Privacy

Privacy

Privacy Policy

Last updated on May 28, 2025

Save everything on CloudCraft for free.

Upgrade for unlimited storage, end-to-end security, web editorand dedicated enterprise features.

Welcome to Toolhouse ("we," "us," or "our"). This Privacy Policy explains how we collect, use, disclose, and safeguard your personal information when you use our backend-as-a-service platform, website, and related services (collectively, the "Services").


1. Information We Collect

1.1 Personal Information

We collect personal information that you voluntarily provide to us, including:

  • Name and contact information (email address, phone number)

  • Account credentials and authentication data

  • Billing and payment information

  • Professional information (company name, job title)

  • Communications with our support team

1.2 Service Data

Through your use of our backend services, we may process:

  • Files and documents you store through our platform

  • Application data and databases

  • API keys and authentication tokens

  • User authentication data for your applications

  • Analytics and usage metrics

  • Log files and system performance data

1.3 Usage Information

We automatically collect information about your use of our Services, including:

  • IP addresses and device identifiers

  • Browser type and version

  • Operating system information

  • Pages visited and features used

  • Date and time of access

  • Referring and exit pages

  • Performance metrics and error logs

1.4 Cookies and Similar Technologies

We use cookies, web beacons, and similar tracking technologies to enhance your experience and collect usage information. See our Cookie Policy for detailed information about the types of cookies we use and your choices.


2. Legal Basis for Processing

We process your personal information based on the following legal grounds:

  • Contract Performance: To provide our Services and fulfill our contractual obligations

  • Legitimate Interests: To improve our Services, ensure security, and conduct business operations

  • Consent: Where you have provided explicit consent for specific processing activities

  • Legal Compliance: To comply with applicable laws and regulations


3. How We Use Your Information

We use collected information for the following purposes:

  • Providing, maintaining, and improving our Services

  • Processing transactions and managing your account

  • Communicating with you about your account, services, and support

  • Sending newsletters and promotional materials (with your consent)

  • Analyzing usage patterns and optimizing platform performance

  • Detecting and preventing fraud, abuse, and security threats

  • Enforcing our Terms of Service and other policies

  • Complying with legal obligations and resolving disputes

  • Conducting analytics for business intelligence purposes


4. Data Processing Roles and Information Sharing

4.1 Our Role as Data Processor

For data you store through our Services on behalf of your end users, we typically act as a data processor (under GDPR) or service provider (under CCPA), while you act as the data controller or business. In this capacity:

  • You determine the purposes and means of processing personal data

  • We process data only according to your documented instructions

  • You are responsible for ensuring lawful basis for processing and obtaining necessary consents

  • We assist you in responding to data subject requests and compliance obligations

4.2 Our Role as Data Controller

For your account information, billing data, and usage analytics that we collect directly from you, we act as the data controller and are responsible for compliance with applicable privacy laws.

4.3 Third-Party Service Providers and Subprocessors

We may engage trusted third-party subprocessors to assist us in providing our Services, including:

  • Cloud infrastructure providers (AWS, Google Cloud, Azure)

  • Content delivery networks (CDNs)

  • Monitoring and analytics services

  • Payment processors

  • Customer support platforms

  • Security and fraud prevention services

  • Backup and disaster recovery services

We maintain a list of our subprocessors and will notify you of any changes. All subprocessors are contractually bound to protect your information and may only process it for the specific services they provide to us.

4.4 Customer Data Isolation

We implement logical data isolation to ensure that your data and your end users' data is separated from other customers' data. However, we may process aggregated, anonymized usage statistics across our platform for service improvement purposes.

4.5 No Sale of Personal Data

We do not sell personal data to third parties for monetary or other valuable consideration. We do not share personal data with third parties for their own marketing purposes.

4.6 Legal Requirements

We may disclose your information when required by law or when we believe disclosure is necessary to:

  • Comply with legal obligations, court orders, or government requests

  • Protect our rights, property, or safety, or that of our users

  • Investigate potential violations of our Terms of Service

  • Prevent fraud or other illegal activities

4.7 Business Transfers

In the event of a merger, acquisition, reorganization, or sale of assets, your information may be transferred as part of that transaction. We will notify you of any such change in ownership or control of your personal information.

4.8 Consent-Based Sharing

We may share your information with your explicit consent for purposes not covered in this Privacy Policy.


