Privacy Policy
This data protection notice informs you about the processing of your data by tonies GmbH, Oststraße 119, 40210 Düsseldorf (hereinafter referred to as “we”, “us”).
It applies to the use of this website and all applications, services (including payment services) and products provided by us. It applies regardless of how you access or use our applications, services and products, including access via mobile devices and by app.
Note for residents of the United States: Our shop at https://us.tonies.com/ is operated by our US subsidiary tonies US, Inc., which shares your personal data with us. As the legal basis for any data transfers within the group, we have concluded an intercompany agreement that includes the EU standard contractual clauses.
Note to UK residents: If the subject of processing activity is personal data from individuals inside the United Kingdom, the processing of personal data will be secured by the application of the UK-GDPR. In such cases, references made in this data protection notice to the GDPR shall be interpreted as reference to the corresponding regulation in the applicable UK-GDPR.
For further information, see Section IX, “Additional Information for Persons Residing in the United States”. I. Contact details of the controller and the data protection officer
1. Name and contact details of the controller
tonies GmbH, Oststraße 119, 40210 Düsseldorf, Deutschland
Contact form: contact form
For enquiries in the United States, please refer to the following address: tonies US, Inc. Attn: Privacy 3000 El Camino Real, Building 4, Suite 200 Palo Alto, CA 94306 Contact: privacy.us@tonies.com
2. Contact details of the data protection officer
Herold Unternehmensberatung GmbH, Hafenstrasse 1 A, 23568 Lübeck, Deutschland
Contact: contact form
II. Data categories, purposes and lawfulness of the processing
Depending on how you interact with us, we collect and process your personal data in different ways. In doing so, we generally rely on the following purposes and legal bases:
Consent (Art. 6 para. 1 lit. a GDPR): If you have given us your consent, we will process your data for the purpose for which you have given your consent (e.g. if you submit a product review). You can withdraw your consent at any time with future effect. This does not affect the lawfulness of the processing of your data until withdrawal.
Contract fulfilment and pre-contractual measures (Art. 6 para. 1 lit. b GDPR): We process your personal data for the purpose of providing our contractual services in connection with our websites and the tonies app (hereinafter collectively referred to as ‘platforms’) , i.e. in the context of executing our contracts with you, and, where applicable, for the purpose of implementing pre-contractual measures that are carried out upon your request regarding our products and services.
Legal and compliance requirements (Art. 6 para. 1 lit. c GDPR):We process your personal data when we are subject to a legal obligation that requires processing, e.g. to fulfil tax obligations.
Pursuit of our legitimate interests (Art. 6 para. 1 lit. f GDPR): We process your personal data on the basis of our legitimate interests, e.g. to enable you to use our website conveniently.
In addition to the above provisions, other applicable data protection laws apply. This applies in particular to the Federal Data Protection Act (BDSG) and the Telecommunications Digital Services Data Protection Act (TDDDG).
If you would like more detailed information, you can read about the individual processing operations below:
1. Website and app visitors
a. Serverlogfiles
We (i.e. our web hosting provider) collect data about every access to the server (so-called server log files) that your browser transmits to us. This involves collecting data associated with your visit to our website:
• browser type/engine/version,
• used operating system and version,
accessed URL
• referrer URL (the prior visited website),
• time of server request
• location at the time of server request
In the event of an error occurring, we also collect the following data in addition to the data already listed above:
• your User ID and customer ID, provided that you were locked into your tonies account
used end device
The processing of data is carried out in accordance with Art. 6 para. 1 lit. f GDPR on the basis of our legitimate interest (functionality and stability of the website and app, including defence against cyber-attacks and customer-friendly design of the website).
The data will be deleted 3 days after it is collected.
The data is automatically provided by the browser of the data subject.
The recipients of the personal data are IT service providers that we use within the framework of an data processing agreement.
Without disclosing personal data, such as the IP address, it is not possible to use the websites. Communication via the websites without providing data is technically impossible.
b. Cookies and similar technologies
When you use our services, we and authorised third-party providers use cookies and similar technologies (collectively referred to as ‘cookies’) to provide you with a better, faster and safer user experience or to display personalised advertising. Detailed information about the use of cookies and similar technologies, as well as your options in this regard, can be found in our cookie banner. Here you also have the option to manage your consents.
2. Contact with customer service
When you contact our customer service, we process your personal data on the basis of our legitimate interest (processing enquiries, acquiring new customers, efficient communication and ensuring customer satisfaction) pursuant to Art. 6 para. 1 lit. f GDPR and, in the case of contracts with natural persons, the initiation of a contract or the contract itself (Art. 6 para. 1 lit. b GDPR), as well as legal obligations, in particular tax and commercial law regulations (Art. 6 para. 1 lit. c GDPR).
The data is stored and processed by us solely for the purpose of responding to and processing your request.
