← All legal documents

Privacy Policy

Effective: 2026-04-19

Last updated: 2026-04-19

Mataki Labs LLC (“ToasterDB,” “we,” “us,” or “our”), a Wyoming limited liability company, operates the toasterdb.com website, the ToasterDB Cloud platform (including app.toasterdb.com and docs.toasterdb.com), the ToasterDB self-hosted distribution, and related services (collectively, the “Services”). This Privacy Policy explains how we collect, use, disclose, and protect information when you use our Services.

By using our Services, you agree to the collection and use of information as described in this policy.

Information We Collect

Information You Provide

When you create an account, subscribe to a plan, or contact us, we may collect:

  • Account information: Name, email address, password (hashed), and company or organization name
  • Billing information: Payment method details are collected and processed by our payment processor (Stripe). We do not store full credit card numbers on our servers.
  • Communications: Any information you include when you contact us via email, support tickets, GitHub, or community channels, including your name, email address, and message content
  • Workspace configuration: Database connection metadata, schema definitions, field-level security policies, validation rules, privacy rules, form definitions, application code, role and permission configuration, and other content you create through the Services
  • Request payloads: Data submitted to the ToasterDB data layer (including form submissions, API request bodies, and app runtime inputs) flows through the Services to enforce policies and to deliver results. Request payloads are processed in memory to execute each request. Persistence of the resulting rows occurs in your connected PostgreSQL Database, not in ToasterDB storage, except as described under Data Retention below.

Information Collected Automatically

When you use our Services, we automatically collect:

  • Usage data: API call volumes, data-layer request counts, policy evaluation metrics, form submission counts, app runtime invocations, and feature usage metrics
  • Server logs: IP address, browser type and version, operating system, referring URL, pages visited, timestamps, and request/response metadata
  • Performance data: Page load times, API response latencies, policy evaluation latencies, database query latencies, and error logs used to maintain service reliability
  • Device information: Device type, screen resolution, and timezone

How We Use Information

We use the information we collect to:

  • Provide and maintain the Services: Enforce your field-level security, validation, and privacy policies; serve form submissions; run the app runtime; manage your account; and handle billing
  • Policy evaluation and auditability: Evaluate policies on each request and record audit events so you can review who accessed what, when, and under which policy decision
  • Improve the Services: Analyze usage patterns to identify bugs, optimize performance, and develop new features
  • Ensure security: Detect and prevent fraud, abuse, and unauthorized access to accounts, workspaces, or the data layer
  • Communicate with you: Send transactional emails (account verification, billing receipts, security alerts), respond to support requests, and provide product updates you have opted into
  • Comply with legal obligations: Respond to lawful requests from government authorities and comply with applicable laws

We do not sell your personal information to third parties.

Important: ToasterDB does not read, mine, or otherwise process the contents of your PostgreSQL Database for any purpose beyond executing the specific requests you or your authorized end users initiate through the data layer. We do not train models on your data.

Information Sharing and Disclosure

We share information only in the following circumstances:

Service Providers

We use third-party service providers to help operate our Services, including:

  • Stripe for payment processing
  • Cloud infrastructure providers for hosting and data storage
  • Monitoring and logging services for operational visibility

These providers access information only as necessary to perform their services and are bound by contractual obligations to protect your information.

Customer Data Handling

We do not share or sell the data you store in your PostgreSQL Database, the payloads that pass through the data layer, or the policy and schema definitions in your Workspace with any third party. Data passing through the data layer is used exclusively to execute the request at hand, enforce the policies you have defined, and produce the audit records you have configured.

We may disclose information if required to do so by law or in response to valid legal process, including subpoenas, court orders, or government requests. We will notify you of such requests when legally permitted to do so.

Business Transfers

In the event of a merger, acquisition, or sale of all or a portion of our assets, your information may be transferred as part of that transaction. We will notify you via email or prominent notice on our website before your information becomes subject to a different privacy policy.

Data Retention

  • Workspace configuration (schemas, policies, validation rules, form and app definitions) is retained for as long as the corresponding Workspace is active.
  • Audit logs are retained according to your plan tier (7 days for Free, 30 days for Pro, 90 days for Team, as configured for Enterprise).
  • Account data is retained for as long as your account is active. Upon account deletion, we will remove your personal information within 30 days, except where retention is required by law.
  • Billing records are retained for 7 years as required by applicable tax and accounting regulations.
  • Server logs are retained for 90 days for security and debugging purposes.
  • Customer data in your connected PostgreSQL Database is retained according to the retention settings of your database; ToasterDB does not independently retain copies of your row data beyond transient caches required to evaluate requests.

