Free Blueprint — 60-second scan →
ToolbenchBuild my Blueprint
Privacy policy

Privacy Policy

Last updated: May 2026

DRAFT — under legal review prior to launch. Not yet binding.

In plain languageWe collect only what we need to run Toolbench for you, never sell your data, and store everything in a Context Vault you own. Export anytime. Delete anytime. Population-level learning is opt-in per source.

1. Introduction

Toolbench is the AI Platform for the Trades. We deliver an AI Context Vault and AI roles (named, persistent agents that do the work of a team member) to independent service businesses. This Privacy Policy describes what data we collect, how we use it, who we share it with, and the rights you have over your data.

The AI Context Vault is the foundation of how Toolbench works. It stores a structured representation of your business so that AI roles like your AI Marketing Director can do their job. The vault is yours: you can export it, you can delete it, you can revoke any data source at any time. We are a fiduciary of your data, not an extractor.

By using Toolbench, you agree to the practices described here. If you do not agree, do not use the service.

2. What we collect

2.1 Information you provide directly

  • Account information: business name, contact name, email address, phone number, billing address.
  • Payment information: handled by our payment processor (Stripe). We do not store full card numbers; we store a token, the last four digits, and the card brand for display.
  • Business preferences: trade categories, service area, business hours, posture configuration for AI roles (auto-execute vs. flag-for-approval), brand-voice samples.
  • Owner-supplied media: photos you upload via SMS or the dashboard, audio recordings you submit, written content you provide.

2.2 Information from connected sources

When you connect a data source through the AI Context Vault, we ingest data from that source so that your AI roles can use it. You explicitly authorize each connection. You can revoke any connection at any time.

  • Google Business Profile:profile info, hours, services, posts, photos, Q&A, reviews, attributes, messages, performance metrics.
  • Web sources: your business website (scraped content, schema markup, Core Web Vitals data).
  • Listings directories: NAP (name, address, phone) consistency data across third-party directories.
  • Map-pack rank tracking: longitudinal data on where your business ranks for local keywords.
  • Phone calls and SMS (Phase 2+, optional): with your explicit consent, recordings and transcripts of inbound calls handled by your AI Receptionist.
  • Customer relationship data (Phase 3+, optional): customer records, lifecycle interactions, communications you choose to share with the Customer Manager role.
  • Operational data (Phase 4+, optional): job records, scheduling, dispatch, accounting, when you choose to connect your Field Service Management system.

2.3 Information collected automatically

  • Usage data: pages visited, features used, time spent, agent interactions, errors and crashes.
  • Device and connection data: IP address, browser type, operating system, device identifiers.
  • Cookies and similar technologies: see our Cookie Policy at toolbench.co/cookies.

3. How we use your information

We use your information for these purposes, and only these:

  • To provide the service: every AI role queries the AI Context Vault to do its job. Your AI Marketing Director queries marketing-relevant context to optimize your Google Business Profile, draft review responses, and recommend or execute marketing actions. Future roles query the same vault for their respective scopes.
  • To improve the service: we use aggregated, anonymized signals to improve our agent models. Population-level learning across customer vaults is opt-in per source and revocable per source. See Section 5.
  • To communicate with you: service updates, billing, security notices, and (with your consent) product education.
  • To meet legal and regulatory obligations: we may retain or disclose data when required by law.
  • To prevent abuse and enforce our terms: we may use account, device, and usage data to detect fraud, abuse, or security incidents.

We do not use your data to train models that are sold or licensed to third parties. We do not use your data to train models for use in industries other than your own without explicit consent.

4. The AI Context Vault: your data, your control

Every Toolbench customer has a per-business AI Context Vault. The vault is contractor-owned. The following commitments are architecturally enforced, not just policy promises:

4.1 Export on demand

You can request a full export of your vault at any time, in structured formats (CSV for tabular data, JSON for relational data, raw blobs for files, JSON for embeddings with documented dimensions). The export endpoint is available from launch. Your vault is portable: if you choose to leave Toolbench, you can take everything with you.

4.2 Deletion on demand

You can hard-delete your entire vault, or any individual source within it, at any time. Deletion is real, not soft-delete with future re-enablement. Deletion of a source propagates to derived embeddings within thirty (30) days. Your contribution is removed from any population-level models within ninety (90) days.

4.3 Audit log

Every read of your vault by any AI role is logged with the role identity, the query, the rationale, and the timestamp. You can view this log at any time inside the Toolbench app. Every action an AI role takes on your behalf is linked back to the specific vault data that informed the action.

4.4 Permissioning

Each AI role has a scoped view of the vault: the role sees only the data it needs to do its job, enforced at the data layer. Cross-role access is explicit and logged. We do not allow agents to read data outside their authorized scope.

