Privacy Policy
Effective date: July 1, 2026
Last updated: July 2, 2026
This policy explains how [TOASTY LEGAL ENTITY], [ADDRESS] ("we" or "us") handles personal information in connection with Toasty (the "Service") and our public websites.
1. Two Roles: When We Decide, and When You Do
Toasty processes two very different kinds of data, and our role differs for each:
- Your account and billing data (we are the controller). For the information you give us to run your account, such as your name, email address, company, and payment details, we decide how and why it is processed, and this policy applies directly.
- Your email content and prospect data (we are a processor / service provider). The contents of your connected mailboxes, your uploaded prospect lists, and enrichment data about your prospects belong to you, our customer. We process that data only on your instructions, as your service provider (in CCPA terms) and processor, under the Data Processing Addendum. If you are a person whose information appears in a customer's mailbox or prospect list, that customer is the controller of your data and rights requests about it should go to them. If you contact us instead, we will refer your request to the relevant customer where we can identify them, and assist them in responding.
2. What We Collect, From Where, and Why
The table below uses the categories defined by the California Consumer Privacy Act (CCPA/CPRA). Sources are: (a) directly from customers; (b) customers' connected Gmail mailboxes; (c) customers' uploaded prospect lists; and (d) our payment processor.
| Category | Examples | Sources | Purposes |
|---|---|---|---|
| Identifiers | Name, email address, company, account ID | Directly from customers; connected mailboxes; uploaded prospect lists | Account creation and login; providing CRM features; customer support |
| Commercial information | Subscription plan, billing history, transaction records | Directly from customers; payment processor | Billing, invoicing, fraud prevention, accounting |
| Internet or other electronic network activity | Log data, feature usage, email open and reply events | Automatically from use of the Service | Operating and securing the Service; engagement tracking features customers turn on; debugging |
| Professional or employment-related information | Job title, employer, work contact details of prospects | Uploaded prospect lists; prospect discovery and enrichment run at the customer's direction | Providing prospecting and CRM features on the customer's instructions |
| Electronic information, including email content | The contents of messages in connected mailboxes, drafts, threads, attachment metadata | Customers' connected Gmail mailboxes | Syncing the CRM inbox, drafting AI-assisted follow-ups, running sequences, on the customer's instructions |
| Inferences | Lead temperature, follow-up suggestions, engagement scoring | Derived from the categories above | Providing CRM prioritization and AI drafting features to the customer |
We do not collect sensitive personal information as defined by the CPRA (such as government IDs, precise geolocation, or health data) and the Service is not designed to receive it.
3. We Do Not Sell or Share Personal Information
We do not sell personal information, and we do not "share" it for cross-context behavioral advertising as those terms are defined by the CCPA. We are not a data broker, we do not build or resell contact databases, and we have not sold or shared personal information in the preceding 12 months.
4. How We Disclose Information
We disclose personal information only to service providers that help us run the Service (hosting, database, AI text generation, payments, email infrastructure, and email verification), each under contracts restricting their use of the data. The current list is on our Subprocessors page. We may also disclose information if required by law or to protect the Service, our users, or the public.
5. AI Processing
AI drafting and enrichment features send relevant text (for example, a thread you asked us to draft a reply to) to Anthropic's Claude API. Under Anthropic's commercial API terms, Anthropic does not train its models on API inputs or outputs by default, and we have not opted in to any training program. We do not use your email content or prospect data to train models of our own.
6. Credential and Data Security
- Mailbox credentials (such as Gmail app passwords) are encrypted at rest using AES-256-GCM and are used only to connect to your mailbox over encrypted (TLS) connections.
- Data in transit is protected with TLS.
- Access to production systems is limited to personnel who need it to operate the Service.
- No system is perfectly secure; if a breach affects your personal information we will notify you as required by law, and as promised in the DPA.
7. Retention
We keep account and billing data for as long as your account is active and afterwards as needed for legal, tax, and accounting purposes. We keep Customer Data (email content, prospect records) for as long as your account is active; when your account is terminated, we delete or return it within 30 days as described in the DPA, except for limited backups that expire on a rolling schedule. Disconnecting a mailbox stops new syncing immediately.
8. Your Rights
Depending on where you live, you may have rights to access, correct, delete, or receive a copy of your personal information, and to be free from discrimination for exercising those rights. To make a request, email privacy@sendtoasty.com. We will verify your identity and respond within the time required by law. If your request concerns data we hold as a processor for one of our customers (see Section 1), we will refer it to that customer and assist them.
9. Global Privacy Control
Our public websites honor the Global Privacy Control (GPC) signal as an opt-out preference signal. Because we do not sell or share personal information, receiving a GPC signal does not change how we treat your data, but we recognize it as a valid opt-out where the law gives it effect.
10. Children
The Service is for business use by adults. We do not knowingly collect personal information from anyone under 16, and we do not sell the personal information of minors.
11. Changes to This Policy
If we make material changes, we will notify you by email or in-app before the changes take effect and update the "Last updated" date above.
12. Contact
[TOASTY LEGAL ENTITY], [ADDRESS]
Privacy requests: privacy@sendtoasty.com
General legal: legal@sendtoasty.com