Privacy Notice
Last updated: April 20, 2026
This notice describes how Tonik handles personal data. It is written under the EU General Data Protection Regulation (GDPR) and the French Loi Informatique et Libertés.
1. Who runs Tonik
Tonik is operated by Charles Pierru, based in France. For any question about your data or the rights described below, write to chypi@free.fr.
2. What data we store
When you create an account, we keep:
- your email address,
- your password, stored as a one-way Argon2id hash (never as plain text, never recoverable),
- a display name (your email prefix by default; you can change it),
- your language preference (EN or FR),
- your tier (free, paid, or patron — today everyone is free),
- whether your email has been verified,
- account creation and last-updated timestamps.
We also write short-lived tokens (email verification, password reset) to a separate collection with automatic 1-hour or 24-hour expiry.
3. Why we store it
Strictly to run the service: to authenticate you, to verify your email address, to let you reset a forgotten password, to remember your language. The legal basis is performance of the contract between you and Tonik (GDPR Art. 6(1)(b)).
We do not profile you, sell your data, use it for advertising, or share it with marketing partners. We do not track your reading of Tonik content.
4. Cookies
Tonik sets one cookie — tonik_auth — which stores your signed session token. It is HttpOnly, SameSite=Lax, and marked Secure in production. It exists only to keep you logged in and is removed when you log out or delete your account. It is a strictly-necessary cookie and is exempt from the consent requirement of ePrivacy Directive Art. 5(3).
Tonik uses no analytics, advertising, or third-party tracking cookies. If that ever changes (for example when payment processing via Stripe or Patreon arrives with feature-tier upgrades), this notice will be updated and — for any non-essential cookie — a consent banner will appear before it activates.
5. Who else sees your data
Email delivery (verification and password-reset messages) is handled by Google via Gmail SMTP, acting as a data processor on our behalf. Only the recipient email address, the message subject, and the message body transit Google’s systems.
Our hosting provider, Hostinger (VPS in the EU), runs the server and database. No other third party receives your data.
6. How long we keep it
For as long as your account is open. When you delete your account (see §7), we erase your user record and every token tied to it immediately.
Server logs (IP addresses, request paths — used for debugging and rate-limit decisions) are rotated within 30 days.
7. Your rights
Under GDPR you can, at any time:
- access the data we hold about you — use the Export button on your account page for a JSON dump, or write to us;
- correct it — change your display name or language from the account page;
- erase it — the Delete account button removes everything, immediately and permanently;
- restrict or object to processing — write to us;
- port it — the Export button emits a portable JSON file;
- lodge a complaint with the French supervisory authority (CNIL, cnil.fr).
8. International transfers
Your data is processed in the European Union. Gmail SMTP may route outgoing mail through Google infrastructure that transits outside the EU; Google relies on Standard Contractual Clauses for these transfers.
9. Children
Tonik is not directed at children under 16. We do not knowingly collect data from them. If you believe we have, write to us and we will delete the account.
10. Changes
If this notice changes in a way that affects you, we will update the date at the top and, when changes are material, notify you by email.