Legal
Privacy Policy
Last updated: May 2026
1. Who We Are
Toffee is operated by Toffee Finance Inc., a corporation incorporated in the State of Texas, USA, with its registered address at 833 Grand Teton Dr, Plano, Texas 75023, USA.
Contact us: hello@toffeefinance.com
Although incorporated in the United States, Toffee Finance Inc. serves users in the United Kingdom and is therefore subject to the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018 by virtue of Article 3(2) UK GDPR (which applies to organisations outside the UK that process personal data of UK residents).
ICO Registration: We are in the process of registering with the UK Information Commissioner's Office (ICO) as required for organisations processing personal data of UK residents. Our registration reference will be published here once confirmed.
2. What Data We Collect
- Account data: name and email address when you create an account
- Financial tracking data: debt names, balances, interest rates, and payment schedules you enter into the app (used solely to provide the service)
- Device and log data: device type, operating system version, app version, and crash reports
- Analytics data: pages visited, features used, and session duration — collected only with your consent via the cookie banner
- Payment data: handled directly and securely by Stripe; we do not store your full card details
- Support communications: messages you send when contacting our support team
3. How We Use Your Data
| Purpose | Lawful Basis (UK GDPR Art. 6) |
|---|---|
| Providing and maintaining the app | Performance of contract (Art. 6(1)(b)) |
| Processing payments via Stripe | Performance of contract (Art. 6(1)(b)) |
| Improving app features and user experience | Legitimate interests (Art. 6(1)(f)) |
| Analytics and advertising tracking | Consent (Art. 6(1)(a)) — only after you accept cookies |
| Sending marketing communications | Consent (Art. 6(1)(a)) — opt-in only |
| Complying with legal obligations | Legal obligation (Art. 6(1)(c)) |
4. Cookies and Tracking
We use strictly necessary cookies to operate the service and optional analytics/advertising cookies that require your consent. You can manage your preferences at any time via the cookie banner or the "Cookie Settings" link in the footer.
For a full breakdown of every cookie we use, see our Cookie Policy.
5. Third-Party Service Providers
We share data with the following processors only to the extent necessary to provide our services:
- Stripe Inc. (US) — payment processing. Stripe Privacy Policy
- Google LLC (US) — analytics via Google Analytics 4; app distribution via Google Play
- PostHog Inc. (US) — product analytics and feature insights
- Meta Platforms Inc. (US) — advertising measurement via Facebook Pixel
- Resend Inc. (US) — transactional email delivery
- Apple Inc. (US) — app distribution via the App Store
- Vercel Inc. (US) — website hosting and performance monitoring
6. International Data Transfers
Toffee Finance Inc. is based in the United States. Data you provide may be processed by us and by the third-party processors listed above, all of which are US-based. The US does not currently hold a UK adequacy decision for most commercial data transfers.
Where required, international transfers are made under Standard Contractual Clauses (SCCs) approved for use under UK GDPR, or the UK's International Data Transfer Agreement (IDTA). You may request a copy of the applicable transfer safeguards by contacting us at hello@toffeefinance.com.
7. Data Retention
- Account data: retained while your account is active; deleted within 30 days of a verified account deletion request
- Analytics data: subject to each provider's default retention (typically 14 months for Google Analytics 4)
- Support communications: 2 years from the date of last contact
- Payment records: 7 years as required for tax and legal compliance (held by Stripe)
8. Your UK GDPR Rights
If you are in the UK, you have the following rights regarding your personal data:
- Right of access — request a copy of the personal data we hold about you
- Right to rectification — request correction of inaccurate or incomplete data
- Right to erasure — request deletion of your data in certain circumstances
- Right to restrict processing — request that we limit how we use your data
- Right to data portability — receive your data in a structured, machine-readable format
- Right to object — object to processing based on legitimate interests or direct marketing
- Right to withdraw consent — withdraw consent at any time without affecting prior processing
- Right to lodge a complaint — you have the right to complain to the UK Information Commissioner's Office (ICO) at ico.org.uk or by calling 0303 123 1113
To exercise any of these rights, contact us at hello@toffeefinance.com. We will respond within 30 days.
9. Children's Data
Toffee is intended for users aged 13 and over. Under UK GDPR Article 8, users aged 13–15 require verifiable parental or guardian consent. We do not knowingly collect personal data from children under 13. If we become aware that we have done so, we will delete that data promptly. If you believe a child under 13 has provided us with their data, please contact hello@toffeefinance.com.
10. Changes to This Policy
We may update this Privacy Policy from time to time. We will notify you of material changes via the app or by email. The "Last updated" date at the top of this page reflects the most recent revision. Continued use of Toffee after changes take effect constitutes acceptance of the updated policy.