Privacy Policy

Layercode, Inc. (“Layercode”, “we”, “us”, or “our”) operates Toyo AI (“Toyo”), the Agent Native Work OS, available at toyo.ai. This Privacy Policy describes how we collect, use, store, and share your information when you use Toyo and our related services (collectively, the “Services”). It also explains your rights regarding your personal information and how to exercise them.

If you do not agree with this Policy, please do not use our Services. Capitalized terms not defined here have the meanings given in our Terms of Service.

1. How We Process Personal Information

“Personal information” means any information that relates to an identifiable individual. Data protection laws differentiate between “controllers” (who decide why and how to process data) and “processors” (who process data on a controller's instructions).

When we process your account information and platform usage data, we act as a controller.

When we process your Customer Content (the files, databases, conversations, and other data you and your agents create within your Toyo environment), we act as a processor on your behalf.

2. What We Collect

2.1 Customer Account Data

This is information about you as a customer. We collect it when you sign up, log in, and use the Services.

Information you provide

• Name and email address: provided during account creation via WorkOS authentication.
• Role and phone number: provided during onboarding.
• Company information: company name, website, and company size, provided during onboarding.

Information we collect automatically

• Geolocation data: approximate location (country, city, timezone) derived from your IP address via Cloudflare headers, collected at account creation.
• Session data: authentication tokens stored in httpOnly cookies.
• Device and browser information: collected through standard web requests.

Information from third parties

• Website content: during onboarding, we may scrape your company's public website using Firecrawl to provide your agents with business context.

2.2 Customer Usage Data

This is data about how you interact with Toyo.

• Session metadata: session titles, statuses, timestamps, and working directories.
• Task and workflow data: tasks, skills (prompt templates), scheduled agent configurations, and webhook triggers you create.
• Integration metadata: records of which third-party services you have connected (e.g. Google, Slack, GitHub, Microsoft 365), including connection status. This does not include credentials; see Section 2.4.
• Usage metrics: token consumption and API usage tracked through OpenRouter for billing purposes.

2.3 Customer Content

This is the data you and your agents create and store within your Toyo environment.

• Agent conversations: messages exchanged between you and your AI agents, stored in session history.
• Files and databases: files on your virtual machine's filesystem and databases you create within Toyo.
• Onboarding call recordings and transcripts: if you complete a voice onboarding call, the recording and transcript are stored.
• AI-generated content: any outputs your agents produce (reports, outreach drafts, data analyses, applications, etc.).
• Business knowledge: the business analysis generated during onboarding, stored on your virtual machine.

2.4 Third-Party Service Credentials

When you authorize Toyo to connect to third-party services (such as Google, Salesforce, Slack, GitHub, or Microsoft 365), we store OAuth access tokens and refresh tokens in our database. These tokens allow your agents to act on your behalf within those services. Tokens are protected by infrastructure-level encryption provided by our database provider (PlanetScale). You can revoke access to any connected service at any time.

3. How We Use Your Information

We use the information we collect for the following purposes:

• Providing the Services: to operate Toyo, provision your isolated virtual machine, run your agent sessions, store your data, and deliver the features you use.
• Authentication and security: to verify your identity, protect your account, and detect fraud or abuse.
• Billing: to track usage and process payments.
• Communication: to send you service-related notifications via email, push notification, Slack, or WhatsApp based on your notification preferences.
• Onboarding: to set up your environment with relevant business context so your agents can work effectively from day one.
• Product improvement: to analyze how the Services are used, improve features, and refine our onboarding process. This may include internal review of onboarding call transcripts for prompt tuning and quality improvement.
• AI model improvement: your data may be used to improve Toyo and the AI models that power it. See Section 4 for details.
• Legal compliance: to meet our legal obligations, respond to lawful requests, and enforce our agreements.

4. AI Models and Data Training

Toyo uses third-party AI models to power agent functionality. When you interact with Toyo, your prompts and agent conversations are sent to these providers for processing.

Your data may be used for training. We may use data processed through our Services to improve Toyo and the AI models that power it. Our third-party AI providers may also use data processed through their APIs to improve their models, subject to their own privacy policies.

If you have questions, please email privacy@toyo.ai.

5. AI Agents and Connected Services

Toyo agents operate within an isolated virtual machine with access to a filesystem, web browser, databases, and any third-party services you authorize. Agents can take actions within these environments on your behalf, including reading and writing files, executing commands, browsing the web, and interacting with connected services.

Human-in-the-loop. By default, agents request your approval before taking actions that could have significant consequences. You control how much autonomy your agents have.

Connected services disclaimer. When you authorize Toyo to connect to third-party services, you acknowledge that agents may take actions within those services on your behalf. While we implement approval mechanisms to prevent unintended actions, Layercode is not responsible for actions taken by agents within third-party services.

Internet access. Agents have internet access through their virtual machine, which enables web research, data enrichment, and interaction with web-based services. This is a core part of how Toyo operates.

6. Data Storage and Security

6.1 Where we store data

We do not currently offer EU or regional data residency options. All primary data processing occurs in the United States.

