Totox Privacy Policy
Effective Date: March 23, 2026
Formulated by: Shijiazhuang Jiangte Electronic Science & Technology Co., Ltd.
1. Policy Introduction and Scope of Application
1.1 Purpose of the Policy
This Privacy Policy (hereinafter referred to as the "Policy") is formulated by Shijiazhuang Jiangte Electronic Science & Technology Co., Ltd. (hereinafter referred to as "we" or "the Company") to clearly and transparently inform users of the Totox application (hereinafter referred to as the "Application") of the full-process rules for our collection, use, storage, protection, and sharing of users' personal information, as well as the personal data rights enjoyed by users in accordance with the law and the ways to exercise such rights. This Policy always adheres to the core principles of data minimization, purpose limitation, informed consent, and security protection, strictly complies with the Google Play Developer Distribution Agreement, User Data Policy, and also conforms to the personal data protection laws and regulations of major global regions, including but not limited to the General Data Protection Regulation (GDPR), California Consumer Privacy Act (CCPA), California Privacy Rights Act (CPRA), Virginia Consumer Data Protection Act (VCDPA), Lei Geral de Proteção de Dados (LGPD), and French Data Protection Act (FADP).
1.2 Scope of Application
This Policy applies to all users aged 18 and above (hereinafter referred to as "you") who download, install, and use the Application through Google Play, covering all personal information processing behaviors in all functional modules and service scenarios of the Application, including but not limited to AI bag matching consultation, leather maintenance guidance, voice dialogue interaction, and personal profile settings. This Policy does not apply to third-party SDKs embedded in the Application or external websites/applications linked to third-party links. The information processing behaviors of such third parties are governed by their own privacy policies, and we shall not be liable for them.
1.3 Effectiveness and Revision of the Agreement
You may use the Application (which has no registration or login function) after checking and agreeing to this Policy and the Totox User Terms. Such checking behavior shall be deemed that you have fully read, understood, and agreed to all the contents of this Policy, and the personal information processing agreement between us and you shall take effect officially. If you do not agree to any content of this Policy, please do not use the Application; if you have already started using it, you shall stop immediately.
We reserve the right to revise this Policy in accordance with adjustments to business functions, technological iterations, and updates to laws and regulations. If the revised content involves changes to your core rights and interests (including but not limited to expanding the scope of data collection, changing the purpose of information use, adjusting the way of third-party sharing, etc.), we will notify you through pop-ups, prominent announcements, and other methods within the Application at least 7 natural days before the revised Policy takes effect, and clearly indicate the effective date of the revised Policy. Your continued use of the Application after the revised Policy takes effect shall be deemed acceptance of the revised Policy; if you do not agree to the revised content, you shall stop using the Application, and we will process the collected personal information in accordance with your request.
2. Information on the Data Controller and Data Protection Officer (DPO)
2.1 Data Controller
Entity Name: Shijiazhuang Jiangte Electronic Science & Technology Co., Ltd.
Contact Address: Room 1602, Unit 1, Building 2, Wanjiali Du Area, Zhengding Town, Zhengding County Shijiazhuang, Hebei, 050000
Official Contact Email: kathryncole1956@gmail.com
As the sole data controller of the Application, our Company independently assumes legal liability for the personal information processing behaviors of the Application.
2.2 Data Protection Officer (DPO)
We have appointed a full-time Data Protection Officer (DPO) who is fully responsible for supervising the compliance of the personal information processing behaviors of the Application, and receiving and handling users' consultations, requests, and complaints regarding personal data rights. All communications related to data protection from you may be sent to the above official email, with the email subject marked as "DPO Consultation/Request/Complaint", and we will provide a professional and timely response within the time limit specified by laws and regulations.
