Privacy Policy

Effective Date: April 16, 2026

Last Updated: April 16, 2026

Introduction

ToasterSync ("we," "us," or "our") operates the ToasterSync service, accessible at toastersync.com and app.toastersync.com (the "Service"). This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our Service.

We are committed to protecting your privacy. We only collect the minimum data necessary to provide our Service, and we do not sell your personal information to third parties.

Please read this Privacy Policy carefully. By using the Service, you agree to the collection and use of information in accordance with this policy. If you do not agree with our policies and practices, do not use the Service.

1. Information We Collect

We collect several types of information to provide and improve our Service.

1.1 Information You Provide Directly

Account Information

  • Email address
  • Password (stored in hashed form only)
  • Name (optional)
  • Business name (optional)

Payment Information

When you subscribe to a paid plan, payment information (credit card details, billing address) is collected and processed directly by our payment processor, Stripe. We do not store your full credit card number on our servers. We receive only a payment token and limited billing details (last four digits of your card, card type, billing postal code) for record-keeping purposes.

Integration Credentials

To connect your Toast and Shopify accounts, we collect:

  • Toast API credentials: Client ID, Client Secret, and API hostname
  • Shopify access tokens:Obtained through Shopify's secure OAuth authorization flow

These credentials are necessary for the Service to function and are stored in encrypted form.

Communications

  • Support requests and email correspondence
  • Feedback and survey responses (if you choose to provide them)

1.2 Information Collected Automatically

Usage Data

When you access the Service, we automatically collect:

  • Browser type and version
  • Operating system
  • Pages visited within the Service
  • Date and time of visits
  • Time spent on pages
  • Referring URL
  • Unique device identifiers

Log Data

Our servers automatically record information when you use the Service, including:

  • IP address
  • Request timestamps
  • API calls made
  • Error logs and diagnostic data
  • Feature usage patterns

Sync Activity Data

To provide the Service, we log:

  • Products synced and their identifiers (Toast GUIDs, Shopify product IDs)
  • Sync timestamps and status
  • Category/collection mappings
  • Error details when syncs fail

1.3 Information from Third-Party Services

From Toast

When you connect your Toast account, we access:

  • Menu and menu group information
  • Product details (names, descriptions, prices, SKUs, images, modifiers)
  • Restaurant/location identifiers

We access this information only to perform the sync functions you request. We do not access sales data, customer information, employee data, or financial reports from your Toast account.

From Shopify

When you authorize the Service via Shopify OAuth, we access:

  • Product information (to detect existing products and avoid duplicates)
  • Collection information (to map categories)
  • Store metadata (shop name, domain)

We request only the minimum Shopify permissions necessary: read_products, write_products, read_inventory, and write_inventory. We do not access customer data, orders, or financial information from your Shopify store.

2. How We Use Your Information

We use the information we collect for the following purposes:

2.1 To Provide and Maintain the Service

  • Authenticate your account and manage sessions
  • Connect to your Toast and Shopify accounts
  • Sync products between platforms as you request
  • Process payments and manage subscriptions
  • Respond to your support requests

2.2 To Improve the Service

  • Analyze usage patterns to improve features and user experience
  • Identify and fix technical issues and bugs
  • Monitor Service performance and reliability
  • Develop new features based on usage patterns

2.3 To Communicate With You

  • Send transactional emails (account confirmation, password reset, sync notifications)
  • Send Service-related announcements (planned maintenance, feature updates, security alerts)
  • Respond to your inquiries and support requests

We do not send marketing emails unless you explicitly opt in to receive them.

2.4 To Ensure Security and Prevent Fraud

  • Detect and prevent unauthorized access or abuse
  • Monitor for suspicious activity
  • Enforce our Terms of Service

2.5 To Comply With Legal Obligations

  • Respond to lawful requests from public authorities
  • Comply with applicable laws and regulations
  • Protect our legal rights and interests

3. How We Share Your Information

We do not sell, rent, or trade your personal information to third parties. We share information only in the following limited circumstances:

3.1 Service Providers

We engage trusted third-party companies to perform services on our behalf. These service providers have access to your information only to perform specific tasks and are obligated to protect your information. See Section 4 for details on our service providers.

