CapabilitiesBlogGet early access

Privacy Policy

Last updated: May 6, 2026

Layercode, Inc. ("Layercode", "we", "us", or "our") operates Toyo AI ("Toyo"), the Agent Native Work OS, available at toyo.ai. This Privacy Policy describes how we collect, use, store, and share your information when you use Toyo and our related services (collectively, the "Services"). It also explains your rights regarding your personal information and how to exercise them.

If you do not agree with this Policy, please do not use our Services. Capitalized terms not defined here have the meanings given in our Terms of Service.

1. How We Process Personal Information

"Personal information" means any information that relates to an identifiable individual. Data protection laws differentiate between "controllers" (who decide why and how to process data) and "processors" (who process data on a controller's instructions).

When we process your account information and platform usage data, we act as a controller.

When we process your Customer Content (the files, databases, conversations, and other data you and your agents create within your Toyo environment), we act as a processor on your behalf.

If you require a Data Processing Agreement, contact privacy@toyo.ai.

2. What We Collect

2.1 Customer Account Data

This is information about you as a customer. We collect it when you sign up, log in, and use the Services.

Information you provide

  • Name and email address, provided during account creation.
  • Role and phone number, provided during onboarding.
  • Company information (company name, website, and company size), provided during onboarding.

Information we collect automatically

  • Approximate location (country, city, timezone) derived from your IP address, collected at account creation.
  • Authentication tokens stored in httpOnly cookies.
  • Device and browser information collected through standard web requests.

Information from third parties

During onboarding, we may scrape your company's public website to provide your agents with business context.

2.2 Customer Usage Data

This is data about how you interact with Toyo.

  • Session metadata: session titles, statuses, timestamps, and working directories.
  • Task and workflow data: tasks, prompt templates, scheduled agent configurations, and webhook triggers you create.
  • Integration metadata: records of which third-party services you have connected, including connection status. This does not include credentials; see Section 2.4.
  • Usage metrics: token consumption and API usage tracked for billing purposes.

2.3 Customer Content

This is the data you and your agents create and store within your Toyo environment.

  • Agent conversations: messages exchanged between you and your AI agents, stored in session history.
  • Files and databases: files on your virtual machine's filesystem and databases you create within Toyo.
  • Voice recordings and transcripts: if you complete a voice call with Toyo (including onboarding), the recording and transcript are stored so Toyo can provide the best possible service. All voice interactions with Toyo are recorded.
  • AI-generated content: any outputs your agents produce (reports, outreach drafts, data analyses, applications, etc.).
  • Business knowledge: the business analysis generated during onboarding, stored on your virtual machine.

2.4 Third-Party Service Credentials

When you authorize Toyo to connect to third-party services (such as Google, Salesforce, Slack, GitHub, or Microsoft 365), we store OAuth access tokens and refresh tokens in our database. These tokens allow your agents to act on your behalf within those services. Tokens are protected by infrastructure-level encryption provided by our database and hosting providers. You can revoke access to any connected service at any time.

3. How We Use Your Information

We use the information we collect for the following purposes:

  • Providing the Services: to operate Toyo, provision your isolated virtual machine, run your agent sessions, store your data, and deliver the features you use.
  • Authentication and security: to verify your identity, protect your account, and detect fraud or abuse.
  • Billing: to track usage and process payments.
  • Communication: to send you service-related notifications via email, push notification, or messaging integrations based on your notification preferences.
  • Onboarding: to set up your environment with relevant business context so your agents can work effectively from the start.
  • Service improvement: to analyze how the Services are used, improve features, and refine the customer experience. This may include review of customer data, including text and audio, to improve the quality of our service.
  • AI model improvement: your data may be used to improve Toyo and the AI models that power it. See Section 4 for details.
  • Legal compliance: to meet our legal obligations, respond to lawful requests, and enforce our agreements.

4. AI Models and Data Training

Toyo uses third-party AI models to power agent functionality. When you interact with Toyo, your prompts and agent conversations are sent to these providers for processing.