If you contact our customer service and provide the Toniebox ID as part of a support request (e.g. because your Toniebox has a technical problem), personal data you provided may be linked request-based to device-related log entries collected to date (see also section 7.d) via the identification of the device-related MAC address. In this case, customer service will actively inform you before such a link is made, and you can of course object to this at any time. The linking enables us to (i) process your support request, (ii) track down Tonieboxes or Tonies lost while in transit, (iii) resolve problems with audiothek content, and (iv) detect and defend against cases of misuse and legal violations in this context.
Your personal data will be deleted as soon as the purpose of the communication has been fulfilled. Due to legal requirements, other retention periods may apply. For example, if the communication can be considered business correspondence, we are obliged under the German Commercial Code (HGB) to retain the communication for at least 6 years.
The contact details are actively provided by the data subject themselves. The communication metadata and communication data are collected automatically.
Interested parties are required to provide data. Communication is not possible without providing data.
a. Contact form
When you use our contact form, we process the information you enter there, including the contact details you provide.
b. Callback accommodation
As part of our efforts to support you with your technical issue, we offer in limited cases callbacks with one of our specialists. For complex technical problems that cannot be solved using self-help solutions (e.g. Help Centre) or written communication (e.g. email, chat), you may under certain circumstances be offered an appointment for a personal consultation, during which the technical problem can be evaluated in further detail. In order to ensure the quality of these callbacks, we record them for documentation and later review in order to optimise our services.
If you accept a callback offered by us, we will process your name, your email address, the date you selected for the callback, the information provided during the callback, and the recording of the callback.
The recording of such callbacks is based on your explicit consent (Art. 6 para. 1 lit. a GDPR). Your consent to the recording of the conversation does not affect whether a callback will be offered to you. If you do not consent to the recording of the conversation, we will simply refrain from recording it. You can revoke your consent at any time before, during or after the callback with future effect. The legality of the processing of your data until revocation remains unaffected by this.
The recording and the personal data it contains will be retained for this purpose for a maximum of 14 days and deleted automatically thereafter.
3. Product reviews on our website
You have the option to rate the products and services offered on tonies.com.
Personal data is processed for the purpose of enabling the rating function and checking the content of ratings for compliance with the applicable conditions for customer ratings. Processing is based on your prior consent in accordance with Art. 6 para. 1 lit. a GDPR, which you declare by submitting your review. Access to and storage of information on the end device is based on the implementing laws of the ePrivacy Directive of the EU member states, , in Germany in accordance with § 25 para. 1 TDDDG.
When you submit a review, your review and rating (stars) as well as your nickname/name and email address will be stored. If your IP address indicates a risk of fraud, your IP address will be stored together with your review until the matter has been clarified. If there are no indications of fraud, we will delete your IP address.
Deletion of your review. You have the option of requesting the deletion of your review. To do so, please contact us using our contact form.
4. Orders via our online shop
When you place orders via our online shop, we store your first name, surname, company name (optional), delivery address, billing address, payment method (as a default setting for your first purchase), email address and telephone number (as voluntary information for queries regarding your order). We will then send you emails relating to your order, e.g. an order confirmation and a shipping confirmation. Depending on the payment method you have chosen, we will transfer the personal data necessary for the purchase to the respective payment service provider in order to process the payment and the purchase. The data is only passed on for the purpose of payment processing. Data processing by payment service providers is carried out under the independent data protection responsibility of the payment service providers. The following payment service providers may be used, depending on your choice during the ordering process:
PayPal (Europe) S.à r.l. et Cie, S.C.A., 22–24 Boulevard Royal, L-2449 Luxemburg https://www.paypal.com/us/legalhub/paypal/privacy-full
Klarna Bank AB (publ), Sveavägen 46, 111 34 Stockholm, Schweden https://cdn.klarna.com/1.0/shared/content/legal/terms/en-EU/privacy/
GooglePay: Google Ireland Ltd., Gordon House, Barrow Street, Dublin 4, Irland https://policies.google.com/privacy
Visa Europe Services Inc., 1 Sheldon Square, London W2 6TT, Vereinigtes Königreich https://www.visa.co.uk/legal/global-privacy-notice.html
Mastercard Europe SA, Chaussée de Tervuren 198A, B-1410 Waterloo, Belgien https://www.mastercard.com/us/en/global-privacy-notice.html
We process your personal data for the purpose of providing our contractual services in accordance with Art. 6 para. 1 lit. b GDPR (implementation of the General Terms and Conditions, processing of online orders) as well as to fulfill legal retention obligations in accordance with Art. 6 para. 1 lit. c GDPR.
The data is provided directly by the data subject.
The provision of data is required by law and contract and is necessary for the conclusion of a contract. Without the disclosure of personal data, it is not possible to conclude a contract.
5. Audio Library
If you have a tonies account and have logged in at my.tonies.com, you can use our audio library. To order audio library content, we need your personal data to process your order. For this purpose, we need your first name, last name, company (optional), billing address, email address and telephone number (optional, for enquiries about your order). If you use the audio library to assign audio library content you have already purchased to your tonies and to manage your purchased content, we do not require any personal data from you other than your tonies account login details.