5. International Data Transfers

Our Services operate globally with servers distributed across multiple jurisdictions. When we transfer your personal information across borders, we ensure appropriate safeguards are in place, including:

  • Standard Contractual Clauses approved by relevant authorities

  • Adequacy decisions by competent data protection authorities

  • Other legally recognized transfer mechanisms

Regulatory Compliance: We are committed to honoring current data protection regulations, including the General Data Protection Regulation (GDPR) for European users and the California Consumer Privacy Act (CCPA) for California residents, where applicable to your personal data.


6. Data Retention

6.1 General Retention Period

We retain your personal information for up to 365 days from the date of collection or your last interaction with our Services, unless:

  • A longer retention period is required by law

  • You have a custom retention policy as part of your service tier

  • Early deletion is requested and technically feasible

6.2 Service Data

Data stored through our backend services is retained according to your chosen service plan and any custom retention policies you have configured.

6.3 Account Deletion

When you delete your account, we will delete or anonymize your personal information within 30 days, except where retention is required for legal compliance, dispute resolution, or fraud prevention.


7. Your Rights and Choices

Depending on your location and applicable laws, you may have the following rights:

7.1 Access and Portability

  • Request access to your personal information

  • Receive a copy of your data in a portable format

7.2 Correction and Updates

  • Correct inaccurate or incomplete personal information

  • Update your account information through your account settings

7.3 Deletion

  • Request deletion of your personal information

  • Delete your account through your account settings

7.4 Processing Restrictions

  • Object to or restrict certain processing of your personal information

  • Withdraw consent where processing is based on consent

7.5 Communication Preferences

  • Unsubscribe from marketing communications

  • Adjust notification settings in your account

7.6 Data Processing Requests (For Customer Data)

If you are an end user of one of our customer's applications, and your data is processed through our Services:

  • Contact the application owner directly for data requests (they are the data controller)

  • We will assist our customers in responding to legitimate data subject requests

  • In some cases, we may refer you to the appropriate customer/data controller

7.7 API Access and Data Export

  • Access your data through our APIs and dashboard

  • Export your data in standard formats (JSON, CSV where applicable)

  • Migrate your data to other services using our export tools


8. Security Measures

We implement industry-standard technical and organizational security measures to protect your personal information, including:

8.1 Technical Safeguards

  • Encryption: Data is encrypted both in transit (using TLS 1.2+) and at rest (using AES-256 or equivalent)

  • Access Controls: Multi-factor authentication and role-based access controls for our systems

  • Network Security: Firewalls, intrusion detection systems, and secure network architectures

  • API Security: Rate limiting, authentication tokens, and secure API design practices

  • Backup Systems: Automated, encrypted backups with geographic redundancy

8.2 Operational Safeguards

  • Regular security assessments and penetration testing

  • Employee training on data protection and security practices

  • Incident response procedures and monitoring systems

  • Vendor security assessments for all subprocessors

  • Compliance with industry security frameworks (SOC 2, ISO 27001 principles)

8.3 Data Processing Safeguards

  • Logical data isolation between customers

  • Audit logging of data access and processing activities

  • Data minimization and purpose limitation practices

  • Regular data integrity checks and validation

However, no method of transmission over the internet or electronic storage is completely secure. While we implement robust security measures, we cannot guarantee absolute security of your information.


9. Data Breach Notification

In the event of a data breach that poses a risk to your rights and freedoms, we will:

  • Notify relevant supervisory authorities within 72 hours where required by law

  • Inform affected users without undue delay when the breach poses a high risk

  • Provide information about the nature of the breach and steps being taken to address it


10. Children's Privacy

Our Services are not intended for individuals under the age of 18. We do not knowingly collect personal information from children under 18. If we become aware that we have collected personal information from a child under 18, we will take steps to delete such information promptly.


11. Changes to This Privacy Policy

We may update this Privacy Policy periodically to reflect changes in our practices, Services, or applicable laws. We will:

  • Post the updated Privacy Policy on our website

  • Notify users of material changes via email or through our Services

  • Update the "Last Updated" date at the top of this Privacy Policy

Your continued use of our Services after any modifications constitutes your acknowledgment and acceptance of the updated Privacy Policy.


12. Contact Information

If you have questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us:

Email: hello@toolhouse.ai

For users in the European Union, you may also contact our Data Protection Officer at: hello@toolhouse.ai

If you are not satisfied with our response, you have the right to lodge a complaint with your local data protection authority.

This Privacy Policy is designed to be transparent about our data practices while ensuring compliance with applicable privacy laws. We encourage you to read this policy carefully and contact us with any questions.