Privacy Policy
At KASTRO LTD trading as The Ideas Agency ("we", "us", or "our"), operating the Toni Spark AI app via https://toni-spark.com, we respect your privacy and are committed to protecting your personal data in compliance with the UK GDPR, Data Protection Act 2018, and related laws. This policy explains how we collect, use, share, and protect data through our website (hosted on Framer) and embedded AI app (from Replit), which offers a real-time voice-based conversational assistant for generating creative ideas.
Our Details:
Controller: KASTRO LTD (Company No. 11820312, trading as The Ideas Agency)
Registered Office: Hats Gloucester Ltd, 48 Hucclecote Road, Gloucester, GL3 3RS
Contact: [Insert email, e.g., support@toni-spark.com] or [phone]. For data protection queries: [same email]. We have not appointed a Data Protection Officer but will if our processing scales.
Data We Collect and How:
We collect personal data when you interact with toni-spark.com or the app:
Voice and Conversation Data: Real-time audio from your microphone (including queries and AI responses, visible on the UI). Conversations are recorded, stored locally for 15 minutes, then transcribed via Zapier and stored as text in our private Google Drive folder for feedback, user research, and service improvements. This may include derived data like creative inferences.
Account and Authentication Data: Name, email, and basic profile info if using optional Google Auth (linked to Thenty).
Payment and Billing Data: Subscription details, such as card information (handled via Thenty and Stripe; we do not store card details directly).
Usage and Analytics Data: IP address, device information, app interactions, session heatmaps, and behaviour via Google Analytics and Microsoft Clarity.
Marketing Data: Preferences for newsletters (opt-in required).
Data is collected via forms, microphone access, APIs, cookies, and automatic logging. We do not intentionally collect data from children under 13.
Purposes and Legal Bases:
We process data for:
Delivering the Toni Spark app and voice features (necessary for contract performance).
Processing subscriptions and payments (contract).
User research and feedback on transcripts (legitimate interests; we've conducted a Legitimate Interests Assessment balancing our improvement needs with your rights—available on request).
Site/app analytics and heatmapping (legitimate interests for performance).
Sending newsletters and marketing (consent, obtained via separate tick box).
Legal compliance, such as tax records (legal obligation).
For any special category data (e.g., voice biometrics potentially inferring ethnicity or health), we rely on explicit consent where applicable. Users cannot opt out of essential processing (e.g., voice for app function), but you can object to research use.
Sharing and Processors:
We share data only as needed with trusted processors:
OpenAI (US; for real-time voice AI processing; Data Processing Addendum in place, with opt-out from training).
Zapier (US; for transcript transmission).
Google (US; for Auth, Analytics, and Drive storage).
Microsoft (US; for Clarity heatmapping).
Thenty and Stripe (for user management and payments).
Framer and Replit (for hosting).
All are bound by Data Processing Agreements (DPAs). We do not sell data and may share for legal reasons (e.g., court orders) or business transfers.
International Transfers:
Data may be transferred to the US (e.g., via OpenAI, Google, Zapier, Microsoft). We safeguard this using UK-approved mechanisms: the UK-US Data Bridge (for DPF-certified recipients like Google and Microsoft) or the International Data Transfer Agreement (IDTA) where needed. We've assessed transfer risks in line with ICO guidance.
Retention Periods:
Voice audio: Deleted after 15 minutes (transient processing).
Transcripts: Retained in Google Drive for up to 12 months for research, then deleted (or sooner if objected to).
Account and payment data: While your account is active, plus 7 years for legal/tax purposes.
Analytics data: As per provider defaults (e.g., Google Analytics up to 26 months; Clarity session data briefly).
We apply data minimisation and delete data when no longer needed.
Security Measures:
We implement robust security, including encryption for voice data, access controls, firewalls, and regular vulnerability scans. In case of a breach, we'll notify you and the ICO as required (within 72 hours for high-risk incidents).
Your Rights:
Under the UK GDPR, you have the right to: access your data, correct inaccuracies, request deletion (e.g., the "right to be forgotten"), restrict processing, object (e.g., to analytics or research), request data portability, and withdraw consent (e.g., for marketing). Contact us to exercise these rights; we'll respond within one month. You can also complain to the ICO (www.ico.org.uk). No solely automated decisions with significant effects are made.
Children’s Data:
Toni Spark is not aimed at children under 16. Users must be 13+ (confirmed via tick box at sign-up). For under 13, parental consent is required—contact us if applicable. We comply with UK age-appropriate design codes.
Cookies and Similar Technologies:
See our separate Cookie Policy for details on how we use cookies for analytics.
Changes to This Policy:
We may update this policy; changes will be posted here with the new date. Significant updates will be notified via email or site notice. Continued use constitutes acceptance.
AI-Specific Disclosures:
Toni Spark uses OpenAI for voice-to-AI conversations. Outputs are generated based on your inputs and may contain inaccuracies or biases—we follow UK AI principles for transparency and fairness. If AI processing involves high risks, we've conducted a DPIA (summary available on request).