We process your personal data for the purpose of providing our contractual services in accordance with Art. 6 para. 1 lit. b GDPR (implementation of the General Terms and Conditions, processing of online orders) as well as to fulfill legal retention obligations in accordance with Art. 6 para. 1 lit. c GDPR.
6. Tonie-Blog
Depending on which country-specific blog you access, we offer you the opportunity to comment on our tonies blog posts on our tonies.com website. If you use this option, alongside with your comment, information about the time the comment was posted and your chosen username or pseudonym will also be stored and published. Furthermore, the IP address assigned to you by your internet service provider will also be logged. We also ask for your email address; we store this, but do not publish it. The storage of this personal data is for security reasons and in case you violate the rights of third parties or post illegal content in a comment you have submitted. The storage of this personal data enables us to indemnify ourselves in the event of legal violations. Your IP address and email address are processed on the basis of our legitimate interest in accordance with Art. 6 para. 1 lit. f GDPR (IT security and legal claims).
7. Our products (Toniebox, tonies, platform)
As a network-based system with a server and clients (the Tonieboxes and Tonies with audio content), there are further data exchange processes that are necessary for the system to function properly. Further details on the general functioning of our system can also be found on our US website, our UK website or our German website.
a. Initial use of the Toniebox
Each Toniebox comes with an individual client certificate that allows it to authenticate itself uniquely to our platforms. In addition to this client certificate, a Toniebox-ID is also stored in the platforms for each Toniebox. This Toniebox-ID is also labelled on the underside of the Toniebox. When you set up the Toniebox for the first time and connect it to a new Wi-Fi network, you will be asked to enter the Toniebox-ID for verification purposes. This ensures that only authorised Tonieboxes can connect to our platforms.
b. Tonies Account
Your tonies account can be set-up via using your e-mail address. Your created tonies account can subsequently be linked to your Toniebox via the Toniebox ID labelled on the underside of your Box.
i. Tonies account set-up via e-mail
To set up your tonies account via your e-mail address, all you need is a valid e-mail address and a password of your choice. Please note that registration is only permitted if this e-mail address is actually yours or one of your email addresses.
ii. Account Setup and subsequent login via Google SSO In addition, we offer registration and subsequent login to your tonies account via your Google account (Google login). The provider for users in the Euro-pean Economic Area, UK and Switzerland is Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland (parent company: Google LLC, USA). When you use this service, we receive from Google, following your explicit consent as part of the authentication process, a unique user ID (Google ID) as well as your name, email address and, if applicable, your profile photo, if you've uploaded one to Google. We use this data received from Google exclu-sively for the purposes of authentication, account setup, and the administration of your user account. The processing serves to carry out pre-contractual/contractual measures (Art. 6(1) (b) GDPR) as well as to prevent misuse and fraud (Art. 6(1) (f) GDPR). Google is solely responsible for the provision and administration of the Google login as well as the security of the Google account. For more information on data processing by Google, please refer to Google’s privacy policy. We store the user ID and the provided email address until your user account is deleted. You can manage or revoke the account link and access rights for our app at any time in the security settings of your Google account under “Third-party apps with account access.” iii. Account setup and subsequent login via Sign In with Apple (SSO) Furthermore, we offer registration and subsequent login to your tonies account via Sign in with Apple. The provider is Apple Inc., One Apple Park Way, Cu-pertino, CA 95014, USA. When using this feature, we receive a service-specific user identifier from Apple as well as, depending on your choice, your name and your email address. Al-ternatively, an alias address provided by Apple (Hide My Email) can be used, through which Apple forwards messages to your registered email address. App-le also provides us with a binary fraud detection signal (real person). This processing serves the performance of pre-contractual/contractual measures (Art. 6 (1) (b) GDPR) as well as the prevention of abuse and fraud (Art. 6 (1) (f) GDPR). Apple is independently responsible for providing and managing Sign in with Apple. Further information on data processing by Apple, in partic-ular regarding Hide My Email and data retention periods, can be found in Ap-ple's privacy policy. We store the identifier and—if provided—the email address until your user ac-count is deleted. You can manage or deactivate Sign in with Apple at any time in your Apple account.
iv. Toniebox Set-up without using a tonies account
Toniebox 1 You do not need a tonies account to set up and use the Toniebox 1, so the essential functions of the Toniebox 1 are available to you even without registration (information on how to set up your Toniebox 1 without a tonies account can be found here). However, creating a tonies account is mandatory for using Creative Tonies and the audio library, connecting with other members, and accessing other features on our platforms. If a tonies account is deleted after the initial setup of the Toniebox 1, these special features of the tonies app can no longer be used.
Toniebox 2 A tonies account and the tonies app is required in all cases for setting up Toniebox 2 and for certain functions. This means that you cannot set up your Toniebox 2 without a tonies account and the tonies app, and you cannot use certain functions.
c. Tonies App
i. General information
If you want to use our app, you will need a tonies account (see section b) and you must also log in to the app with your email address or Apple ID and password before you can use the app. The app allows you to record voice recordings and link them to a selected Creative Tonie by uploading them from your smartphone or tablet to our server (see section e).
