Privacy Policy
Owned and operated by WebAir AI LLC
Effective Date: December 2025
WebAir AI LLC operates the Tokr™ mobile application and the website gotokr.com. This Privacy Policy explains how we collect, use, disclose, and protect your information. By using Tokr™ or the gotokr.com website, you agree to the practices described in this Privacy Policy.
Company Information
WebAir AI LLC
1025 Old Country Rd
Westbury, NY 11590
Email: hello@webairai.com
1. Introduction
Welcome to Tokr’s Privacy Policy. Tokr™ (“Company,” “we,” or “us”) is a legal cannabis-focused mobile app that
prioritizes user privacy and compliance with all relevant laws and App Store guidelines. This Privacy Policy
explains what information we collect, how we use and share it, and the choices you have regarding
your data. We aim to be transparent and straightforward so you can feel confident using Tokr™. By using Tokr™,
you agree to the data practices described in this Policy. If you do not agree, please do not use the app.
Key Points to Know: Tokr™ is designed for adults 21+ and is only available in jurisdictions where adult
cannabis use is legal. We do not knowingly collect data from minors (children or anyone under 21 for this
app) and actively prevent underage access. We collect certain personal information to provide our services
(like your email for login, or your location if you choose to use the dispensary finder), but we strive to
minimize data collection to only what’s relevant. We also take measures to secure your data and give
you control over it – you can withdraw certain permissions, and you can request deletion of your account/
data as described below.
This policy is organized into clear sections so you can easily find details on specific topics. Please read it
carefully. If you have any questions, contact us at privacy@tokrapp.com.
2. Information We Collect
When you use Tokr™, we collect information in the following ways:
2.1 Information You Provide to Us
- Account Registration Data: When you create an account, we collect your email address and a
password (if signing up via email) or authentication tokens from Google (if you use Google Sign-In).
We may also ask for your date of birth to verify that you meet the age requirement (21+). Providing
a birth date or confirming age may be required at sign-up as part of age-gating. We do not collect
any government ID or Social Security Number; age verification is done via self-certification unless
stricter verification is required by law in your region (in which case we will let you know and possibly
use a third-party age verification service).
- Profile Information: You may choose to provide additional profile details such as a username,
profile photo, bio, location (e.g., city/state), and preferences (e.g., favorite strains or products). All
such information is optional. By default, your profile is private (not visible to others) until you choose
to share content or approve followers. Keep in mind, if you later make your profile public or approve
followers, this profile info can be seen by others on Tokr™.
- User-Generated Content: If you upload videos, post comments, submit reviews, or otherwise
contribute content (“UGC”), we will collect that content. This includes any text, images, audio, or
video you post, as well as associated metadata (like timestamps). For videos, we may also capture
thumbnails or perform automated transcription to make content searchable (the transcripts are
data too). Note that UGC you post might contain personal information if you include it (e.g.,
speaking about your medical experiences or showing your face in a video). Please be mindful that
any personal info in UGC becomes visible to others according to your privacy settings and can
be difficult to remove completely if it’s been viewed or copied. We encourage you to avoid sharing
sensitive personal details in content.
- Communications with Us: If you contact Tokr™ support or communicate with us via email or in-app
support chat, we will collect the information you provide in those interactions. This could include
your contact info, the content of your messages, and any attachments. We use this to assist you and
improve our services (e.g., resolving a bug you reported).
- Voluntary Information: Any other information you voluntarily provide, such as responses to
surveys, participation in promotions, or feedback forms. For example, if we run a survey about new
features, the information you provide is collected and possibly associated with your account (unless
we specify it’s anonymous).
2.2 Information We Collect Automatically
When you use Tokr™, certain data gets collected automatically by virtue of your use of the app:
- Device and Usage Information: We collect data about how you access and use Tokr™. This includes:
- Device identifiers such as your device’s model, operating system name and version, device ID (e.g.,
advertising ID or vendor ID), and device language.
- Log information like the type of mobile network (e.g., Wi-Fi, 4G), IP address (which can give a
general location), unique user ID assigned by Tokr™, and timestamps of app usage.
- App usage data such as the screens or features you access, the actions you take (e.g., viewing a
video, liking content, searching for a dispensary), crash logs, and performance metrics (e.g., load
times, errors). This info helps us understand engagement and troubleshoot issues.
- Analytics data provided by third-party analytics tools (like Firebase Analytics) which may combine
some of the above info to provide insights (for instance, how often the average user opens the app,
or which content is most popular). Analytics data is generally aggregated and doesn’t identify you
personally, but device identifiers in logs could indirectly identify a device or user over time.
- Location Data: With your permission, we collect precise location information from your device’s
GPS/location services to enable location-based features. For example, if you opt in, we collect
your current GPS coordinates to show nearby dispensaries. We may also derive location from
network signals (like Wi-Fi or cell tower info) for similar purposes. If you grant background location
permission (if that option exists in Tokr™), we might collect location occasionally even when you’re not
actively using the app, specifically to update local content or verify jurisdiction compliance – however,
Tokr’s typical behavior is to request location only while you are using the app (foreground). You will
see the standard OS prompts asking for location access, and you can choose “Allow While Using App”
or not allow. If you deny location, we do not collect it. If you allow it and later turn it off in settings,
collection stops. When location is collected, it’s used for features like showing a map of dispensaries,
confirming you’re in a legal state, and tailoring content (for example, showing news relevant to your
state). We also may use location to serve you location-relevant advertisements (see Advertising
section below), such as promotions from nearby retailers. We do not use location data for any
unrelated purposes or share your precise location with third-party advertisers without consent; any
location-based ads typically use a generalized area or are served by us directly.
