This Policy applies to:

• GAO Internet websites, documentation, and dashboards.
• Developer services, including APIs, SDKs, access keys, logs, and reliability or security analytics.
• Infrastructure services such as routing, availability management, abuse prevention, and performance telemetry.
• Node operations, including node identifiers, health signals, and integrity metrics.

This Policy does not cover third-party services that you may access or integrate with through the Services (such as external dApps, wallets, blockchains, or payment providers). Their own privacy policies apply to those services.

We design the Services around the following principles:

• Data minimization — we collect only what is necessary to operate, secure, and improve the Services.
• No behavioral advertising — we do not sell personal data or run cross-site tracking for advertising.
• Security by design — access controls, encryption where appropriate, and continuous monitoring.
• Purpose limitation — data is used only for operations, security, support, and compliance.

A. Website and documentation usage

• Device and browser information such as user agent, operating system, and language.
• IP address and derived coarse location such as country or region.
• Pages requested, referrer information, and timestamps.
• Security signals used for rate limiting, bot detection, and abuse prevention.

B. Developer accounts and administration (if applicable)

• Name, business email address, company name, and role or title.
• Account identifiers and authentication events.
• API key identifiers (stored as hashes where feasible) and key rotation or revocation events.
• Billing and contact details if you purchase a paid plan.

C. Service telemetry and logs (Gateway and Network)

• Timestamps, region, latency indicators, and status or error codes.
• Request metadata necessary for security and debugging (not for advertising profiling).
• Usage metrics such as rate-limit events, quotas, and aggregate throughput.
• Security logs including attack signatures and suspicious activity indicators.

D. Node telemetry (if you operate resources)

• Node identifiers and role or capability metadata.
• Uptime and heartbeat signals, reliability indicators, and integrity measurements.
• Operational events related to scheduling and routing.

E. Payloads and content

• Application payloads may transit infrastructure components depending on system configuration.
• The Services are not designed to collect private keys or plaintext encrypted message contents.
• If you use end-to-end encryption, infrastructure services may only process encrypted data.

We use information to:

• Provide, operate, and maintain the Services.
• Route traffic and optimize system reliability and performance.
• Prevent abuse, fraud, and security attacks and enforce platform policies.
• Troubleshoot incidents and provide customer or developer support.
• Comply with legal obligations and enforce legal rights.

Depending on your location and the context, we process information based on:

• Contractual necessity to provide the Services you request.
• Legitimate interests such as security, fraud prevention, and service reliability.
• Consent for optional cookies or marketing communications where required by law.
• Legal obligations arising from lawful requests or regulatory requirements.

We may use:

• Strictly necessary cookies for security, session integrity, and load balancing.
• Optional analytics cookies only where legally permitted and/or with your consent.

You can manage cookies through your browser settings and any on-site cookie controls where available.

We may share limited information with:

• Service providers supporting operations under confidentiality obligations.
• Professional advisors such as legal counsel and auditors.
• Authorities when required by law or valid legal process.
• Successor entities in the event of a merger or acquisition, subject to safeguards.

We do not sell personal information or share it for cross-context behavioral advertising.

If personal data is transferred across national borders, we apply appropriate legal safeguards, such as contractual protections, where required by applicable law.

We retain information only as long as necessary for:

• Security monitoring and abuse prevention.
• Service reliability and incident investigation.
• Legal and regulatory compliance.
• Contractual and billing obligations.

Retention periods vary by data type and operational needs. Aggregated or de-identified data may be retained longer for analytical purposes.

Depending on your jurisdiction, you may have rights to access, correct, delete, or object to certain processing of personal data. If we act as a processor for a business customer, requests should be directed to that customer.

We apply reasonable technical and organizational measures including access controls, encryption where appropriate, continuous monitoring, and incident response procedures. However, no system is completely secure, and you are responsible for protecting your own credentials and endpoints.

The Services are not directed to children under the age of 13 or the minimum age required by applicable local law.

We may update this Privacy Policy from time to time. When changes are made, the “Last updated” date will be revised accordingly.

• Operator: Toii Labs LLC (Delaware, USA)
• Email: [email protected]
• General support: [email protected]