Privacy Policy
Welcome to Toolhouse ("we," "us," or "our"). This Privacy Policy explains how we collect, use, disclose, and safeguard your personal information when you use our backend-as-a-service platform, website, and related services (collectively, the "Services").
1. Information We Collect
1.1 Personal Information
We collect personal information that you voluntarily provide to us, including:
Name and contact information (email address, phone number)
Account credentials and authentication data
Billing and payment information
Professional information (company name, job title)
Communications with our support team
1.2 Service Data
Through your use of our backend services, we may process:
Files and documents you store through our platform
Application data and databases
API keys and authentication tokens
User authentication data for your applications
Analytics and usage metrics
Log files and system performance data
1.3 Usage Information
We automatically collect information about your use of our Services, including:
IP addresses and device identifiers
Browser type and version
Operating system information
Pages visited and features used
Date and time of access
Referring and exit pages
Performance metrics and error logs
1.4 Cookies and Similar Technologies
We use cookies, web beacons, and similar tracking technologies to enhance your experience and collect usage information. See our Cookie Policy for detailed information about the types of cookies we use and your choices.
2. Legal Basis for Processing
We process your personal information based on the following legal grounds:
Contract Performance: To provide our Services and fulfill our contractual obligations
Legitimate Interests: To improve our Services, ensure security, and conduct business operations
Consent: Where you have provided explicit consent for specific processing activities
Legal Compliance: To comply with applicable laws and regulations
3. How We Use Your Information
We use collected information for the following purposes:
Providing, maintaining, and improving our Services
Processing transactions and managing your account
Communicating with you about your account, services, and support
Sending newsletters and promotional materials (with your consent)
Analyzing usage patterns and optimizing platform performance
Detecting and preventing fraud, abuse, and security threats
Enforcing our Terms of Service and other policies
Complying with legal obligations and resolving disputes
Conducting analytics for business intelligence purposes
4. Data Processing Roles and Information Sharing
4.1 Our Role as Data Processor
For data you store through our Services on behalf of your end users, we typically act as a data processor (under GDPR) or service provider (under CCPA), while you act as the data controller or business. In this capacity:
You determine the purposes and means of processing personal data
We process data only according to your documented instructions
You are responsible for ensuring lawful basis for processing and obtaining necessary consents
We assist you in responding to data subject requests and compliance obligations
4.2 Our Role as Data Controller
For your account information, billing data, and usage analytics that we collect directly from you, we act as the data controller and are responsible for compliance with applicable privacy laws.
4.3 Third-Party Service Providers and Subprocessors
We may engage trusted third-party subprocessors to assist us in providing our Services, including:
Cloud infrastructure providers (AWS, Google Cloud, Azure)
Content delivery networks (CDNs)
Monitoring and analytics services
Payment processors
Customer support platforms
Security and fraud prevention services
Backup and disaster recovery services
We maintain a list of our subprocessors and will notify you of any changes. All subprocessors are contractually bound to protect your information and may only process it for the specific services they provide to us.
4.4 Customer Data Isolation
We implement logical data isolation to ensure that your data and your end users' data is separated from other customers' data. However, we may process aggregated, anonymized usage statistics across our platform for service improvement purposes.
4.5 No Sale of Personal Data
We do not sell personal data to third parties for monetary or other valuable consideration. We do not share personal data with third parties for their own marketing purposes.
4.6 Legal Requirements
We may disclose your information when required by law or when we believe disclosure is necessary to:
Comply with legal obligations, court orders, or government requests
Protect our rights, property, or safety, or that of our users
Investigate potential violations of our Terms of Service
Prevent fraud or other illegal activities
4.7 Business Transfers
In the event of a merger, acquisition, reorganization, or sale of assets, your information may be transferred as part of that transaction. We will notify you of any such change in ownership or control of your personal information.
4.8 Consent-Based Sharing
We may share your information with your explicit consent for purposes not covered in this Privacy Policy.
