Privacy Policy

Tocca is an operations platform for agencies and teams. It brings together customer relationship management (CRM), projects and tasks, timesheets, invoicing and expenses, meeting recording and transcription, email intake, and AI-assisted features in one workspace. Tocca is operated by Between Collective LDA.

For any privacy question, or to exercise the rights described below, contact us at privacy@bcagency.io.

We collect the following categories of information:

• Account information. Your name, email address, password (stored only as a salted hash), workspace/company, role, and authentication identifiers when you sign up or sign in — including via third-party providers such as Google.
• Workspace content. The data you and your team create or upload to run your business: CRM contacts, companies and deals, projects, tasks, notes, timesheets, invoices and billing details, expenses and receipts, documents, and similar records.
• Meeting and communication data. If you use meeting recording, the audio you capture or upload, the transcripts and summaries we generate, and speaker labels. If you connect email intake, the messages and attachments you direct to the Service.
• Third-party data you connect. When you authorize an integration (for example Google Workspace or Slack), we access data from that provider strictly to deliver the features you ask for. See “Google user data” below.
• Usage and device data. Log data such as IP address, browser type, pages and features used, timestamps, and performance/diagnostic telemetry, used to operate, secure, and improve the Service.
• Cookies and similar technologies. Strictly necessary cookies for authentication and session management, and limited analytics to understand product usage.

If you connect a Google account, Tocca requests only the OAuth scopes needed for the features you enable. Depending on what you turn on, these may include:

• Sign-in (email, profile). To create and authenticate your account.
• Google Calendar. To read your availability and create, update, or cancel events on your behalf when you use scheduling and meeting features.
• Gmail. To read, label, draft, or send messages only as required by the email and inbox features you explicitly enable.

How we use it. Google user data is used solely to provide and improve the specific user-facing features you request — for example reading your calendar to propose meeting times, or drafting an email you asked the Service to prepare. We access the minimum data necessary and only while you keep the integration connected.

How we store it. OAuth tokens are stored encrypted. Where a feature requires it, we cache the minimum Google content needed to deliver the feature; you can disconnect at any time to stop further access and request deletion of cached content.

How we share it. We do not sell Google user data and do not share it with third parties except service providers (sub-processors) that process it on our behalf to deliver the feature you requested, under contractual confidentiality and data-protection obligations. See “Sub-processors” below.

Limited Use disclosure. Tocca’s use and transfer of information received from Google APIs to any other app will adhere to the Google API Services User Data Policy, including the Limited Use requirements. We do not use Google user data for advertising, we do not sell it, we do not transfer or use it to train generalized artificial-intelligence or machine-learning models, and humans do not read it except where (a) you give explicit consent, (b) it is necessary for security or to comply with applicable law, or (c) the data is aggregated and anonymized for internal operations.

You can review and revoke Tocca’s access to your Google account at any time at myaccount.google.com/permissions.

Tocca uses third-party AI providers to deliver features such as transcription, summarization, drafting, and other assistance. When you use these features, the relevant content (for example meeting audio, transcripts, or text you submit) is sent to those providers’ APIs solely to produce the result you requested. Our AI providers are contractually bound not to use your content to train their general models. AI output can be inaccurate or incomplete and should be reviewed before you rely on it.

• Provide, maintain, and secure the Service and your workspace.
• Deliver the specific features you enable, including connected integrations.
• Authenticate users and enforce workspace (tenant) data isolation.
• Provide customer support and respond to your requests.
• Monitor, debug, and improve performance, reliability, and usability.
• Detect, prevent, and address fraud, abuse, and security incidents.
• Comply with legal obligations and enforce our Terms of Service.

We do not sell your personal information, and we do not use your workspace content or Google user data for advertising.

We rely on a limited set of service providers to run the Service. They process data only on our instructions and under data-protection terms. Current sub-processors include:

• Supabase — database, authentication, and file storage.
• Vercel — application hosting and content delivery.
• OpenAI — language-model and speech-to-text (transcription) processing.
• Anthropic — language-model processing.
• Google — authentication and, where you connect them, Workspace (Gmail/Calendar) APIs.
• Slack — optional messaging integration, where you enable it.

We may update this list as the Service evolves. An up-to-date list is available on request at privacy@bcagency.io.

We retain your information for as long as your account is active or as needed to provide the Service, and thereafter only as required to comply with legal obligations, resolve disputes, and enforce our agreements. You can delete individual records in the application, and you can request deletion of your account and associated data as described below. Backups are purged on a rolling schedule.

We protect data with industry-standard measures, including encryption in transit (TLS) and at rest, row-level security to isolate each workspace’s data from other tenants, hashed credentials and API keys, scoped access controls, and audit logging. No method of transmission or storage is perfectly secure, but we work to protect your information and to respond promptly to any incident.

Depending on your location, you may have rights to access, correct, export, restrict, or delete your personal information, to object to certain processing, and to withdraw consent. To exercise these rights:

• Manage or delete records directly in the application.
• Disconnect integrations (including Google) at any time from the Service settings or, for Google, at myaccount.google.com/permissions.
• Email privacy@bcagency.io to request access, export, or deletion of your account data.

We will respond within the timeframe required by applicable law. If your workspace is administered by your employer or agency, some requests may need to be directed to that workspace administrator, who is the controller of that data.

We and our sub-processors may process and store information in countries other than your own. Where we transfer personal data across borders, we rely on appropriate safeguards (such as Standard Contractual Clauses) as required by applicable law.

The Service is intended for business use by adults and is not directed to children. We do not knowingly collect personal information from children under 16. If you believe a child has provided us information, contact us and we will delete it.

We may update this Privacy Policy from time to time. When we make material changes, we will update the effective date above and, where appropriate, notify you. Your continued use of the Service after changes take effect constitutes acceptance of the updated policy.

Questions about this policy or our data practices? Email privacy@bcagency.io or support@bcagency.io. Postal address available on request.