Privacy Policy
Last updated: January 2026
Quick Summary
- •We collect your name and email when you sign in with Google, plus the arguments and diagrams you create.
- •Analytics (Google Analytics) are opt-in only. You can change your choice anytime via Cookie Settings in the footer.
- •AI Coach conversations and drafts are automatically deleted after 30 days.
- •You can request access to or deletion of your data at any time.
- •Privacy questions? support@toulmin.app
1. Introduction
At Toulmin Lab, we respect your privacy and are committed to protecting your personal data. This privacy policy explains how we collect, use, store, and safeguard your information when you use our service.
We are committed to transparency and compliance with data protection laws, including the General Data Protection Regulation (GDPR) for users in the European Economic Area and the United Kingdom, and applicable privacy laws in the United States and other jurisdictions.
2. Information We Collect
We collect the following types of information:
Account Information: When you sign in with Google, we collect your name and email address from your Google account. This information is used to create and manage your account.
User Content: We store the arguments, diagrams, and related content you create using our service. This is the core data necessary to provide the service to you.
AI Coach Data: If you use the AI coaching feature, we temporarily store your conversation messages and argument drafts to provide the coaching experience. This data is automatically deleted after 30 days.
Technical and Diagnostic Information: We collect error reports, performance data, and diagnostic information through Sentry to monitor service health, identify bugs, and improve reliability. This may include session replays (with all text and media automatically masked for privacy).
Optional Analytics: With your consent, we collect anonymized usage analytics through Google Analytics (via Google Tag Manager) and Vercel Analytics to understand how features are used and improve the user experience. These analytics are opt-in only and require your explicit consent.
3. How We Use Your Information
We use your information for the following purposes:
Service Delivery: To provide, maintain, and improve Toulmin Lab's core features, including user authentication, data storage, and the AI coaching feature.
Communication: To send you important service updates, respond to your requests, and provide customer support.
AI Processing: To process your inputs through our AI coaching feature using Google's Gemini AI models (via the Vercel AI SDK). Your coaching conversations are used solely to generate helpful responses and are not used to train AI models.
Service Improvement: To analyze (with your consent) how the service is used, identify areas for improvement, and develop new features. All analytics are anonymized and cannot be linked back to individual users.
Security and Compliance: To detect, prevent, and address technical issues, security threats, fraud, or violations of our terms of service.
4. Data Storage and Security
Your data is stored securely using industry-standard encryption and security practices:
Database: User accounts and saved arguments are stored in MongoDB with encryption at rest and in transit. We use reputable cloud infrastructure providers to ensure high availability and security.
Backup and Redundancy: Your data is backed up regularly to prevent data loss and ensure service continuity.
Access Controls: Access to your data is strictly limited to authorized personnel and systems necessary to provide and maintain the service.
Encryption: All data transmission occurs over secure HTTPS connections. Sensitive data is encrypted both in transit and at rest.
5. Cookies and Tracking Technologies
We use cookies and similar technologies for the following purposes:
Essential Cookies: Session cookies are required to keep you signed in and provide core functionality. These cannot be disabled.
Consent Cookie: We store your analytics consent choice in a cookie named 'tl_analytics_consent'. This cookie remembers whether you've accepted or rejected optional analytics.
Analytics Cookies (Opt-in): If you consent to analytics, Google Analytics cookies (such as '_ga', '_gid') and Vercel Analytics cookies may be set to collect anonymized usage data. These cookies are only activated after you explicitly accept them.
You can change your analytics consent at any time by clicking 'Cookie Settings' in the website footer. You can also control cookies through your browser settings, though disabling essential cookies may affect site functionality.
6. Analytics and Consent
Analytics collection is strictly opt-in and requires your explicit consent:
Consent Required: When you first visit Toulmin Lab, analytics are disabled by default. You will see a consent banner asking you to accept or reject optional analytics.
What We Track (If You Consent): With your consent, we collect anonymized data about page views, feature usage, and user interactions. We do NOT collect the content of your arguments, messages, or any personally identifiable information in analytics.
Google Analytics (via Google Tag Manager): We use Google Analytics to understand aggregate usage patterns. Google may use this data according to their own privacy policies.
Vercel Analytics: We use Vercel's privacy-friendly analytics to monitor site performance and usage.
Withdrawing Consent: You can withdraw your consent at any time by clicking 'Cookie Settings' in the footer and choosing 'Reject'. This will stop all future analytics collection and delete analytics cookies.