3. Collection and Use of Personal Information
We strictly follow the principle of "necessity and minimization", and only collect necessary personal information to realize the core functions of the Application and ensure the normal operation of services. There are no default-enabled device permissions; all permissions are actively authorized by you when using the corresponding functions, and we will not collect any information unrelated to the services of the Application. The personal information collected by the Application is divided into two categories: permission-authorized information and automatically collected device and application operation information. The specific scope of collection and purpose of use are as follows:
3.1 Permission-Authorized Information
The Application only applies to you for three device permissions: Camera, Photo Gallery (Images), and Microphone. All permissions are "applied on demand". You can enable or disable them at any time on your device. Disabling permissions only affects the use of the corresponding functions and does not affect the normal operation of other non-related functions of the Application. The purpose of permission application, scope of information collection, and use scenarios are strictly limited to:
1. Camera Permission: Only used for you to take a profile picture in the Application. Only the avatar image data taken by you is collected, and there is no collection or storage of other shooting content. The permission is only triggered when you actively click the "Take Avatar" function, with no background calls.
2. Photo Gallery (Images) Permission: Only used for you to select a profile picture from the device's photo gallery. Only the avatar image data selected by you is collected, and no other images or video data in your photo gallery are accessed, scanned, or collected, with no background access.
3. Microphone Permission: Only used for voice recognition and voice transcription during voice calls between you and the AI bag consultant. Only the real-time voice audio data during the call is collected and converted into text information, which is then transmitted to the AI system to realize dialogue interaction. There is no recording or audio collection outside the call, and the permission is only triggered when you actively enable the "Voice Call" function, with no background activation.
3.2 Automatically Collected Device and Application Operation Information
When you use the Application, our server will automatically collect a small amount of basic anonymized and de-identified device and application operation information. Such information cannot identify your personal identity alone or in combination with other information, and is only used to ensure the stable operation of the Application and optimize the service experience. The scope of collection and purpose of use are:
1. Basic Device Information: Device model, Android operating system version, Application version number, and device operating status (such as memory usage), used to optimize the compatibility of the Application on different devices, troubleshoot and fix application crashes, freezes, flashbacks, and other faults, and ensure service stability.
2. Application Operation Information: Records of function usage of the Application (such as operations to enter AI matching consultation, maintenance guidance, personal profile settings, and other modules) and single use duration, used to analyze user usage habits, optimize application function design (such as adjusting the position of function entrances and simplifying operation processes), and improve service experience.
3. Advertising Identifier (AAID): Only used to provide you with non-personalized advertising display services, and no targeted advertising is pushed based on your personal information. You can disable the advertising identifier on your device by yourself, and disabling it will not affect the use of any functions of the Application.
4. Basic Information for External Storage and Application Information Reading: Only used to store your avatar data and application operation cache data locally on the device, facilitating quick reading when you use the Application again. No local files of yours are stored or uploaded to our server, and no core data of other applications is read.
3.3 Limitations on Information Use
All personal information collected by us is only used to achieve the above clearly stated functional purposes, and will not be used for any other scenarios not specified in this Policy. If the purpose of information use needs to be changed due to business adjustments, we will publicly announce it prominently in the Application in advance, explain the changed purpose of use and the basis, and obtain your explicit consent again before conducting subsequent processing.
4. Storage and Security Protection of Personal Information
4.1 Storage Method, Location, and Duration
4.1.1 Storage Method
• The avatar image data provided by you through camera and photo gallery authorization is mainly stored locally on your device, and only a small amount of cache data is transmitted to our compliant server through TLS 1.3 encryption technology.
• After the voice audio data collected by the microphone is subjected to voice recognition and transcription, it is desensitized immediately, and only the converted text dialogue data is retained, and the text data is preferentially stored locally on the device.
• All personal information stored on the server is stored using AES-256 high-strength encryption technology, and anonymized/de-identified data is stored separately from data that can identify personal identity.
• The automatically collected device and application operation information is stored in an anonymized form throughout the process and is not associated with your personal identity information.
4.1.2 Storage Location
In addition to local storage on the device, the personal information collected by the Application is stored on the server in a compliant data center that meets the requirements of laws and regulations such as GDPR and CCPA. The data center has obtained ISO 27001 Information Security Management System certification and strictly follows the relevant provisions on cross-border data transmission to ensure the compliance of data storage.
