Privacy Policy
Effective: May 2026 · Last updated: May 2026
This policy explains what data Tovi.ae collects, why, how long we keep it, and your rights over it. It applies to everyone using tovi.ae, including the AI chat and information articles.
1. Who we are
Tovi.ae ("Tovi", "we", "our", "us") is operated by Hades Trading FZE, a company registered in Ajman Free Zone, United Arab Emirates. We are the data controller for personal information processed through this site.
Contact for any privacy matter: hello@tovi.ae.
2. What data we collect
When you visit the site (no account):
- Anonymous chat questions you send to Tovi (kept for 24 hours for rate limiting; not linked to your identity)
- A counter in your browser localStorage tracking how many free questions you've used
- Standard server logs (IP address, user agent, timestamp) kept for 30 days for security
- Google Analytics data with IP anonymization enabled (see "Third parties" below)
When you create an account:
- Email address (required)
- Display name (optional, defaults to "User")
- Password (stored as a bcrypt hash — we never see or store the plaintext)
- Tier (free or pro) and subscription status
- Account creation date and last login
When you chat with Tovi (logged in):
- The full text of your questions and Tovi's answers, stored as conversation history
- Optional language and location preferences you set in the chat (used to tailor responses)
When you upgrade to Pro:
- Stripe customer ID and subscription ID (Stripe stores your payment method on their servers — we never see your card number)
- Subscription period end date for renewal handling
- Billing address as required by Stripe and tax law
When you share an answer:
- The question + answer + a public short URL (e.g. /share/abc123) — the page is publicly accessible by anyone with the link
3. How we use your data
- Provide the service — answer your questions, save chat history, run rate limits, deliver Pro features
- Process payments — pass billing info to Stripe (we do not see your card)
- Send transactional email — welcome, subscription confirmations, payment failures, cancellations (sent from noreply@hades.ae)
- Improve Tovi — anonymous, aggregated analytics on which topics get asked most; we do not target ads to you
- Security — detect abuse, fraudulent payments, automated scraping
- Legal compliance — respond to lawful requests from UAE authorities
We do not sell, rent, or trade your personal data to anyone. We do not show third-party advertising on the site.
4. AI processing — how Tovi answers questions
Tovi answers your questions using AI from xAI (the company behind Grok). When you send a question, the question text and recent conversation context are sent to xAI's servers for processing. The reply streams back to you and is also saved in our database (if you have an account).
xAI processes the request as a stateless API call. According to xAI's policy, API requests are not used to train their models. We pay xAI per request; they have no commercial relationship with you.
If you select a specific language or location in the chat, this preference is included in the request to xAI to tailor the response.
Be mindful: avoid sending sensitive personal information (full passport numbers, bank account numbers, medical records, passwords) in chat messages.
5. Third parties we share data with
- xAI (US) — receives your chat questions for AI processing. xAI privacy policy
- Stripe (Ireland / US) — handles all card payments and stores payment methods. Stripe privacy policy
- Google Analytics (Ireland / US) — anonymous usage analytics with IP anonymization on. Google privacy policy
- Google Translate (Ireland / US) — optional, only if you click the Translate button. The page text is sent to Google for translation.
- Hostinger (Cyprus / EU) — provides our DNS, email forwarding (noreply@hades.ae), and we use their MX records.
All other infrastructure (database, web server, AI gateway) runs on our own VPS in the EU.
6. Cookies
- Authentication cookie — stores your NextAuth session if you sign in (HTTP-only, SameSite Lax, expires after 30 days)
- Google Analytics cookies — _ga, _ga_* (used for visitor counting; expire after 2 years)
- Google Translate cookie — googtrans (set only when you actively choose to translate the page)
- localStorage values — anonymous question counter, language preference, location preference, onboarding completion flag
You can clear all of these at any time by clearing site data in your browser. Doing so signs you out and resets preferences.
7. How long we keep your data
- Account data — kept while your account is active. If you delete your account, all conversation history and personal data are removed within 7 days.
- Conversation history — kept indefinitely while your account exists. You can delete individual conversations from the chat sidebar at any time.
- Anonymous server logs — 30 days, then auto-deleted
- Payment records — 7 years (UAE Federal Tax Authority requirement for VAT-registered businesses)
- Shared answer permalinks — kept indefinitely unless you request deletion
8. Your rights
You have the right to:
- Access — request a copy of all data we hold about you
- Correct — fix inaccurate information (email, name)
- Delete — close your account and erase all conversation history
- Export — Pro users can export their conversation history at any time from the account page
- Object — opt out of analytics by using a browser ad-blocker or "Do Not Track"
- Withdraw consent — at any time
To exercise any right: email hello@tovi.ae with the subject "Data request". We respond within 30 days.
9. Security
We protect your data with:
- HTTPS/TLS for all traffic (Let's Encrypt certificates, auto-renewed)
- Bcrypt password hashing (no plaintext storage)
- JWT session tokens signed with a server-only secret
- Stripe-handled payments (PCI DSS Level 1)
- SPF + DKIM + DMARC on outbound email (anti-spoofing)
- Rate limiting on the API to prevent abuse
- Database access restricted to the application server only
No system is 100% secure. If we ever discover a breach affecting your data, we'll notify you within 72 hours.
10. Children
Tovi is not intended for users under 13. If you are under 13, do not create an account or send chat messages. If we learn we have collected data from a child under 13, we will delete it.
11. International transfers
Your data may be processed in the UAE, EU (Hostinger DNS), or the US (xAI, Stripe, Google). Standard contractual clauses or equivalent safeguards apply where required by GDPR or similar regulations.
12. Changes to this policy
We may update this policy. Material changes will be announced on the site and via email to active accounts at least 14 days before they take effect. The "Last updated" date at the top reflects the most recent revision.
13. Governing law
This policy is governed by the laws of the United Arab Emirates, with jurisdiction in the courts of Ajman Free Zone. If you live in a region with stronger consumer protections (EU, UK), those local rights apply in addition.
14. Contact
Email: hello@tovi.ae
Operated by: Hades Trading FZE, Ajman Free Zone, United Arab Emirates