Legal

Privacy Policy

Last updated: 10 June 2026 · Effective date: 10 June 2026

This Privacy Policy explains how TOOLKEN SOLUÇÕES DIGITAIS INOVA SIMPLES (I.S.), a business initiative registered in Brazil under the Inova Simples regime (Lei Complementar 167/2019), CNPJ 66.812.018/0001-04, with registered address at Rua Dona Maria Cesar, 170, Sala 203, Recife, State of Pernambuco, Brazil, CEP 50030-140 ("Toolken," "we," "us," or "our"), collects, uses, shares, and protects personal data when you use the Toolken platform, including the website at toolken.ai, the application at app.toolken.ai, the API gateway, and related services (the "Service").

For the purposes of the Brazilian General Data Protection Law (Lei nº 13.709/2018, "LGPD") and the EU General Data Protection Regulation ("GDPR"), Toolken is the controller of the personal data described in this Policy, except where we act as a processor/operator on your behalf (see Section 3.2).

By using the Service or signing in (including signing in with Google), you acknowledge that you have read and understood this Policy.

1. Who this Policy applies to

This Policy applies to: (a) visitors to our website; (b) account holders and authorized users of the Service ("Customers"); and (c) individuals whose personal data may be contained in data that Customers route through the Service ("End Users"). Section 3.2 explains the difference in our role for End User data.

2. Information we collect

2.1 Account and identity data

When you create an account or sign in, we collect the information needed to identify and authenticate you. If you use Sign in with Google, we receive from Google your name, email address, profile picture, and Google account identifier. If you register by other means, we collect your name, email address, and password credentials.

2.2 Customer Data routed through the gateway

The Service operates as a gateway between your applications and third-party large language model providers ("Third-Party Providers"). When you use it, requests (which may include prompts and completions) transit our systems in order to be forwarded to the Third-Party Provider, but are not stored or logged by Toolken. We retain only operational metadata about each request: token counts, model and provider identifiers, cost, latency and error data, status codes, and the attribution metadata you choose to attach (for example, headers identifying a tenant, customer, feature, agent, environment, or session). We refer to this retained metadata as "Customer Data." We do not capture or persist prompt or response content.

2.3 Usage, device, and technical data

We collect technical information automatically, such as IP address, browser and device type, operating system, pages viewed, referring URLs, timestamps, and interactions with the Service, including through cookies and similar technologies (see Section 5).

2.4 Billing data

For paid plans, payment is processed by a third-party payment processor. We receive limited billing information (such as plan, transaction status, and the last digits or token of a payment method); we do not store full payment card numbers.

2.5 Communications

If you contact us (by email, support channel, or community), we collect the content of your communications and your contact details.

3. How we use information and our legal bases

3.1 Purposes

We use personal data to: create and authenticate accounts; provide, operate, secure, and improve the Service; compute cost attribution, routing, analytics, and budget controls; process payments; communicate with you about the Service; provide support; detect, prevent, and investigate fraud, abuse, and security incidents; and comply with legal obligations.

3.2 Our role with respect to Customer Data

For account and website data, Toolken acts as a controller. For Customer Data that you route through the Service (Section 2.2), Toolken generally acts as a processor/operator that processes such data on your instructions to provide the Service. As the Customer, you are the controller of that data and are responsible for the legal bases and notices applicable to your End Users. Where required by law, the parties will enter into a Data Processing Agreement (DPA).

3.3 Legal bases

  • Performance of a contract (LGPD Art. 7, V; GDPR Art. 6(1)(b)): to provide the Service you request.
  • Consent (LGPD Art. 7, I; GDPR Art. 6(1)(a)): for certain optional processing, such as some cookies and marketing communications. You may withdraw consent at any time.
  • Legitimate interests (LGPD Art. 7, IX; GDPR Art. 6(1)(f)): to secure and improve the Service, prevent abuse, and operate our business, balanced against your rights.
  • Compliance with a legal obligation (LGPD Art. 7, II; GDPR Art. 6(1)(c)): where processing is required by law.

4. Sign in with Google: Limited Use

When you choose Sign in with Google, our access to and use of information received from Google APIs adheres to the Google API Services User Data Policy, including the Limited Use requirements. Specifically:

  • We use Google account information only to authenticate you, create and manage your account, identify you within the Service, and communicate with you about the Service.
  • We do not sell Google user data.
  • We do not use Google user data for advertising.
  • We do not allow humans to read Google user data except as necessary for security, to comply with applicable law, or where you have given affirmative consent.
  • We do not transfer Google user data except as necessary to provide or improve the Service, to comply with law, or as part of a merger or acquisition with appropriate notice.