4.1.3 Storage Duration
We follow the principle of "shortest necessary storage duration", and the storage duration of personal information is strictly limited to the shortest time required to achieve the service purpose, specifically:
1. Your avatar image data and text dialogue data are stored for the period during which you use the Application. If you actively delete the Application, we will delete all relevant data stored on the server within 7 natural days, and the data on the device is managed by you yourself.
2. The anonymized device and application operation information is stored until the date when the collection purpose is achieved (for example, the information used for function optimization is stored for 6 months, and will be deleted in advance if there is no subsequent optimization need).
3. If the storage duration needs to be extended due to legal and regulatory requirements (such as responding to potential legal disputes), we will only retain the relevant data within the legal scope and delete it immediately after the dispute is resolved.
4.2 Comprehensive Security Protection Measures
We attach great importance to the security of your personal information and have established a four-in-one information security protection system of technology, management, physics, and emergency response, adopting multiple measures to prevent personal information from being leaked, tampered with, lost, or accessed without authorization. The specific measures are as follows:
1. Technical Protection Measures: Deploy firewalls, Intrusion Detection Systems (IDS), Intrusion Prevention Systems (IPS), adopt Role-Based Access Control (RBAC) technology, and only authorized personnel can access user data within the necessary scope; regularly conduct security scans and vulnerability repairs on servers and databases, perform end-to-end encryption for all data transmission links, and realize technical protection throughout the entire data life cycle.
2. Management Standard Measures: Formulate a strict Personal Information Processing Management System, clarify the information access rights of internal personnel, all data access behaviors need to go through multi-factor authentication (such as account password + dynamic verification code), and conduct full-process operation log records, with the log retention period not less than 1 year; regularly conduct information security training and compliance assessment for employees to improve their awareness of data protection; establish a normalized security audit mechanism to regularly check data security risks.
3. Physical Protection Measures: The compliant data center where the server is located adopts strict physical security protection measures such as 24-hour manual on-duty, video monitoring, and access control verification to prevent illegal entry into the computer room and physical damage to the server.
4. Emergency Response Measures: Formulate an Emergency Response Plan for Data Security Incidents. If a personal information leakage, tampering, loss, or other security incident occurs, we will immediately activate the emergency plan, take remedial measures such as blocking unauthorized access, repairing security vulnerabilities, and cleaning up leaked data, and notify the affected users through Application pop-ups, emails, and other methods within 72 hours, explaining the cause of the incident, the scope of impact, and the subsequent handling measures; if the incident involves major user rights and interests, we will also report it to the relevant regulatory authorities at the same time.
5. Sharing, Transfer, and Sale of Personal Information
We always adhere to the core principle of "no sharing, no transfer, no sale". Except for the situations clearly specified in this Policy, we will not share or transfer your personal information to any third-party institutions or individuals, let alone sell your personal data in any form.
5.1 Limited Information Sharing
Only in the following strictly limited scenarios may we share necessary personal information with third parties that have passed compliance review, and the shared information is all anonymized, desensitized, or encrypted. Third parties can only use the information within the scope of providing services for us and shall not use it for any other purposes:
1. Third-Party Service Providers: To realize the core functions of the Application (such as data storage, AI voice recognition, and application crash troubleshooting), we may cooperate with third parties such as cloud storage service providers, AI technology service providers, and application statistics service providers. The shared information is the minimum necessary data required to realize the service. We have signed a Data Processing Agreement (DPA) with all third-party service providers, clarifying their data protection obligations, responsibility division, and breach handling methods, and regularly supervise their information processing behaviors. If a third party is found to violate the agreement, we will immediately terminate the cooperation and require it to delete all obtained information.
2. Legal and Public Authority Requirements: When receiving a legitimate written request (such as a subpoena, investigation letter, search warrant) from a competent authority such as a court, procuratorate, public security organ, or data protection regulatory authority, to comply with laws and regulations and cooperate with regulatory investigations, we will disclose necessary personal information within the legal scope, and strictly review the relevant requests, only providing the scope of information required by laws and regulations.
