Privacy Policy

How Tocayo handles your information.

Last updated March 10, 2026

1. Introduction

Tocayo Labs, LLC ("Tocayo," "we," "us," or "our") is a Texas limited liability company that operates a web application and related services (collectively, the "Service"). The Service provides an AI-powered website builder for small businesses.

This Privacy Policy describes how we collect, use, disclose, and protect your personal information when you access or use our Service. By using Tocayo, you agree to the practices described in this policy. If you do not agree, please do not use our Service.

2. Information We Collect

2.1 Account Information

When you create an account, we collect information such as:

  • Your name, email address, and login credentials
  • Business name, industry, and description
  • Account preferences and settings

2.2 Website Content

When you use the Service to build a website, we collect and process:

  • Business descriptions and conversational inputs you provide
  • Images, text, and other content you upload or generate
  • Website configuration, design choices, and publishing settings

2.3 Payment and Billing Information

We use Stripe as our payment processor. When you subscribe to a paid plan, Stripe collects your payment card details directly. We receive only limited information from Stripe, such as the last four digits of your card, card brand, expiration date, and billing address. We do not store full payment card numbers on our servers.

2.4 Usage and Device Information

We automatically collect information about how you interact with the Service, including:

  • Device type, operating system, and unique device identifiers
  • IP address and approximate location (city or region level)
  • App and website usage patterns, feature interactions, and crash logs
  • Referring URLs and pages visited within the Service

3. Cookies and Tracking Technologies

Our website at tocayo.ai uses cookies and similar technologies for the following purposes:

3.1 Essential Cookies

We use cookies that are strictly necessary for the operation of the Service, including authentication cookies that keep you logged in to your account and maintain your session. These cookies cannot be disabled without affecting the functionality of the Service.

3.2 Analytics

We use PostHog, a product analytics platform, to understand how users interact with our website and application. PostHog collects information such as pages visited, features used, session duration, and general interaction patterns. This data helps us improve the Service and identify issues. You can learn more about PostHog's privacy practices at posthog.com/privacy.

You can manage your cookie preferences through your browser settings. Disabling non-essential cookies may limit certain analytics features but will not affect the core functionality of the Service.

4. How We Use Your Information

We use the information we collect to:

  • Provide, operate, and improve the Service, including AI-powered website generation and conversational editing
  • Host and serve the websites you create through the Service
  • Process payments and manage your subscription
  • Send transactional notifications (e.g., account verification, billing updates)
  • Analyze usage trends to improve features and user experience
  • Detect, prevent, and address fraud, abuse, and technical issues
  • Comply with legal obligations and enforce our Terms of Service

5. AI Processing

Tocayo uses artificial intelligence to generate website designs, content, and layouts based on your conversational inputs. To deliver these features, we process:

  • Your business descriptions and chat messages within the Service
  • Images and content you provide for your website
  • Your design preferences and edit requests

AI processing is performed solely to deliver and improve the core Service functionality for you. We do not sell AI-derived insights or any personal information to third parties. You may review and edit all AI-generated content before publishing.

6. How We Share Your Information

We do not sell your personal information. We may share information in the following limited circumstances:

Service Providers

We share data with third-party providers that help us operate the Service, including cloud hosting providers, AI processing services, Stripe (payment processing), and PostHog (product analytics). These providers are contractually obligated to use your data only to perform services on our behalf and in accordance with this Privacy Policy.

Published Websites

When you publish a website through Tocayo, the content you choose to include on your site (business name, descriptions, images, contact information) becomes publicly accessible on the web.

Legal Requirements

We may disclose information if required by law, legal process, or government request, or if we believe disclosure is necessary to protect the rights, property, or safety of Tocayo, our users, or the public.

Business Transfers

In connection with a merger, acquisition, or sale of assets, your information may be transferred to the acquiring entity. We will notify you of any such change via email or prominent notice within the Service.

7. Data Retention

We retain your personal information for as long as your account is active or as needed to provide the Service. Website content and conversation history are retained to support Service features such as site editing and version history.

You may request deletion of your data at any time by contacting us at privacy@tocayo.ai. Upon account deletion, we will remove your personal information within 30 days, except where retention is required by law or necessary to resolve disputes. Published websites will be taken offline upon account deletion.

8. Data Security

We implement commercially reasonable administrative, technical, and physical safeguards to protect your information, including encryption of data in transit (TLS) and at rest, access controls, and regular security reviews. However, no method of electronic transmission or storage is completely secure, and we cannot guarantee absolute security. If you become aware of a security incident affecting your account, please contact us immediately at privacy@tocayo.ai.

9. Data Breach Notification

In the event of a data breach that compromises the security, confidentiality, or integrity of your personal information, we will notify affected users as promptly as reasonably possible and in accordance with applicable state and federal law. Notification may be provided via email, in-app notice, or prominent posting on tocayo.ai, depending on the circumstances and the contact information available to us.

Where required by law, we will also notify the appropriate state attorneys general or other regulatory authorities.

10. Third-Party Services

The Service integrates with or relies on the following third-party services, each of which maintains its own privacy policy:

  • Stripe - payment processing (stripe.com/privacy)
  • PostHog - product analytics (posthog.com/privacy)

We encourage you to review the privacy practices of these providers. We are not responsible for the privacy practices of third-party services.

11. Your Rights and Choices

Depending on your jurisdiction, you may have the right to:

  • Access the personal information we hold about you
  • Correct inaccurate or incomplete information
  • Delete your personal information, subject to certain legal exceptions
  • Opt out of certain data uses, such as marketing communications
  • Data portability - receive a copy of your data in a commonly used, machine-readable format

To exercise any of these rights, contact us at privacy@tocayo.ai. We will respond to requests within 30 days or as required by applicable law. We will not discriminate against you for exercising your privacy rights.

12. Texas and State-Specific Disclosures

Tocayo Labs, LLC is organized under the laws of the State of Texas. If you are a Texas resident, the Texas Data Privacy and Security Act (TDPSA) may provide you with specific rights regarding your personal data, including the rights to access, correct, delete, and obtain a copy of your data, as well as the right to opt out of certain processing activities.

If you are a resident of California, Colorado, Connecticut, Virginia, or another state with applicable consumer privacy legislation, you may have additional rights under those laws. To exercise any state-specific privacy right, please contact us at privacy@tocayo.ai. If we are unable to resolve your request, you may have the right to appeal our decision or file a complaint with your state's attorney general.

13. Age Requirement

The Service is intended for users who are at least 18 years of age. We do not knowingly collect personal information from anyone under 18. If we become aware that we have collected information from a person under 18, we will take steps to delete it promptly. If you believe a minor has provided us with personal information, please contact us at privacy@tocayo.ai.

14. Changes to This Policy

We may update this Privacy Policy from time to time. When we make material changes, we will notify you by posting the updated policy within the app and on tocayo.ai, and by updating the "Effective Date" above. Your continued use of the Service after changes are posted constitutes acceptance of the revised policy.

15. Governing Law

This Privacy Policy and any disputes arising out of or relating to it shall be governed by and construed in accordance with the laws of the State of Texas, without regard to its conflict of law principles. Any legal action or proceeding arising under this Privacy Policy shall be brought exclusively in the state or federal courts located in Travis County, Texas, and you consent to the personal jurisdiction of such courts.

16. Contact Us

If you have questions about this Privacy Policy or wish to exercise your data rights, please contact us at:

Tocayo Labs, LLC

Email: privacy@tocayo.ai

Website: tocayo.ai