- Cookies and Similar Technologies: Although Tokr™ is a mobile app, we may still use similar tracking
technologies. For instance, we might use local storage on the device to save preferences or session
info. If we have a web-based interface or landing pages, we use cookies on those sites. These
technologies help us remember your settings, keep you logged in, and gather analytics. We do not
use cookies for third-party tracking across apps, and since Tokr™ is not a web browser app, traditional
cookie use is minimal. We do assign an internal analytics ID to your account/device to distinguish
unique users for analytics – this is not an advertising identifier unless you consent to ad tracking. (If
on iOS, we respect the App Tracking Transparency framework; we don’t track you across other
companies’ apps without permission.)
- AI Budtender Interactions: If you use the AI Budtender feature, we log the questions you ask and
the AI’s responses. This is done to allow you to review past Q&As and for us to improve the AI’s
performance. These logs might contain personal data if you include personal data in your question. We
advise against sharing sensitive personal info in AI chats. Nonetheless, these chat logs are stored on
our servers (and possibly on the servers of our AI technology provider) with protections. We may
review them when necessary (e.g., if a response is reported for violating content rules or to enhance
the AI’s knowledge base).
2.3 Information from Third Parties
Sometimes we obtain information from third-party sources:
- Google Sign-In: If you use Google to log in, Google may share with us certain basic info from your
Google account, such as your name, email, and profile picture. We only request the minimum
needed to authenticate you (usually just an email and a verified status). Tokr™ will create your account
based on that info. We do not collect your Google password; that login is handled by Google.
- Third-Party Partners: If Tokr™ partners with dispensaries or other services, we might receive
information like promotional offers or referral codes that indicate you came from or went to those
partners. For example, if in the future we integrate a service to place orders with a dispensary, that
partner might share what you ordered for tracking, but currently Tokr™ does not process transactions
so this is just a hypothetical scenario.
- Service Providers: Our analytics providers (like Firebase) or ad partners might provide us reports
that contain aggregated demographic or interest information inferred about our user base. For
instance, we might see that “X% of Tokr™ users are in California” or general age bracket info derived
from analytics. This isn’t personally identifying, but it’s info we didn’t collect directly from you.
- Public Sources: We may collect public information about cannabis laws or events in your area to
provide relevant educational content. This doesn’t typically involve personal data about users, but it
might intersect with location if we tailor news by state. No personal user data comes from this; it’s
more about us gathering context for content.
We do not purchase consumer data or do any background checks. We also do not knowingly collect data
about your usage of other apps or websites (no cross-app tracking without permission).
3. How We Use Your Information
We use the collected information for various purposes consistent with providing and improving the Tokr™
app. Under Apple’s guidelines and privacy laws, we ensure that each use of data is either consented to,
required for our contract with you (the Terms of Use), or based on legitimate interests (with privacy
considerations), or another appropriate legal basis. Here are the main ways we use data:
- To Provide and Maintain the Service: We use personal data to create and maintain your account,
authenticate you at login, and allow you to use Tokr’s features. For example, your email is used to log
in and, if needed, to communicate with you (password resets, verification). Your location (if provided)
is used to run the dispensary locator feature and verify legal usage areas. Content you post is stored
and displayed within the app to fulfill the core purpose of Tokr™ (sharing educational cannabis
content). Without this data, we couldn’t operate the service.
- To Personalize and Improve User Experience: We may use information about you and your usage
to personalize Tokr™ for you. This can include tailoring the content feed to show relevant educational
videos (for instance, if you often view content about CBD, we might show you more of that), or
customizing the order of dispensary results by proximity. Location data is used to show local content
(e.g., local news, events, or region-specific notifications). We also use data to remember your
preferences – e.g., whether you set your profile public or private, or topics you follow.
- To Serve Location-Relevant Ads and Content: As noted, Tokr™ shows ads from cannabis brands and
dispensaries. We may use your location, age (to ensure you’re 21+), and certain app behaviors (like
whether you’ve viewed a particular dispensary’s page) to determine which ads to show you. These
ads are contextually or locally targeted – for example, if you are in Denver, you might see ads for
Denver dispensaries. We do not hand over your personal info (like name or precise location) to third-
party ad networks for them to target you with behavioral ads; instead, Tokr™ might decide which ad to
show and then display it within the app. If we ever use a third-party ad network, it would be
configured not to track you outside Tokr™ and to comply with App Store rules (no tracking without
opt-in). Any advertising identifiers (like Apple’s IDFA) will only be used if you opt-in to tracking;
otherwise ads may be generalized.
- Analytics and Performance: We use data (mostly aggregated or anonymized where possible) to
understand how our app is performing and how users are engaging with it. This helps us identify
what features are popular, where users face issues (e.g., if a certain screen crashes often), and what
we should improve. For example, we might measure the number of daily active users, retention
rates, or which tutorial screens are skipped. We might also test certain features with subsets of users
(A/B testing) and use usage data to see which version works better. All such processing is aimed at
making Tokr™ better and more useful.
- Moderation and Safety: Information you provide and that we collect is crucial for content
moderation and user safety. For instance, we may automatically scan video uploads for prohibited
content. We retain logs of posts and messages to investigate any reports of misconduct or violations
of our Terms. If you report another user or content, we use the information in that report (including
any personal data in it) to take action. We also might use your age or location to enforce restrictions
(for example, ensuring someone from a certain jurisdiction isn’t posting content that’s illegal there,
or blocking under-21 users). User communications and content may be reviewed by our
moderation team if flagged. Additionally, to comply with App Store Guideline 1.2, we keep
contact info easily available and will use that to respond to you on moderation issues.