3.2 With Your Consent

We may share your information with third parties when you explicitly consent to such sharing.

3.3 Business Transfers

If ToasterSync is involved in a merger, acquisition, or sale of assets, your information may be transferred as part of that transaction. We will notify you via email and/or prominent notice on our website of any change in ownership or uses of your personal information.

3.4 Legal Requirements

We may disclose your information if required to do so by law or in response to valid requests by public authorities (e.g., a court or government agency). We may also disclose information when we believe in good faith that disclosure is necessary to:

  • Comply with a legal obligation
  • Protect and defend our rights or property
  • Prevent or investigate possible wrongdoing
  • Protect the personal safety of users or the public
  • Protect against legal liability

3.5 Aggregated or De-Identified Data

We may share aggregated or de-identified information that cannot reasonably be used to identify you. For example, we may share statistics about how many products are synced through the Service.

4. Third-Party Services

We use the following third-party services to operate ToasterSync:

4.1 Stripe (Payment Processing)

  • Purpose: Process subscription payments and manage billing
  • Data shared: Payment information, email address, billing address
  • Privacy Policy: stripe.com/privacy

4.2 Supabase (Database and Authentication)

  • Purpose: Store account data, integration credentials, and sync logs; handle authentication
  • Data shared: All Service data
  • Privacy Policy: supabase.com/privacy

4.3 Sentry (Error Monitoring)

  • Purpose: Track and diagnose application errors to improve reliability
  • Data shared: Error logs, stack traces, browser/device information, user identifiers (anonymized where possible)
  • Privacy Policy: sentry.io/privacy

4.4 Resend (Transactional Email)

  • Purpose: Send account notifications, password resets, and sync alerts
  • Data shared: Email address, email content
  • Privacy Policy: resend.com/legal/privacy-policy

4.5 Vercel or Railway (Hosting)

4.6 Google Analytics

  • Purpose: Analyze website traffic and user behavior to improve the Service
  • Data shared: Pages visited, traffic sources, device/browser information, approximate location, user interactions
  • Privacy Policy: policies.google.com/privacy

4.7 Microsoft (Bing Webmaster Tools / Clarity)

  • Purpose: Monitor search engine performance, analyze user behavior, and improve website usability
  • Data shared: Pages visited, click patterns, session recordings (with personal information masked), search queries leading to our site
  • Privacy Policy: privacy.microsoft.com

4.8 Meta (Facebook/Instagram Pixel)

  • Purpose: Measure advertising effectiveness and build audiences for marketing campaigns
  • Data shared: Pages visited, actions taken on our site, device information, data that may be matched to your Meta account
  • Privacy Policy: facebook.com/privacy/policy

We carefully select service providers who demonstrate a commitment to data protection and security. Each provider processes data only as necessary to perform their specific function for the Service.

5. Data Storage and Security

5.1 Data Storage

Your data is stored on servers located in the United States, operated by our hosting and database providers (Vercel/Railway and Supabase). By using the Service, you consent to the transfer and storage of your data in the United States.

5.2 Security Measures

We implement appropriate technical and organizational measures to protect your information, including:

Encryption

  • All data transmitted between your browser and our servers is encrypted using TLS (HTTPS)
  • Integration credentials (Toast API credentials, Shopify tokens) are encrypted at rest using industry-standard encryption algorithms
  • Passwords are hashed using bcrypt and never stored in plain text

Access Controls

  • Access to production systems is restricted to authorized personnel
  • We use role-based access controls and the principle of least privilege
  • All access to sensitive data is logged and monitored

Infrastructure Security

  • Our infrastructure providers maintain SOC 2 compliance and implement physical security controls
  • We use managed database services with automatic backups and point-in-time recovery
  • Regular security updates are applied to all systems

Monitoring

  • We monitor our systems for security threats and unusual activity
  • Automated alerts notify us of potential security issues
  • We maintain incident response procedures

5.3 Security Limitations

While we strive to protect your information, no method of transmission over the Internet or electronic storage is 100% secure. We cannot guarantee absolute security. You are responsible for maintaining the confidentiality of your account credentials and for any activity that occurs under your account.