3. Necessary for Protecting Legitimate Rights and Interests: To protect public interests, social security, or the legitimate rights and interests and property security of us and you (such as responding to fraud, service abuse, dissemination of illegal information, and other behaviors), disclose necessary personal information within a reasonable scope.
5.2 Transfer of Information
We will not transfer your personal information to any third party unless special circumstances such as corporate merger, division, dissolution, or declaration of bankruptcy occur and personal information needs to be transferred. We will publicly announce it prominently in the Application in advance, inform you of the name, contact information, and data processing rules of the receiving party, and the receiving party will continue to perform the personal information protection obligations specified in this Policy. If the receiving party changes the purpose of data processing, it will obtain your explicit consent again.
5.3 Prohibition of Data Sale and User's Right to Choose
We expressly prohibit the sale of users' personal data in any form, have never entered into a personal data sales agreement with any third party, and will not indirectly provide your personal information to third parties for commercial sales through other means.
In accordance with the requirements of laws and regulations such as CCPA, CPRA, and VCDPA, you have the right to choose not to allow your personal data to be "sold" in any form. If you have any objection to matters related to data sales, you may send a request to us through the official email specified in this Policy, and we will immediately verify it and provide feedback on the processing result within 15 working days.
6. User's Personal Data Rights
In accordance with the personal data protection laws and regulations of major global regions such as GDPR, CCPA, CPRA, VCDPA, LGPD, and FADP, as a user of the Application, you legally enjoy multiple personal data rights such as the right to know, the right of access, the right to rectification, the right to erasure, the right to data portability, the right to withdraw consent, the right to restriction of processing, and the right to complaint and report. We provide you with convenient and barrier-free channels to exercise your rights, and will not charge you any fees for exercising your rights in any form, nor set unreasonable obstacles to restrict you from exercising your rights. At the same time, in accordance with the requirements of laws and regulations in different regions, we provide you with exclusive additional data rights. The specific rights and ways to exercise them are as follows:
6.1 Core Data Rights and Exercise Methods
1. Right to Know: You have the right to know all information such as the type of personal information we collect, the purpose of collection, the way of use, the storage duration, and the situation of third-party sharing. This Policy has detailed and transparently explained the above contents, and you may also consult us through the official email, and we will reply within 10 working days.
2. Right of Access: You have the right to request us to provide a copy of the personal information of yours that we have collected. You may send an access request through the official email, indicating the scope of the requested information, and we will provide it to you in a clear, understandable, and machine-readable form within the time limit specified by laws and regulations.
3. Right to Rectification: If you find that the personal information of yours collected and stored by us is incorrect or incomplete, you have the right to request us to rectify and supplement it. You may send a rectification request and provide relevant certificates through the official email, and we will complete the rectification within 15 working days after verification.
4. Right to Erasure: You have the right to request us to delete the personal information of yours that we have collected. If it meets the legal conditions, we will immediately perform the deletion operation. You may delete local data through the device or send a deletion request through the official email, and we will delete all relevant data on the server after verification.
5. Right to Data Portability: You have the right to request us to export your personal information in a structured, universal, and machine-readable format, facilitating you to transfer the data to other data controllers. You may send an export request through the official email, and we will sort out the data and provide you with a download link within 30 working days.
6. Right to Withdraw Consent: You have the right to unconditionally and at any time withdraw your authorization for various permissions of the Application and your consent to this Policy. You may disable device permissions through "Settings - Applications - Totox - Permissions" on the device, or send a request to withdraw consent through the official email. After withdrawing consent, we will immediately stop collecting and using the relevant personal information, but it will not affect the information processing behaviors that have been carried out based on legal authorization before the withdrawal.
7. Right to Restriction of Processing: If you have objections to the accuracy of personal information, our information processing behaviors are illegal, or you no longer need us to process personal information but need to retain it to respond to legal disputes, you have the right to request us to restrict the processing of personal information (only retain the data, and do not perform operations such as use, sharing, or modification). You may send a request to restrict processing through the official email, and we will immediately perform it after verification.
8. Right to Complaint and Report: If you believe that our personal information processing behaviors have infringed upon your legitimate rights and interests, you have the right to complain to us or report to the local data protection regulatory authority.
