Toasty Legal

Privacy Policy

Effective date: July 1, 2026
Last updated: July 2, 2026

This policy explains how [TOASTY LEGAL ENTITY], [ADDRESS] ("we" or "us") handles personal information in connection with Toasty (the "Service") and our public websites.

1. Two Roles: When We Decide, and When You Do

Toasty processes two very different kinds of data, and our role differs for each:

  • Your account and billing data (we are the controller). For the information you give us to run your account, such as your name, email address, company, and payment details, we decide how and why it is processed, and this policy applies directly.
  • Your email content and prospect data (we are a processor / service provider). The contents of your connected mailboxes, your uploaded prospect lists, and enrichment data about your prospects belong to you, our customer. We process that data only on your instructions, as your service provider (in CCPA terms) and processor, under the Data Processing Addendum. If you are a person whose information appears in a customer's mailbox or prospect list, that customer is the controller of your data and rights requests about it should go to them. If you contact us instead, we will refer your request to the relevant customer where we can identify them, and assist them in responding.

2. What We Collect, From Where, and Why

The table below uses the categories defined by the California Consumer Privacy Act (CCPA/CPRA). Sources are: (a) directly from customers; (b) customers' connected Gmail mailboxes; (c) customers' uploaded prospect lists; and (d) our payment processor.

Categories of personal information
| Category | Examples | Sources | Purposes |
| --- | --- | --- | --- |
| Identifiers | Name, email address, company, account ID | Directly from customers; connected mailboxes; uploaded prospect lists | Account creation and login; providing CRM features; customer support |
| Commercial information | Subscription plan, billing history, transaction records | Directly from customers; payment processor | Billing, invoicing, fraud prevention, accounting |
| Internet or other electronic network activity | Log data, feature usage, email open and reply events | Automatically from use of the Service | Operating and securing the Service; engagement tracking features customers turn on; debugging |
| Professional or employment-related information | Job title, employer, work contact details of prospects | Uploaded prospect lists; prospect discovery and enrichment run at the customer's direction | Providing prospecting and CRM features on the customer's instructions |
| Electronic information, including email content | The contents of messages in connected mailboxes, drafts, threads, attachments metadata | Customers' connected Gmail mailboxes | Syncing the CRM inbox, drafting AI-assisted follow-ups, running sequences, on the customer's instructions |
| Inferences | Lead temperature, follow-up suggestions, engagement scoring | Derived from the categories above | Providing CRM prioritization and AI drafting features to the customer |

We do not collect sensitive personal information as defined by the CPRA (such as government IDs, precise geolocation, or health data) and the Service is not designed to receive it.

3. We Do Not Sell or Share Personal Information

We do not sell personal information, and we do not "share" it for cross-context behavioral advertising as those terms are defined by the CCPA. We are not a data broker, we do not build or resell contact databases, and we have not sold or shared personal information in the preceding 12 months.

4. How We Disclose Information

We disclose personal information only to service providers that help us run the Service (hosting, database, AI text generation, payments, email infrastructure, and email verification), each under contracts restricting their use of the data. The current list is on our Subprocessors page. We may also disclose information if required by law or to protect the Service, our users, or the public.

5. AI Processing

AI drafting and enrichment features send relevant text (for example, a thread you asked us to draft a reply to) to Anthropic's Claude API. Under Anthropic's commercial API terms, Anthropic does not train its models on API inputs or outputs by default, and we have not opted in to any training program. We do not use your email content or prospect data to train models of our own.

6. Credential and Data Security

  • Mailbox credentials (such as Gmail app passwords) are encrypted at rest using AES-256-GCM and are used only to connect to your mailbox over encrypted (TLS) connections.
  • Data in transit is protected with TLS.
  • Access to production systems is limited to personnel who need it to operate the Service.
  • No system is perfectly secure; if a breach affects your personal information we will notify you as required by law, and as promised in the DPA.

7. Retention

We keep account and billing data for as long as your account is active and afterwards as needed for legal, tax, and accounting purposes. We keep Customer Data (email content, prospect records) for as long as your account is active; when your account is terminated, we delete or return it within 30 days as described in the DPA, except for limited backups that expire on a rolling schedule. Disconnecting a mailbox stops new syncing immediately.

8. Your Rights

Depending on where you live, you may have rights to access, correct, delete, or receive a copy of your personal information, and to be free from discrimination for exercising those rights. To make a request, email privacy@sendtoasty.com. We will verify your identity and respond within the time required by law. If your request concerns data we hold as a processor for one of our customers (see Section 1), we will refer it to that customer and assist them.

9. Global Privacy Control

Our public websites honor the Global Privacy Control (GPC) signal as an opt-out preference signal. Because we do not sell or share personal information, receiving a GPC signal does not change how we treat your data, but we recognize it as a valid opt-out where the law gives it effect.

10. Children

The Service is for business use by adults. We do not knowingly collect personal information from anyone under 16, and we do not sell the personal information of minors.

11. Changes to This Policy

If we make material changes, we will notify you by email or in-app before the changes take effect and update the "Last updated" date above.

12. Contact

[TOASTY LEGAL ENTITY], [ADDRESS]
Privacy requests: privacy@sendtoasty.com
General legal: legal@sendtoasty.com