6.2 Isolation

Each organization receives its own isolated virtual machine. Your files, databases, and agent workspace are separated from all other customers. There is no shared storage or shared processes between organizations.

6.3 Security measures

We use security measures appropriate to the sensitivity of the data, including:

• HTTPS encryption for all data in transit.
• HttpOnly session cookies for authentication (no client-side token storage).
• Infrastructure-level encryption at rest provided by our hosting providers.
• Per-organization environment isolation.
• OAuth-based authentication via WorkOS.

No service is completely secure. While we work to protect your data, we do not guarantee that unauthorized access, data loss, or a breach will never occur.

6.4 Your responsibilities

You are responsible for maintaining the security of your account credentials and for any actions taken through your account. If you believe your account has been compromised, take proactive steps to secure your account and contact us immediately.

7. How We Share Your Information

We do not sell your personal information. We share data only in the following circumstances:

• Service providers and sub-processors: we share data with the providers listed in Section 6.1 as necessary to deliver the Services.
• AI model providers: prompts and conversations are sent to third-party AI providers for processing.
• Legal obligations: we may disclose your information if required by law, regulation, legal process, or government request; to enforce our agreements; to protect the security of our Services; or to protect against harm, fraud, or illegal activity. If legally permitted, we will notify you of such disclosures.
• Business transfers: in the event of a merger, acquisition, or sale of assets, your data may be transferred. We will notify you before your data is subject to a different privacy policy.
• Aggregated or de-identified data: we may share data that has been aggregated or de-identified such that it cannot be used to identify you.

8. Data Retention and Deletion

We retain your data for as long as your account is active and as needed to provide the Services.

Account deletion. When you delete your account, we run an automated deletion process that removes your virtual machine, all stored conversations, databases, files, connected service tokens, and account information. Deletion is immediate and permanent. There is no retention period or soft delete. Once complete, your data cannot be recovered.

Exceptions. We may retain certain data after account deletion where required by law, such as billing records for tax and audit purposes, or data related to an open investigation or legal matter.

Recommendation. We recommend exporting any data you need before deleting your account.

9. Your Rights

Depending on your location, you may have some or all of the following rights regarding your personal information:

• Access: request a copy of the personal information we hold about you.
• Correction: request correction of inaccurate personal information.
• Deletion: request deletion of your personal information.
• Restriction: request that we restrict processing of your personal information.
• Portability: request your data in a structured, machine-readable format.
• Objection: object to processing based on legitimate interests.
• Withdraw consent: where processing is based on consent, withdraw that consent at any time.

To exercise any of these rights, email privacy@toyo.ai with your request along with enough information to determine your identity and rights under applicable laws. We will respond within 30 days (or sooner if required by applicable law). We may need to verify your identity before processing your request.

9.1 Data export

You can export individual databases as JSON and download files from your virtual machine through our API. If you need a comprehensive export of all your data, email privacy@toyo.ai.

9.2 GDPR (European Economic Area and United Kingdom)

If you are located in the EEA or UK, our legal bases for processing your personal information are:

• Contract: processing necessary to provide the Services you have requested.
• Legitimate interests: processing necessary for our legitimate business interests (such as security, fraud prevention, and product improvement), where those interests are not overridden by your rights.
• Consent: where you have given consent, such as for marketing communications.
• Legal obligation: where we are required to process data by law.

You have the right to lodge a complaint with your local data protection authority.

9.3 CCPA/CPRA (California)

If you are a California resident, you have the right to:

• Know what personal information we collect and how we use it.
• Request access to your personal information.
• Request deletion of your personal information.
• Not be discriminated against for exercising your rights.

In the past 12 months, we may have collected the following categories of personal information: identifiers, commercial information, internet or similar network activity, geolocation data, and professional or employment-related information.

We do not sell personal information as defined by the CCPA.

9.4 PIPEDA (Canada)

If you are located in Canada, you have the right to access and correct your personal information, and to withdraw consent for its collection, use, or disclosure. To exercise these rights, contact us at privacy@toyo.ai.

10. International Data Transfers

Your data may be transferred to and processed in the United States, where our primary infrastructure is located. When transferring personal data outside the EEA, UK, or Switzerland, we rely on Standard Contractual Clauses or other appropriate safeguards as required by applicable law.

For transfers from other jurisdictions, we comply with applicable cross-border data transfer requirements.

11. Cookies and Local Storage

Toyo uses a minimal set of cookies and browser storage:

• Authentication cookie: an httpOnly session cookie used to keep you logged in. This is necessary for the Services to function.
• Local storage: temporary storage of your email address and authentication state during the login flow.

We do not use analytics cookies, advertising cookies, or third-party tracking scripts in the Toyo application.

12. Children

Toyo is not directed at children under 16 (or under 13 in the US and UK). We do not knowingly collect personal information from children. If we discover that a child has created an account, we will take reasonable steps to close the account and delete their information.

13. Changes to This Policy

We may update this Policy from time to time. The most current version will always be available at toyo.ai/privacy with the “Last Updated” date at the top. For material changes that affect your rights, we will notify you via email or through the Services before the changes take effect.

14. Contact Us

If you have questions about this Policy, want to exercise your rights, or have a complaint about our data practices, contact us: