Privacy Policy
Last Updated: March 24, 2026
TocoAI (hereinafter referred to as “we”, “us”, “our”, or “TocoAI”) is operated by TocoAI Pte. Ltd. This Privacy Policy explains how we collect, use, disclose, store, and protect your personal information (“Personal Data”). We are committed to complying with the Singapore Personal Data Protection Act (PDPA 2012 and its amendments), as well as other applicable privacy laws such as the California Consumer Privacy Act (CCPA/CPRA) where relevant, and to protecting your privacy.
By using our Service (including the website https://tocoai.dev, AI Architect domain model generation, automatic backend code generation, flowchart/sequence diagram generation, and other features), you consent to the practices described in this Privacy Policy. If you are using the Service on behalf of an entity, you represent that you have the authority to consent on behalf of that entity.
1. Personal Data We Collect
We may collect the following categories of data:
1.1 Data You Provide Directly
- Account Information: Name, email address, password (stored in hashed form), and optional company/organization information.
- Payment Information: Credit card or payment details processed through third-party payment processors (such as Paddle). We do not directly store full card numbers.
- Input Content (Inputs): Requirement descriptions, prompts, existing code snippets, project context, or other materials you submit to generate outputs.
- Feedback and Support: Comments, bug reports, customer service communications, and support tickets.
- Other: Any other information you voluntarily provide (such as preference settings or model training opt-in choices).
1.2 Data Automatically Collected
- Device and Log Information: IP address, browser type, operating system, device ID, access times, page views, click behavior, and error logs.
- Usage Data: Records of your interactions with the Service (such as number of generation requests, languages/frameworks used, and feature usage frequency).
- Cookies and Similar Technologies: Used for session management, analytics, and personalization (see Section 7 – Cookie Policy for details).
- Inferred Location: Approximate geographic location based on IP address (used only for security, fraud detection, and performance optimization, not for marketing).
1.3 Data We Do Not Collect
We do not actively collect sensitive personal data (such as health, racial, religious, or biometric information).
We do not offer the Service to users under the age of 18. If we discover such data, we will promptly delete it.
2. How We Use Your Personal Data
We use your Personal Data only on lawful bases and primarily for the following purposes:
- To provide, maintain, and improve the Service (e.g., processing your inputs, generating outputs, and syncing changes).
- To manage accounts, verify identity, and process subscriptions and payments.
- To respond to your inquiries, support requests, and send service-related notifications.
- To analyze usage patterns, debug issues, and enhance AI accuracy and architecture generation quality (using de-identified or aggregated data).
- To detect, prevent, and respond to fraud, abuse, and security incidents.
- To comply with legal obligations, respond to government requests, and protect rights and safety.
- For other purposes with your consent (such as marketing emails, which you can unsubscribe from at any time).
AI Model Training – Special Note
We do not use your Inputs, Outputs (including generated code, domain models, diagrams, etc.), or any content you create to train or improve our AI models, nor do we allow any third party to use them for training.
3. How We Share Your Personal Data
We do not sell your Personal Data. We may share it in the following circumstances:
- With Service Providers: Cloud hosting providers (AWS, Google Cloud, etc.), payment processors (Paddle), analytics tools (Google Analytics), and customer support platforms — limited to what is necessary and minimized.
- With Affiliates: Entities under common control with TocoAI.
- Business Transfers: In the event of a merger, acquisition, or sale of assets.
- Legal Requirements: When required by court order, regulatory authorities, or to protect life, property, or legal rights.
- When You Actively Share: Through integrations or export features.
- With Your Explicit Consent: In other situations where you have clearly agreed.
4. Data Storage and International Transfers
Your Personal Data and Content (including Inputs, Outputs, and account information) are primarily stored in data centers operated by Amazon Web Services (AWS), Google Cloud, and Microsoft Azure, mainly in the United States to optimize performance, availability, and cost.
We support data residency options: AWS, Google Cloud, and Azure provide multiple global regions. If you have specific compliance or performance requirements (e.g., data storage in the Asia-Pacific region or the European Union), please contact us at contact@tocoai.dev. We will evaluate and assist in configuring the appropriate region.
When transferring data from your location to the United States or other processing locations, we use EU Standard Contractual Clauses (SCCs) or other appropriate lawful transfer mechanisms to ensure compliance with the Singapore PDPA, EU GDPR (where applicable), Japan’s APPI (where applicable), and other relevant regulations.
Overview of U.S. Personal Information Protection: The United States has laws such as the Federal Privacy Act, but government access to personal data may be broader than under PDPA or GDPR. We ensure an equivalent level of protection through the following measures:
- Encryption in transit and at rest (TLS 1.3 + AES-256)
- Strict access controls (IAM roles and principle of least privilege)
- Real-time monitoring and auditing of access logs
- Employee confidentiality agreements and regular security training
- International certifications of our cloud providers, including SOC 2 Type II, ISO 27001/27017/27018, etc.
5. Data Security
We implement reasonable technical, organizational, and administrative measures to protect your Personal Data, including encryption in transit (TLS), access controls, and regular audits. Both AWS and Google Cloud offer enterprise-grade security features (such as data-at-rest encryption, IAM controls, and certifications including SOC 2 and ISO 27018). However, no method of transmission or storage over the internet is 100% secure. You are responsible for keeping your account credentials safe.
6. Your Rights
Depending on your jurisdiction and applicable laws (including PDPA and others), you may have the following rights:
- Access, correct, or update your Personal Data.
- Withdraw consent (this does not affect the lawfulness of processing carried out before withdrawal).
- Request deletion (subject to legal exceptions).
- Object to certain processing (e.g., marketing).
- Data portability (where applicable).
EU residents may lodge a complaint with the Irish Data Protection Commission or another competent supervisory authority.
To exercise your rights, please email us at contact@tocoai.dev. We will respond within a reasonable time (usually within 30 days) and may request identity verification. We will not discriminate against users who exercise their rights.
7. Cookies and Tracking Technologies
We use cookies, pixel tags, and similar technologies to collect usage information. You can manage cookies through your browser settings. Please note that disabling necessary cookies may affect the functionality of the Service.
8. Children’s Privacy
The Service is not directed at children under the age of 13 (or the minimum age required by local law). We do not knowingly collect data from children. If we become aware that we have collected such data, we will delete it immediately.
9. Changes to This Policy
We may update this Privacy Policy from time to time. We will notify you of material changes via email or in-service notice. Your continued use of the Service after such changes constitutes acceptance of the updated policy.
10. Contact Us
If you have any questions or complaints, or wish to exercise your rights, please contact us at:
Email: contact@tocoai.dev
We take all privacy-related matters seriously. Thank you for trusting TocoAI.