Privacy Policy
Effective Date: October 20th, 2025
Company Name: TheTop Holdings Inc.
Legal Domicile: Delaware, United States
Website: https://thetop.com
Application: https://app.thetop.com
Welcome to TheTop. Your trust is our top priority. This Privacy Policy (“Policy”) explains how TheTop Holdings Inc. (“TheTop,” “we,” “our,” or “us”) collects, uses, discloses, and protects your information through our website, software applications, and related services (collectively, the “Services”). By using TheTop, you agree to the data practices described in this Policy.
1. Who This Policy Applies To
This Policy applies to registered users of our platform (web, app, API, integrations), visitors of our website, prospective clients, enterprise customers, API users, and individuals whose data may be imported by users via third-party integrations (e.g., email metadata and content). This Policy does not apply to data handled solely by third-party applications (e.g., Gmail, Notion, Slack) or to employees, job applicants, or contractors (see Internal Data Policy).
2. Our Role Under the Law
We act as a Data Controller when determining how and why user data is processed (e.g., building summaries). We act as a Data Processor when we handle data solely on behalf of a customer (e.g., analyzing Gmail content/metadata). We comply with GDPR (EU/EEA residents), CCPA/CPRA (California residents), PIPEDA (Canada), applicable U.S. state privacy laws (e.g., Colorado, Virginia), and Delaware consumer protection laws.
3. What We Collect and Why
Account Info: name, email, login, password hash → identity, login, communication (legal basis: contract).
Billing Info: card details and billing address (via Stripe) → payments, subscriptions (legal basis: contract).
Usage Data: IP address, device type, browser, log data, interaction logs → security, analytics, personalization (legal basis: legitimate interests).
Third-party Data: from connected tools (e.g., Gmail, Slack, Notion, Calendar) → insight extraction, daily brief (legal basis: consent/contract, depending on context).
Support Data: help requests, chat logs, call notes → customer support (legal basis: legitimate interests).
We do collect and process: Email content from Gmail (full message bodies, subjects, senders/recipients, timestamps; read-only, encrypted) to generate summaries and action items; Calendar event details (titles, descriptions, attendees, times, locations) for context-aware briefs. We do not collect biometric data, race/ethnicity, political beliefs, or sexual orientation; audio/video from devices without explicit opt-in; or data from apps you haven’t explicitly connected.
4. Sensitive Data Handling
We avoid handling sensitive categories of data unless explicitly required by the user and covered under a lawful basis (e.g., HR briefings with consent). When such data is encountered (e.g., private Slack conversations), our systems do not retain, log, or reuse that content beyond what is required to render your brief or insight.
5. Data From Third-Party Integrations
When you connect services to TheTop, you authorize us to access and process scoped data per the permissions granted.
Gmail
- Access: Read-only access to email messages (subject, body, sender, recipients, timestamps).
- Scope: Messages from the last 14 days for initial indexing, then incremental daily sync.
- Use: Generate AI-powered summaries, extract action items, identify important communications.
- Storage: Email content is encrypted and stored in AWS S3 for brief generation.
- Retention: Deleted within 30 days of account deletion or permission revocation.
- No Modification: We NEVER send, delete, or modify your emails.
Slack
- Access: Messages from channels or DMs that mention the user in connected workspaces.
- Use: Highlight key blockers and requests.
- Limitations: We only access workspaces you explicitly connect.
Notion, Asana, Jira, Google Calendar, etc.
- Access: Task/page titles, due dates, assignment status, event titles/descriptions/attendees/times/locations.
- Use: Extract what’s overdue, upcoming, or needs attention; provide context-aware insights.
If an integration is revoked or permissions change, we cease all data collection immediately.
5.1 Google API Services Compliance
TheTop’s use and transfer of information received from Google APIs adheres to the Google API Services User Data Policy, including the Limited Use requirements. Specifically for Gmail and Calendar:
- Limited Use: We use Gmail and Calendar data ONLY to provide our daily briefing service.
