ToGather – Privacy Policy
This Privacy Policy describes how 2G Labs, publisher of the ToGather application, collects, uses, and protects your personal data, in accordance with the General Data Protection Regulation (GDPR – EU Regulation 2016/679) and applicable data protection laws.
1. Data Controller
2G Labs
Simplified joint-stock company with sole shareholder (SASU) with variable share capital
Minimum share capital: €100
Subscribed share capital: €1,000
SIREN: 101 862 951
Registered address: 58 rue de Monceau, 75008 Paris 8th Arrondissement – France
Email: [email protected]
Website: https://togatherapp.fr
2. Data Collected
We collect and process the following categories of personal data. Some are required for the service to function; others are strictly optional and subject to your explicit consent.
2.1 Data collected systematically (required for the service)
- Identification data: phone number, first name, username, date of birth, gender, socio-professional category.
- Connection and device data: list of recently used IP addresses, device technical identifier, operating system and version, device push notification token, date of last connection.
- Usage data: interactions with the application, invitations sent and received, meetings organised or joined, messages exchanged in meeting chats.
- Email address: optional — collected only if you wish to exercise your right to data portability.
2.2 Data collected on the basis of your consent
- Location data: geographic position to suggest nearby meetings. Collected only if you explicitly grant geolocation consent within the application.
- Push notifications: activation of notifications on your device, subject to your notifications consent. The device push notification token is collected and retained only for the duration of this consent.
- Interests and meeting preferences: languages spoken, hobbies, parental status, smoking status, alcohol consumption.
2.3 Special category data (Art. 9 GDPR) – explicit consent required
The following data fall within the scope of Article 9 of the GDPR ("sensitive data"). Their collection and processing are strictly subject to your explicit and separate consent, obtained within the application. You may withdraw this consent at any time; your data will then be deleted immediately and in full.
- Racial or ethnic origin ART. 9
- Religious or philosophical beliefs ART. 9
- Political opinions ART. 9
- Drug consumption status ART. 9
These data are used solely for matching purposes within the connection algorithm and are never disclosed to third parties.
3. Purposes and Legal Bases for Processing
| Purpose | Legal basis (Art. 6 / Art. 9 GDPR) |
|---|---|
| Account creation and management | Contract performance (Art. 6§b) |
| Provision of the connection service | Contract performance (Art. 6§b) |
| Profiling and personalisation for connection – automated calculation of a compatibility score based on preferences, location, and profile criteria provided by the user | Contract performance (Art. 6§b) / Consent (Art. 6§a) for optional criteria |
| Processing of special category data (Art. 9) for connection purposes | Explicit consent (Art. 9§2a) |
| Collection and processing of geolocation data | Consent (Art. 6§a) |
| Sending push notifications | Consent (Art. 6§a) |
| Service-related communications | Contract performance / Legitimate interest (Art. 6§f) |
| Fraud prevention, abuse prevention, and security management | Legitimate interest (Art. 6§f) |
| Management of user and/or meeting reports and associated legal proceedings | Legitimate interest (Art. 6§f) / Legal obligation (Art. 6§c) |
| Prevention of abusive re-registration following account deletion | Legitimate interest (Art. 6§f) |
| Application logging for security and debugging purposes | Legitimate interest (Art. 6§f) |
| Compliance with legal obligations | Legal obligation (Art. 6§c) |
Information on profiling (Art. 13§2f GDPR)
ToGather incorporates an automated connection algorithm that calculates a compatibility score between users based on their stated preferences and profile data. This processing has no legal effect or similarly significant impact on you: it solely determines the meeting suggestions presented to you within the application. You may object to this profiling by contacting our team at [email protected].
4. Consent Management
Where processing is based on your consent, it is collected explicitly and timestamped in our systems. You may withdraw each of your consents at any time from the application settings. Withdrawal results in the immediate cessation of the relevant processing and the deletion of the corresponding data:
- Withdrawal of geolocation consent: your stored geographic position is immediately deleted.
- Withdrawal of consent to sensitive data (Art. 9): all special category data (racial or ethnic origin, religion, political opinions and drug usage status) is deleted immediately.