- Communication with You: We use your contact information to send service-related
communications. These include: confirming your registration, password reset emails, verification
codes (if any), and notifications about important account or service matters (e.g., changes to terms
or privacy policy, security alerts). We may also send optional promotional communications, such
as newsletters, app updates, new feature announcements, or special offers from Tokr™ or partners.
You can opt out of marketing emails by using the unsubscribe link in them or adjusting your
settings. However, you cannot opt out of essential service communications (like those affecting your
rights or security). If you enable push notifications on the app, we may send you notifications for
things like a new follower request, a comment on your post, or general Tokr™ updates. You can
manage push notification preferences in the app settings or your device settings. We will not spam
you; we aim to send a reasonable amount of communications aligned with your usage of Tokr™.
- AI Budtender Functionality: When you ask the AI Budtender a question, we use your question data
to generate a response. The processing may happen on Tokr™ servers or via a third-party AI service
API. We use the content of your query strictly to produce an answer and to improve the AI over time.
For instance, we might analyze frequently asked questions to improve the AI’s knowledge base. We
may also filter AI queries to prevent any disallowed requests (like those encouraging illegal activity) –
this filtering is an automated use of your query content to ensure compliance. Any personal data in
your query is incidental; our intention is not to collect it, but the AI will see what you type to respond.
We don’t use these queries for any profiling beyond the scope of providing the AI service.
- Legal Compliance and Enforcement: We may use your information as necessary to comply with
legal obligations, such as responding to lawful requests by public authorities or court orders. We
also may process data to enforce our Terms of Use, to investigate or address violations or potential
illegal activities (e.g., misuse of the platform, security incidents, fraud), and to protect our rights,
property, and safety or that of our users or the public. For example, if we detect an account is likely
under 21, we might use their provided birth date or content to take action per law. If law
enforcement requests data with proper authority, we may provide it (see Section 7 on data
disclosure).
We strive to limit our uses of data to those necessary and relevant to providing a great, safe app. We
do not sell your personal data to data brokers or unrelated third parties for their marketing. We do not use
your data to profile you for anything unrelated to cannabis content and our services. Any new use of your
data beyond what’s described (for example, if in the future we consider some new data-driven feature) will
be communicated to you and, if required, consent obtained.
4. How We Share Your Information
Tokr™ understands that your information is important, and we only share it in certain circumstances:
4.1 With Other Tokr™ Users
Some of your information is visible to other users by the nature of the app’s functionality:
- Public or Shared Content: When you post UGC (videos, comments, etc.), other users (or followers)
can see that content along with your username and any profile info you’ve made visible. If your
profile is public, anyone on Tokr™ can see your posts. If private, only approved followers can. Keep in
mind, if a follower can see your content, they could potentially screenshot or share it externally
(violating our Terms, but it’s possible), so treat any content you post as potentially shareable.
- Profile Information: As mentioned, your username and photo are always visible to others in
association with your content. Other profile details (like bio or city) are visible if your profile is public
or to your followers if private. Your email or real name (unless you choose to put your real name in
the profile) are never displayed to other users.
- Social Interactions: If you follow someone and they approve, they can see that you are a follower. If
you comment on a video, other users viewing that video can see your comment and profile name. If
you like a post, the creator may see your username in the list of likes (depending on feature). We
may also show mutual followers or friends if you connect contacts (though Tokr™ does not currently
import contacts, if we did, we would ask permission first).
- AI Budtender Q&A: If we implement a community feature where AI Q&As can be made public (for
example, a forum of questions answered by the AI), we would only do so either with your content
anonymized or with your consent. By default, your AI questions are private. We do not show your
individual AI conversations to other users.
4.2 With Service Providers (Processors)
We share information with third-party companies that perform services on our behalf. These service
providers only get access to the data necessary for their function, and they are contractually obligated to
protect it and use it only for our specified purposes. Key service providers include:
- Hosting and Infrastructure: We use cloud providers (like Supabase’s hosting or Firebase’s cloud
services) to store and manage data. They might host our databases, user content, and backups. They
technically process all user data that lives in our database or file storage, but they have no
independent right to use it.
- Authentication & Account Tools: Google Firebase Authentication is used when you log in. In that
process, your credentials and tokens pass through Google’s systems securely. Similarly, if we send
verification emails or SMS (not currently in Tokr™, but if we did), we’d use providers for that.
- Analytics: We use Firebase Analytics (Google) to gather usage data and Crashlytics for crash
reporting. These tools receive device and usage info (described in 2.2) and aggregate it for us.
Google may have access to some device identifiers and IP through these services, but cannot use the
data for their own purposes beyond providing analytics to us. We’ve configured these services to the
extent possible to not collect unnecessary data.
- Video Processing (Mux): Our video partner Mux receives your uploaded videos to encode and
stream them. They also collect streaming stats. They act as a processor to deliver video to viewers.
They may temporarily cache or store video content on their servers (for streaming efficiency), but
they do not have rights to use the videos beyond streaming to Tokr™ users.
- Content Moderation Tools: We might employ automated moderation services (for example, an AI
that detects nudity or hate speech in videos). If we do, your content could be sent to those services
for analysis. Such providers are typically bound to only use the data for analysis and not retain it
longer than needed. We also have human moderators (internal or contractors) who might view user
content and reports. All personnel with access to personal data are bound by confidentiality and
undergo training on privacy.
