1. Who we are
Toado (“we,” “us,” “our”) is a product of JH Media Group, LLC, a Wyoming limited liability company. This policy explains how we collect, use, and protect personal data when you use toado.dev, app.toado.dev, the Toado Chrome extension, the Toado MCP server, and related services (collectively, the “Services”).
2. Personal data we collect
We collect the following categories of personal data:
- Account data: name, email, company name, hashed password, and authentication tokens.
- Bug capture data: screenshots, console logs, network HAR, JS error stack traces, DOM snapshots, page URLs, viewport size, browser version, and any annotations you create. This is the primary content of the Service and is provided by you.
- Usage and diagnostic data: feature usage, error logs, request timestamps, IP addresses, user agents, and audit-trail entries used to operate, secure, and improve the Service.
- Billing data: collected and processed by our payment provider (Stripe). We retain only the last 4 digits, brand, and expiration of your card via Stripe’s tokenized references; we do not store full payment instruments.
- Communications: the contents of any messages you send us (support, sales, feedback).
3. Browser extension uninstall feedback
When you uninstall the Toado browser extension from Chrome, your browser automatically opens a one-time feedback page at toado.dev/x/uninstall. This is the only URL Chrome allows extension authors to open at uninstall time, and we use it to ask why you’re leaving so we can improve the product.
The page is optional. You can close it without submitting. If you do submit, we receive the text you wrote and the version of the extension you had installed (so we can correlate feedback with specific releases). We do not collect identifying information, IP addresses, or cookies on that page, and we do not associate the feedback with your Toado account, even if you happen to be signed in to Toado in the same browser. Feedback is delivered to an internal email address and is not shared with third parties.
4. How we use personal data
We process personal data to:
- Provide, secure, and improve the Service;
- Authenticate you and protect against fraud and abuse;
- Communicate with you about your account, transactions, and product updates;
- Comply with legal obligations and respond to lawful requests.
We do not sell personal data, and we do not use it for advertising or third-party profiling.
5. Legal bases (EEA / UK)
For users in the EEA or UK, we process personal data under one or more of the following legal bases under GDPR / UK GDPR: (a) performance of a contract with you; (b) our legitimate interests in operating and improving the Service; (c) compliance with our legal obligations; and (d) where required, your consent.
6. Cookies and similar technologies
The marketing site (toado.dev) does not currently use tracking cookies or third-party analytics that profile visitors. The application (app.toado.dev) uses strictly necessary cookies for authentication and session management (HttpOnly, SameSite=Lax). Lax is required so that the Chrome extension’s OAuth consent flow can return you to the app while still authenticated; Strict would break that flow. If we add analytics in the future, we will use a privacy-friendly provider (e.g., Plausible, Fathom) that does not require a cookie banner under most regimes; this page will be updated accordingly.
Do Not Track: some browsers transmit a “Do Not Track” (DNT) signal. Because there is no consistent industry standard for how DNT signals should be honored, we do not respond to DNT signals. You can still opt out of any tracking we add in the future using the controls described here, and California residents may exercise rights described in § 13.
7. Data you redact before upload
Toado redacts sensitive HTTP headers (Authorization, Cookie, Set-Cookie, x-api-key, webhook signature headers, and others), URL query parameters that match common credential names (token, access_token, api_key, and similar), URL fragments (where OAuth implicit-flow tokens often live), and credential-shaped JSON keys inside request and response bodies. This redaction runs in the extension on your local machine before any capture leaves your browser. The same rules are re-applied on our servers as a defense-in-depth check. You can extend the list with workspace-specific header names from the extension’s Options page.
The annotation tools on each ticket include a black-out shape that visually covers regions of the captured screenshot. This is a visual layer on top of the original capture; the captured image itself is preserved unchanged in your workspace’s storage so that ticket history stays intact. Black-out shapes are not a substitute for redacting sensitive information before it reaches the page being captured. Annotations and the underlying ticket are editable by anyone in your workspace who has edit permission.
