Privacy Policy

Last updated: March 2026

Introduction

LowTox Technology Ltd ("we", "our", or "us"), trading as LowTox AI, provides a browser extension and web service that analyses product ingredient lists and returns safety assessments. This policy describes what data we collect, how we use it, and your rights regarding your personal data. We process data in accordance with the UK GDPR and other applicable privacy laws.

Data we collect

Ingredient text and analysis results. When you use the extension to analyse a product, we receive the ingredient list you submit. We process this via AI services (see Third-party processors below) to generate a verdict (SAFE, CAUTION, or AVOID) and summaries. We cache analysis results in our database to speed up repeat checks for the same product. Cached results are stored by ingredient hash (not by your identity). We do not log, sell, or share this data with third parties for marketing or advertising purposes.

Concern profiles (health preferences). You may optionally set concern preferences (e.g. fragrance-free, pregnancy-safe, endocrine disruptors). In the extension, these are stored locally in your browser (browser.storage) unless you give explicit consent for server-side sync. If you consent to syncing your profile to our servers, we store your concern preferences in our database to personalise analyses. Concern profiles may include information about health sensitivities or preferences that are special category data under GDPR Article 9. We process this data only with your explicit, separate consent and solely for the purpose of personalising your ingredient analyses. When generating personalised analyses, your concern profile data is included in prompts sent to OpenAI (see Third-party processors below); this is covered by OpenAI's Data Processing Agreement for special category data. You may withdraw consent and delete your concern profile at any time in your account settings.

Account and subscription data. If you create an account, we store your email address and a hashed password (or OAuth token), session information, your subscription plan status, and the dates of any trial or paid subscription. We use this to manage your account and provide paid features. We do not use this for profiling or marketing beyond transactional subscription communications.

Payment data

If you subscribe to LowTox AI Pro, your payment is processed by Stripe Technology Europe, Limited ("Stripe"), acting as our payment processor. Stripe is a data processor for LowTox Technology Ltd under Article 28 UK GDPR. LowTox Technology Ltd is the data controller for subscription and payment management data.

Data shared with Stripe:

  • Your email address (used to identify you as a Stripe customer)
  • The subscription plan you select and transaction amounts and dates
  • Your Stripe customer identifier and subscription identifier (stored in our systems to manage your subscription)

Card data: Raw card numbers, CVV, and expiry dates are entered directly into Stripe-hosted fields (Stripe Payment Element). Card data never passes through or is stored on LowTox Technology Ltd's servers or infrastructure.

The lawful basis for processing payment data is performance of contract (Article 6(1)(b) UK GDPR) - processing is necessary to manage your subscription. Stripe processes this data under its own Privacy Policy. We have executed a Data Processing Agreement with Stripe covering EU GDPR and UK GDPR.

How we use your data

  • To generate ingredient safety assessments and personalised verdicts
  • To cache results and improve response times for repeat analyses
  • To manage your account and subscription
  • To provide and improve our services
  • To comply with legal obligations

Third-party processors

We use the following third-party processors. Each processes data only as described below and under its own data processing agreement:

  • OpenAI - ingredient text and, where you have consented, your concern profile health preferences are sent to OpenAI to generate analysis and personalised verdicts. OpenAI acts as a data processor; we have executed a Data Processing Agreement with OpenAI covering special category health data (GDPR Article 9).
  • Perplexity (Pro plan) - ingredient text may be sent to Perplexity for enriched regulatory context. Used only for analysis; not for advertising or profiling.
  • Stripe Technology Europe, Limited - payment processing for Pro subscriptions. See Payment data section above.

Data retention

Cached analysis results are retained to support repeat checks. Account data is retained for the duration of your account and for a reasonable period after deletion to meet legal obligations. Subscription and payment records are retained as required by tax and accounting law. You may request deletion of your concern profile at any time (see Your rights). We will delete or anonymise data in accordance with our retention policy and applicable law.

Your rights

Under UK GDPR and applicable law, you have the right to:

  • Access: request a copy of your personal data
  • Rectification: correct inaccurate data
  • Erasure: request deletion of your data (including your concern profile)
  • Restrict processing: in certain circumstances
  • Object: to processing based on legitimate interests
  • Data portability: receive your data in a structured format
  • Withdraw consent: for concern profile data, at any time via your account settings - without affecting your subscription

To exercise these rights, contact us (see Contact below). You also have the right to complain to a supervisory authority, such as the Information Commissioner's Office (ICO) in the UK.

Cookies and similar technologies

Our website may use cookies or local storage for session management and essential functionality. We do not use tracking cookies for advertising.

Security

We implement technical and organisational measures to protect your data against unauthorised access, loss, or misuse. Data is transmitted over HTTPS. Card data never transits our servers (it is handled by Stripe-hosted fields). We regularly review our security practices.

Changes to this policy

We may update this policy from time to time. We will notify you of material changes by posting the updated policy on this page and updating the "Last updated" date, and where required by law, by notifying you directly. Continued use of our services after changes constitutes acceptance of the updated policy.

Contact

For privacy-related enquiries or to exercise your rights, please contact us. LowTox Technology Ltd is the data controller for personal data processed by LowTox AI.