- Advertising Partners: If we serve ads, we might use an ad-serving platform. For instance, if we
partner with an ad network specialized in cannabis (ensuring compliance), we might need to share
non-identifying info like “show this ad to users in X region”. We will not share personally
identifying info (name, email) with advertisers. If an ad network uses cookies or IDs to deliver
ads, we will obtain necessary consent for tracking. Some advertisers might require confirmation that
an impression or click happened – in those cases an ad impression pixel might collect your device ID
or IP for the sole purpose of verifying and counting the ad delivery. We contractually require any
such partners to use data only for ad delivery and measurement, not for profiling outside Tokr™,
and to comply with Apple’s Ad Tracking Transparency rules (meaning no tracking without opt-in).
Also, per Apple guidelines, our app allows users to report ads that are inappropriate, which
goes through our system to inform the ad provider (though that report usually does not send your
personal data, just context of which ad).
- Email/Communication Tools: If we send emails (for support or newsletters), we might use an email
service provider which will handle your email address and the content of the message. Similarly,
push notifications might go through Apple’s push notification service.
All these providers are vetted for strong privacy and security practices. We maintain agreements (like Data
Processing Addendums) with them to ensure they comply with laws like GDPR, CCPA, etc., where applicable.
We list our major third-party processors in this policy (see above), and we will update the list if we add
significant new ones. If you need a full list of sub-processors, you can contact us.
4.3 With Business Partners
At this time, Tokr™ does not extensively share personal data with business partners (like co-marketers or
researchers). However, if we run a promotion or partnership (say, a contest sponsored by a cannabis brand),
we might share winners’ contact info with that sponsor only if you participate and with your consent. We will
always tell you at the point of collection if information will be shared with a third party for their own use,
and you will have a choice (e.g., checking a box to agree). We will not sell or rent your information.
If you use some integrated feature such as ordering through a dispensary (hypothetical future feature),
your information necessary for that transaction would be shared with that dispensary (like order details and
your contact/delivery info). But as of now, Tokr™ itself does not process orders – we purely link or refer.
4.4 For Legal Reasons
We may disclose information to third parties (including government agencies or courts) if we, in good faith,
believe that such disclosure is necessary to:
- Comply with a legal obligation: This includes responding to lawful subpoenas, warrants, or court
orders, or other legal process. We will verify any request to ensure it has appropriate authority
before disclosing. If a request is overly broad, we may challenge it. Where allowed, we might notify
you of such requests (unless prohibited by law or if we believe doing so would be futile or
dangerous).
- Protect rights and safety: We might share data to enforce our Terms of Use or other policies (e.g.,
sharing info with law enforcement about someone posting content that is part of a criminal act). We
may also share data if needed to protect our rights, property, and safety or that of our users or
the public. For instance, if we suspect fraudulent activity or an imminent threat, we might alert
authorities or relevant third parties (like informing a user’s ISP of a security issue related to them).
- Address fraud or security issues: Information (like IP addresses, account activity) might be shared
with cybersecurity consultants or law enforcement if we are investigating fraud, hacking, or other
security incidents.
- Merge or Sell our Business: This is not exactly legal reasons, but for completeness – if Tokr™ is
involved in a merger, acquisition, financing due diligence, reorganization, bankruptcy, receivership,
sale of assets, or transition of service to another provider, your information may be transferred as
part of that transaction. We would ensure the successor respects your privacy rights and this Policy
(we would contractually require the data to remain protected or seek your consent where required
by law).
4.5 In Aggregated or De-Identified Form
We may share information that has been aggregated or anonymized, so it cannot reasonably be used to
identify you. For example, we could publish usage trends (like “X% of Tokr™ users prefer strain Y” or “We have
N users in California”). We could also share aggregated analytics with industry partners or research
organizations interested in cannabis use trends, but this would not include personal data. Apple’s
guidelines encourage privacy, so we ensure that such data has all personal identifiers removed and cannot
be re-associated with individuals.
4.6 Your Sharing
Keep in mind that any information you share via Tokr™ (in public content or privately to other users) can of
course be seen by those recipients. Tokr™ is not responsible for what other users do with information you
make available to them, so choose what you share wisely. If you join in-app forums or groups, those
communications may be visible to the group. If you share a link to your Tokr™ profile externally, anyone with
that link (who can access the app) might see your content depending on your privacy settings.
We do not facilitate any search engine indexing of your profile or content at this time – your Tokr™ content
is within the app environment. But if we ever had a public web feature, we would inform you and allow
opting out.
To summarize, we do not share your personal info except as needed to provide the service and as
permitted by you or by law. We strive to be transparent about any third-party data sharing. If you have
questions about specific sharing, contact us.
5. Your Rights and Choices
You have various rights and controls over your personal information. We have designed Tokr™ and our
practices to give you as much choice as feasible, in line with laws like the GDPR (for EU users) and CCPA (for
California users), and general user trust principles.
5.1 Access and Correction
You can access and update most of your profile information directly in the app. For example, you can edit
your profile photo, bio, and other optional info. If you find that any personal data we have about you is
inaccurate or incomplete, you have the right to correct it. Editing your profile will update our records
immediately. For any other data not editable in app (such as change of email address, or information not
visible to you), you may contact us at privacy@tokrapp.com with a request, and we will assist you, subject to
verification of your identity.
For EU residents: This constitutes your right of access (to get a copy of your data) and right to
rectification (correcting errors). We will provide a copy of your personal data upon request (subject to
some exceptions like if it involves others’ data or is too repetitive). Typically, your data includes things like
your profile, posts, and usage logs. We can export those for you on request.