5. International Data Transfers
Our Services operate globally with servers distributed across multiple jurisdictions. When we transfer your personal information across borders, we ensure appropriate safeguards are in place, including:
Standard Contractual Clauses approved by relevant authorities
Adequacy decisions by competent data protection authorities
Other legally recognized transfer mechanisms
Regulatory Compliance: We are committed to honoring current data protection regulations, including the General Data Protection Regulation (GDPR) for European users and the California Consumer Privacy Act (CCPA) for California residents, where applicable to your personal data.
6. Data Retention
6.1 General Retention Period
We retain your personal information for up to 365 days from the date of collection or your last interaction with our Services, unless:
A longer retention period is required by law
You have a custom retention policy as part of your service tier
Early deletion is requested and technically feasible
6.2 Service Data
Data stored through our backend services is retained according to your chosen service plan and any custom retention policies you have configured.
6.3 Account Deletion
When you delete your account, we will delete or anonymize your personal information within 30 days, except where retention is required for legal compliance, dispute resolution, or fraud prevention.
7. Your Rights and Choices
Depending on your location and applicable laws, you may have the following rights:
7.1 Access and Portability
Request access to your personal information
Receive a copy of your data in a portable format
7.2 Correction and Updates
Correct inaccurate or incomplete personal information
Update your account information through your account settings
7.3 Deletion
Request deletion of your personal information
Delete your account through your account settings
7.4 Processing Restrictions
Object to or restrict certain processing of your personal information
Withdraw consent where processing is based on consent
7.5 Communication Preferences
Unsubscribe from marketing communications
Adjust notification settings in your account
7.6 Data Processing Requests (For Customer Data)
If you are an end user of one of our customer's applications, and your data is processed through our Services:
Contact the application owner directly for data requests (they are the data controller)
We will assist our customers in responding to legitimate data subject requests
In some cases, we may refer you to the appropriate customer/data controller
7.7 API Access and Data Export
Access your data through our APIs and dashboard
Export your data in standard formats (JSON, CSV where applicable)
Migrate your data to other services using our export tools
8. Security Measures
We implement industry-standard technical and organizational security measures to protect your personal information, including:
8.1 Technical Safeguards
Encryption: Data is encrypted both in transit (using TLS 1.2+) and at rest (using AES-256 or equivalent)
Access Controls: Multi-factor authentication and role-based access controls for our systems
Network Security: Firewalls, intrusion detection systems, and secure network architectures
API Security: Rate limiting, authentication tokens, and secure API design practices
Backup Systems: Automated, encrypted backups with geographic redundancy
8.2 Operational Safeguards
Regular security assessments and penetration testing
Employee training on data protection and security practices
Incident response procedures and monitoring systems
Vendor security assessments for all subprocessors
Compliance with industry security frameworks (SOC 2, ISO 27001 principles)
8.3 Data Processing Safeguards
Logical data isolation between customers
Audit logging of data access and processing activities
Data minimization and purpose limitation practices
Regular data integrity checks and validation
However, no method of transmission over the internet or electronic storage is completely secure. While we implement robust security measures, we cannot guarantee absolute security of your information.
9. Data Breach Notification
In the event of a data breach that poses a risk to your rights and freedoms, we will:
Notify relevant supervisory authorities within 72 hours where required by law
Inform affected users without undue delay when the breach poses a high risk
Provide information about the nature of the breach and steps being taken to address it
10. Children's Privacy
Our Services are not intended for individuals under the age of 18. We do not knowingly collect personal information from children under 18. If we become aware that we have collected personal information from a child under 18, we will take steps to delete such information promptly.
11. Changes to This Privacy Policy
We may update this Privacy Policy periodically to reflect changes in our practices, Services, or applicable laws. We will:
Post the updated Privacy Policy on our website
Notify users of material changes via email or through our Services
Update the "Last Updated" date at the top of this Privacy Policy
Your continued use of our Services after any modifications constitutes your acknowledgment and acceptance of the updated Privacy Policy.
12. Contact Information
If you have questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us:
Email: hello@toolhouse.ai
For users in the European Union, you may also contact our Data Protection Officer at: hello@toolhouse.ai
If you are not satisfied with our response, you have the right to lodge a complaint with your local data protection authority.
This Privacy Policy is designed to be transparent about our data practices while ensuring compliance with applicable privacy laws. We encourage you to read this policy carefully and contact us with any questions.