When you register on our app or websites, we store the information you provide, such as your email address, first name and surname.
The processing of personal data in the context of registration, login and use of the functions is carried out for the purpose of providing the services offered via the app and is therefore based on the legal basis of Art. 6 para. 1lit. b GDPR as well as to fulfill legal retention obligations in accordance with Art. 6 para. 1 lit. c GDPR.
ii. Special functions
In order for you to be able to use our app and its functions to their full extent, it must access various functionalities and data (e.g. the microphone to make sound recordings for the product). In order for us to obtain these permissions, you must grant the respective consents (declaration of consent in accordance with Art. 6 (1) (a) GDPR). We only collect permissions that are actually necessary for use. Please note that you will not be able to use the full functionality of our app unless all permissions are granted.
All users must ensure that they have the appropriate consent from the persons they record and upload via the app (or, in the case of recordings of children, from the child's parents or legal guardians). For more information, please refer to the relevant terms and conditions / terms of use for your region.
d. Ongoing use of the Toniebox and connection to our servers
i. General information
When you use your Toniebox, it attempts to connect to our servers in the following circumstances: (i) when the product is initially set up, (ii) when the product is switched on, (iii) when unknown tonies are placed on the box , and (iv) when you initiate a search for new content. If the connection to our servers is successful, the Toniebox transmits its individual client certificate, its (non-public) IP address and a timestamp. When you use tonies and the toniebox, we also receive usage and operating information and information about which content is currently assigned to a specific tonie. We use this device-related data to (i) check the functionality of the connection to the Wi-Fi network, (ii) enable error messages, error diagnosis and troubleshooting, (iii) provide customer service, (iv) operate, maintain and provide the Toniebox, (v) provide firmware updates, (vi) customise our services for users, and (vii) enable the development of new products and features.
For customers who do not have a tonies account and who do not submit a support request to our customer service department, we do not have the ability to associate the MAC address with any person connected to the Toniebox.
ii. Special functions of Toniebox 2
Tonieplay: When you use the new “tonieplay” feature, usage and operating information is collected about your interaction with the Toniebox 2. We process the data (e.g. frequency of use of individual games; errors that led to the termination of use) for the same purposes for which all other interaction data relating to the Toniebox are processed (see section 7.d.i.). Your personal data is processed for the purpose of providing our contractual services in accordance with Art. 6 para. 1 lit. b GDPR (provision of product functions).
Sleep-related functions (Bedtime mode,Sleep Timer, Sunrise Alarm with light function): The Toniebox 2 offers new features to support sleep routines (Bedtime mode, sleep timer, sunrise alarm with light function), for which we process your chosen settings (e.g. timer duration, light levels, volumes). We store these until you change the settings in the app (in which case the previous setting will be overwritten) or permanently delete your account. We do not collect data on actual sleep duration, physical reactions, or other health data within the scope of Article 9 of the GDPR.
The legal basis for the processing of your personal data is the provision of our contractually owed services in accordance with Art. 6 para. 1 lit. b GDPR (provision of product functions).
Connection and battery status display: The tonies app allows you to view the connection and battery status of your Toniebox 2 so that you know in time when the Toniebox needs to be recharged. We process your device status information to enable this status display.
Your personal data is processed for the purpose of providing our contractual services in accordance with Art. 6 para. 1 lit. b GDPR (provision of product functions).
e. Creative Tonies
When you upload audio files for your Creative Tonies to our servers (via the tonies app or our website), we convert these files on the server side to the required audio format and then make them available for listening on the Creative Tonies. Your original uploaded data will be automatically deleted after seven days. The converted data will then be available on the platforms. You can upload new data for the desired Creative Tonie as often as you like. Once the maximum running time of 90 minutes per Creative Tonie has been reached, you must delete your old data beforehand in order to replace it with new data. We do not store the old data; however, for technical reasons, the converted data is stored for at least seven days after conversion. We reserve the right to check the uploaded data for possible violations of applicable law (including copyright, personal rights and competition law), applicable case law and/or common decency. If we detect such a violation, we reserve the right to delete your data from the tonies platforms and close your tonies account. You can find more detailed information on this in our Terms of Use.
When your tonies account is terminated/closed, your audio library content and the files you have uploaded for your Creative Tonies will be deleted after termination. Terminating your tonies account will also delete any order history and the personal data contained therein. It is not possible to transfer this data to another user beforehand.
Your personal data is processed for the purpose of providing our contractual services in accordance with Art. 6 para. 1 lit. b GDPR (provision of product functions).
f. QR-Code on Toniebox packaging
Finally, we would like to point out that every Toniebox package is labelled with a QR code at the factory. This information is generally not linked to your tonies account. The only exception to this is if we have sufficient evidence of fraud. In this case, the QR code will be linked to your tonies account in order to track down Tonieboxes that have not been delivered. This serves to protect us from legal violations. We will delete the personal data used in this process as soon as the suspicion of fraud is not confirmed or a fraud investigation has been concluded and the data is no longer required as evidence or for legal defence purposes.