5.2 Account Deletion (Right to Erasure)
You have the right to delete your account and personal data. Tokr™ complies with Apple guideline 5.1.1 (v)
that requires offering account deletion within the app. In the Tokr™ app settings, there is an option to
Delete Account. Using this will initiate the deletion process: your profile will be deactivated and queued for
deletion. We might ask you to confirm by re-entering your password or via email for security.
What happens when you delete: We will remove or anonymize personal data associated with your account
within a reasonable time frame (usually within 30 days), except for data we are required or permitted to
retain by law (see Data Retention below). Content you posted may be removed from public view and
disassociated from your profile. However, some content might persist in backups or if it was re-shared by
others. We’ll do our best to scrub your personal info. If you simply uninstall the app without deleting your
account, your account remains active on our servers (though obviously not being used). We do not
automatically delete inactive accounts unless required as a matter of routine after very long periods, so
please formally delete if that is your intention.
For California residents: This aligns with your California Consumer Privacy Act (CCPA) right to request
deletion of your personal info. We honor that for all users, not just Californians.
5.3 Withdrawal of Consent / Managing Permissions
Many data uses in Tokr™ are optional and based on your consent. You can manage these:
- Location Services: You can always withdraw permission for Tokr™ to use precise location via your
device settings (under app permissions). If you do so, Tokr™ will stop collecting your GPS data. You can
still manually provide location for searches as needed. We will not attempt to force you to enable
location by blocking features beyond what’s necessary (we provide alternatives as described).
- Push Notifications: You can disable push notifications for Tokr™ in your device’s notification settings
or within the app’s settings if we provide toggles.
- Emails: To opt out of promotional emails, use the unsubscribe link in those emails or adjust your
email preferences in-app (if available) or contact us. Transactional emails (account, legal notices) you
will still receive as needed.
- Ad Tracking: If we have any third-party ads that utilize tracking, iOS will prompt you for permission
via App Tracking Transparency. If you decline, we will not share your IDFA or any cross-app identifier
with advertisers. You can also restrict ad tracking in your device privacy settings. Even if you opt
out, you may still see ads (untargeted or contextual ones), but not based on tracking your activity
outside Tokr™.
- Cookies: If using any web interface, you can manage cookies via your browser settings by clearing
or blocking them. In-app, since cookies are minimal, there’s not much to do except possibly clear app
data if needed.
- AI Budtender: If you do not want us to use your AI conversations for improvement purposes, you
might have an option to opt-out of contributing to training data (if offered in settings). Note,
however, that basic processing of queries is needed to provide the service. If you’re uncomfortable,
you can choose not to use the AI feature.
We will not retaliate or degrade your experience if you withdraw a consent or opt out of a non-essential
data use. For example, if you disable tracking, we won’t disable your access to content (though you might
get less relevant ads, that’s all). If you deny location, as explained, we provide alternatives. If you keep
your profile private, you can still use the app normally.
5.4 Privacy Settings in App
Tokr™ provides certain in-app settings to control your privacy:
- Profile Privacy: Choose between private or public profile. By default it’s private (only approved
followers see your stuff). Public means any user can see your posts. You can toggle this, but
remember going public exposes past posts too.
- Blocking: You can block specific users, which protects your privacy by preventing them from
interacting with you or seeing your profile.
- Content Visibility: Some content you post may have its own audience settings (for instance, if in
future we allow posting something to “Friends only” vs public). Use those if available to restrict who
sees particular content.
- Social Discovery: If we introduce features like “find friends by contacts” (not currently in Tokr™), we
will ask you if you want to opt in and allow access to your contacts. You can say no. If yes, you’d also
likely have control to unlink that later.
We try to build privacy into our UX.
5.5 Data Portability
If you want to port your data to another service (should one exist – e.g., if you want an export of all your
strain reviews to take elsewhere), you can request an export. We can provide your data in a commonly used
format (like JSON or CSV for profile info, maybe MP4 for your videos that you uploaded). Some parts (like
other people’s comments on your videos) might not be portable as it includes others’ data, but your own
contributions are. This is more relevant for EU users (GDPR right to data portability), and we will honor
reasonable requests.
5.6 California “Do Not Sell or Share”
Under CCPA/CPRA, California users have the right to opt-out of the “sale” or “sharing” of personal info
(where “sharing” means cross-context behavioral advertising). Tokr™ does not sell personal info for money.
To the extent we engage in any data “sharing” for ads (like using an advertising ID for personalized ads),
that would be considered “sharing” under CPRA. We only do that with consent (via Apple’s ATT prompt). If
for some reason you want to double-confirm, you can email us a “Do Not Sell or Share My Info” request and
we will ensure any advertising partners mark your profile as opted-out. However, as noted, we currently
either don’t do such sharing or rely on the OS-level controls.
5.7 EU GDPR Specific Rights
If you are in the European Economic Area (EEA) or equivalent jurisdictions, you have certain additional
rights:
- Right to Object: You can object to our processing of your data if done on legitimate interests
(including profiling). This mostly would apply to analytics or direct marketing. If you object, we will
consider if our interests are overridden by your rights and either cease or justify the processing.
Practically, you can opt out of marketing which covers a lot of that. For analytics, if you strongly
object, reach out and we can discuss possible solutions (like an internal opt-out flag).
- Right to Restrict Processing: In certain cases (like if you contest accuracy of data or the lawfulness
of processing), you can request us to restrict processing your data (just store it) until resolved.
- Right to Complain: You have the right to lodge a complaint with your local data protection authority
if you believe we have violated your privacy rights. We would prefer to address it with you first, but
it’s your right.