Data Security

We implement security measures appropriate to a product that sits in the access path between applications and production databases:

  • Encryption in transit: All communications between clients, ToasterDB Cloud, and your PostgreSQL Database use TLS 1.2 or higher. Older TLS versions are not supported.
  • Encryption at rest: Workspace configuration, audit records, and any cached state stored in ToasterDB Cloud are encrypted at rest using industry-standard AES-256 encryption.
  • Per-tenant isolation: Each Workspace’s configuration, audit records, and cached state are logically isolated from every other Workspace. A compromise affecting one Workspace is contained to that Workspace.
  • Credential handling: Database connection credentials and any other secrets you configure in ToasterDB Cloud are encrypted with dedicated key material and are not exposed in logs or in the console UI beyond masked identifiers.
  • Secrets never logged: Database credentials, signing keys, and other secrets are never written to application logs, error reports, crash dumps, or monitoring systems. Log redaction is enforced at the serialization layer.
  • Policy enforcement integrity: Field-level security, validation, and privacy policies are evaluated on every request before data is returned. Policy bypass requires explicit, auditable administrative action.
  • Access controls: Employee access to production systems is restricted, logged, and requires multi-party approval for changes to customer data paths.

No method of transmission over the Internet or electronic storage is 100% secure. While we strive to protect your information, we cannot guarantee absolute security.

Self-Hosted ToasterDB

You may deploy ToasterDB on your own infrastructure. When using the self-hosted distribution, request payloads, policy evaluations, and audit records remain entirely within your infrastructure; they do not transit to ToasterDB Cloud. In this configuration, the only communication with us is optional — for example, license activation, update checks, or telemetry you explicitly opt into. The self-hosted distribution is available at https://github.com/mataki-dev/toasterdb, enabling your security team to audit the code that handles your data.

Your Rights

Depending on your jurisdiction, you may have the right to:

  • Access the personal information we hold about you
  • Correct inaccurate or incomplete information
  • Delete your personal information and Workspace configuration (subject to legal retention requirements)
  • Export your data in a portable format, including Workspace configuration and audit records
  • Withdraw consent for optional data processing activities

To exercise any of these rights, contact us at legal@toasterdb.com. We will respond to your request within 30 days. If we need additional time to fulfill your request, we will notify you of the delay and the reason for it.

Data Residency

By default, all ToasterDB Cloud data is stored in the United States. Enterprise customers may elect EU data residency (in which case account data, Workspace configuration, and audit records are stored within the European Union) or request custom data residency configurations to meet specific regulatory requirements. Customers using the self-hosted distribution control data residency through their own deployment choices.

Data residency selection is made at the workspace level and applies to all configuration, audit, and cached state within that workspace.

Cookies and Tracking

The ToasterDB console at app.toasterdb.com uses strictly necessary cookies to maintain your authenticated session. We use privacy-respecting analytics on toasterdb.com and docs.toasterdb.com to understand aggregate traffic patterns; these analytics do not track individual users across sites and do not build advertising profiles. See our Cookie Policy for details.

Children’s Privacy

Our Services are not directed to individuals under the age of 16. We do not knowingly collect personal information from children. If you believe a child has provided us with personal information, please contact us and we will delete it promptly.

International Data Transfers

Mataki Labs LLC is based in the State of Wyoming, United States. If you access our Services from outside the United States, your information may be transferred to and processed in the United States, unless you have elected an alternative data residency option. By using our Services, you consent to such transfer and processing.

For customers who require specific transfer mechanisms (such as Standard Contractual Clauses), please contact us to discuss available options.

Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of material changes by posting the updated policy on this page and updating the “Last updated” date. For significant changes, we will provide additional notice via email to the address associated with your account.

Governing Law

This Privacy Policy is governed by the laws of the State of Wyoming, United States, without regard to its conflict of law provisions.

Contact Us

If you have questions about this Privacy Policy or our data practices, contact us at:

Mataki Labs LLC State of Wyoming Email: legal@toasterdb.com