Legal · Last updated May 12, 2026

Privacy Policy

We take privacy seriously and design our products to need as little of your data as possible. This page explains, in plain language, what we collect, why, and how to control it.

1. Who we are

Tona Digital is a privately held company based in the Netherlands, registered with the Kamer van Koophandel. For privacy-related requests, contact privacy@tonadigital.com.

2. Data we collect

We collect three categories of data:

• Account data — name, email, organization, billing address. Required to operate the service and bill you correctly.
• Product data — content you process inside our products. For privacy-first products (Toolshub), this never leaves your browser. For server-side products, we encrypt at rest and in transit.
• Operational data — anonymized usage and error telemetry to keep our products stable. You can opt out at any time in account settings.

3. Legal basis

Under the GDPR, we rely on the following legal bases:

• Contract — to deliver the product or service you subscribed to.
• Legitimate interest — to keep our services secure, debug issues, and prevent fraud.
• Consent — for non-essential cookies and marketing communications.
• Legal obligation — to retain billing records as required by Dutch and EU law.

4. Where data lives

We host on EU infrastructure by default (Amsterdam, Frankfurt and London). We do not sell, rent, or share your data with third parties for marketing. We never train our models on your data without an explicit, separately signed agreement.

5. How long we keep it

• Account data: as long as your account is active, plus 90 days after deletion.
• Product content: per your account's retention setting (default 30 days for trash).
• Billing records: 7 years (Dutch tax law).
• Server logs: 30 days, then automatically purged.

6. Your rights

Under the GDPR, you have the right to access, correct, port, restrict, or delete your data, and to object to processing. To exercise any of these rights, email privacy@tonadigital.com. We will respond within 30 days.

You may also lodge a complaint with the Dutch Data Protection Authority (Autoriteit Persoonsgegevens) at autoriteitpersoonsgegevens.nl.

7. Cookies

We use a minimal set of cookies:

• Strictly necessary — session, authentication, CSRF protection. No consent required (GDPR Article 6(1)(f)).
• Preferences — theme and language. Stored only after you change a setting.
• Analytics — we use privacy-friendly, cookieless analytics (Plausible). No personal data is processed.

We do not use third-party advertising trackers, Facebook Pixel, Google Analytics, or similar.

8. Security

All traffic is forced over TLS 1.3. Passwords are hashed with Argon2id. Customer data is encrypted at rest with AES-256. We run quarterly security reviews and welcome responsible disclosure at security@tonadigital.com.

9. Changes

We may update this policy as our products evolve. When we do, we will update the "last updated" date above and email all account holders 30 days before significant changes take effect.

10. Contact

For any privacy question, please write to privacy@tonadigital.com. We read every message.