Privacy Policy

Information We Collect

We collect information that you provide directly to us, as well as information generated through your use of our services:

• Account information: name, email address, company name, and job title
• Calendar data: meeting titles, attendees, durations, and recurrence patterns (synced from Google Calendar or Microsoft 365)
• Compensation data: salary band or individual compensation information provided via HRIS integration or manual entry
• Usage data: feature interactions, page views, and session information within the Tolly platform
• Device and browser information: IP address, browser type, operating system, and device identifiers
• Communication data: support requests, feedback, and correspondence with our team

How We Use Your Information

• Provide, maintain, and improve the Tolly platform and its features
• Calculate meeting costs and generate analytics dashboards
• Send transactional emails, weekly Meeting Toll digests, and product updates
• Respond to support requests and communicate with you about your account
• Generate aggregated, anonymized benchmarking data (never identifying individual users or organizations)
• Detect, prevent, and address technical issues and security threats
• Comply with legal obligations and enforce our terms of service

Data Sharing

We do not sell your personal data. We share information only in the following circumstances:

• Service providers: trusted third parties that help us operate our platform (e.g., hosting, analytics, email delivery), bound by data processing agreements
• HRIS integrations: data flows through Merge.dev for HRIS connectivity; Merge acts as a data processor on our behalf
• Legal requirements: when required by law, regulation, legal process, or governmental request
• Business transfers: in connection with a merger, acquisition, or sale of assets, with prior notice to affected users
• With your consent: when you explicitly authorize sharing with a specific third party

Cookies & Analytics

We use cookies and similar tracking technologies to operate and improve our services. These include:

• Essential cookies: required for authentication, session management, and security
• Analytics cookies: help us understand how visitors interact with our website (we use privacy-focused analytics tools)
• Preference cookies: remember your settings and display preferences

You can control cookie preferences through your browser settings. Disabling certain cookies may affect the functionality of our services.

Data Security

We implement industry-standard security measures to protect your data, including:

• Encryption in transit (TLS 1.3) and at rest (AES-256)
• Per-organization encryption keys for compensation data
• Role-based access controls and least-privilege internal access policies
• Regular security audits and vulnerability assessments
• SOC 2 Type II compliance program

Your Rights (GDPR / CCPA)

Depending on your location, you may have the following rights regarding your personal data:

• Right of access: request a copy of the personal data we hold about you
• Right to rectification: request correction of inaccurate or incomplete data
• Right to erasure: request deletion of your personal data, subject to legal retention requirements
• Right to data portability: receive your data in a structured, machine-readable format
• Right to restrict processing: request that we limit how we use your data
• Right to object: object to processing based on legitimate interests or for direct marketing purposes
• Right to withdraw consent: withdraw consent at any time where processing is based on consent
• Right to non-discrimination (CCPA): we will not discriminate against you for exercising your privacy rights

To exercise any of these rights, contact us at privacy@trytolly.ai. We will respond to verified requests within 30 days.

Data Retention

We retain your personal data only as long as necessary to provide our services and fulfill the purposes described in this policy. Specifically:

• Account data is retained for the duration of your active subscription and for 90 days after account closure
• Calendar and meeting data is retained for up to 24 months for trend analysis, unless you request earlier deletion
• Compensation data is deleted within 30 days of HRIS disconnection or account closure
• Usage analytics are retained in anonymized form and are not subject to deletion requests

Children's Privacy

Tolly is designed for business use and is not intended for children under the age of 16. We do not knowingly collect personal data from children. If we become aware that we have collected data from a child under 16, we will take steps to delete that information promptly.

Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices or legal requirements. We will notify you of material changes by posting the updated policy on our website and, where appropriate, by sending you an email notification. Your continued use of our services after such changes constitutes acceptance of the updated policy.