Effective April 8, 2026

Privacy Policy.

This Privacy Policy explains how Toadstool Labs LLC, doing business as Toshiku (“Toshiku,” “we,” “us”) collects, uses, and shares information when you visit our websites, scope a test, or use our services. We sell to businesses, not consumers, and we keep this short on purpose.

Contents

What we collect
How we use it
Legal bases
Sharing
International transfers
Retention
Security
Your rights
Cookies
Children
Changes
Contact

1.What we collect

Account information — name, business email, company, role, and billing details.
Scope information — domains, IP ranges, application URLs, descriptions of systems and credentials you authorize for testing.
Test data — outputs generated during testing, including findings, observed configurations, and any data incidentally encountered while probing your Targets.
Usage information — log data, IP addresses, device and browser information, pages visited, and interactions with our Services.
Communications — messages, support requests, and survey responses.

We do not knowingly collect or solicit personal information about your end users beyond what is incidentally observed during authorized testing.

2.How we use it

To provide, operate, secure, and improve the Services.
To deliver Reports, dashboards, and notifications.
To bill, support, and communicate with you.
To detect, prevent, and address security, fraud, and abuse.
To comply with law and enforce our agreements.
To create de-identified and aggregated data, which we may use for any lawful purpose, including model training and benchmarking.

3.Legal bases (EEA / UK)

Where the GDPR or UK GDPR applies, we process personal data on the bases of contract performance, our legitimate interests in operating and securing our business, your consent (where required), and compliance with legal obligations.

4.Sharing

We share information with:

Service providers who help us run the business — hosting, payments, analytics, communications, AI infrastructure — under written contracts that restrict their use.
Auditors, lawyers, and advisors, as needed.
Authorities, when required by law or to protect rights, safety, or property.
Acquirers, in connection with a merger, acquisition, financing, or sale of assets.

We do not sell personal information, and we do not share it for cross-context behavioral advertising.

5.International transfers

We are based in the United States and may transfer information to the U.S. and other countries that may not provide the same level of data protection as your jurisdiction. Where required, we rely on Standard Contractual Clauses or other lawful transfer mechanisms.

6.Retention

We retain information for as long as needed to provide the Services, comply with law, resolve disputes, and enforce our agreements. Test outputs and Reports may be retained as part of your security history unless you request deletion in writing, subject to legal hold and our backup cycles.

7.Security

We implement reasonable administrative, technical, and physical safeguards designed to protect information. No method of transmission or storage is perfectly secure, and we cannot guarantee absolute security. Use of the Services is at your own risk.

8.Your rights

Depending on where you live, you may have rights to access, correct, delete, port, or restrict processing of your personal information, or to object to certain processing. You may also have the right to lodge a complaint with your data protection authority. To exercise these rights, contact privacy@toshiku.com. We will verify your request before responding.

California: We do not sell or share personal information as those terms are defined under the CCPA/CPRA. California residents may exercise their rights by contacting us at the address above. We will not discriminate against you for exercising your rights.

Where we act as a processor on behalf of a customer, we will direct individual rights requests to that customer, who is the controller of the relevant data.

9.Cookies

We use a small number of essential cookies to operate our site and authenticate sessions, and limited analytics to understand usage. You can control cookies through your browser settings. Disabling cookies may break parts of the Services.

10.Children

The Services are not directed to children under 16, and we do not knowingly collect their personal information. If you believe a child has provided us personal information, contact us and we will delete it.

11.Changes

We may update this Policy from time to time. The “Effective” date reflects the most recent revision. Material changes will be communicated through the Services or by email. Continued use of the Services after the effective date constitutes acceptance.

12.Contact

Toadstool Labs LLC
privacy@toshiku.com