5.4 Reporting Security Issues

If you discover a security vulnerability, please report it to [email protected]. We appreciate responsible disclosure and will work to address confirmed issues promptly.

6. Data Retention

6.1 Active Accounts

We retain your information for as long as your account is active and as needed to provide you with the Service. This includes:

  • Account information: Retained while your account exists
  • Integration credentials: Retained while the integration is connected
  • Sync logs: Retained for 90 days for troubleshooting and support purposes
  • Payment records: Retained as required for accounting and tax compliance

6.2 Account Closure

When you close your account:

  • Your account information and integration credentials are deleted within 30 days
  • Sync logs are deleted within 30 days
  • Payment records may be retained for up to 7 years as required by law
  • Aggregated, anonymized data may be retained indefinitely for analytics purposes

6.3 Requesting Deletion

You may request deletion of your personal data at any time by contacting [email protected]. We will process your request within 30 days, subject to any legal obligations requiring us to retain certain information.

7. Your Rights and Choices

Depending on your location, you may have the following rights regarding your personal information:

7.1 Access

You have the right to request a copy of the personal information we hold about you. You can access most of your information directly through your account dashboard.

7.2 Correction

You have the right to request correction of inaccurate or incomplete personal information. You can update your account information directly through the Service, or contact us for assistance.

7.3 Deletion

You have the right to request deletion of your personal information. You can delete your account through the Service settings, or contact us to request deletion.

7.4 Data Portability

You have the right to request a copy of your data in a structured, machine-readable format. Contact us to request an export of your data.

7.5 Objection and Restriction

You have the right to object to or request restriction of certain processing of your personal information. Contact us to discuss your specific situation.

7.6 Withdraw Consent

Where we rely on your consent to process personal information, you have the right to withdraw that consent at any time. Withdrawing consent does not affect the lawfulness of processing conducted prior to withdrawal.

7.7 Exercising Your Rights

To exercise any of these rights, please contact us at [email protected]. We will respond to your request within 30 days. We may need to verify your identity before processing your request.

7.8 Non-Discrimination

We will not discriminate against you for exercising any of your privacy rights.

8. Cookies and Tracking Technologies

8.1 Essential Cookies

We use essential cookies necessary for the Service to function:

CookiePurposeDuration
sessionMaintains your authenticated sessionSession (expires on browser close)
sb-access-tokenSupabase authentication token1 hour
sb-refresh-tokenSupabase session refresh7 days

8.2 Analytics and Performance Cookies

We use analytics services to understand how visitors interact with our website and to improve the Service:

Google Analytics

  • Purpose: Analyze website traffic, user behavior, and measure the effectiveness of our marketing efforts
  • Data collected: Pages visited, time on site, traffic sources, device and browser information, approximate geographic location (country/city level), interactions with site features
  • Cookies: _ga, _ga_*, _gid, _gat
  • Duration: Up to 2 years
  • Privacy Policy: policies.google.com/privacy
  • Opt-out: tools.google.com/dlpage/gaoptout

Microsoft Clarity / Bing Webmaster Tools

  • Purpose: Understand how users interact with our website, identify usability issues, and improve search engine visibility
  • Data collected: Click patterns, scroll behavior, session recordings (with personal information masked), search performance data
  • Cookies: _clck, _clsk, MUID, CLID
  • Duration: Up to 1 year
  • Privacy Policy: privacy.microsoft.com

8.3 Marketing and Advertising Cookies

We may use marketing cookies to measure the effectiveness of our advertising and to deliver relevant advertisements:

Meta Pixel (Facebook/Instagram)