The processing serves to prevent abuse/fraud (Art. 6 para. 1 f GDPR).
8. Marketing measures
We conduct various marketing measures on different channels. These may include emails with news, offers, raffles and/or requests for product reviews.
If you have explicitly consented to this, we will send you personalised marketing emails. You can revoke your consent at any time with future effect. The lawfulness of the processing of your data until revocation remains unaffected.
Even without your consent, we may send you advertising by email, including requests for product reviews, to a certain extent as part of our advertising to existing customers, unless you have objected to this.
If you would like to know more, you will find a detailed list of our marketing measures below.
a. Product reviews
As a customer, you will receive an email from us requesting you to submit a product review after purchasing or using one of our products. We send this email regardless of whether you have subscribed to our newsletter.
We base the processing of your email address on Art. 6 para. 1 lit. f GDPR. Our legitimate interest lies in the further development of our products, whereby, among other things, the statutory exception in § 7 para. 3 of the Unfair Competition Act (UWG) allows us to weigh up the interests in our favour, as long as you have not objected to advertising. You can object to the use of your email address for such purposes at any time without incurring additional costs. For example, you can do this via the link at the end of each email or by selecting ‘Objection to data processing (Art. 21 GDPR)’ in the contact form and stating your objection.
For further details, see section 3 ‘Product reviews on the website’ [link].
b. “Back in stock”-notification
We offer customers and interested parties the option of clicking on the “Notify me” button to receive an email notification as soon as an item is available again in our shop. By doing so, you are only subscribing to the “Back in stock”-notification but not to our regular newsletter.
In this context, the processing of personal data is carried out on the basis of consent in accordance with Art. 6 para. 1 lit. a GDPR.
c. Advertising for existing customer
If you are a customer of ours and have already purchased products from us (including guest orders) or created an account with us, we will occasionally inform you about offers by email, unless you have objected to this.
The legal basis for this data processing is our legitimate interest within the meaning of Art. 6 para. 1 lit. f GDPR. Our legitimate interest lies in direct marketing (Recital 47 GDPR), taking into account the requirements of § 7 para. 3 UWG.
You can object to the use of your email address for such purposes at any time without incurring additional costs. For example, you can do this by clicking on the link at the end of each email or by selecting "Objection to data processing (Art. 21 GDPR)" in the contact form and stating your objection.
d. (Personalised) Newsletter
Based on your consent (Art. 6 para. 1 lit. a GDPR), you can subscribe to a (personalised) newsletter, which we will send you regularly via your preferred electronic medium (e.g. email, WhatsApp).
i. Via E-Mail
Subscription. In order to verify that you are the owner of the email address provided and that you agree to receive the newsletter, we use the so-called double opt-in procedure: After you have entered your email address in the subscription form, you will first receive an email with a confirmation link that you must activate in order to be added to our mailing list for our newsletter and thus receive the actual newsletter. When you subscribe to the newsletter, your email address and the date and time of your registration are transmitted to us, stored and processed. This data is stored solely for the purpose of verifying consent to receive and send the newsletter. The legal basis for this verification is Art. 6 para. 1 lit. c GDPR (processing to fulfil our legal obligation under Art. 7 para. 1 GDPR to provide evidence of consent).
Mandatory and optional Information. If you would like to receive our newsletter by e-mail, we need your e-mail address; you can also voluntarily provide your first and last name and your preferred form of addressing you, as well as the date of birth and/or month of birth and/or year of birth of one or more children you entertain, and provide further information (optional) in order to receive personalised advertising and offers tailored to the age group we believe you entertain. By providing additional information, your profile will be enriched and future communications to you will be personalised.
Age-appropriate product recommendations. If you would also like to be reminded of the upcoming birthday of the child or children you entertain with age-appropriate surprises, we need your email address and the date of birth of the child to receive the gift in order to send you personalised recommendations and the most suitable offers based on your interests and those of the child. Depending on the information provided and the age group, our notifications for an upcoming birthday may include discounts, product recommendations, AI-supported personalised birthday greetings, stories and songs. If we do not yet have any products for the age group you have specified, we will add the date of birth to your profile so that we can recommend suitable products at the right time. In connection with the date of birth, we may also send you information about upcoming events, such as kindergarten, school preparation and school enrolment, with appropriate listening experiences, services, products and (learning) tips to accompany you on your educational journey.
Duration of data storage. The data you provide us with (such as your date of birth) will be stored until you delete your account.
