Contact Us
PINK TOMATO PTE. LTD Privacy Policy
Last Updated: February 2025
At PinkTomato ("we," "our," or "our company"), safeguarding your privacy is a fundamental commitment. This Privacy Policy outlines how we collect, use, disclose, and protect your personal and non-personal data across our products, services, websites, and applications (collectively, "Services"). We adhere to globally recognized privacy standards, including the General Data Protection Regulation (GDPR) and California Consumer Privacy Act (CCPA), ensuring transparency, accountability, and user control.
1. Data We Collect and How We Use It
1.1 Categories of Data
We process the following types of data to deliver and improve our Services:
| Data Type | Examples | Purpose | Legal Basis |
|---|---|---|---|
| Account Data | Name, email, username, password (hashed), payment details (encrypted) | User registration, subscription management, fraud prevention | Contractual necessity |
| Usage Data | IP address, device ID, browser type, clickstream data, session duration | Service optimization, crash diagnostics, feature development | Legitimate interests |
| Location Data | Approximate city-level location (derived from IP or GPS with consent) | Localized content delivery, regional compliance | Consent or legitimate interests |
| User-Generated Content | Text inputs, uploaded files, AI chat interactions (encrypted) | Core service delivery (e.g., AI tools), customer support | Contractual necessity |
| Advertising Data | Aggregated interests, ad engagement metrics, cookie identifiers (opt-out) | Personalized ads, campaign performance analysis | Consent |
1.2 Specialized Processing
- AI/ML Training: Data inputs (e.g., chat logs) are anonymized and aggregated for model training. Users may opt out via account settings.
- Payment Processing: Financial data is encrypted and retained for 7 years to comply with tax audits.
- Security Monitoring: IP addresses and device fingerprints are logged for 6 months to detect and prevent fraud.
2. Data Sharing and Third-Party Partners
2.1 Categories of Recipients
We share data only with trusted partners under strict contractual and technical safeguards:
| Partner Type | Purpose Data | Protection Measures |
|---|---|---|
| Cloud Providers | Data storage, processing, and backups | AES-256 encryption, ISO 27001-certified data centers, access restricted to EU/US regions |
| Payment Gateways | Transaction processing | PCI-DSS compliance, tokenization, annual third-party audits |
| Analytics Services | Usage insights, performance metrics | Data anonymization, IP masking, no cross-website tracking |
| Advertising Networks | Targeted ad delivery | GDPR-compliant contracts, user opt-out mechanisms, no sale of personal data |
2.2 Compliance Safeguards
- Contractual Obligations: All partners sign Data Processing Agreements (DPAs) limiting data use to specified purposes.
- Automated System Filters: Real-time monitoring tools block unauthorized data access or transfers.
- Operational Reviews: Quarterly audits ensure third-party compliance with privacy and security standards.
3. Data Security and Technical Measures
3.1 Core Protections
- Encryption:
- Data in transit: TLS 1.3 with forward secrecy.
- Data at rest: AES-256 encryption, keys managed via hardware security modules (HSMs).
- Access Controls: Role-based permissions, mandatory multi-factor authentication (MFA) for sensitive operations.
- Incident Response: 72-hour breach notification to regulators and affected users, aligned with GDPR Article 33.
3.2 Operational Protocols
- Data Minimization: Retention periods are strictly defined (e.g., crash logs deleted after 5 months).
- Vulnerability Testing: Annual penetration tests and continuous automated scanning for vulnerabilities.
4. Your Rights and Choices
4.1 Core Rights
You may exercise the following rights by emailing us:
- Access: Obtain a copy of your data in machine-readable format (e.g., JSON, CSV).
- Deletion: Request permanent removal of non-essential data (excludes legally retained records).
- Correction: Update inaccurate or incomplete information.
- Opt-Out: Withdraw consent for marketing emails, personalized ads, or AI data contributions.
- Portability: Transfer data to another service provider upon request.
4.2 Automated Decision-Making
- Transparency: Detailed explanations for algorithmic decisions (e.g., ad targeting criteria).
- Human Review: Request manual review of automated outcomes within 48 hours.
5. Global Compliance and Localization
5.1 Regional Adaptations
- EU/EEA: Data stored in Frankfurt (AWS EU-Central-1) and Dublin (Google Cloud EU-West-1).
- California: CCPA-compliant "Do Not Sell My Personal Information" toggle in account settings.
- China: Data hosted in Ningxia (AWS China) and Beijing (Azure China) under Cybersecurity Law requirements.
5.2 Cross-Border Transfers
- Safeguards: Standard Contractual Clauses (SCCs) or Binding Corporate Rules (BCRs) for international transfers.
- Government Requests: Data disclosed only upon validated legal demand, with prior user notification where feasible.
6. Children’s Privacy
- Age Restrictions: Services are not offered to users under 16 without verified parental consent.
- Verification: Age checks via payment card validation or government-issued ID upload (deleted after verification).
Copyright © 2025. Pinktomato.All rights reserved.