- Legal Bases: We process personal data under these bases: consent (for things like location,
marketing, etc.), performance of a contract (Terms of Use, e.g. handling your account info is
necessary to deliver the service you signed up for), legal obligation (age verification perhaps,
retention for law), and legitimate interests (e.g., improving our service, ensuring security – we always
consider your rights in those cases).
5.8 Children’s Privacy Choices
Tokr™ is not for children. We do not knowingly collect info from children under 13 (or under 16 in certain
jurisdictions) at all, and as stated, generally under 21 are disallowed. If somehow a minor’s data is in our
system, we comply with COPPA and other laws by deleting it. A parent/guardian who discovers their
underage teen created an account can contact us to remove it. See next section for more.
In summary, Tokr provides you with robust controls: you can access, correct, delete your data, and opt
out of various uses. We’ve built compliance and user choice into the app from the ground up, following
guidelines and legal requirements. If you need any assistance exercising your rights, please contact us.
6. Age Restrictions and Children’s Privacy
Tokr™ is strictly for users 21 years of age and older (or the legal age of majority for cannabis in your
jurisdiction, if different). We do not target or permit use by minors. Our systems and Terms enforce this:
- Age Gate: Upon account creation, users must verify their age (by entering birth date or confirming
they are 21+). We rely on this self-attestation and the fact that the app is labeled with a mature age
rating in app stores (which should prevent downloads by underage users to some extent). If we have
reason to believe a user is underage (for example, if a user says in a video or comment that they are
under 21, or if analytics or reports indicate such), we will take steps to investigate and ban the
account.
- No Collection from Minors: We do not knowingly collect personal information from anyone under
13 (children) or under 18 (minors) or under 21 (people not legally allowed on Tokr™). Should we
inadvertently receive personal data from a minor (like if an underage person attempts to sign up
with a fake birth date but we later learn their true age), we will delete that data promptly. For
example, if a parent notifies us that their 17-year-old registered, we will remove the account and all
associated info.
- COPPA: Although COPPA (Children’s Online Privacy Protection Act) deals with under 13, we
voluntarily extend protections to all underage individuals because of the nature of our app. We do
not have any features directed at children. We do not have on our platform any animated characters
or designs likely to appeal to children – in fact, we explicitly ban content that targets minors.
- Parental Controls: Because the app is not for minors, we do not offer parental control features.
Instead, we rely on preventing minor usage altogether. Parents are advised to monitor their teen’s
devices and not allow Tokr™ if the teen is underage. The App Store rating for Tokr™ will be 17+ (or 18+)
which is meant to block family sharing with kids accounts, etc.
- If You Are Underage: If somehow you are reading this and under the required age, do not use
Tokr™. If you attempt to sign up, we will consider that a violation. If we discover it, we will remove you.
This is for legal compliance and community safety.
- International: In some jurisdictions, the age threshold might be different (e.g., 19 in some
countries, 18 for medical cannabis with proof, etc.). Our default is 21+ but we will adapt to stricter
rules as needed per region. For example, in Canada the legal age is 19 in some provinces – we might
allow 19+ in those places if it’s legal. But under 18 is globally a no for us. If you’re in the EU, our
service is inherently a restricted adult service, so under GDPR’s age 16 (or local lower ages like 13),
we do not allow participation.
No minors’ data is stored knowingly. In the unlikely case that a minor’s data (like a name or image in a
user’s content) appears, we have moderation practices to remove it. For example, if someone posts a video
with a child in it (even if the adult is showing how to lock cannabis away from kids), we might allow it if it’s
clearly educational and the child isn’t consuming or being targeted. But anything problematic involving
minors and cannabis would be removed and possibly reported.
7. Data Storage, Security, and Retention
7.1 Data Security Measures
We take security very seriously and implement a range of administrative, technical, and physical
safeguards to protect your information from unauthorized access, alteration, disclosure, or destruction.
These measures include:
- Encryption: Communications between the app and our servers are secured via TLS/SSL (HTTPS) to
prevent eavesdropping. Sensitive data (like passwords) is stored hashed or encrypted. For example,
passwords are never stored in plain text (we use secure hashing algorithms with salt). Any location
data transmitted is also encrypted in transit. For stored data, we utilize the security features of our
cloud providers – for instance, our databases and storage buckets are encrypted at rest.
- Access Controls: Only authorized personnel and service providers have access to personal data, and
only on a need-to-know basis. Our databases are firewall-protected, and admin access requires
strong authentication. Internally, we limit which employees can access raw data. Those who do (like
support or moderation staff) are trained in privacy and required to keep information confidential.
We also maintain logs of access to sensitive systems to detect any irregular access.
- Testing and Updates: We keep our software and dependencies up to date to patch security
vulnerabilities. We conduct periodic security assessments and code reviews. We may also employ
third-party security audits or penetration tests to identify and fix weaknesses. If we discover any
security issue, we address it with high priority.
- Secure Development Practices: We follow best practices in development (e.g., protecting against
SQL injection, using parameterized queries, proper input validation to prevent XSS, etc.). Our team
considers security from the design phase. For example, for features like AI chat, we ensure tokens or
user IDs are securely handled.
- Incident Response: We have a plan for responding to any data breaches or security incidents. In the
unlikely event of a breach affecting user data, we will notify affected users and relevant authorities
as required by law, and take steps to mitigate any harm.
- User Responsibilities: Note that you also play a role in security. Keep your password secure and do
not share it. Use a unique, strong password for Tokr™. If you suspect unauthorized access to your
account, notify us immediately. We also suggest enabling any additional security features we may
offer (like two-factor authentication, if we implement it in the future). We will never ask for your
password via email. Be cautious of phishing attempts.