- Withdrawal of notifications consent: notifications are disabled and the device push notification token is deleted from our servers.
5. Data Sharing
Your personal data is not sold to any third party. It may only be shared with:
- Technical service providers: hosting and maintenance, bound by a confidentiality agreement and, where applicable, a data processing agreement under Art. 28 GDPR.
- Firebase (Google Ireland Ltd., Gordon House, Barrow Street, Dublin 4, Ireland): for authentication via one-time verification codes sent by SMS and application integrity verification.
- Resend: for sending transactional emails (data exports, activity reports).
- Cloudflare : infrastructure protection via Cloudflare. Data in transit is processed in accordance with Cloudflare's privacy policy and governed by Standard Contractual Clauses under Chapter V of the GDPR.
- Competent authorities: upon judicial or legal request.
No data transfer for advertising purposes takes place.
6. International Data Transfers
Your data is hosted and processed within the European Union. The third-party services referred to in Article 5 may involve transfers to third countries. In such cases, 2G Labs ensures that appropriate safeguards are in place in accordance with Chapter V of the GDPR (Standard Contractual Clauses issued by the European Commission or an adequacy decision).
7. Data Retention
Automated deletion processes are in place to ensure compliance with the following retention periods.
| Data category | Retention period | Details |
|---|---|---|
| Active account data | For the entire duration of use of the service | Until account deletion by the user. |
| Inactive accounts (no connection for 4 years) | 4 years after last connection | Automatic account deletion and immediate anonymisation of all associated data. Users are notified prior to permanent deletion. |
| Identification data following account deletion (phone number, email address, list of recently used IP addresses) | 30 days maximum | Temporary retention to prevent abusive re-registration. Automatic daily deletion. |
| Technical data from inactive devices (push notification token, list of recently used IP addresses, device identifier) | 6 months after last connection | Automatic daily deletion of devices inactive for more than 6 months. |
| Data relating to banned accounts (abusive use of the service, breach of the Terms, legal proceedings, etc.) | Indefinite period | Retained indefinitely. This retention may be limited when the user exercises their GDPR rights, within the limits of applicable legal provisions, in particular where proceedings are ongoing. |
| Report records (frozen copy of identification data of the parties involved) | 1 year from the date of the report | Retained indefinitely where legal proceedings are ongoing. The content of these records is detailed in Article 7.1 below. |
| Expired or declined invitations | 1 year | Automatic daily deletion. |
| Cancelled meetings (participant data and associated messages) | 2 years | Automatic cascading deletion of associated data (participants, invitations, messages). |
| Application logs containing technical identifiers and IP addresses | 14 days | Automatic rotation and deletion. |
| Authentication renewal tokens | 6 months or until explicit revocation | Stored as a non-reversible cryptographic digest. |
| History of SMS verification code sending attempts | 7 days | Automatic deletion upon expiry. |
7.1 Content of report records
When a report is submitted (reporting a user or a meeting), a timestamped frozen copy of the data of the users involved (victim and reported person, and where applicable the meeting organiser) is created for evidentiary purposes. This copy includes in particular: identifiers of the relevant accounts, names, phone numbers, email addresses, IP addresses, usernames, meeting identifier, participants list, content of messages exchanged in the meeting concerned, report reason and details, report date, and indication of any ongoing legal proceedings. These data are retained for 1 year and, where legal proceedings are ongoing, for an indefinite period until the proceedings are closed. The profile data of the reported person at the time of the events is also frozen: biography, avatar, date of birth, gender, as well as the socio-professional category and, where applicable, its precision.
The legal basis for this retention is the legitimate interest of 2G Labs (Art. 6§f) for the purposes of abuse prevention and the protection of individuals, as well as legal obligation (Art. 6§c) in the context of judicial proceedings.
In the event of an account ban (abusive use of the service, breach of the Terms, or legal context), the necessary data are retained for an indefinite period, unless the user exercises their GDPR rights within the limits of applicable legal provisions, in particular where proceedings are ongoing.