8. Iframe content
When you capture a page, Toado captures the same console, network, and JavaScript-error data from any iframes that page embeds (for example, an embedded payment widget, a third-party support chat, or an analytics dashboard). This applies to iframes from any origin the host page chose to embed; we capture only what the host page already loaded as part of itself.
Why this matters: many web applications render their most important interactive content inside iframes (Stripe Elements, embedded analytics, microfrontends). Capturing only the top frame would silently miss the very logs you are trying to debug.
The same client-side header redaction that protects your top-frame requests applies to iframe requests. Sensitive headers (Authorization, Cookie, x-api-key, and any extra patterns you configure in the extension’s Options page) are stripped before any data leaves your browser. Server-side redaction runs again on receipt as a second line of defense.
9. How we share data
We share personal data only with:
- Subprocessors we use to operate the Service. The current list is on our Security page.
- Authorized members of your team, under your control and the role-based access we provide.
- Government, law enforcement, or regulators, when legally required and after appropriate review.
- Acquirers, in the event of a corporate transaction (merger, acquisition, asset sale), under contractual obligations equivalent to this policy.
10. International data transfers
Our infrastructure is currently hosted in the United States. If you access the Service from outside the US, your data will be transferred to and processed in the US. For transfers from the EEA, UK, or Switzerland, we rely on Standard Contractual Clauses (SCCs) and equivalent mechanisms. A Data Processing Addendum is available on request from contact@jhmediagroup.com.
11. Security
We implement administrative, technical, and physical safeguards designed to protect personal data, including TLS 1.2+ encryption in transit, encryption at rest for stored captures and database volumes, role-based access controls, rate limiting, audit logging, and least-privilege access for our team. The full posture is documented on our Security page. No system is perfectly secure; we cannot guarantee absolute security.
12. Retention
We retain bug capture data for as long as your account is active, plus 30 days after deletion to allow account recovery. Audit logs are retained for 365 days regardless of plan. Billing records are retained for 7 years to meet tax and accounting requirements. Anonymized, aggregated data may be retained indefinitely for analytics purposes.
13. Your rights
Depending on your location, you may have the right to access, correct, delete, export, restrict processing of, or object to processing of your personal data, and to lodge a complaint with a supervisory authority. You can view and correct your account information from the user settings page. For deletion, export, or restriction-of-processing requests, contact contact@jhmediagroup.com and we’ll respond within 30 days.
California residents have additional rights under the CCPA / CPRA, including the right to know, delete, correct, and opt out of “sale” or “sharing” of personal information. We do not sell or share personal information as those terms are defined under California law.
Categories of personal information we collect (CCPA notice). In the last 12 months we have collected the following categories of personal information, and we disclose them to subprocessors solely for the business purposes described in § 4:
- Identifiers (e.g., name, email, account ID, IP address).
- Customer-records information (Cal. Civ. Code § 1798.80) (e.g., billing name, hashed password).
- Commercial information (e.g., subscription plan, transaction history).
- Internet or other electronic network activity (e.g., feature usage, session timestamps, error logs).
- Geolocation (city-level, derived from IP; we do not collect precise GPS).
- User-supplied content (the bug captures, annotations, and comments you submit; this content may incidentally include other categories of personal information depending on what was on the page captured).
We do not collect biometric, sensory, professional, education, or sensitive personal information categories. We do not sell or share any personal information. We do not use personal information for cross-context behavioral advertising.
14. Children
Toado is not directed to and is not intended for use by anyone under 16. We do not knowingly collect personal data from children under 16. If you believe we have inadvertently collected such data, contact us and we will delete it.
15. Automated decision-making
We do not engage in solely automated decision-making that produces legal or similarly significant effects on you within the meaning of GDPR Article 22.
16. Changes to this policy
We may update this policy from time to time. Material changes will be communicated by email to active account holders and posted at the top of this page with an updated revision date. Your continued use of the Service after a change constitutes acceptance of the updated policy.
17. Contact
Privacy questions or requests: contact@jhmediagroup.com.
Postal: JH Media Group, LLC, Attn: Privacy, 1740 Dell Range Blvd Ste H 13-84075, Cheyenne, WY 82009, USA.