This Privacy Policy explains how Toaast collects, uses, stores, and protects personal data when you use our Service. By accessing or using Toaast, you agree to this Privacy Policy. Toaast is designed for professional, adult users. It is not intended for children under 16.
Contact information:
CastlePlan AB ("Toaast", "we", "us", or "our")
Borås, Sweden
Service: Toaast — group cards for the workplace
Website: https://toaast.co
Definitions
Personal Data means any information relating to an identifiable person.
Processing means any operation performed on Personal Data.
Service means the Toaast website, application, integrations, and related features.
User or you means the individual using Toaast.
Controller and Processor have the meanings defined under GDPR, depending on context.
What we collect
Data you provide
When you create an account or use Toaast, you may provide:
Name
Email address
Password (stored hashed)
Company name, subdomain, team size, and your role
Contacts you add (names, emails, birthdays, work anniversaries)
When someone signs a card via a public link, we collect their name, their email address, and the message, GIF, and stickers they add to the card. This data is provided directly by the contributor and is associated with the card it was added to.
Usage data
We collect usage information about how you interact with Toaast, such as logins and timestamps, device information, IP address, session and performance metrics, feature usage, and error diagnostics. This helps us operate, secure, and improve the Service.
How we use personal data
We process Personal Data to:
Provide and operate the Service
Enable card creation, sharing, signing, and delivery
Your consent (marketing emails, non-essential cookies)
Compliance with legal obligations (tax, accounting, data protection laws)
Sharing personal data
We share data only as necessary to operate Toaast:
Service providers / subprocessors including hosting, database, email, payments, and analytics providers
Your team members and contributors when they interact with cards you create or share
Legal or regulatory authorities, if required by law
Business transfers, such as mergers or acquisitions
With your consent, when you explicitly approve an action
We never sell Personal Data.
Subprocessors
We use the following trusted third parties to operate the Service:
Supabase — database, authentication, file storage
Vercel — application hosting
Stripe — payment processing (PCI-DSS compliant)
Resend — transactional and marketing email delivery
Giphy — GIF search functionality
Google Analytics — website analytics (with your consent)
Each subprocessor processes data only on our instructions under data processing agreements that meet GDPR requirements.
International transfers
Toaast is operated from Borås, Sweden. Data is processed within the EU or in the US. For EEA/UK users, transfers rely on Standard Contractual Clauses (SCCs) and other legally recognized mechanisms.
Data retention
We keep Personal Data only as long as necessary to provide the Service, meet legal and regulatory requirements (e.g. Swedish accounting law requires 7 years of payment records), resolve disputes, and enforce agreements. When no longer needed, data is deleted or anonymized.
If you delete your account, your data will be removed within 90 days, except where law requires longer retention.
Security
We use industry-standard technical and organizational measures, including:
Encryption in transit (HTTPS/TLS) and at rest
Hashed passwords
Access controls
Monitoring and logging
Incident response procedures
Regular security reviews
No system is 100% secure; we cannot guarantee absolute protection.
Your rights
Depending on your jurisdiction, you may have rights to:
Access your Personal Data
Correct inaccuracies
Request deletion
Request data portability
Object to processing
Withdraw consent
Lodge a complaint with a data protection authority (in Sweden: Integritetsskyddsmyndigheten — IMY)