6.2 Additional Data Rights for Users in Specific Regions
For users in different regions served by the Application, in accordance with local laws and regulations, we provide you with the following exclusive additional data rights. Users in unlisted regions may enjoy corresponding rights in accordance with local laws, and we will strictly protect the realization of your rights in accordance with local legal requirements:
1. EU Region (GDPR): You enjoy the right to be forgotten and may request us to permanently delete your personal information; you enjoy the right to object to data processing and may object to our processing of personal information based on public interests or legitimate business purposes; if your personal information needs to be transferred cross-border, we will adopt measures recognized by GDPR such as Standard Contractual Clauses (SCCs) and Binding Corporate Rules (BCRs) to ensure the security of cross-border data transmission; you may complain to the Data Protection Authority (DPA) of each EU member state, and the complaint process is free of charge.
2. California, USA (CCPA/CPRA): You have the right to request us to disclose the details of the collection, use, and sharing of personal information within the past 12 months, and this disclosure service is free of charge; you have the right to object to our use of personal information for commercial purposes; if we have intentional or reckless data violations, you have the right to class action.
3. Virginia, USA (VCDPA): You have the right to opt out of targeted advertising and personalized recommendations; we will reply to your rectification and deletion requests within 15-45 working days, and may extend it once in special cases (up to 45 working days); we will retain records of your consent acquisition and withdrawal for at least 3 years.
4. Brazil (LGPD): You have the right to request us to suspend the processing of personal information; the right to request us to explain the legal basis for personal information processing; cross-border transmission of personal information requires the approval of the Brazilian Data Protection Authority (ANPD); we will reply to your data rights requests within 15 working days.
5. France (FADP): You have the right to request us to provide logs of personal information processing; the right to object to the use of your personal information for advertising purposes; our personal information processing behaviors strictly comply with the provisions of the French National Commission on Informatics and Liberties (CNIL), and you may complain and report to CNIL.
6.3 Identity Verification for Exercising Rights
To protect the security of your personal information and prevent others from fraudulently using your identity to exercise rights, when processing your right request, we may require you to complete identity verification. The verification methods include but are not limited to: confirming your device unique identifier, explaining the core operation records of your use of the Application, etc. Verification only collects the minimum necessary information required to achieve the verification purpose. After successful verification, your request will be processed immediately, and the verification data will be deleted immediately after verification and will not be stored.
Our identity verification measures follow the principle of proportionality, and no overly cumbersome verification process will be set. If you cannot complete online verification, you may provide written identity documents (such as a copy of your passport) for offline verification through the official email. We will strictly keep the identity documents confidential and delete them immediately after verification.
7. Description of Third-Party Services
The Application may embed a small number of third-party SDKs (Software Development Kits) that comply with Google Play specifications, only used to realize auxiliary functions such as advertising display, application crash troubleshooting, and AI voice recognition. All third-party SDKs have passed our strict compliance review to confirm that they comply with the Google Play platform data policy and laws and regulations such as GDPR and CCPA, and only collect the minimum necessary data required to realize auxiliary functions, not your core personal information.
We have signed a Data Processing Agreement (DPA) with all third-party SDK providers, clarifying their data protection obligations, requiring them to take necessary security measures to protect your data security, and not to use the collected information for any other purposes. If we later find that a third-party SDK has illegal collection and use of user information, we will immediately terminate the integration and require it to delete all obtained information.
The Application may contain a small number of third-party links (such as links for reference on bag maintenance knowledge and compliance policies). Clicking such links will jump to third-party websites/applications. Their information processing behaviors are governed by the third party's own privacy policy, and we shall not be liable for any responsibility. It is recommended that you carefully read the third party's privacy policy before accessing.
8. Protection of Minors
The Application is only for adult users aged 18 and above, strictly follows the Google Play Children's Data Protection Guidelines, GDPR, COPPA, and other relevant laws and regulations, and will not intentionally collect or store personal information of any minor under 18 years old.
