Privacy Policy
Last Updated: November 7, 2025
Data Controller: Tolion Health AI
Contact: info@tolion.com
This Privacy Policy (“Policy”) explains how Tolion Health AI (“we”, “us”, “our”) collects, uses, stores, and protects your personal data when you use our mobile application Tolion Brain Coach (the “App”), our websites (https://tolion.com/ and https://tolionbraincoach.com/), services, tools, and features, or otherwise interact with us (collectively, the “Services”).
Changes To This Policy
We may modify this Policy from time to time, in which case we will update the “Last Updated” date at the top of this Policy. If we make material changes to how we use or disclose personal data we collect, we will use reasonable efforts to notify you (such as by emailing you at the last email address you provided us, by posting notice of such changes on the Services or by other means consistent with applicable law) and will take additional steps as required by applicable law. If you do not agree to any updates to this Policy, please do not continue using or accessing the Services.
Information We Collect
When you use or access the Services, we collect certain categories of information about you from a variety of sources. In addition to the specific uses discussed below, we may use this information to provide and improve the Services (including testing, research, internal analytics and product development and improvement, including, without limitation, our current and future artificial intelligence and/or machine learning algorithms and models) and to maintain our business relationship, including by enhancing the safety and security of our Services, providing customer support, complying with applicable legal obligations, enforcing any applicable terms of service, and protecting our rights and the rights of our employees, users or other individuals.
Information You Provide to Us
Some features of the Services may require you to directly provide certain information, including information about yourself. You may elect not to provide this information, but doing so may prevent you from using or accessing these features. Information that you directly submit through our Services may include:
- Basic contact details and personal identifiers: such as name and email. We use this information to create and maintain your account and provide the Services.
- Demographic data: such as age, gender, height, weight, and race/ethnicity.
- Health and wellness data: such as information about your physical, mental, and emotional well-being, data collected from wearable devices when you choose to enable integrations with your devices (e.g., activity and exercise data, sleep metrics, etc.), and information about your medical and family medical history. We use this information to provide and improve the Services. For more information about our collection, use, and disclosure of health and wellness data, and Consumer Health Data, please see our Consumer Health Data Privacy Policy at https://tolion.com/consumer-health-data-privacy-policy/.
- Account information, such as your Apple ID, username, password, security questions that you select and the answers you provide. We use this information to provide the Services. If you choose to register an account, you are responsible for keeping your account credentials safe. We recommend you do not share your access details with anyone else. If you believe your account has been compromised, please contact us immediately.
- Any other information you choose to include in communications with us, for example, when sending a message through the Services, completing questionnaires, or interacting with our chatbot.
Information Collected Automatically
We and third parties may also use cookies, pixels or other tracking technologies to automatically collect certain information about your interactions with the Services. This information is collected and used to tailor your experience with the Services, run analytics, better understand user interactions with the Services, etc. Such information includes:
- Device information, such as device type, operating system, unique device identifier, and internet protocol (IP) address.
- Location information, such as approximate location derived from your IP address.
- Other information regarding your interaction with the Services, such as browser type, log data, date and time stamps, clickstream data, interactions with marketing emails, and ad impressions.
Most browsers accept cookies automatically, but you may be able to control the way in which your devices permit the use of cookies. If you so choose, you may block or delete certain of our cookies from your browser; however, blocking or deleting cookies may cause some of the Services, including any portal features and general functionality, to work incorrectly.
Your browser settings may also allow you to transmit a “Do Not Track” signal when you visit various websites. Like many websites, our website is not designed to respond to “Do Not Track” signals received from browsers.
Information Collected From Other Sources
We may obtain information about you from outside sources, including information that we collect directly from third parties and information from third parties that you choose to share with us. Such information includes:
- Data collected from wearables and health tracking devices we receive when you choose to share and link data from third-party services with the Services [which we use with your consent].
- Analytics data we receive from analytics providers such as Google Analytics, which we use in our legitimate interests to improve our website, communications and the Services.
Any information we receive from outside sources will be treated in accordance with this Policy. We are not responsible for the accuracy of the information provided to us by third parties and are not responsible for any third party’s policies or practices. For more information, see the section below, Third-Party Websites and Links.
De-identified and Anonymized Information
We may deidentify or anonymize your information such that it cannot reasonably be used to infer information about you or otherwise be linked to you (or we may collect information that has already been deidentified/anonymized), and we may use and/or disclose such deidentified/anonymized information for any purpose.
Disclosure of your Information
We may disclose your information for legitimate purposes subject to this Policy, including to the following categories of third parties:
- Our affiliates or others within our corporate group, to efficiently provide the Services.
- Vendors or other service providers who help us provide the Services, including for system administration, cloud storage, security, customer relationship management, marketing communications, web analytics, payment networks, and payment processing.
- Third parties in connection with or anticipation of an asset sale, merger, bankruptcy, or other business transaction, as a matter of our legitimate interests to run a successful and efficient business.
We may also disclose your information as needed to comply with applicable law or any obligations thereunder, to cooperate with law enforcement, judicial orders, and regulatory inquiries, to enforce any applicable terms of service, and to ensure the safety and security of our business, employees, and users.
Third-Party Websites And Links
We may provide links to third-party websites or platforms. If you follow links to sites or platforms that we do not control and are not affiliated with us, you should review the applicable privacy notice, policies and other terms. We are not responsible for the privacy or security of, or information found on, these sites or platforms. Information you provide on public or semi-public venues, such as third-party social networking platforms, may also be viewable by other users of the Services and/or users of those third-party platforms without limitation as to its use. Our inclusion of such links does not, by itself, imply any endorsement of the content on such platforms or of their owners or operators.
Children’s Privacy
Our Services are not intended for children, and we do not seek or knowingly collect any personal data about children. If we become aware that we have unknowingly collected information about a child, in particular any child under 13 years of age, we will make commercially reasonable efforts to delete such information from our database. If you are the parent or guardian of a child under 13 years of age who has provided us with their personal data, you may contact us using the below information to request that it be deleted.
Data Security and Retention
Despite our reasonable efforts to protect your information, no security measures are impenetrable, and we cannot guarantee “perfect security.” Any information you send to us electronically, while using the Services or otherwise interacting with us, may not be secure while in transit. We recommend that you do not use unsecure channels to send us sensitive or confidential information.
We retain your information for as long as is reasonably necessary for the purposes specified in this Policy. When determining the length of time to retain your information, we consider various criteria, including whether we need the information to continue to provide you the Services, resolve a dispute, enforce our contractual agreements, prevent harm, promote safety, security and integrity, or protect ourselves, including our rights, property or products.
Data Transfers
The information we collect from you may be stored and processed in countries outside the European Economic Area (EEA) and UK. For any transfers of data from the EEA or the UK, the data transfer will be under the European Commission’s model contracts for the transfer of personal data to third countries (i.e., the standard contractual clauses; specifically, module two (controller to processor transfer), as relevant) or the UK Information Commissioner’s international data transfer addendum to the EU standard contractual clauses, as relevant, unless the data transfer is to a country that has been determined by the European Commission or the relevant UK authorities, as applicable, to provide an adequate level of protection for individuals’ rights and freedoms for their personal data.
Contact Information
For any questions, requests, or concerns regarding this Policy or your rights under GDPR, please contact us:
- Email (general): info@tolion.com
- Address: Tolion Health Inc., 11 Blossom Circle, Natick, MA 01760