Unsubscribe. If you object to receiving advertising, we will save your email address on our block list to ensure that you no longer receive advertising from us. You can unsubscribe from our newsletter, for example, by clicking on the ‘unsubscribe’ link at the end of each newsletter, by sending a message to our customer service team or by using our contact form.
ii. Via WhatsApp or SMS
You can subscribe to our WhatsApp/SMS newsletter. The legal basis for our processing of your data is your consent (Art. 6 para.1lit. a GDPR). You give us this consent when you agree to processing on our platforms and confirm via your WhatsApp/SMS message that you would like to receive personalised newsletters, i.e. messages about offers and new products from the Tonies world based on your preferences (e.g. purchases, account information, interaction data), via this channel. For details on personalisation, see section 8.d.i.
Meta Platforms Ireland Ltd. (“Meta”) is responsible for data protection in relation to the operation of the WhatsApp communication platform. Information about data processing by WhatsApp can be found in Meta's privacy policy: https://www.whatsapp.com/legal/privacy-policy-eea?lang=en. We have no influence on Meta's data processing.
Unsubscribing. You can unsubscribe from the WhatsApp/SMS marketing channels at any time by sending the message ‘Stop’ in the chat.
iii. Push-notifications
With your consent, we can also provide you with recommendations via push notifications through the app. In addition to your consent, you must also confirm your app's request to receive notifications. For details on personalisation, see section 8.d.i.
e. Personalised product advertisements and recommendations
We personalise the selection of products displayed to you on our platforms based on your account information (for details on this data category, see section 8.d.i. Personalised newsletter) and, consequently, your presumed interests, in order to make the content more relevant and useful to you.
Legal basis: Account information is processed on the basis of our legitimate interest pursuant to Art. 6 para. 1 lit. f GDPR. Our legitimate interest is to show our customers advertising that is as interesting as possible for them. This includes:
Identification as gifter or user. It is necessary to identify you as a gifter or user in order to show you personalised recommendations that match your presumed purchasing motivation.
Identification of your preferences. It is necessary to determine your preferred genre and favourite Tonies characters. This is required in order to recommend products and audio content that match your preferences.
f. Measuring the effectiveness of our marketing campaigns
Based on your consent (Art. 6 para. 1 lit. a GDPR), we use your data to measure the effectiveness of our marketing campaigns.
In doing so, we measure, for example, whether a particular marketing campaign has led to specific listening activities.
Withdrawal of consent: You can withdraw your consent at any time with future effect. The lawfulness of the processing of your data until withdrawal remains unaffected.
9. Additional services
a. Refer a Friend
We offer various tools and features that allow you to share third-party information with us. For example, our referral services allow you to provide information about your friends. With the help of our referral services, you can forward or share certain content with friends, such as an email invitation to use our services. If you use these features, we will only store your friends' email addresses to enable this referral.
b. Surveys and raffles
We can also offer surveys, raffles, and competitions, which may also involve the processing of personal data. The contact details you provide may be used to contact you in connection with raffles or competitions, as well as for other advertising, marketing, or business purposes to the extent permitted by law. Some jurisdictions require us to publish the details of winners.
Participation in such surveys and raffles is always voluntary. We use third-party providers to assist us in conducting these surveys and raffles. In some cases, we only receive anonymised data from these third-party providers, while in other cases we assign the data to your customer account. For each survey and raffle, we provide you with separate information about the exact processing of personal data.
10. Applications
You can apply to us electronically. Please use the application form provided at tonies.de and be aware of our privacy policy, which contains detailed information on data protection for applications.
11. Social media presence
This data protection notice applies for the following social media appearances by us:
Legal basis: Our social media presence is based on our legitimate interest (Art. 6 para. 1 lit. f GDPR) to ensure a comprehensive presence on the internet. Depending on the social media service, usage data may also be analyzed to improve our social media presence. The legal basis for this is then the legitimate interest in analyzing usage data to improve Tonies' profile (Art. 6 para. 1 lit. f GDPR).
Responsible party and assertion of rights: When you visit one of our social media sites on Facebook, Instagram, LinkedIn, Pinterest or TikTok, we are jointly responsible with the operator of the social media platform for the data processing operations triggered during this visit (Art. 26 GDPR).
The Joint Controller Agreements are available at:
Facebook/Instagram: https://www.facebook.com/legal/terms/page_controller_addendum
Pinterest:https://business.pinterest.com/de/pinterest-advertising-services-agreement/united-states-of-america/
TikTok:https://www.tiktok.com/legal/page/global/tiktok-analytics-joint-controller-addendum/en
You can assert your rights in this case (e.g. to access, rectification, erasure, restriction of processing, data portability and complaint) against us as well as against the operator of the respective social media portal.
With regard to our YouTube profile, processing is the sole responsibility of Google (for the EU/EEA, Google Ireland Limited, Google Building Gordon House, 4 Barrow St, Dublin, D04 E5W5, Ireland, and Google Ireland Limited uses Google LLC in the USA (1600 Amphitheatre Parkway, Mountain View, CA 94043, USA) as a service provider). Information about the processing of personal data by Google can be found in Google's privacy policy: https://policies.google.com/privacy.