If it is found that a minor uses the Application without the consent of a guardian, we will immediately close their use permission and delete all collected relevant information (if any) within 7 natural days; if you are a minor under 18 years old, please do not download, install, or use the Application; if you are a guardian of a minor and find that the minor uses the Application, you may contact us through the official email to exercise rights such as accessing, rectifying, and deleting the minor's relevant information.
9. Disclaimer
Although we have taken reasonable and comprehensive security protection measures and service guarantee measures, due to the complexity of the network environment, technical limitations, force majeure, and other factors, there are still some risks beyond our full control. In such cases, we shall not be liable accordingly in accordance with the law, specifically as follows:
1. Disclaimer for AI Services: The AI bag matching suggestions, leather maintenance guidance, cleaning and care plans, etc., provided by the Application are all reference information generated based on general bag knowledge and material characteristics, and do not constitute professional fashion matching advice or professional leather goods maintenance guidance. You should rationally use them in combination with your own use needs and the actual situation of the bag. We shall not be liable for any damage to the bag or poor matching effect caused by the use of the above suggestions.
2. Disclaimer for Information Security: We have taken comprehensive information security protection measures in accordance with the agreement of this Policy, but cannot completely avoid personal information leakage, tampering, or loss caused by third-party factors or force majeure such as network transmission interruption, hacker attacks, virus infections, and force majeure (such as earthquakes, floods, wars). We shall not be liable for such situations, but will fully cooperate with the relevant departments in investigation and handling to assist you in reducing losses.
3. Disclaimer for Service Quality: The Application provides services on an "as-is" basis. We make every effort to ensure the continuity and stability of the services, but do not guarantee that the services are free of interruptions or errors (such as temporary service interruptions caused by server maintenance, network failures, or technical iterations). We shall not be liable for indirect losses caused to you due to service interruptions or errors (such as slight aging of the bag due to failure to obtain maintenance guidance in a timely manner); if the service interruption lasts more than 24 hours, we will make an announcement prominently in the Application.
4. Disclaimer for User Behavior: When using the Application, you shall comply with the provisions of laws and regulations and the Totox User Terms, and independently bear legal liability for the content you publish and the operations you perform. If legal liability is caused by your publication of illegal information, abuse of services, infringement of the legitimate rights and interests of others, etc., you shall bear it yourself. We have the right to delete illegal content and stop providing services for you in accordance with relevant regulations.
10. Complaint and Contact Channels
If you have any questions or objections to the content of this Policy, need to exercise your personal data rights, or have complaints or suggestions about our personal information processing behaviors, you may contact us through the following exclusive channels. We will arrange special personnel to handle it to ensure that your demands are responded to in a timely and professional manner:
1. Official Contact Email: kathryncole1956@gmail.com (it is recommended to mark the email subject, such as "Data Rights Request", "Privacy Policy Consultation", "Complaint and Report");
2. Response Time Limit: After receiving your request, consultation, or complaint, we will complete the verification and provide feedback on the processing result within the time limit specified by laws and regulations (1 month for GDPR, 45 days for CCPA/CPRA, 15 days for LGPD, and 10 working days for general consultations); if your request is relatively complex and requires an extension of processing time, we will notify you in advance via email of the reason for the extension and the expected response time.
If you are not satisfied with our processing result, you have the right to complain and report to the local data protection regulatory authority. We will actively cooperate with the investigation and handling work of the regulatory authority and rectify in accordance with the regulatory requirements.
11. Other Terms
1. This Policy is an important part of the Totox User Terms and has the same legal effect as the Totox User Terms. If there is any inconsistency between the two, this Policy shall prevail;
2. The conclusion, performance, interpretation, and dispute resolution of this Policy shall all apply to the general civil and commercial legal norms globally;
3. If any clause of this Policy is deemed invalid or unenforceable, it shall not affect the validity and enforceability of other clauses;
4. The final interpretation right of this Policy belongs to Shijiazhuang Jiangte Electronic Science & Technology Co., Ltd.
Shijiazhuang Jiangte Electronic Science & Technology Co., Ltd.
March 23, 2026