Privacy Policy
Last updated: 7 May 2026
If you are reading this in the Tomo app: Settings → Privacy → Privacy Policy. The version on this page is the canonical one.
This policy explains what Tomo collects, why we collect it, who we share it with, and the choices you have. We try to keep it short and plain. If anything is unclear, email support@heytomo.app and we will explain.
Tomo is operated by Mohannad Ali (sole proprietor), referred to below as "we", "us", or "Tomo". This policy covers the Tomo mobile app, the website at heytomo.app, and any backend services that support them.
1. What we collect
You give us
- Phone number. We use it to send a one-time login code (OTP) and to identify your account on future logins. You cannot create an account without one.
- Display name. Shown in the app and on courses you publish.
- Profile photo (optional). Picked from your device's photo library. We never access your camera.
- Course content you create. Topics you ask Tomo to generate, prompts you write, and any course you choose to publish.
- Settings. Notification preferences, learning reminders, opt-outs you choose.
From your device, with permission
- Contacts (for friend matching only). If you tap "Find Friends", we read phone numbers from your contacts and hash them on your device before they ever leave your phone. The server only sees the hashes, compares them against hashes of users who have signed up, and tells your app which of your contacts are also on Tomo. We never see your contacts' names or raw phone numbers, and we never store your contact list on our servers.
- Push notification token. Used to deliver streak reminders, social activity, and course updates if you opt in.
- Photo library access (only when you tap "Change profile picture"). We never read photos you don't pick.
Permissions we deliberately do not request: camera, microphone, location, calendar, SMS, call logs.
Automatically
- App analytics. Screen views, taps, and feature events that help us understand which parts of the app work and which need improvement. Sent to PostHog (EU region). You can turn this off in Settings.
- Session replay (mobile). Tomo records anonymized interaction sessions of the app's UI to help us debug bugs and improve flows. All text inputs are masked before recording, so we never see anything you type. Images that appear on screen (such as your profile photo or course illustrations) may be visible in the replay. Disable in Settings if you would rather opt out.
- Crash and error logs. Stack traces, app version, and platform. May include your user ID so we can correlate errors to a single account when you report an issue.
- Device info. Device model, OS version, app version, language, timezone.
- We do not collect your IP address or location. Our PostHog organization is configured to disable IP capture (the EU Cloud default). We do not use GPS or any other location signal.
From Apple and Google, when you make a purchase
- Purchase receipts. Apple or Google handle billing and pass us a receipt token so we can verify and unlock the content you bought (e.g. Pro subscription, Sparks). We never see your payment card.
2. How we use it
- To run the app: log you in, deliver content, save progress, sync between devices.
- To match you with friends who are already on Tomo (using hashed phone comparison only).
- To send you notifications you have opted into (streak reminders, friend activity, course updates).
- To deliver subscriptions and one-off purchases you make.
- To detect bugs, fix crashes, and decide what to build next.
- To prevent abuse (rate limiting, spam detection).
- To meet legal obligations when we have to.
We do not sell your data. We do not use it for advertising. We do not share course content you keep private with anyone outside Tomo.
3. Who we share data with
We use a small number of vendors to run the service. They process data only on our instructions:
| Vendor | What they do | Where |
|---|---|---|
| Amazon Web Services | App servers and database | Ireland (eu-west-1) |
| Cloudflare | DNS, CDN, DDoS protection | Global |
| Backblaze B2 | Profile photos and course images | EU |
| PostHog (EU Cloud) | Product analytics, session replay | EU |
| Axiom | Crash and error logs | US |
| Expo / EAS | App updates and push delivery | US |
| Apple App Store | iOS distribution and in-app purchases | Per Apple's policy |
| Google Play Store | Android distribution and in-app purchases | Per Google's policy |
| Twilio | Delivers your OTP login code by SMS | Global |
If we ever need to add a new processor that meaningfully changes how your data is handled, we will update this policy and notify you in the app.
4. International transfers
Some of our vendors are based in the United States. When we transfer data outside the EU/UK, we rely on Standard Contractual Clauses or equivalent safeguards required by GDPR.
5. How long we keep it
- Account data (phone, name, profile photo, course progress, courses you created): kept until you delete your account.
- Hashed contact matches: not stored on the server. The match is computed on each request and discarded.
- Analytics events: up to 1 year in PostHog (EU), then automatically deleted.
- Session replays: 30 days, then automatically deleted.
- Crash and error logs: 90 days in Axiom, then automatically deleted.
- Database backups: rolling 30-day window. Deleted accounts roll out of backups within 30 days.
6. Your rights
Wherever you live, you have the right to:
- Access the data we hold about you.
- Correct anything that is wrong.
- Delete your account and the data attached to it.
- Export a copy of your data.
- Opt out of analytics, session replay, and push notifications in Settings.
- Withdraw consent for contacts access by revoking the permission in your phone's Settings app.
If you are in the EU, UK, or California, you also have the right to object to processing, restrict processing, and lodge a complaint with your local data protection authority. Email support@heytomo.app for any of the above and we will respond within 30 days.
To delete your account, email support@heytomo.app from the address (or with the phone number) tied to your account. We will verify and delete it within 30 days. An in-app delete option is on the way.
7. Children
Tomo is not intended for children under 13. We do not knowingly collect personal data from anyone under 13. If you believe a child under 13 has signed up, email us at support@heytomo.app and we will delete the account. In jurisdictions where the minimum age for online consent is higher than 13 (some EU countries set it at 14, 15, or 16), the local minimum applies.
8. Security
We use TLS for all connections between your device and our servers. Our database, cache, and object storage are encrypted at rest. Phone numbers from your contacts are hashed on your device before they leave your phone. Access to production systems is limited to a small number of authenticated administrators. No system is perfectly secure, but we work to keep yours safe.
9. Changes to this policy
If we change this policy in a way that meaningfully affects your rights, we will notify you in the app and update the "Last updated" date above. The current version is always at heytomo.app/privacy.
10. Contact
Email: support@heytomo.app
Operator: Mohannad Ali (sole proprietor)