5. Population-level learning

To make our AI roles better for everyone, we use anonymized, aggregated signals from across customer vaults to improve our agent models. For example, an AI Marketing Director can learn that posting on Tuesdays at 9am drives higher engagement for HVAC businesses in Texas, and apply that learning across the platform.

Population-level learning is opt-in per source. By default, only Google Business Profile performance signals participate in population learning when you sign up. Photos, reviews, call recordings, customer records, and job data are excluded by default and require your explicit, per-source opt-in to be included.

You can change your population-learning configuration at any time. Revoking opt-in for a source removes that source’s contribution from population models within ninety (90) days. Your own AI roles always have full access to your own vault, regardless of your population-learning configuration.

Anonymization means:we strip your business identity from any signal that enters the population pool. We do not sell, license, or otherwise transfer population-level learnings to third parties. The learnings stay inside Toolbench’s models, used only to improve the service for our customers.

6. How we share information

We do not sell your information. We do not rent, license, or otherwise transfer your information to third parties for their own marketing or advertising purposes.

We share information in these limited circumstances:

  • Service providers (sub-processors): we use third-party vendors to operate the service. Current sub-processors include payment processing (Stripe), cloud hosting (TBD), email and SMS delivery (TBD), error tracking (TBD), and AI model providers (TBD). A current list is maintained at toolbench.co/subprocessors. Sub-processors are bound by contractual confidentiality and data protection obligations.
  • Connected platforms: when you authorize a connection (for example, Google Business Profile), we exchange data with that platform on your behalf, using your own credentials, to perform the actions you have authorized.
  • Legal compliance and protection: we may disclose information when required by law, when necessary to protect the rights, property, or safety of Toolbench, our customers, or the public, or in connection with a corporate transaction (merger, acquisition, asset sale) where the acquirer is bound by this Privacy Policy.

7. Security

We protect your information with industry-standard practices, including:

  • Encryption in transit (TLS 1.2+) and at rest (AES-256 or equivalent).
  • Per-customer credential isolation:each customer connects their own Google account; we store a refresh token per customer; we do not operate any shared ‘master’ accounts.
  • Access controls: production data access is restricted to a small number of authorized personnel, gated by SSO and MFA, and logged.
  • Audit logging: all access to customer data is logged and retained.
  • Annual third-party security assessment: required for the Google Business Profile API restricted-scope verification, performed by an approved assessor (CASA Tier 2).
  • Incident response: we maintain a documented incident response plan and will notify affected customers as required by applicable law.

No system is perfectly secure. If we discover a security incident affecting your data, we will notify you in a timely manner consistent with our legal obligations.

8. Data retention

We retain your account information and vault data for as long as you are a Toolbench customer. After your account is closed:

  • We retain a minimal set of records (billing, dispute, legal) for the period required by applicable law.
  • Vault data is hard-deleted within thirty (30) days, propagating to derived embeddings on the same schedule.
  • Your contribution to population-level learning, if any, is removed from population models within ninety (90) days.
  • Audit logs of your vault access are retained for one (1) year for security and compliance purposes, then deleted.

9. Your rights

Depending on your location, you may have rights under applicable data-protection laws including the right to access, correct, delete, port, or restrict the processing of your personal information, and the right to object to certain processing. You can exercise these rights at any time by contacting privacy@toolbench.co or by using the controls in the Toolbench app (notably the export and deletion controls in your AI Context Vault settings).

California residents have specific rights under the California Consumer Privacy Act (CCPA), including the right to know what personal information we collect, the right to delete it, and the right to opt out of any sale (we do not sell personal information). EU and UK residents have rights under the GDPR and UK GDPR. We respond to verifiable requests within the timeframes required by law.

10. International data transfers

Toolbench is operated from the United States. If you are accessing the service from outside the United States, your information will be transferred to and processed in the United States. We rely on appropriate safeguards (such as Standard Contractual Clauses) for transfers from the European Economic Area, the United Kingdom, and Switzerland.

11. Children

Toolbench is not intended for individuals under 18 years of age. We do not knowingly collect personal information from children. If you believe we have collected information from a child, please contact us at privacy@toolbench.co and we will delete it.

12. Changes to this policy

We may update this Privacy Policy from time to time. If we make material changes, we will notify you by email and post a notice in the Toolbench app at least thirty (30) days before the changes take effect. The ‘Last updated’ date at the top of this policy reflects the most recent revision.

13. Contact

For questions about this policy, your data, or to exercise your rights, contact us:

This document is a draft prepared as part of the Toolbench launch plan. It must be reviewed by qualified legal counsel before publication. Items marked [TBD] or [TO BE ADDED] require finalization before launch.