Despite our efforts, no system can be 100% secure. We therefore cannot guarantee absolute security of
your data. However, we adhere to industry standards and constantly work to improve our security stance.
Apple’s guideline 1.6 also reminds developers to secure user data properly – we fully commit to that.
7.2 Data Storage Location
Your data is primarily stored on servers located in the United States. Specifically, our cloud infrastructure
(Supabase, Firebase, Mux) uses U.S. data centers (though some may have global CDNs for performance). If
you are using Tokr™ from outside the U.S., understand that your information will be transferred to and
processed in the U.S. (and possibly other countries where our providers have servers). These countries may
have data protection laws that differ from those in your country. We take steps to ensure appropriate
safeguards are in place (for example, for EU users, we rely on standard contractual clauses or other legal
transfer mechanisms to legitimize the data transfer, since the U.S. is not currently considered to have
“adequate” protection by the EU). By using Tokr™, you consent to this international transfer, storage, and
processing of your data.
We retain personal data on our servers, including backups. We do not currently use any offsite physical
storage – everything is cloud-based.
7.3 Data Retention Policy
We keep your personal information only as long as necessary to fulfill the purposes outlined in this Privacy
Policy, and to comply with legal obligations.
- Active Account: For as long as you have an account on Tokr™, we will retain the information you have
provided and that we collected, so that the app can function. This includes your profile info, content,
etc.
- After Deletion: If you delete your account (or we terminate it), we will initiate deletion of your
personal data. However, we may keep certain data for a limited time in backups or archives before
those are overwritten – typically, our backups rotate within 30-60 days. We also may retain data if
necessary for legal obligations or legitimate interests: for instance, records of transactions or
communications may be retained if required for tax, reporting, or evidence. If we banned an account
for severe violations, we might keep a hash of an identifier to prevent re-registration (this is a
security measure). But generally, we try not to keep data longer than needed.
- Content: If you removed specific content (like you deleted a video you posted), that video may
remain on our servers in backup for a short period but is inaccessible to others. If it was shared or
dueted (in case we have that feature), traces of it might persist. We make best efforts to fully remove
deleted content from production databases promptly.
- Analytics: We may keep aggregated analytics data (which no longer identify you) indefinitely to
understand trends over time. But personal usage logs we might discard or anonymize after a period
(for example, we might only keep detailed logs for a few months and then aggregate them).
- Legal Retention: Some laws require retention. For example, if a user made a purchase (in
hypothetical future, since currently no direct purchases in Tokr™), we’d keep transaction records for
accounting. Or if you consented to some terms, we may keep that consent record. Also, if there’s any
ongoing legal issue or investigation, we may retain relevant data until it’s resolved.
- Inactivity: If your account is completely inactive for a very long time (say, a few years), we might
choose to delete it and associated data as part of routine purging. We would likely notify by email
before doing so, giving you a chance to log in and keep it active.
- DMCA/Violations: If we remove content due to DMCA or Terms violation, we might keep a record of
that incident (the notice, and metadata of the content) to support our legal obligations and rights
(like defending against a claim of improper removal or tracking repeat infringers). But the content
itself might be deleted.
Data Deletion Requests: If you request deletion (under GDPR or CCPA or general user request), we will
remove personal data that we are not legally obligated to keep. We will inform you once completed. If we
must keep certain info (like email in a suppression list so we don’t email you again, or logs for legal
compliance), we’ll explain that.
We adhere to Apple’s guideline requiring privacy policies to explain data retention and deletion in clear
terms – thus, we have provided these details.
In summary, we aim to retain your data only for as long as it serves Tokr’s purposes and your needs,
and we delete it securely thereafter. We want to minimize unnecessary retention.
8. International Users and Legal Compliance
Tokr is based in the United States, but we may be accessible to users in other countries, only in
jurisdictions where cannabis content and usage is legal. Laws regarding cannabis and data privacy vary
by country, and we aim to comply with all applicable regulations.
- United States (Federal and State): Federally, cannabis is still illegal (Schedule I substance). Tokr™
does not sell cannabis; it provides information and connects users with state-legal dispensaries. We
ensure that our operations (data storage, content policies) comply with federal law to the extent
applicable (since we do not facilitate actual transactions of controlled substances, we mainly operate
in the info sphere which is protected speech, but we still ensure not to promote illegal activity). At
the state level, we obey local marketing and privacy rules. For example, some states have specific
rules on cannabis advertising (like no health claims, etc.); our content moderation incorporates
those. From a privacy perspective, the U.S. has laws like CCPA (California) which we adhere to for
relevant users.
- Canada: Cannabis is legal nationwide with provincial differences. If Tokr™ serves Canadian users, we’d
adapt the age requirement (19 in most provinces, 18 in Quebec/Alberta, etc., but likely enforce 19+
to be safe). We comply with Canada’s PIPEDA (federal privacy law) for any Canadian user data –
meaning we obtain consent for data collection and allow access/correction, similar to GDPR.
- European Union and UK: In most of Europe, recreational cannabis is illegal or limited (some medical
allowances). Tokr’s focus is on legal jurisdictions; thus, we might not actively market or allow usage
in EU countries unless it's purely educational and does not violate any local laws. If EU users do use
Tokr™ (maybe for educational content), their personal data will be processed per GDPR standards: we
provide legal bases (as discussed in Rights section), and we facilitate their rights. We have appointed
a representative or point of contact in the EU for data protection inquiries if required. We also note
that by using the app, EU users consent to their data being transferred to the U.S. etc., as described
(with safeguards).