You may revoke our access to your Google account at any time via your Google Account permissions settings.

5. Cookies and analytics

We use cookies and similar technologies for authentication, preferences, security, and analytics. Our only product-analytics tool is PostHog; the application also uses Sentry for error monitoring. We do not use advertising or cross-site tracking. You can control non-essential cookies through our cookie banner and your browser settings. Full details are in our Cookie Policy.

6. How we share personal data

We do not sell personal data. We share it only as follows, with service providers acting as our sub-processors under appropriate contractual safeguards:

  • Third-Party Providers (such as OpenAI, Anthropic, Google, Groq, Together AI, and OpenAI-compatible endpoints): to route requests on your behalf, as configured by you. Their processing is governed by their own terms and privacy policies.
  • Infrastructure and hosting providers: to host and operate the Service.
  • PostHog (product analytics) and Sentry (error monitoring).
  • Stripe: to process payments.
  • Resend: to send transactional and, where consented, marketing email.
  • Legal and safety: to comply with law, enforce our Terms, or protect the rights, safety, and property of Toolken, our Customers, or others.
  • Business transfers: in connection with a merger, acquisition, or sale of assets, with notice as required by law.

A current list of sub-processors can be provided on request and, where applicable, will be referenced in our DPA.

7. International data transfers

Toolken is based in Brazil, and some of our service providers and Third-Party Providers are located outside Brazil and the EU/EEA, including in the United States. When we transfer personal data internationally, we rely on appropriate safeguards, such as the legal bases for international transfer under LGPD Art. 33 (including contractual clauses and, where applicable, your consent) and, for EU/EEA data, the mechanisms under Chapter V of the GDPR, such as Standard Contractual Clauses or an adequacy decision.

8. Data retention

We retain account and identity data while your account is active and as needed to provide the Service. We retain the operational metadata described in Section 2.2 according to the retention period of your plan, after which it may be deleted or aggregated/anonymized. We retain certain data longer where required to comply with legal obligations, resolve disputes, or enforce our agreements. Aggregated or anonymized data that no longer identifies any individual may be retained.

9. Security

We implement reasonable technical and organizational measures designed to protect personal data against unauthorized access, loss, or misuse, including encryption in transit, access controls, and logging. No method of transmission or storage is completely secure, and we cannot guarantee absolute security. If we become aware of a security incident affecting your personal data, we will notify you and the competent authority as required by applicable law.

10. Your rights

10.1 Under the LGPD (Brazil)

You have the right, under LGPD Art. 18, to obtain from Toolken, with respect to your personal data: confirmation of processing; access; correction of incomplete, inaccurate, or outdated data; anonymization, blocking, or deletion of unnecessary or excessive data or data processed in noncompliance with the law; portability; deletion of data processed with consent; information about with whom we share data; information about the consequences of denying consent; and revocation of consent. You may also petition the Autoridade Nacional de Proteção de Dados (ANPD).

10.2 Under the GDPR (EU/EEA)

If you are in the EU/EEA, you have the rights of access, rectification, erasure ("right to be forgotten"), restriction of processing, data portability, objection to processing (including profiling), and withdrawal of consent. You also have the right to lodge a complaint with your local data protection supervisory authority.

10.3 Other regions

Residents of certain other jurisdictions (such as California) may have additional rights regarding their personal information. We will honor applicable rights as required by law.

10.4 How to exercise your rights

To exercise any right, contact us using the details in Section 13. We will respond within the timeframe required by applicable law. For End User data that we process on a Customer's behalf, please direct your request to the relevant Customer (controller), and we will assist them as their processor.

11. Children

The Service is not directed to individuals under 18, and we do not knowingly collect personal data from children. If you believe a child has provided us personal data, contact us and we will take appropriate steps to delete it.

12. Changes to this Policy

We may update this Policy from time to time. If we make material changes, we will provide reasonable notice (for example, by posting the updated Policy with a new "Last updated" date or by notifying you through the Service or by email). Your continued use of the Service after the changes take effect constitutes acceptance, where permitted by law.

13. Contact: Controller and Data Protection Officer

Controller: TOOLKEN SOLUÇÕES DIGITAIS INOVA SIMPLES (I.S.)
CNPJ 66.812.018/0001-04
Rua Dona Maria Cesar, 170, Sala 203, Recife/PE, Brazil, CEP 50030-140

Privacy contact / Encarregado de Dados (DPO):
Email: [email protected]
Website: https://toolken.ai