7. Third-Party Services and Data Processors
We use the following trusted third-party services to provide and improve Toulmin Lab:
Google (Firebase Authentication, Google Analytics, Google AI): For secure sign-in, optional analytics (with consent), and AI-powered coaching features. Google processes data according to their privacy policies.
Vercel: For application hosting and optional analytics (with consent).
MongoDB: For secure database storage of your account and content data.
Sentry: For error monitoring and performance tracking to maintain service quality.
Resend: For sending transactional emails such as password resets and account notifications.
Each of these service providers has been selected for their strong security practices and compliance with data protection regulations. We have appropriate data processing agreements in place where required.
8. Data Retention
We retain your data for different periods depending on the type:
Account Data and Saved Arguments: Retained while your account is active and for a reasonable period after account deletion to comply with legal obligations and prevent accidental data loss. You can request immediate deletion.
AI Coach Data: Conversation messages and argument drafts are automatically deleted after 30 days using database time-to-live (TTL) indexes. This ensures your coaching conversations are not retained longer than necessary.
Analytics Data: Anonymized analytics events are retained for 30 days, after which they are automatically deleted.
Diagnostic Data: Error logs and performance data collected through Sentry are retained according to Sentry's retention policies, typically 30-90 days.
Deleted Data: When you delete your account or we delete data per our retention policies, the data is permanently removed from our active systems and backups within a reasonable timeframe.
9. International Data Transfers
Toulmin Lab may process and store your data in countries outside your own, including the United States and other locations where our service providers operate.
When we transfer data internationally, we ensure appropriate safeguards are in place, such as standard contractual clauses, adequacy decisions, or other approved transfer mechanisms under applicable data protection laws.
By using Toulmin Lab, you acknowledge and consent to the transfer, storage, and processing of your data in these jurisdictions. We take steps to ensure your data receives an adequate level of protection regardless of where it is processed.
10. Your Privacy Rights
Depending on your location, you may have the following rights regarding your personal data:
Access: You can request a copy of the personal data we hold about you.
Correction: You can update or correct inaccurate personal data through your account settings or by contacting us.
Deletion: You can request deletion of your personal data. We will delete your data unless we have a legal obligation to retain it.
Data Portability: You can request a copy of your data in a structured, commonly used format.
Restriction of Processing: You can request that we limit how we use your data in certain circumstances.
Object to Processing: You can object to our processing of your data for certain purposes, including analytics (which you can control via Cookie Settings).
Withdraw Consent: Where processing is based on consent (such as analytics), you can withdraw consent at any time through Cookie Settings.
To exercise any of these rights, please contact us using the contact information provided in this policy. We will respond to your request within the timeframe required by applicable law, typically within 30 days.
11. Security Measures
We implement appropriate technical and organizational measures to protect your personal data:
Encryption: All data transmission uses industry-standard HTTPS/TLS encryption. Data at rest is encrypted using secure encryption algorithms.
Access Controls: We use role-based access controls and authentication to ensure only authorized personnel can access systems containing personal data.
Monitoring: We actively monitor for security threats, unusual activity, and potential vulnerabilities.
Regular Updates: We keep our systems and software up to date with the latest security patches.
Incident Response: We have procedures in place to detect, respond to, and notify you of any data breaches as required by law.
While we take security seriously and implement industry best practices, no method of transmission or storage is 100% secure. We cannot guarantee absolute security but continuously work to protect your data.
12. Children's Privacy
Toulmin Lab is designed for use by students and educators, including those under the age of 13.
Parental Consent: If you are under 13 years of age (or the applicable age of digital consent in your jurisdiction), you must use this service only with the consent and supervision of a parent or legal guardian.
Data Minimization: We do not knowingly collect more personal information from children than is necessary to provide the service.
School Use: When Toulmin Lab is used in an educational setting, we rely on the school or educational institution to obtain any necessary parental consents and to comply with applicable laws such as COPPA (in the United States) and GDPR (in the European Union).
If you believe we have collected personal information from a child without proper consent, please contact us immediately so we can delete the information.
13. Changes to This Policy
We may update this privacy policy from time to time to reflect changes in our practices, legal requirements, or service features.
Notification: We will notify you of any material changes by posting the updated policy on this page and updating the 'Last updated' date at the top.
Your Continued Use: Your continued use of Toulmin Lab after changes become effective constitutes your acceptance of the updated policy.
Review Regularly: We encourage you to review this policy periodically to stay informed about how we protect your information.
14. Contact Us
If you have any questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us.
We are committed to working with you to resolve any privacy concerns promptly and fairly.