- International Data Transfers: As mentioned, we use Standard Contractual Clauses (SCCs) or other
mechanisms for EU data transfer to the U.S. If any other country requires data residency or localization,
we will have to assess whether we can operate there (for example, some countries demand local
servers for certain data – currently we do not have that, so we might simply restrict use).
- Other Regions: If we have users in e.g. Australia (medical cannabis legal), or certain Latin American
countries, we will handle their data similarly. We are committed to not sharing data with
governments unless legally compelled. We also respond to user rights requests globally, not just
limiting to certain nationals.
- Compliance with App Store Guidelines: Apple’s guidelines (esp. sections 5.1.1 and 5.1.2) basically
encapsulate many privacy law principles – we follow those by providing this detailed policy and
securing consent for sensitive data uses. Also, guideline 5.1.1 (ix) notes that apps in highly
regulated fields like legal cannabis must be offered by a legal entity and geo-restricted,
which we have done (we ensure legal entity dev and geo limitations). We also commit not to share
data in illegal ways.
- Jurisdiction-specific disclosures: If required, we include specific disclosures:
- California: We have already covered CCPA rights. We also note we do not respond to "Do Not Track"
browser signals because our app is mobile (and we handle tracking via consent frameworks).
- Nevada: Nevada law allows opting out of data sale – we don’t sell data, but Nevada residents can
email us to opt out just in case.
- EU/UK: We provided GDPR rights. We might list a contact for our Data Protection Officer if we
designate one.
- Brazil (LGPD), Australia (APP), etc.: As applicable, user rights are similar and we honor them.
- Cannabis Content Laws: Independent of privacy, since Tokr™ deals with cannabis content, we ensure
to comply with community standards and local law. For example, in some regions advertising
cannabis to the general public is restricted – because Tokr™ is 21+ gated and more educational, we try
to align with those rules. We also include disclaimers that cannabis is legally risky in some places,
etc.
- Changes due to law: If legal requirements change (for privacy or cannabis), we will update our
practices and possibly this policy. For instance, if a new law requires data minimization or additional
user rights, we’ll incorporate that. We keep a close eye on evolving regulations (like new U.S. federal
privacy laws if they come, or future changes in cannabis legality).
9. Third-Party Websites and Services
Tokr™ may contain links to third-party websites or services that we do not own or control (for example, a
dispensary’s website for online ordering, or a YouTube link someone shared, or a reference to a cannabis
lab results site, etc.). This Privacy Policy does not apply to those external sites or services. If you click on
a third-party link, you will be taken to that third party’s site/app, and their own privacy policy will govern any
data you provide or that they collect.
We are not responsible for the privacy practices of third parties. We encourage you to review the privacy
policies of any third-party site or service before providing any personal information or using it. This
includes, for example, Google if you use Google Sign-In (Google’s privacy policy applies to that action), or if
we incorporate a map via a third-party API (the provider might collect some data). Where we embed third-
party content (like maybe an embedded map or video), we will do so in a way that respects privacy as much
as possible.
Specifically, if we show a map from e.g. Apple Maps or Google Maps in-app for directions, using it might
subject you to their terms. If you follow an advertiser’s link to an external online store, any data you provide
there (like your name/address to place an order) is collected under that site’s terms, not Tokr’s.
We do not share your personal data with third parties for their independent use, except as explained. But if
you leave Tokr™, different rules apply. For clarity, if a dispensary is listed on Tokr™ and you call them or visit,
any information you provide directly to that dispensary is outside our scope.
10. Updates to This Privacy Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, technologies, legal
requirements, or other factors. When we do, we will change the “last updated” date at the bottom of this
policy. If changes are significant, we will provide a more prominent notice (such as a push notification, in-
app alert, or an email notification).
Significant changes might include any new data collection, any broader sharing, or changes in your rights.
Minor changes (like clarifications or typographical corrections) might be posted without a specific notice,
but they’ll still be reflected by the date change.
Your continued use of Tokr™ after any changes to this Privacy Policy signifies your acceptance of the
updated terms, to the extent permitted by law. If you do not agree with the changes, you should
discontinue use of the app and can delete your account. We will provide a reasonable advance notice for
changes that materially affect how your data is handled, whenever possible, to give you the opportunity to
review and consent to the new policy.
We keep old versions of this Privacy Policy archived for reference. If you wish to see a prior version, you can
contact us.
11. Contact Us
If you have any questions, concerns, or requests regarding this Privacy Policy or your personal data, please
do not hesitate to contact us:
- Email: hello@webairai.com
- Address: 1025 Old Country Rd, Westbury, NY 11590
- In-App: You may be able to go to Settings -> Support/Contact and send a message directly.
We will do our best to respond to your inquiry in a timely and comprehensive manner. If you have a concern
about how we’ve handled your data, we appreciate the opportunity to make it right.
For EU/UK users: If you need to reach our Data Protection Officer (DPO) or EU representative, please email
us and we will direct you accordingly. (Our current privacy team handles DPO tasks, but we will inform you if
there’s a designated individual or entity.)
For California users: You can use the above contact info to exercise your CCPA rights (just indicate that in
your message).
We value your privacy and trust, and we are committed to safeguarding your personal information while
providing you with a valuable service on Tokr™.
Thank you for reading our Privacy Policy. By using Tokr™, you acknowledge that you understand and agree
to these practices. We encourage you to stay informed and reach out with any questions. Enjoy exploring
Tokr’s educational cannabis content responsibly and privately!