8. Data Security
2G Labs implements technical and organisational measures to protect your data against any loss, alteration, disclosure, or unauthorised access, including:
- Encryption of communications in transit via the HTTPS/TLS protocol with activation of strict transport security policy (one-year duration, applicable to subdomains).
- Secure authentication: verification by one-time code sent by SMS, validation performed entirely server-side, short-lived access tokens (15 minutes), application integrity verification at the time of each authentication request.
- Strict access controls: separation of User and Administrator roles, principle of least privilege, restriction of access to personal data to the data subject only.
- Request rate limiting: automatic control mechanisms applied to all sensitive access points.
- Monitoring of administrative access and logging of security events.
- Automated purge processes ensuring compliance with the retention periods defined in Article 7.
9. Your Rights (GDPR)
In accordance with the GDPR, you have the following rights:
- Right of access (Art. 15): obtain a copy of your personal data via the export function available in the application.
- Right to rectification (Art. 16): correct inaccurate or incomplete data from the application or by contacting us.
- Right to erasure (Art. 17): request deletion of your account and immediate anonymisation of your data via the application.
- Right to restriction (Art. 18): request restriction of the processing of your data in certain cases provided for by the GDPR (dispute over accuracy, objection to deletion, etc.).
- Right to data portability (Art. 20): receive your data in a structured, machine-readable format. Requests are processed within a maximum of 30 days. A valid email address is required to receive the export.
- Right to object (Art. 21): object to the processing of your data based on legitimate interest, including automated profiling for connection purposes.
- Right to withdraw consent (Art. 7§3): withdraw your consent at any time from the application settings, without affecting the lawfulness of prior processing.
- Specific rights regarding special category data (Art. 9): withdrawal of consent to sensitive data results in their immediate and full deletion.
The exercise of these rights is subject to legal retention obligations, in particular in the event of a ban and ongoing judicial or administrative proceedings.
To exercise your rights outside of the features available directly in the application, contact us at: [email protected]. We will respond within a maximum of 30 days.
You also have the right to lodge a complaint with the CNIL (French Data Protection
Authority):
3 Place de Fontenoy – TSA 80715 – 75334 Paris Cedex 07 –
www.cnil.fr
10. Cookies and Similar Technologies
The application uses cookies and similar technologies solely to ensure its proper functioning, remember your preferences, and generate anonymous usage statistics. No advertising cookies are used. You can manage your preferences from the application settings.
11. Disclaimer of Liability – In-Person Meetings and Messaging
11.1 In-Person Meetings Between Users
ToGather is exclusively a digital connection tool. 2G Labs disclaims all liability for any incident, accident, physical, moral, or material harm occurring during in-person meetings organised between users, regardless of cause or nature.
Each user is solely responsible for their own actions, personal safety, and the consequences of their meetings. In the event of an incident, contact the relevant authorities (police, emergency services) and report the situation via the ToGather reporting feature or at [email protected].
11.2 In-App Message Exchanges
Messages exchanged between users are private communications placed under the sole responsibility of their authors. 2G Labs shall not be held liable for the content of messages or their consequences (emotional harm, harassment, fraud, etc.).
If you receive illegal, threatening, or harassing messages, use the reporting and blocking features in the application and contact the relevant authorities if necessary.
12. Access Requirements and Service Security
ToGather is reserved for persons aged 18 years and older. Any attempt to gain unauthorised access to 2G Labs' systems (intrusion, automated data collection, denial-of-service attack, etc.) will be subject to legal prosecution under Articles 323-1 to 323-7 of the French Penal Code.
13. Changes to This Privacy Policy
2G Labs reserves the right to amend this policy at any time. Any material changes will be notified to users via the application. Continued use of the service after notification constitutes acceptance of the updated policy.
14. Contact
2G Labs – publisher of the ToGather application
58 rue de Monceau, 75008 Paris – France
SIREN: 101 862 951
Email: [email protected]
Website: https://togatherapp.fr
© 2026 2G Labs – All rights reserved. This document constitutes the official Privacy Policy of the
ToGather application, available on the App Store (Apple) and Google Play Store (Google).
Version 1.5 – updated May 30, 2026. Supersedes version 1.4 of May 29, 2026.