III. Recipients and categories of recipients
Access to your personal data is restricted to those persons who need to know it in order to perform their professional duties (need-to-know principle).
Your personal data will only be disclosed to third parties (e.g. courts, police authorities or law enforcement agencies) if we are legally required to do so, if you have given your consent or another legal basis exists for this.
We may transfer your personal data for the respective purposes, in particular to the recipients and recipient categories listed below:
Private third parties: Other non-public entities, regardless of whether they are companies affiliated with us or not. For example, in the event of a merger, acquisition, financial due diligence, restructuring, insolvency, bankruptcy administration or purchase or sale of assets, your personal data may be transferred as part of such a transaction, to the extent permitted by law and/or contract.
Processors: We require support from third parties, such as hosting, IT, SaaS and marketing service providers. In such cases, we have concluded appropriate processing agreements (Art. 28 GDPR) with our service providers.
Authorities, courts, external consultants and similar third parties: We may be required to disclose personal data to authorities, courts, external advisors and similar third parties. This may be necessary, for example, to protect the rights, property or safety of you, us or third parties. In doing so, we will only disclose your data to the extent required by applicable law.
IV. Data transfer to third countries
Occasionally, your personal data will be transferred to service providers based outside the European Union or the European Economic Area. When we transfer data in this way, we ensure that an adequate level of data protection is guaranteed by implementing at least one of the following measures:
Adequacy decision by the European Commission pursuant to Art. 45 GDPR that an adequate level of data protection exists in the country of destination of the transfer.
The conclusion of standard contractual clauses (SCC) issued by the European Commission pursuant to Art. 46 GDPR.
The existence of binding corporate rules (BCR) approved by a supervisory authority based in the EU pursuant to Art. 47 GDPR.
We will be happy to provide you with the relevant documents/measures on request. The wording of the European Commission's standard contractual clauses is also available here: https://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:32021D0914
V. Retention period We process and store your personal data only for as long as is necessary to fulfil our contractual and legal obligations. If the purpose for storage no longer applies, we will delete your personal data on a regular basis, unless its temporary further processing is necessary to fulfil commercial and tax law retention obligations or to preserve evidence within the framework of the statutory limitation provisions.
The retention periods vary depending on the type of personal data collected and the purpose of the processing.
You can find more details on the retention periods in section III above and for cookies in the cookie banner.
VI. Your rights
According to applicable data protection law, you may have the following rights. To exercise your rights, please contact us using the contact details provided in section I.
Right of access You have the right to request information about whether we process personal data about you and to request a copy of the personal data we process. Please note that the right to access is not an absolute right and, for example, the legitimate interests of other persons may lead to a restriction of the right to access information.
Right to rectification You have the right to request the rectification of personal data concerning you that you believe to be inaccurate or incomplete. Taking into account the purposes of the processing, you also have the right to request the completion of incomplete personal data, including by means of a supplementary statement.
Right to erasure Under certain circumstances, you have the right to request the erasure of your personal data.
Right to restriction of processing Under certain circumstances, you have the right to request that we restrict the processing of personal data.
Right to data portability If the required conditions are met, you have the right to data portability regarding the personal data you have provided to us, i.e. the right to receive this data in a structured, commonly used and machine-readable format and, if necessary, to transfer this data to another controller without hindrance.
Right to object the processing You have the right to object to our processing of your data at any time for reasons arising from your particular situation, insofar as this is based on the protection of legitimate interests. If you exercise your right to object, we will cease processing unless we can demonstrate compelling legitimate grounds for further processing that outweigh your rights and interests. If we process your personal data for direct marketing purposes, you have the right to object to the processing of your data by us for this purpose at any time. If you exercise your right to object, we will cease processing your data for this purpose.
Right to withdraw consent You may withdraw your consent(s) at any time with future effect. This does not affect the lawfulness of the processing of your data until revocation.
Right to lodge a complaint with the supervisory authority If you believe that the processing of your personal data violates the GDPR, you also have the right to lodge a complaint with a supervisory authority.
You can consult the list of supervisory authorities of the European Data Protection Board to find the contact details of the relevant authority: https://edpb.europa.eu/about-edpb/about-edpb/members_en
To exercise your rights, you can use this contact form, make changes directly in your mytonies profile, or contact us at the address provided in the section above entitled ‘Name and contact details of the controller’ or contact our data protection officer (see section II above).
Notice to users in California: For information on additional rights, please see the section entitled “Additional privacy rights for California residents”.
VII. Note - No intentional collection of data from children
Although our services are intended to be enjoyed by users of all ages, we only collect personal information from adult users, and do not knowingly collect personal information from children under 13 (or other age as required under applicable law) as part of our services. Users may not upload audio of a child or other personal information that may identify a child without first obtaining the explicit consent of that child’s parent or guardian. Parents or guardians should supervise their children’s use of our services at all times. If you are a parent or guardian and learn that your child has provided us with personal information without your consent, you may contact us as specified in section I .
