Privacy Policy.
Last updated: January 15, 2026
This Privacy Policy explains how Toolanta Agency(“we,” “us,” or “our”) collects, uses, discloses, and safeguards your information when you visit our website, engage our services, or otherwise interact with us. We are committed to protecting your personal data and respecting your privacy rights under applicable international laws — including the EU General Data Protection Regulation (GDPR), the UK GDPR, the California Consumer Privacy Act (CCPA/CPRA), and other applicable data protection regulations.
Quick Navigation
Information We Collect
We collect personal data that you voluntarily provide to us, as well as data collected automatically when you use our website.
A. Information you provide directly
- Identity & contact data: name, email address, phone number, business name, job title.
- Project data: project briefs, brand assets, content, business goals, and any other information you share during consultations or via intake forms.
- Payment data: billing information processed securely by our third-party payment processors. We do not store full credit card numbers on our servers.
- Communications: messages, feedback, and correspondence you send to us.
B. Information collected automatically
- Device & usage data: IP address, browser type, operating system, referring URLs, pages visited, time on page, and click patterns.
- Cookies and similar technologies: see section 8 below.
How We Use Your Information
We process your personal data for the following purposes:
- To respond to your inquiries and deliver requested services.
- To prepare proposals, statements of work, contracts, and invoices.
- To design, develop, and maintain websites, applications, and digital products on your behalf.
- To send administrative information, updates, and service-related notices.
- To send marketing communications (only with your consent, where required by law).
- To improve our website performance, security, and user experience.
- To comply with legal, tax, and accounting obligations.
Legal Basis for Processing (GDPR / UK GDPR)
If you are located in the European Economic Area (EEA), the United Kingdom, or Switzerland, we rely on the following legal bases under the GDPR:
- Performance of a contract: when processing is necessary to provide services you have hired us to perform.
- Consent: for marketing emails, non-essential cookies, and any optional data you choose to provide. You may withdraw consent at any time.
- Legitimate interests: for things like securing our website, preventing fraud, and basic analytics — where our interests are not overridden by your rights.
- Legal obligation: when we must process data to comply with applicable laws.
We do not sell your personal data. We share information only with trusted parties who help us operate our business, including:
- Service providers: hosting (e.g., Vercel, AWS), email platforms, payment processors, analytics, project management, and communication tools.
- Subcontractors: vetted freelancers or agencies who assist with specific project tasks under confidentiality agreements.
- Legal authorities: when required by law, court order, or to protect our legal rights.
- Business transfers: in the event of a merger, acquisition, or sale of assets, your data may be transferred under continued protection of this policy.
International Data Transfers
We are a globally distributed agency. Your information may be transferred to, stored, and processed in countries other than your own, including the United States and the European Union. When we transfer personal data across borders, we use appropriate safeguards as required by applicable law, including:
- European Commission’s Standard Contractual Clauses (SCCs).
- UK International Data Transfer Agreement (IDTA).
- Data Processing Agreements (DPAs) with all subprocessors.
- Reliance on adequacy decisions where applicable (e.g., EU-US Data Privacy Framework for certified recipients).
Data Retention
We retain personal data only for as long as necessary to fulfill the purposes outlined in this policy, unless a longer retention period is required or permitted by law. Typical retention periods:
- Client project data: duration of the project plus up to 7 years for tax and legal recordkeeping.
- Marketing leads and inquiries: up to 24 months from last interaction unless consent is withdrawn earlier.
- Analytics data: up to 26 months in anonymized/aggregated form.
- Backups: deleted within 90 days of project completion unless otherwise agreed in writing.
Your Privacy Rights
Depending on your location, you may have the following rights regarding your personal data:
- Access — request a copy of the personal data we hold about you.
- Rectification — correct inaccurate or incomplete data.
- Erasure (“right to be forgotten”) — request deletion of your personal data.
- Restriction of processing — limit how we use your data.
- Data portability — receive your data in a structured, machine-readable format.
- Objection — object to processing based on legitimate interests or for direct marketing.
- Withdraw consent — at any time, where processing is based on consent.
- Opt-out of sale or sharing(CCPA/CPRA) — we do not sell personal data, but California residents may still submit opt-out requests to confirm.
- Non-discrimination— we will not deny service or charge different prices for exercising your rights.
To exercise any of these rights, contact us at privacy@toolanta.com. We will respond within 30 days (45 days under CCPA, extendable where permitted).
We use cookies and similar technologies to operate and analyze our website. Categories include:
- Strictly necessary cookies: required for core site functionality (e.g., session, security).
- Analytics cookies: (e.g., Google Analytics) to understand how visitors use our site. Used only with consent where required.
- Marketing cookies: (e.g., Meta Pixel, LinkedIn Insight) to measure ad performance. Used only with consent.
You can manage your cookie preferences via our cookie banner or your browser settings.
Security of Your Information
We implement industry-standard technical and organizational measures to protect your data, including encryption in transit (HTTPS/TLS), access controls, regular backups, and restricted employee access on a need-to-know basis. However, no method of transmission or storage is 100% secure, and we cannot guarantee absolute security.
Third-Party Links
Our website may contain links to third-party websites we do not operate. We are not responsible for the privacy practices of those sites. We encourage you to review their privacy policies before providing any personal data.
Children's Privacy
Our services are not directed to individuals under the age of 16, and we do not knowingly collect personal data from children. If you believe we have collected data from a minor, please contact us so we can delete it promptly.
Changes to This Privacy Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, technology, or legal requirements. The “Last updated” date at the top of this page indicates when revisions were made. Material changes will be communicated via email or a prominent notice on our website before they take effect.
Contact Us
If you have questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us using the details below.
Toolanta Agency
Email: privacy@toolanta.com
Website: https://toolanta.com
If you are unsatisfied with our response, you have the right to lodge a complaint with your local data protection authority. For EU/UK residents, you can find your supervisory authority at edpb.europa.eu.
Want to talk to a real person about your privacy concerns?
We respond to every privacy and data request personally — usually within 24 hours. No bots, no runaround.