1. Introduction
Welcome to Tolok.AI ("we," "our," or "us"). We are committed to protecting your privacy and ensuring the security of your personal information. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our website and services.
By accessing or using Tolok.AI, you agree to the terms of this Privacy Policy. If you do not agree with our policies and practices, please do not use our services.
2. Information We Collect
2.1 Information You Provide
We may collect information that you provide directly to us, including:
- Account information: When you register for an account, we collect your name, email address, and password.
- Profile information: Information you add to your profile, such as profile picture, bio, and contact details.
- Content: Information you provide when using our services, including artist information, team members, and marketing content.
- Uploaded Documents & Media: PDFs, images, spreadsheets, and other files you voluntarily upload (e.g., contracts, set-lists, royalty statements).
- Communications: Information you provide when contacting us for customer support or otherwise communicating with us.
- Payment information: When you make purchases through our platform, we collect payment information, though we do not store full credit-card details.
2.2 Information We Collect Automatically
When you use our services, we may automatically collect certain information, including:
- Device information: Information about the device you use to access our services, such as hardware model, operating system, unique device identifiers, and mobile-network information.
- Log information: Information about your use of our services, including access times, pages viewed, and the page you visited before navigating to our website.
- Location information: Information about your location derived from your IP address.
- Cookies and similar technologies: We use cookies and similar technologies to collect information about your browsing behavior and preferences.
- Derived Metadata: Redacted, de-identified facts (e.g., song identifiers, venue codes, performance dates, payout amounts) extracted from your uploads and stored separately from the original files.
- Embeddings: Vector representations of text snippets created solely to power search, recommendations, and model fine-tuning.
2.3 Information From Third-Party Services
When you connect third-party accounts (such as Spotify, Apple Music, Instagram, or other platforms) to Tolok.AI, we collect information from these services as authorized by you and in accordance with their privacy policies. This may include:
- Profile information from connected social-media and music-platform accounts
- Content you've posted or shared on these platforms
- Analytics and engagement metrics related to your content
- Follower and audience information
3. How We Use Your Information
We use the information we collect for various purposes, including:
- Providing, maintaining, and improving our services, including:
  - Optical-character recognition (OCR) of uploaded documents
  - Generation of embeddings and derivative metadata
  - Training internal machine-learning models on aggregated, differentially-private data that cannot be traced back to you
  - Creating anonymized industry benchmarking and analytics reports
- Processing transactions and sending related information
- Responding to your comments, questions, and requests
- Sending technical notices, updates, security alerts, and administrative messages
- Monitoring and analyzing trends, usage, and activities in connection with our services
- Detecting, investigating, and preventing fraudulent transactions and other illegal activities
- Personalizing your experience and delivering content relevant to your interests
- Facilitating contests, sweepstakes, and promotions and processing and delivering entries and rewards
4. How We Share Your Information
We may share your personal information in the following situations:
- With Your Consent: We may share information when you direct us to do so.
- With Service Providers: We share information with vendors, consultants, and other service providers who need access to such information to carry out work on our behalf.
- For Legal Reasons: We may disclose information if we believe it is necessary to comply with applicable laws, regulations, legal processes, or governmental requests.
- In Connection with a Business Transfer: We may share information in connection with a substantial corporate transaction, such as a merger, consolidation, or asset sale.
- For Protection: We may disclose information to protect the rights, property, and safety of our company, our users, and others.
We do not share, sell, or license your raw uploads, embeddings, or derived metadata with any third party outside the scenarios listed above. All document processing occurs in logically isolated environments that are encrypted in transit and at rest using customer-specific keys. Raw uploads are never accessible to any other customer.
4.1 Model-Training Opt-Out
You may disable inclusion of your (anonymized) data in our model-improvement pipeline at any time via Settings → Privacy → Model Training Opt-Out. Disabling this feature will not affect your access to core functionality.
5. Third-Party Platforms and Services
Tolok.AI integrates with third-party platforms such as Spotify, Instagram, Apple Music, and other social media and music services. When you connect these services to your Tolok.AI account, we may collect and store information from these platforms as described in this Privacy Policy.
Please note that these third-party services have their own privacy policies. We encourage you to review the privacy policies of any third-party services you access through Tolok.AI.
6. Data Retention
We retain personal information as follows:
- Raw uploads: retained for as long as your workspace exists or until you delete them; erased from all backups within 90 days of deletion.
- Derived metadata & embeddings: retained indefinitely for service performance and fraud-detection unless you exercise your opt-out or delete your account.
- Differential-privacy training sets: retained indefinitely because they contain only noisy, non-attributable statistical signals.
If you exercise your CCPA deletion right or GDPR erasure right, we will irreversibly anonymize or delete all personal data and confirm completion within the statutory timeframe.
7. Your Rights and Data Deletion
Depending on your location, you may have certain rights regarding your personal information, including:
- Accessing, updating, or correcting your information
- Deleting your information
- Objecting to or restricting certain processing of your information
- Portability of your information
- Withdrawing consent
7.1 Data Deletion Rights
You have the right to request deletion of your personal data. To exercise this right, you can:
For Facebook and Instagram users: In accordance with Meta Platform Terms, we provide both a data-deletion request page and a data-deletion callback that allows Meta to submit deletion requests on your behalf. When we receive a data-deletion request, we will delete all of your personal information from our active systems within 30 days, including any data obtained through Instagram or Facebook integrations.
When we delete your data, we will:
- Remove all personally identifiable information associated with your account
- Delete all content you've created or uploaded
- Remove all integration connections with third-party platforms
- Delete any analytics or insights derived from your account
- Ensure your data is also removed from our backup systems within 90 days
We may ask you to verify your identity before responding to such requests. After verification, we will process your deletion request within 30 days and send you a confirmation when the deletion is complete.
8. Children's Privacy
Our services are not directed to children under the age of 13, and we do not knowingly collect personal information from children under 13. If we learn that we have collected personal information from a child under 13, we will promptly delete that information.
9. International Data Transfers & Lawful Bases (GDPR/UK GDPR)
We are headquartered in the United States but may process your information in other countries. When we transfer personal data from the European Economic Area (EEA), the United Kingdom (UK), or Switzerland, we rely on:
- European Commission Standard Contractual Clauses (SCCs) and the UK International Data Transfer Addendum;
- Equivalent adequacy decisions, where applicable.
Lawful bases for processing: Contract fulfilment (Art. 6(1)(b)); legitimate interests (Art. 6(1)(f)) for aggregated analytics and model improvement; consent (Art. 6(1)(a)) for marketing communications.
EEA/UK residents may lodge a complaint with their local supervisory authority, but we invite you to contact us first.
10. Security
We take reasonable measures to protect your personal information from loss, theft, misuse, unauthorized access, disclosure, alteration, and destruction. Where we process data on GPUs, we use "confidential computing" nodes that encrypt memory and provide a remote-attestation report you can request via support. However, no security system is impenetrable, and we cannot guarantee absolute security.
11. Changes to This Privacy Policy
We may update this Privacy Policy from time to time. If we make material changes, we will notify you through our services or by other means, such as email. We encourage you to review the Privacy Policy whenever you access our services to stay informed about our information practices.
12. Contact Us
If you have any questions or concerns about this Privacy Policy or our privacy practices, please contact us at:
Email: privacy@tolok.ai
Address: 400B Saint Francis Ave, Nashville TN 37205
13. California Privacy Notice
This section applies solely to California residents and supplements the information contained in this Privacy Policy. It explains your “right to know,” “right to delete,” “right to correct,” and “right to opt-out of sale or sharing” under the California Consumer Privacy Act (CCPA), as amended by the California Privacy Rights Act (CPRA).
13.1 Personal Information We Collect
In the last 12 months we have collected the categories of personal information described in Section 2. We disclose these categories only for the business purposes described in Section 4. We do not “sell” personal information for monetary consideration, and we do not “share” personal information for cross-context behavioural advertising.
13.2 Your California Rights
- Right to Know: You may request that we disclose the personal information we have collected, used, or disclosed about you.
- Right to Delete: You may request that we delete personal information we have collected from you.
- Right to Correct: You may request that we correct inaccurate personal information we maintain about you.
- Right to Opt-Out of Sale/Sharing: Because we do not sell or share personal information as those terms are defined, no action is required to exercise this right.
- Right to Non-Discrimination: We will not discriminate against you for exercising any of these rights.
13.3 Submitting CCPA Requests
You (or your authorized agent) can exercise these rights by:
We will verify your identity before fulfilling your request and respond within 45 days, or 90 days where legally permitted.