Privacy Policy.

Toby ("we", "us") provides an Employee Relations operating system for HR teams. This Privacy Policy explains how we handle personal information when:

• You sign up, sign in, or use the Toby application
• You visit our marketing site at hiretoby.com
• Our customer (your employer) uploads or processes HR records about you in Toby

If you are an HR end-user of our customer's Toby workspace, the customer is the controller of your personal data and Toby is the processor. Direct questions about your specific HR record to your employer's People team in the first instance.

From visitors to our marketing site

• Form submissions. When you submit the Book a Demo form, we collect your name, work email, company, role, and message.
• Web logs. IP address, user-agent, referrer, requested page. Used for security monitoring and rate limiting. Retained 30 days.
• Analytics events. Page views and high-level interactions via PostHog, with autocapture and session replay disabled. User identifiers are SHA-256 hashed before leaving our infrastructure.

From customers + their authorized users

• Account data. Workspace name, billing contact, sub-domain, primary jurisdiction.
• User identity. Email, name, role within the workspace. Authentication is handled by WorkOS; we store the WorkOS user id and email.
• HR records. Content the customer uploads or generates inside Toby: case files, party rosters, document drafts, chat messages, audit-event metadata. We are a processor for this content.
• Usage data. Which features are used, AI usage volume, login frequency. Used for security, support, and billing.

We do not collect payment card data (we are invoice-billed), biometric identifiers, precise location, or your contacts.

• To deliver the Toby service to the customer and its authorized users
• To answer questions you submit and arrange demos
• To run security monitoring, abuse prevention, and rate limiting
• To improve the product (aggregate, hashed-id analytics only)
• To meet our legal obligations (tax records, contractual books)

We do not sell personal information. We do not use customer prompts or documents to train AI models that are shared between customers.

We share personal information only with sub-processors we have contracted to deliver the service. The full list lives on our Sub-processors page and is updated whenever it changes.

Categories of sub-processor:

• Infrastructure. Cloudflare (edge runtime, storage), Neon (Postgres database).
• Identity. WorkOS (authentication, MFA, SAML).
• AI inference. Anthropic (Claude). Customer content is processed for the duration of a single request and is not retained for training under our standard agreement. Enterprise customers can route inference through AWS Bedrock for in-tenant private inference.
• Operations. Resend (transactional email), Sentry (error tracking with PII pre-scrubbed), PostHog (product analytics with hashed identifiers).

We may also disclose information when required by law (subpoena, court order, regulatory request) or to protect rights, property, and safety. Customers receive notice of any compelled disclosure unless legally prohibited.

Customer data is stored in the United States by default (Neon in AWS us-east-2, Cloudflare globally distributed edge with US-pinned R2). EU data residency is available on Enterprise plans on request.

• Account data. For the duration of the customer contract plus 30 days after termination.
• Customer HR records.Per the customer's configured retention policy. Default 7 years for audit logs; configurable on Enterprise.
• Marketing form submissions. 24 months from last contact, then deleted unless you become a customer.
• Web logs. 30 days.

Audit logs are append-only and not deletable through ordinary operation, even by us. This is intentional and required for legal-hold compliance. On contract termination, audit logs are exported to the customer and deleted from our systems within the retention window above.

Depending on your jurisdiction, you may have the following rights over personal information we hold about you:

For HR records inside a customer workspace: we are the processor and your employer is the controller. Contact your employer to exercise your rights. We will support customers in responding within statutory timelines.

For account / marketing data: email privacy@hiretoby.com. We respond within 30 days (or 45 days for complex requests, with notice).

We use cookies for authentication (WorkOS session) and for preventing cross-site request forgery. We use a memory-only analytics persistence so no analytics cookie survives the page session.

We do not use third-party advertising cookies, fingerprinting, cross-site trackers, or session replay.

Toby is a business tool for HR teams. We do not knowingly collect data from anyone under 16. If you believe a child has provided personal information to us, email privacy@hiretoby.com and we will delete it.

We will post material changes here with a new effective date at least 30 days before they take effect. For substantial changes affecting customer obligations, we will email the workspace admin directly.

Knit Cage, LLC · Wyoming LLC
30 N Gould St Ste N · Sheridan, WY 82801 · United States
Privacy questions: privacy@hiretoby.com
Security disclosures: security@hiretoby.com
EU representative: contact privacy@hiretoby.com for current designation.