Your data may be used for training. We may use data processed through our Services, including text and audio, to improve Toyo and the AI models that power it. Our third-party AI providers may also use data processed through their APIs to improve their models, subject to their own privacy policies. We take reasonable steps to request that our providers do not use your data for model training, but we cannot guarantee compliance by all providers in all cases.

If you have questions, please email privacy@toyo.ai.

5. AI Agents and Connected Services

Toyo agents operate within an isolated virtual machine with access to a filesystem, web browser, databases, and any third-party services you authorize. Agents can take actions within these environments on your behalf, including reading and writing files, executing commands, browsing the web, and interacting with connected services.

Human-in-the-loop. By default, agents request your approval before taking actions that could have significant consequences. You control how much autonomy your agents have.

Nature of AI. AI systems are inherently unpredictable. While we implement approval mechanisms and safeguards to reduce the risk of unintended actions, you acknowledge and accept that AI agents may occasionally produce incorrect outputs, take unintended actions, or handle data in unexpected ways. By using the Services, you accept the inherent risks of AI-assisted operations. Layercode's liability for agent actions is subject to the limitations set out in our Terms of Service.

Connected services. When you authorize Toyo to connect to third-party services, you acknowledge that agents may take actions within those services on your behalf. Layercode is not responsible for actions taken by agents within third-party services, or for any data shared with those services as a result of agent actions you have authorized or directed.

Internet access. Agents have internet access through their virtual machine, which enables web research, data enrichment, and interaction with web-based services.

6. Data Storage and Security

6.1 Where we store data

We use trusted infrastructure and service providers to store and process your data. Our primary data processing occurs in the United States. A current list of our sub-processors is available upon request: privacy@toyo.ai.

We do not currently offer EU or regional data residency options.

6.2 Isolation

Each organization receives its own isolated virtual machine. Your files, databases, and agent workspace are separated from all other customers. There is no shared storage or shared processes between organizations.

6.3 Security measures

We use security measures appropriate to the sensitivity of the data, including:

  • HTTPS encryption for all data in transit.
  • HttpOnly session cookies for authentication (no client-side token storage).
  • Infrastructure-level encryption at rest provided by our hosting providers.
  • Per-organization environment isolation.
  • OAuth-based authentication for user login.

No service is completely secure. While we work to protect your data, we do not guarantee that unauthorized access, data loss, or a breach will never occur.

6.4 Your responsibilities

You are responsible for maintaining the security of your account credentials and for any actions taken through your account, including actions taken by AI agents operating under your direction. If you believe your account has been compromised, contact us immediately at privacy@toyo.ai.

7. How We Share Your Information

We do not sell your personal information. We share data only in the following circumstances:

  • Service providers and sub-processors: we share data with trusted service providers as necessary to deliver the Services. A current list is available upon request: privacy@toyo.ai.
  • AI model providers: prompts and conversations are sent to third-party AI providers for processing.
  • Legal obligations: we may disclose your information if required by law, regulation, legal process, or government request; to enforce our agreements; to protect the security of our Services; or to protect against harm, fraud, or illegal activity. If legally permitted, we will notify you of such disclosures.
  • Business transfers: in the event of a merger, acquisition, or sale of assets, your data may be transferred. We will notify you before your data is subject to a different privacy policy.
  • Aggregated or de-identified data: we may share data that has been aggregated or de-identified such that it cannot be used to identify you.

8. Data Retention and Deletion

We retain your data for as long as your account is active and as needed to provide the Services.

Inactive accounts. Accounts with no login activity for 12 months may be deleted. We will notify you by email before any deletion occurs, giving you 30 days to log in and retain your account. If no action is taken, the account and all associated data will be permanently deleted.

Session data. Agent session data (conversation histories and related metadata) is retained for up to 12 months from creation. Sessions older than 12 months may be automatically deleted.

Account deletion. When you delete your account (or when an inactive account is deleted), we run an automated deletion process that removes your virtual machine, all stored conversations, databases, files, connected service tokens, and account information from our systems and those of our sub-processors. Deletion is permanent. Once complete, your data cannot be recovered.

Exceptions. We may retain certain data after account deletion where required by law, such as billing records for tax and audit purposes, or data related to an open investigation or legal matter.

Recommendation. We recommend exporting any data you need before deleting your account.

9. Your Rights

Depending on your location, you may have some or all of the following rights regarding your personal information:

  • Access: request a copy of the personal information we hold about you.
  • Correction: request correction of inaccurate personal information.
  • Deletion: request deletion of your personal information.
  • Restriction: request that we restrict processing of your personal information.
  • Portability: request your data in a structured, machine-readable format.
  • Objection: object to processing based on legitimate interests.
  • Withdraw consent: where processing is based on consent, withdraw that consent at any time.

To exercise any of these rights, email privacy@toyo.ai with your request along with enough information to verify your identity. We will respond within 30 days (or sooner if required by applicable law). We may need to verify your identity before processing your request.

9.1 Data export

You can export individual databases as JSON and download files from your virtual machine through our API. If you need a comprehensive export of all your data, email privacy@toyo.ai.

9.2 GDPR (European Economic Area and United Kingdom)

If you are located in the EEA or UK, our legal bases for processing your personal information are:

  • Contract: processing necessary to provide the Services you have requested.
  • Legitimate interests: processing necessary for our legitimate business interests (such as security, fraud prevention, and product improvement), where those interests are not overridden by your rights.
  • Consent: where you have given consent, such as for marketing communications.
  • Legal obligation: where we are required to process data by law.

You have the right to lodge a complaint with your local data protection authority.

9.3 CCPA/CPRA (California)

If you are a California resident, you have the right to:

  • Know what personal information we collect and how we use it.
  • Request access to your personal information.
  • Request deletion of your personal information.
  • Not be discriminated against for exercising your rights.

In the past 12 months, we may have collected the following categories of personal information: identifiers, commercial information, internet or similar network activity, geolocation data, and professional or employment-related information.

We do not sell personal information as defined by the CCPA.

9.4 PIPEDA (Canada)

If you are located in Canada, you have the right to access and correct your personal information, and to withdraw consent for its collection, use, or disclosure. To exercise these rights, contact us at privacy@toyo.ai.

10. International Data Transfers

Your data may be transferred to and processed in the United States, where our primary infrastructure is located. When transferring personal data outside the EEA, UK, or Switzerland, we rely on Standard Contractual Clauses or other appropriate safeguards as required by applicable law.

For transfers from other jurisdictions, we comply with applicable cross-border data transfer requirements.

11. Cookies and Tracking

Toyo uses a minimal set of cookies and browser storage:

  • Authentication cookie: an httpOnly session cookie used to keep you logged in. This is necessary for the Services to function.
  • Local storage: temporary storage of your email address and authentication state during the login flow.

Our marketing website (toyo.ai) may use tracking technologies, including third-party pixels, for advertising and analytics purposes. These do not apply within the Toyo application (app.toyo.ai). For information about managing cookies and tracking preferences, contact privacy@toyo.ai.

12. Data Breach Notification

In the event of a security breach involving unauthorized access to your personal data by an external actor, we will notify affected users and relevant authorities as required by applicable law (within 72 hours for GDPR). Notification will include the nature of the breach, the data affected, and the steps we are taking in response.

Agent actions that result in unintended data handling are not considered security breaches under this section. Risks associated with AI agent behavior are addressed in Section 5.

13. Children

Toyo is not directed at children under 16 (or under 13 in the US and UK). We do not knowingly collect personal information from children. If we discover that a child has created an account, we will take reasonable steps to close the account and delete their information.

14. Changes to This Policy

We may update this Policy from time to time. The most current version will always be available at toyo.ai/privacy with the "Last Updated" date at the top. For material changes that affect your rights, we will notify you via email or through the Services before the changes take effect.

15. Contact Us

If you have questions about this Policy, want to exercise your rights, or have a complaint about our data practices, contact us:

Email: privacy@toyo.ai

For individuals in the EEA, UK, or Switzerland, you also have the right to lodge a complaint with your local data protection authority.