Privacy Policy

1. Who we are

Tocho ("we", "us", "our") operates tocho.dev, an AI citation intelligence platform. We help content creators, businesses, and agencies optimize their content for citation by AI platforms like ChatGPT, Perplexity, and Gemini.

2. Data we collect

Account data

When you create an account, we collect your email address. We use passwordless authentication via Supabase — we never store passwords.

Content you analyze

When you submit a URL or paste content for analysis, we process that content to generate your tScore. We do not permanently store the full text of analyzed content. We store: the URL, your score, dimension breakdown, and metadata (language, content type).

Citation observations

Our citation pipeline queries AI platforms (Gemini, Perplexity, ChatGPT) with publicly available URLs to determine citation patterns. This data is aggregated and anonymized. No personal data is included in citation observations.

Usage data

We use Vercel Analytics to collect anonymous page view data. No cookies are used for tracking. We collect: page views, referrer, country (from IP geolocation), and browser type. We do not use Google Analytics or any third-party tracking pixels.

Payment data

Payment processing is handled entirely by Stripe. We never see or store your full credit card number. Stripe may collect additional data as described in their privacy policy.

3. How we use your data

• To provide the Tocho service (content analysis, scoring, optimization)
• To send transactional emails (welcome, score alerts, purchase confirmations)
• To improve our citation prediction model (aggregated, anonymized data only)
• To generate public benchmark reports (Authority Index) using aggregated data

We do not sell your data. We do not share individual data with third parties except as required to provide the service (Supabase for database, Stripe for payments, Resend for email, Anthropic/Google/OpenAI for AI analysis).

4. AI processing

When you use our optimization features, your content is sent to Anthropic (Claude) for AI-powered suggestions. Content is sent as ephemeral data — Anthropic does not retain it for training. See Anthropic's data policy for details.

Our citation pipeline queries AI platforms with publicly available URLs. No personal data is included in these queries.

5. Data retention

Account data is retained as long as your account is active. You can request deletion at any time by emailing support@tocho.dev. We will delete your account and associated data within 30 days.

Citation observations (aggregated, anonymized) are retained indefinitely as they form the basis of our prediction model.

6. Your rights

All users

• Access your data (email support@tocho.dev)
• Delete your account and data
• Export your analysis history
• Opt out of marketing emails

Brazil (LGPD)

Under Brazil's Lei Geral de Proteção de Dados, you have additional rights including: confirmation of data processing, access to your data, correction of inaccurate data, anonymization or deletion of unnecessary data, data portability, and information about shared data. Contact our Data Protection Officer at privacy@tocho.dev.

Canada (PIPEDA / Quebec Law 25)

Under PIPEDA and Quebec's Law 25 (Loi 25), you have the right to access your personal information, challenge its accuracy, and withdraw consent for its use. We conduct privacy impact assessments for new features that process personal data. Contact privacy@tocho.dev.

United States (CCPA)

California residents have the right to know what personal information is collected, request deletion, and opt out of the sale of personal information. We do not sell personal information.

7. Cookies

We use only essential cookies:

• Authentication cookies — managed by Supabase, required for login (SameSite=Lax, Secure, HttpOnly)
• Locale preference — stores your language preference (SameSite=Lax)

We do not use advertising cookies, tracking cookies, or third-party cookies.

8. Security

We implement industry-standard security measures including: HTTPS everywhere, HSTS with preload, Content Security Policy headers, encrypted data at rest, rate limiting on all endpoints, and regular security audits. Our infrastructure runs on Vercel (SOC 2 Type II certified) and Supabase (SOC 2 Type II certified).

9. Children

Tocho is not directed at children under 13. We do not knowingly collect data from children.

10. Changes

We may update this policy. Significant changes will be communicated via email to registered users. The "last updated" date at the top reflects the most recent revision.

11. Contact

For privacy questions, data requests, or complaints:

• Email: privacy@tocho.dev
• Support: support@tocho.dev