  • Purpose: Measure the effectiveness of our advertising campaigns on Meta platforms, understand actions people take on our website, and build audiences for advertising
  • Data collected: Pages visited, actions taken (such as signing up), device information, and data used to match your activity to your Meta account
  • Cookies: _fbp, fr
  • Duration: Up to 90 days
  • Privacy Policy: facebook.com/privacy/policy
  • Opt-out: You can opt out of Meta's use of cookies for advertising through your Facebook Ad Settings or through the Digital Advertising Alliance's opt-out page

8.4 Managing Cookies and Your Choices

Browser Settings

Most web browsers allow you to control cookies through their settings. You can:

  • View what cookies are stored on your device
  • Delete some or all cookies
  • Block cookies entirely or block third-party cookies only
  • Set preferences for certain websites

Note that blocking or deleting essential cookies may prevent you from using certain features of the Service.

Opt-Out Tools

Cookie Consent

When you first visit our website, you will be presented with a cookie consent banner that allows you to:

  • Accept all cookies
  • Reject non-essential cookies
  • Customize your cookie preferences

You can change your cookie preferences at any time by clicking the "Cookie Settings" link in our website footer.

8.5 Do Not Track

Some browsers have a "Do Not Track" (DNT) feature that signals to websites that you do not want your online activity tracked. We honor DNT signals where technically feasible. When we detect a DNT signal, we will disable non-essential analytics and marketing cookies for that session.

9. International Data Transfers

Our Service is operated in the United States. If you are accessing the Service from outside the United States, please be aware that your information will be transferred to, stored, and processed in the United States.

The data protection laws of the United States may differ from those in your country. By using the Service, you consent to the transfer of your information to the United States.

For users in the European Economic Area (EEA), United Kingdom, or Switzerland: We rely on Standard Contractual Clauses approved by the European Commission as the legal mechanism for transfers of personal data from the EEA to the United States.

10. Children's Privacy

The Service is not intended for individuals under the age of 18. We do not knowingly collect personal information from children under 18. If we become aware that we have collected personal information from a child under 18, we will take steps to delete that information promptly.

If you are a parent or guardian and believe your child has provided us with personal information, please contact us at [email protected].

11. California Privacy Rights

If you are a California resident, you have specific rights under the California Consumer Privacy Act (CCPA) and the California Privacy Rights Act (CPRA):

11.1 Right to Know

You have the right to request information about the categories and specific pieces of personal information we have collected about you, the categories of sources from which we collected the information, our business purpose for collecting the information, and the categories of third parties with whom we share the information.

11.2 Right to Delete

You have the right to request deletion of your personal information, subject to certain exceptions.

11.3 Right to Correct

You have the right to request correction of inaccurate personal information.

11.4 Right to Opt-Out of Sale

We do not sell personal information. Therefore, we do not offer an opt-out of sale.

11.5 Right to Non-Discrimination

We will not discriminate against you for exercising your CCPA/CPRA rights.

11.6 Authorized Agent

You may designate an authorized agent to make requests on your behalf. We may require verification of the agent's authorization.

11.7 Contact for California Residents

To exercise your California privacy rights, contact us at [email protected] or write to us at the address provided in Section 13.

12. Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors.

How We Notify You:

  • Material changes will be announced via email to your registered email address
  • The "Last Updated" date at the top of this policy will be revised
  • For significant changes, we may provide additional notice within the Service

Your Continued Use:

Your continued use of the Service after the effective date of any changes constitutes your acceptance of the revised Privacy Policy. If you do not agree with the changes, you should stop using the Service and close your account.

We encourage you to review this Privacy Policy periodically to stay informed about how we protect your information.

13. Contact Us

If you have questions, concerns, or requests regarding this Privacy Policy or our privacy practices, please contact us:

Email: [email protected]

Mailing Address:
ToasterSync
PO Box 2515
Gilbert, AZ 85299
United States

We will respond to your inquiry within 30 days.

This Privacy Policy was last updated on April 16, 2026.