Privacy Policy

1. Introduction

Metis Labs, LLC ("Tokaro," "we," "us," or "our") is committed to protecting your privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use the Tokaro platform and related services (the "Service").

By using the Service, you consent to the practices described in this Privacy Policy. If you do not agree, please do not use the Service.

2. Information We Collect

2.1 Information You Provide

• Account information: Name, email address, password, and organization details when you register
• Profile information: Role, title, and preferences you configure
• Engagement data: Process descriptions, organizational information, business context, and other content you submit during guided conversations, analysis, design, simulation, and specification workflows
• Communications: Messages you send to us, feedback, and support requests
• Payment information: Billing details processed through our third-party payment processor (we do not store full payment card numbers)

2.2 Information Collected Automatically

• Usage data: Features used, pages visited, actions taken, timestamps, and session duration
• Device information: Browser type, operating system, device identifiers, and screen resolution
• Log data: IP address, access times, referring URLs, and error logs
• Cookies and similar technologies: Session cookies for authentication and preferences (see Section 7)

2.3 Information from Third Parties

• Authentication providers: If you sign in via Google or another identity provider, we receive your name, email, and profile picture
• Organization administrators: Your organization admin may provide your email address when inviting you to join

3. How We Use Your Information

We use the information we collect to:

• Provide, operate, and maintain the Service
• Process your engagement data through AI models to generate analysis, designs, simulations, and specifications
• Authenticate your identity and manage your account
• Enforce usage limits and quotas associated with your subscription
• Send transactional communications (account verification, password resets, invitation emails, security alerts)
• Provide customer support and respond to inquiries
• Monitor and analyze usage trends to improve the Service
• Detect, prevent, and address security incidents, fraud, and abuse
• Comply with legal obligations

4. AI Processing and Data Handling

The Service uses third-party AI model providers (such as Anthropic, Google, and OpenAI) to process your engagement data and generate outputs. When using these providers:

• Your data is transmitted to the AI provider solely for the purpose of generating the requested output
• We use API-based access with contractual commitments from providers that they will not use your data to train their models
• AI-processed data is not shared across organizations or users
• We do not use your engagement data to train our own models without your explicit consent

You can request information about which AI providers processed your data by contacting us.

5. How We Share Your Information

We do not sell your personal information. We may share your information in the following circumstances:

• Within your organization: Other members of your organization on Tokaro can see shared engagement data, as determined by your organization's access controls
• Service providers: Third-party vendors who assist us in operating the Service (hosting, AI model providers, email delivery, payment processing, analytics). These providers are contractually obligated to protect your data
• Legal compliance: When required by law, legal process, or government request
• Safety and rights: To protect the rights, property, or safety of Tokaro, our users, or the public
• Business transfers: In connection with a merger, acquisition, or sale of assets, where your data may be transferred to the successor entity

6. Data Retention

We retain your data for as long as your account is active or as needed to provide the Service. Specifically:

• Account data: Retained until account deletion
• Engagement data: Retained until the engagement is deleted or your account is terminated. After account termination, data is available for export for 30 days, then permanently deleted
• Usage logs: Retained for up to 12 months for security and operational purposes
• Backups: May persist in encrypted backups for up to 90 days after deletion

7. Cookies and Tracking

We use the following types of cookies:

• Essential cookies: Required for authentication and core Service functionality. These cannot be disabled
• Analytics cookies: Help us understand how users interact with the Service to improve it. These can be disabled

We do not use advertising cookies or share cookie data with advertising networks. You can manage cookie preferences through your browser settings.

8. Data Security

We implement appropriate technical and organizational measures to protect your data, including:

• Encryption of data in transit (TLS 1.2+) and at rest
• Multi-tenant data isolation ensuring organizations cannot access each other's data
• Regular security assessments and monitoring
• Role-based access controls within the Service
• Secure cloud infrastructure hosted on Google Cloud Platform

While we take reasonable precautions, no method of electronic transmission or storage is 100% secure. We cannot guarantee absolute security.

9. Your Rights

Depending on your jurisdiction, you may have the following rights:

• Access: Request a copy of the personal data we hold about you
• Correction: Request correction of inaccurate or incomplete data
• Deletion: Request deletion of your personal data, subject to legal retention requirements
• Data portability: Request your data in a structured, machine-readable format
• Objection: Object to certain processing of your data
• Restriction: Request restriction of processing in certain circumstances
• Withdraw consent: Where processing is based on consent, you may withdraw it at any time

To exercise any of these rights, contact us at privacy@tokaro.ai. We will respond within 30 days.

10. International Data Transfers

The Service is hosted in the United States. If you access the Service from outside the United States, your data will be transferred to and processed in the United States. We take appropriate safeguards to ensure your data is protected in accordance with this Privacy Policy and applicable law.

11. Children's Privacy

The Service is not directed to individuals under the age of 18. We do not knowingly collect personal information from children. If we learn that we have collected data from a child, we will delete it promptly.

12. California Privacy Rights (CCPA)

If you are a California resident, you have additional rights under the California Consumer Privacy Act (CCPA), including the right to know what personal information we collect, the right to request deletion, and the right to opt out of the sale of personal information. We do not sell personal information.

To exercise your CCPA rights, contact us at privacy@tokaro.ai.

13. European Privacy Rights (GDPR)

If you are in the European Economic Area (EEA), United Kingdom, or Switzerland, we process your personal data on the following legal bases:

• Contract performance: To provide the Service you have subscribed to
• Legitimate interests: To improve the Service, ensure security, and communicate with you
• Consent: Where you have given explicit consent for specific processing
• Legal obligation: To comply with applicable laws

You may lodge a complaint with your local data protection authority if you believe we have violated your rights.

14. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of material changes by posting the updated policy on the Service and updating the "Last updated" date. For significant changes, we may also notify you by email.

15. Contact Us

If you have questions or concerns about this Privacy Policy or our data practices, please contact us at: