Privacy Policy

1. Introduction

Torale Labs Inc. ("we," "us," "our") operates the Torale web monitoring platform ("Service"). This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our Service.

2. Information We Collect

2.1 Account Information

When you create an account, we collect:

• Email address: Used for authentication, account recovery, and service communications
• Authentication credentials: Password hash (if using email/password) or OAuth tokens (if using Google/GitHub login) managed by our authentication provider, Clerk
• User ID: Unique identifier generated by our system and synced with Clerk
• Account metadata: Creation date, last login, account status (active/inactive)

2.2 Task and Monitoring Data

When you create monitoring tasks, we collect:

• Search queries: The questions or topics you want to monitor (e.g., "When is the iPhone 17 release?")
• Condition descriptions: Criteria you define for triggering notifications (e.g., "A specific date has been announced")
• Schedules: Cron expressions defining execution frequency
• Notification preferences: How you want to be notified (once, always)

2.3 Execution and Results Data

When tasks execute, we store:

• Execution metadata: Start time, completion time, status (success/failed), error messages
• LLM-generated responses: Answers synthesized by AI models from search results
• Condition evaluation results: Boolean determination of whether your condition was met
• Grounding sources: URLs and metadata of web sources used to generate answers
• Agent memory: Cross-run context used for change detection
• Change summaries: Human-readable descriptions of what changed since the last execution

2.4 API Keys

When you generate API keys for programmatic access, we collect:

• Key hash: SHA256 hash of the API key (never stored in plain text)
• Key prefix: Display-only prefix for identification (e.g., "sk_...abc123")
• Key name: User-defined label (e.g., "Production API Key")
• Usage metadata: Creation date, last used timestamp

2.5 Usage and Analytics Data

We automatically collect:

• System logs: API requests, error traces, performance metrics
• Scheduling data: Job execution IDs, schedule metadata, retry attempts
• Aggregate statistics: Platform-wide metrics like total tasks, execution counts, popular queries
• IP addresses: For security, fraud prevention, and rate limiting (not linked to user profiles)

3. How We Use Your Information

We use collected information to:

• Provide the Service: Execute monitoring tasks, evaluate conditions, send notifications
• Improve Service quality: Analyze aggregate usage patterns, identify bugs, optimize performance
• Customer support: Troubleshoot issues, respond to inquiries, assist with account management
• Security and fraud prevention: Detect abuse, enforce rate limits, prevent unauthorized access
• Legal compliance: Respond to lawful requests, enforce Terms of Service
• Product development: Understand feature usage, prioritize roadmap items (using aggregated, non-identifiable data)

4. How We Share Your Information

4.1 Third-Party Service Providers

We share data with trusted third-party providers:

• Clerk: Authentication, user management, session handling
• Google Cloud Platform: Hosting, compute infrastructure, managed databases
• APScheduler: Cron-based task scheduling and execution
• AI Providers (Anthropic Claude, Perplexity): LLM inference for condition evaluation and answer generation

Important: Your search queries and monitored content are transmitted to AI providers for processing. These providers may use inputs to improve their models unless you opt out through their respective settings.

4.2 Legal Requirements

We may disclose your information if required by law, subpoena, or other legal process, or if we believe disclosure is necessary to:

• Comply with legal obligations
• Protect our rights, property, or safety
• Prevent fraud or abuse
• Enforce our Terms of Service

4.3 Business Transfers

If Torale Labs Inc. is involved in a merger, acquisition, or sale of assets, your information may be transferred as part of that transaction. We will notify you via email of any such change in ownership.

5. Administrative Access to Data

Who Has Access: Only authorized Torale employees and contractors with a legitimate business need can access the Admin Console.

What They Can See:

• User account information (email, creation date, activity stats)
• Task configurations (search queries, conditions, schedules)
• Execution history (results, LLM responses, grounding sources)
• Platform statistics (popular queries, error rates, system health)
• Scheduling metadata (execution status, cron schedules)

Why Access Is Needed:

• Debugging technical issues reported by users
• Investigating service outages or performance degradation
• Detecting and preventing abuse, spam, or Terms violations
• Generating aggregate analytics to improve the Service
• Responding to legal requests or security incidents

Access Controls: Admin Console access is logged, audited, and restricted to employees bound by confidentiality agreements. We do not sell, share, or use your data for purposes unrelated to providing and improving the Service.

6. Data Security

We implement industry-standard security measures:

• Encryption: TLS 1.3 for data in transit, AES-256 for data at rest
• Authentication: Clerk-managed OAuth and email/password with bcrypt hashing
• API key security: SHA256 hashing, no plain-text storage
• Database security: Cloud SQL with private IP, automated backups, point-in-time recovery
• Infrastructure: GKE Autopilot with network policies, Workload Identity, least-privilege IAM
• Access logging: All administrative actions are logged and auditable

However, no method of transmission or storage is 100% secure. We cannot guarantee absolute security.

7. Data Retention

We retain your information:

• Active accounts: For the duration of your account
• Deleted accounts: 90 days after account deletion (for recovery and legal purposes)
• Execution history: Indefinitely while your account is active; deleted 90 days after account deletion
• System logs: 30 days for debugging; 1 year for security logs
• Aggregated analytics: Retained indefinitely (anonymized, non-identifiable)

8. Your Privacy Rights

Depending on your jurisdiction, you may have the right to:

• Access: Request a copy of your personal data
• Correction: Update or correct inaccurate information
• Deletion: Request deletion of your account and associated data
• Data portability: Export your task configurations and execution history in JSON format
• Opt-out: Unsubscribe from marketing emails (we currently send none)
• Restrict processing: Request limitations on how we use your data

To exercise these rights, contact [email protected]. We will respond within 30 days.

9. International Data Transfers

The Service is hosted in the United States (Google Cloud us-central1 region). If you access the Service from outside the US, your data will be transferred to and processed in the United States. By using the Service, you consent to this transfer.

10. Children's Privacy

The Service is not intended for users under 18 years of age. We do not knowingly collect personal information from children. If you believe we have collected data from a child, contact [email protected].

11. Cookies and Tracking

We use essential cookies for authentication and session management via Clerk. We do not use third-party analytics, advertising cookies, or tracking pixels.

You can disable cookies in your browser settings, but this may affect Service functionality.

12. Changes to This Privacy Policy

We may update this Privacy Policy from time to time. Material changes will be communicated via email or in-app notification. Continued use of the Service after changes constitutes acceptance of the updated policy.

13. Contact Us

For questions, concerns, or requests regarding this Privacy Policy or your personal data: