Privacy Policy

1. Introduction

This Privacy Policy explains how tollara.ai ("we", "us", "our") collects, uses, stores, shares, and protects personal data when you use the tollara.ai platform, including our website, APIs, SDKs, marketplace, account features, billing features, and related services ("Service").

This policy applies to Users, Subscribers, Developers, account holders, website visitors, and people who contact us. It should be read together with our Terms and Conditions.

2. Personal Data We Collect

We may collect and process the following categories of personal data:

• Account data, such as your name, username, email address, password credentials, roles, preferences, and account status
• Developer profile data, such as business type, business name, public profile details, branded API domain settings, service listings, documentation, logos, and support information
• Billing and transaction data, such as subscription records, usage charges, credits, refunds, payout records, tax-related details, fraud signals, chargeback information, and payment provider references
• Service usage data, such as API keys, access tokens, request identifiers, endpoints called, timestamps, usage units, rate-limit events, subscription status, quota checks, logs, and diagnostic information
• User content, such as prompts, inputs, outputs, files, configurations, service descriptions, messages, support requests, and other content submitted through the Service
• Communications data, such as messages you send to us, support tickets, dispute information, and feedback
• Technical data, such as IP address, device and browser information, approximate location from network data, cookies, session data, and security event logs

3. How We Use Personal Data

We use personal data to:

• Create, authenticate, secure, and administer accounts
• Provide the marketplace, APIs, SDKs, service invocation, subscriptions, usage metering, billing, refunds, and payout features
• Route requests between Users, Subscribers, Developers, and Developer services where needed to provide the Service
• Operate, monitor, debug, improve, and protect the Service
• Prevent fraud, abuse, unauthorised access, payment evasion, security incidents, and misuse of the Service
• Communicate with you about your account, subscriptions, services, disputes, security, legal notices, support requests, and product updates
• Comply with legal, regulatory, tax, accounting, sanctions, and payment provider obligations
• Enforce our Terms and protect our rights, users, Developers, marketplace, and third parties

4. Lawful Bases for UK Users

Where UK data protection law applies, we rely on one or more lawful bases depending on the processing activity:

• Contract, where processing is necessary to provide the Service, administer accounts, process subscriptions, meter usage, or support Developer payouts
• Legitimate interests, where we operate, secure, improve, monitor, and protect the Service, prevent fraud and abuse, resolve disputes, and enforce our Terms
• Legal obligation, where processing is needed for tax, accounting, regulatory, sanctions, law enforcement, or payment compliance obligations
• Consent, where required for optional communications, certain cookies, or other processing that legally requires consent

5. Developers and User Content

The Service allows Users and Subscribers to invoke Developer services. Depending on how a Developer service is configured, requests, inputs, outputs, request metadata, and usage information may be transmitted to or processed by the relevant Developer or their infrastructure.

Developers are responsible for complying with privacy, data protection, security, and electronic communications laws that apply to their services. Developers must not collect, use, store, or disclose personal data through their services unless they have the rights, notices, consents, lawful bases, and safeguards required by applicable law.

You should avoid submitting special category data, sensitive personal data, confidential information, regulated data, or data belonging to another person unless you are authorised to do so and the relevant service is suitable for that data.

6. Sharing Personal Data

We may share personal data with:

• Developers, where necessary to provide Developer services, process requests, report usage, resolve support issues, investigate disputes, or operate the marketplace
• Payment, billing, tax, fraud prevention, and payout providers, including Stripe where applicable
• Cloud hosting, database, monitoring, analytics, communications, email, support, security, and infrastructure providers
• Professional advisers, auditors, insurers, banks, and legal representatives
• Regulators, tax authorities, law enforcement, courts, payment networks, or other third parties where required by law or necessary to protect rights, safety, security, or the integrity of the Service
• Successors or potential successors in connection with a merger, acquisition, financing, reorganisation, or sale of business assets

7. Cookies and Similar Technologies

We may use cookies, local storage, and similar technologies to keep you signed in, secure sessions, remember preferences, operate the Service, measure performance, understand usage, and improve the product.

Where legally required, we will ask for your consent before using non-essential cookies or similar technologies. You can also control cookies through your browser settings, although blocking some cookies may affect Service functionality.

8. International Transfers

We may process and store personal data in the United Kingdom, the United States, the European Economic Area, and other countries where we or our service providers operate. Where required, we use appropriate safeguards for international transfers, such as adequacy regulations, standard contractual clauses, data processing terms, or other legally recognised transfer mechanisms.

9. Data Retention

We keep personal data for as long as reasonably necessary to provide the Service, maintain accounts, administer subscriptions and payouts, comply with legal obligations, resolve disputes, prevent fraud and abuse, enforce our Terms, and keep appropriate business records.

Retention periods vary by data type. For example, account and billing records may be retained for tax, accounting, audit, legal, and fraud prevention purposes after account closure. Usage logs and security logs may be retained where needed to investigate disputes, abuse, service reliability, or legal claims.

10. Security

We use technical and organisational measures designed to protect personal data against unauthorised access, loss, misuse, alteration, and disclosure. No online service can guarantee absolute security, so you should keep your account credentials, API keys, access tokens, and devices secure and notify us promptly if you suspect unauthorised access.

11. Your Rights

Depending on where you live and which laws apply, you may have rights to access, correct, delete, restrict, object to, or receive a copy of your personal data, and to withdraw consent where processing is based on consent. You may also have the right to complain to a data protection authority.

UK users may contact the UK Information Commissioner's Office, although we encourage you to contact us first so we can try to resolve your concern.

12. US State Privacy Rights

If a US state privacy law applies to our processing of your personal data, you may have rights to know, access, correct, delete, obtain a copy of, or opt out of certain uses or disclosures of personal data. We do not sell personal data for money. If we use advertising or analytics technologies that are considered a "sale", "sharing", or targeted advertising under applicable law, we will provide any legally required choices.

13. Children

The Service is not intended for children under 13, and we do not knowingly collect personal data from children under 13. If you believe a child has provided personal data to us, please contact us so we can take appropriate action. If a higher minimum age applies in your jurisdiction, you must meet that age to use the Service.

14. Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes to the Service, our processing activities, legal requirements, or operational needs. The updated policy will be posted on the Service with a new effective date. Where required by law, we will provide additional notice or request consent.

15. Contact

To ask questions about this Privacy Policy or exercise privacy rights, contact us at support@tollara.ai.