Privacy Policy

Categories of Personal Data Processed

• Technical data necessary for access provision, authentication, abuse prevention, and security, such as temporary tokens, session identifiers, IP address, and device or browser information.
• Contact or identifier data voluntarily provided by the user or partner (such as an email address or nickname), where applicable and limited to the selected functionality.
• Technical logs and service diagnostics used to ensure reliability, integrity, and security of the service, which may include IP address and request metadata.

Legal Bases for Processing

Personal data is processed on the following legal bases in accordance with Article 6 of the GDPR:

• Performance of a contract (Article 6(1)(b)) — where processing is necessary to provide access, authentication, or related services requested by a user or partner.
• Legitimate interests (Article 6(1)(f)) — where processing is necessary to ensure service security, prevent abuse, maintain operational stability, and protect infrastructure.
• Consent (Article 6(1)(a)) — where personal data is provided voluntarily for optional features or communications, and where consent is required under applicable law.

Launch Partner Data

For participants in the Launch Partner program, certain data such as name, logo or photo, public links, and contact details may be processed for the purpose of program administration, communication, and optional public display on the Launch Partners wall.

• Participation data is provided voluntarily and may be modified or removed through available profile settings or by contacting support.
• Visibility controls are available to determine whether participation information is publicly displayed or kept private.
• Launch Partner data may be deleted or anonymised upon request, subject to contractual or legal retention obligations.
• Personal data may be processed by trusted service providers acting as subprocessors, solely to the extent necessary for infrastructure hosting, security, email delivery, and payment processing. A current list of subprocessors is published separately.

Data Retention

Temporary data, including one-time codes, sessions, and short-lived tokens, is automatically deleted after expiry. Configuration data, partner settings, and contractual information are retained for the duration of the contractual relationship and deleted or anonymised thereafter, unless further retention is required by law.

International Data Transfers

Where personal data is processed by subprocessors located outside the European Union or the European Economic Area, appropriate safeguards are applied in accordance with Articles 44–49 of the GDPR, including adequacy decisions or Standard Contractual Clauses.

Integrating Partners

Partners integrating the Toqen SDK, API, or access mechanisms act as independent data controllers in relation to their own end users and are responsible for their respective compliance with data protection laws and for providing appropriate privacy notices.

Data Subject Rights

Data subjects have the right, subject to applicable law, to request access to their personal data, rectification, erasure, restriction of processing, data portability, or to object to certain processing activities.

Requests regarding data subject rights may be submitted by contacting hi@toqen.app. Data subjects also have the right to lodge a complaint with a competent supervisory authority in their EU member state of residence, place of work, or place of the alleged infringement.

Cookies and Similar Technologies

Information about the use of cookies and similar technologies is provided separately in the Cookies Policy.

Data Controller and Contact

The data controller responsible for processing under this Privacy Policy is . Privacy-related enquiries may be addressed to hi@toqen.app.

A Data Protection Officer has not been appointed, as the processing activities do not meet the criteria set out in Article 37 of the GDPR.