safeguards including:

  • Standard Contractual Clauses with EU data recipients
  • Data Processing Agreements with all third-party processors
  • Encryption in transit and at rest

#7. Session Recording Disclosure

IMPORTANT: We use PostHog to record your complete app sessions. This means:

  • Every screen you view is recorded
  • All taps, swipes, and interactions are captured
  • Text you enter (except passwords) may be visible
  • Generated content and results are recorded
  • These recordings help us identify bugs and improve user experience

To opt-out: Go to Settings > Privacy > Disable Session Recording

Session recordings are:

  • Stored securely with access limited to authorized personnel
  • Used only for product improvement and debugging
  • Never shared with third parties for marketing
  • Automatically deleted after 90 days

#8. Children's Privacy

Toybox is not intended for children under 13 years of age. We do not knowingly collect personal information from children under 13. If we learn we have collected information from a child under 13, we will delete it immediately.

Users aged 13-17 should have parental consent to use our Service. Parents may contact us to request deletion of their child's information.

#9. Your Privacy Rights

#9.1 Universal Rights

Regardless of location, you can:

  • Access: Request a copy of your personal information
  • Delete: Request deletion of your account and data
  • Correct: Update inaccurate information
  • Port: Export your data in a machine-readable format
  • Restrict: Limit how we process your information
  • Object: Opt-out of certain uses of your information

#9.2 California Residents (CCPA/CPRA)

Additional rights include:

  • Right to know categories and specific pieces of personal information collected
  • Right to know purposes for collection and sharing
  • Right to request deletion of personal information
  • Right to opt-out of "sale" of personal information (we do not sell personal information)
  • Right to non-discrimination for exercising privacy rights

#9.3 European Residents (GDPR)

Additional rights include:

  • Right to withdraw consent at any time
  • Right to lodge complaints with supervisory authorities
  • Right to object to automated decision-making
  • Right to be informed of international transfers

#9.4 Exercising Your Rights

Contact us at support@nevermind.llc with:

  • Your specific request
  • Information to verify your identity
  • Your relationship to the account (if requesting for someone else)

We will respond within 30 days (45 days for complex requests).

#10. Data Security

We implement industry-standard security measures including:

  • Encryption in transit (TLS 1.2+) and at rest (AES-256)
  • Secure authentication via Firebase Auth
  • Regular security audits and penetration testing
  • Access controls and employee training
  • Incident response procedures

However, no method of electronic storage is 100% secure. You use our Service at your own risk.

#11. AI-Specific Disclosures

#11.1 Model Provider Data Sharing

When you use AI features, your inputs are sent to:

  • Replicate's servers for model execution
  • OpenAI's servers for vision/generation tasks These providers have their own privacy policies that apply to their processing.

#11.2 Content Rights and Training

  • We do not use your personal content to train AI models
  • Third-party model providers may have different policies
  • Generated content may be similar to other users' outputs
  • We cannot guarantee uniqueness or copyright status of outputs

#11.3 Prompt Logging

We may log prompts for:

  • Debugging and error resolution
  • Safety and compliance monitoring
  • Aggregate analysis (de-identified)

#12. Cookies and Tracking Technologies

While our mobile app doesn't use traditional cookies, we use:

  • Local Storage: User preferences and cache
  • Device Identifiers: Analytics and fraud prevention
  • Firebase Analytics: Usage patterns and crash reporting
  • PostHog Events: Feature usage and user journeys

Our Service may contain links to third-party websites or services. We are not responsible for their privacy practices. Review their privacy policies before providing information.

#14. Marketing and Communications

#14.1 Marketing Emails

We may send promotional emails only with your consent. Unsubscribe anytime via the link in emails or in Settings.

#14.2 Service Communications

We will send non-promotional communications about:

  • Account security and authentication
  • Payment and subscription changes
  • Policy updates and legal notices
  • Safety and compliance issues

#15. Data Breach Notification

If a breach affects your personal information, we will:

  • Notify you within 72 hours of discovery via email and in-app notification
  • Describe the data affected and potential consequences
  • Explain mitigation steps we're taking
  • Provide guidance on protecting yourself
  • Report to authorities as legally required

#16. Privacy Policy Changes

We may update this Privacy Policy periodically. We will notify you of material changes via:

  • In-app notifications
  • Email to your registered address
  • Prominent notice in the app

Continued use after changes constitutes acceptance of the updated policy.

#17. Jurisdiction-Specific Provisions

#17.1 Nevada Residents

Nevada residents may opt-out of sale of covered information by emailing support@nevermind.llc.

#17.2 Brazilian Residents (LGPD)

Brazilian residents have rights similar to GDPR, including access, correction, deletion, and portability.

#17.3 Canadian Residents (PIPEDA)

Canadian residents may access and challenge the accuracy of their personal information.

#18. Contact Information

For privacy inquiries, requests, or complaints:

Email: support@nevermind.llc
Mailing Address:
Nevermind Software, LLC
67 West St, Suite 401 Brooklyn, NY 11222 United States

Data Protection Officer: support@nevermind.llc

Response Time: Within 30 days for most requests

#19. Accessibility

We strive to make our privacy practices accessible to all users. For alternative formats of this policy or accessibility assistance, contact support@nevermind.llc.

#20. Effective Date and Acceptance

This Privacy Policy is effective as of August 2025. By using Toybox after this date, you accept these privacy practices. If you do not agree, please discontinue use immediately.