VIII. Status and updating of this data protection notice
We regularly update our website, app and products. Such updates may require adjustments to this privacy policy. In this case, we will publish a new version of the privacy policy on our website and in the app.
This privacy policy was last updated in September 2025.
IX. Additional information for persons resident in the United State
The following section applies to our US customers.
Your Choices regarding Cookies
You may stop or restrict the placement of cookies and similar technologies on your device or remove them by adjusting your preferences as your browser or device permits. The online advertising industry also provides websites from which you may opt out of receiving targeted ads from data partners and other advertising partners that participate in self-regulatory programs. You can access these and learn more about targeted advertising and consumer choice and privacy, at www.networkadvertising.org/managing/opt_out.asp, http://www.youronlinechoices.eu/, and https://youradchoices.ca/choices/. To separately make choices for mobile apps on a mobile device, you can download DAA’s AppChoices application from your device’s app store. Alternatively, for some devices you may use your device’s platform controls in your settings to exercise choice.
Information for residents of California
This section only applies to our processing of personal information that is subject to the California Consumer Privacy Act of 2018 ("CCPA").
Category of Personal Information Collected | Examples | Category of Third Parties to Whom We Disclose Information |
|---|---|---|
A. Identifiers. | A real name, alias, postal address, unique personal identifier, online identifier, Internet Protocol address, email address, account name, or other similar identifiers. | Service Providers, Data analytics providers, Advertising networks |
B. Personal information categories listed in the California Customer Records statute (Cal. Civ. Code § 1798.80(e)). | A name or address. | Service Providers |
C. Protected classification characteristics under California or federal law. | Age (40 years or older) | Service Providers, Data analytics providers |
D. Commercial information. | Records of products or services purchased, obtained, or considered, or other purchasing or consuming histories or tendencies. | Service Providers, Data analytics providers, Advertising networks |
E. Internet or other electronic network activity. | Profile reflecting a consumer's preferences. | Service Providers, Data analytics providers, Advertising networks |
F. Inferences drawn from other personal information to create a profile about a consumer. | Profile reflecting a consumer's preferences. | Service Providers, Data analytics providers, Advertising networks |
Furthermore, California residents have the right to be informed whether tonies has shared this personal data for business purposes (e.g. with a service provider) in the past 12 months. California residents can find the relevant information below:
tonies does not “sell” personal data within the meaning of the CCPA and has no knowledge of the “sale” of personal data of minors under the age of 16. 2. Additional data protection rights for residents of California
In addition to the rights described in the section titled "Your privacy rights" above, California residents have the following rights:
Non-Discrimination
: California residents have the right not to receive discriminatory treatment by us for the exercise of their rights conferred by the CCPA.
Authorized Agent:
You, or someone legally authorized to act on your behalf, may make a verifiable consumer request related to your personal information. To designate an authorized agent, please contact us as set forth in the section "Controller's name and address and whom you can contact" above and provide written authorization signed by you and your designated agent.
Verification:
To protect your privacy when you make a request, we will ask you to provide sufficient information that allows us to reasonably verify you are the person about whom we collected personal information or an authorized representative, which may include asking you to answer questions regarding your use of our services.
Refer-a-Friend and Similar Incentive Programs
We may offer referral programs or other incentivized data collection programs. For example, we may offer incentives to you such as discounts or promotional items or credit in connection with these programs, wherein you provide your personal information in exchange for a reward, or provide personal information regarding your friends or colleagues (such as their email address) and receive rewards when they sign up to use our Services. (The referred party may also receive rewards for signing up via your referral.) These programs are entirely voluntary and allow us to grow our business and provide additional benefits to you. The value of your data to us depends on how you ultimately use our Services, whereas the value of the referred party's data to us depends on whether the referred party ultimately becomes a User of our Services. Said value will be reflected in the incentive offered in connection with each program.
Information for residents of Nevada
If you are a resident of Nevada, you have the right to opt-out of the sale of certain Personal Information to third parties who intend to license or sell that Personal Information. You can exercise this right by contacting us at privacy.us@tonies.com with the subject line "Nevada Do Not Sell Request" and providing us with your name and the email address associated with your account. Please note that we do not currently sell your Personal Information as sales are defined in Nevada Revised Statutes Chapter 603A.
Updated June 2026
![[EN-GB] - EOL Featured Menu](https://res.cloudinary.com/tonies/image/fetch/f_auto,q_auto,c_fill,w_100,h_100/https://images.ctfassets.net/l6vo76cztcax/1T3lteRpYOf9Kcg8Uo7aRB/305b574ec8aee386661078fc80b4b4f5/Ecommerce_Featured_Menu_736x736__2_.jpg)



![[EN-GB] - Featured Menu "Tonieplay"](https://res.cloudinary.com/tonies/image/fetch/f_auto,q_auto,c_fill,w_100,h_100/https://images.ctfassets.net/l6vo76cztcax/2zOANiqgrrL1Tlhib1POQU/a4363ff6cf1a624cc0f29c5535806669/736x736_Tonieplay.png)