This policy explains what personal data Toxic Ideas ("we", "us") collects, why, and what choices you have. It applies to toxicideas.ai and the Toxic Ideas web application.
1. Data controller
Toxic Ideas — by Possibly, Sinnhub 2, 5541 Altenmarkt, Austria. Contact: support@toxicideas.ai.
2. What data we process
- Account data: name, email, hashed password, created and last-active timestamps.
- Workspace content: startups, activities, documents, uploaded files, AI chat history, notes — everything you write into the product.
- Billing data: plan, credit balance, subscription status. Card and tax data are handled by our payment processor (see §5).
- Technical data: IP address, user-agent, request metadata, error logs (collected by our hosting and CAPTCHA providers).
- Support correspondence: emails you send to support@toxicideas.ai.
3. Purposes & legal bases
- Providing the service (Art. 6(1)(b) GDPR — contract): authentication, storing your workspace, generating AI output you requested.
- Billing & tax (Art. 6(1)(c) GDPR — legal obligation): invoicing, accounting, tax records.
- Security & fraud prevention (Art. 6(1)(f) GDPR — legitimate interest): bot mitigation, abuse detection, audit logs.
- Product communication (Art. 6(1)(b) / (f) GDPR): transactional emails about your account.
4. AI features
Toxic Ideas sends content you create (notes, activity drafts, chat prompts, uploaded documents you reference) to third-party large language models so they can generate the responses, summaries, and suggestions the product is built on. Inputs and outputs are stored in your workspace under your account.
We route all AI calls through Vercel AI Gateway, which forwards them to providers including OpenAI and Anthropic. These providers are configured under zero-data-retention agreements where available, so your prompts are not used to train their models.
AI output may be inaccurate, incomplete, or misleading. Do not rely on it as legal, financial, or professional advice.
5. Service providers (processors)
We use the following third parties to operate the service. They process your data on our behalf under contractual data-protection terms.
| Provider | Purpose | Location |
|---|---|---|
| Supabase | Database, authentication, file storage | EU (Frankfurt) |
| Vercel | Application hosting, edge network, logs | USA / global edge |
| Vercel AI Gateway | Routing of AI requests to providers | USA / global edge |
| OpenAI | AI text generation | USA |
| Anthropic | AI text generation | USA |
| Cloudflare Turnstile | Signup CAPTCHA / bot mitigation | USA / global edge |
| PostHog | Product analytics, UTM attribution, session replay | EU (Frankfurt) |
| Vercel | Web hosting, edge delivery, privacy-preserving web analytics and Core Web Vitals (cookieless) | USA / global edge |
| Polar | Payments, invoicing, tax (Merchant of Record) | USA |
Polar Software, Inc. acts as our Merchant of Record and is the independent data controller for payment, billing, and tax data collected during checkout. See polar.sh/legal/privacy.
6. International transfers
Some of our processors are based in the United States. Where data leaves the EEA, transfers are protected by the EU-U.S. Data Privacy Framework (where the recipient is certified) and/or by Standard Contractual Clauses adopted by the European Commission.
7. Retention
Workspace content is retained while your account is active and for up to 30 days after deletion to allow recovery, then permanently removed. Billing records are retained for 7 years to comply with Austrian tax law (§132 BAO). Server logs are retained for up to 30 days.
8. Your rights
Under the GDPR you have the right to access, rectify, erase, restrict processing, object to processing, and receive your data in a portable format. Email support@toxicideas.ai and we'll respond within 30 days.
You may also lodge a complaint with the Austrian data protection authority (Datenschutzbehörde), dsb.gv.at, or the supervisory authority of your EU country of residence.
9. Cookies
Necessary cookies (always active)
These cookies are required for the application to function and cannot be disabled:
- Authentication session (Supabase) — keeps you logged in.
- CAPTCHA challenge (Cloudflare Turnstile) — verifies the signup form.
- Checkout session (Polar) — set during the payment flow on Polar's domain.
- Cookie consent preference (cc_cookie) — stores your cookie consent choice so we don't ask again.
Analytics cookies (only with your consent)
With your permission, we use PostHog — a privacy-focused analytics platform hosted in the EU (Frankfurt) — to understand how visitors use the site (page views, navigation patterns, UTM attribution). PostHog may also record anonymised session replays (clicks, scrolls, page transitions) to help us identify usability issues. PostHog does not set advertising or cross-site tracking cookies.
Analytics cookies are not loaded until you give consent via the cookie banner. No tracking data is sent before you accept.
Cookieless analytics (no consent required)
We also use Vercel Web Analytics and Vercel Speed Insights to measure aggregate traffic and real-user page performance (Core Web Vitals). These tools do not set any cookies and do not store identifiers in your browser. Vercel generates a daily, server-side hash from request metadata to count unique visitors; the underlying IP address is discarded and the hash cannot be linked back to you across days. Because no personal data is stored on your device or linked to you personally, these measurements run without a consent prompt under the same legitimate-interest basis used for server access logs.
Changing your preferences
You can change or withdraw your cookie consent at any time by clicking "Manage preferences" in the cookie banner or by clearing your browser cookies. We do not run any advertising trackers.
10. Security
Data is encrypted in transit (TLS) and at rest. Access to production systems is restricted, MFA-protected, and logged. We follow industry-standard practices for credential storage and key management.
11. Changes to this policy
We may update this policy as the product or legal landscape changes. Material changes will be announced in-app or by email before they take effect. The "last updated" date at the top of this page reflects the current version.
Need a Data Processing Agreement?
If you process personal data of EU residents using Toxic Ideas in a business context, email support@toxicideas.ai and we'll send a signed DPA.