- No Human Review: Your email content is processed by AI only — no TheTop employees read your emails.
- No Transfer: We do not transfer Gmail/Calendar data to third parties except our AI provider (OpenRouter) for processing.
- No Advertising: We never use your Gmail/Calendar data for advertising purposes.
- No Training: We do not use your Gmail/Calendar data to train publicly available AI models.
5.2 Google Calendar
- Access: Read-only access to calendar events (titles, descriptions, attendees, times, locations).
- Use: Provide context-aware insights, highlight upcoming meetings, correlate with email threads.
- Storage: Calendar data is encrypted and stored in AWS S3.
- Retention: Deleted within 30 days of account deletion or permission revocation.
- No Modification: We NEVER create, modify, or delete calendar events.
6. How We Use the Information
We process data to generate AI-driven daily briefings; highlight top priorities, risks, and deadlines; identify follow-ups, blockers, or unread messages; personalize the order and structure of insights; and improve AI agents via usage analytics (non-personalized). We do not sell personal data, use user data to train publicly available LLMs, or share data for advertising purposes. We may use aggregated, anonymized datasets to improve models or develop new features and apply synthetic data derived from user behavior patterns for internal testing.
7. Data Storage and Security
All data is encrypted in transit (TLS 1.2+) and at rest (AES-256) in cloud environments aligned with SOC 2 Type II, ISO 27001, and GDPR safeguards (e.g., SCCs). Additional protections include OAuth 2.0 for all third-party access, audit logs on admin actions, zero-trust internal architecture, automatic session expiration, and role-based access control. In the event of a data breach, we will notify affected users within 72 hours, per GDPR Article 33.
8. Retention and Deletion
We retain your data for the duration of your subscription or usage and up to 30 days after account cancellation (unless otherwise required), and for legal compliance (e.g., tax records, fraud logs). Upon verified request, personal and usage data are deleted within 30 days; backups are scrubbed within 90 days (rolling). Exceptions: legal holds/audits or active disputes/chargebacks.
9. International Data Transfers
Because we are a Delaware-based company, your data may be processed in the United States. Where required by law, we use Standard Contractual Clauses (SCCs), UK International Data Transfer Agreements (IDTAs), and adequacy decisions (where applicable).
10. Your Rights and How to Exercise Them
Depending on your location, you may have the right to access your data; correct inaccurate information; delete your data; port data to another platform; object to certain types of processing; and withdraw consent at any time. Submit requests to privacy@thetop.com. We respond within 30 days (or 45 for CCPA). Identity verification may be required.
10.1 Revoking Google Permissions
You can revoke TheTop’s access to Gmail and Calendar at any time:
- Through Google: visit https://myaccount.google.com/permissions and remove TheTop.
- Email us: contact privacy@thetop.com with subject “Revoke Access”.
Upon revocation, we stop all data collection immediately and delete your Gmail/Calendar data within 30 days.
11. CCPA/CPRA-Specific Disclosures (California)
Right to Know: see what data we’ve collected about you.
Right to Delete: request removal of personal data.
Right to Opt-Out: not applicable — we do not sell data.
Right to Non-Discrimination: no penalty for exercising privacy rights. To exercise these, email us with subject: “CCPA Request – [Your Name]”.
12. AI and Automated Decision-Making
Our AI system generates insights automatically. It does not make decisions that produce legal or similarly significant effects (e.g., credit, hiring), alter employment terms, or trigger irreversible workflows. We perform regular human-in-the-loop reviews to ensure AI quality. You may request a human review of any AI-generated decision through support.
13. Cookies and Tracking
We use cookies for session management, usage analytics, error tracking, and UX personalization. We do not use cookies for ad targeting. You may disable cookies via browser settings, but doing so may degrade service quality.
14. Third-Party Services and Links
We are not responsible for privacy policies or content on linked third-party websites, nor for the data practices of external tools you connect to TheTop. Review the privacy terms of each integration you authorize.
15. Children’s Privacy
TheTop is not directed to individuals under 16. We do not knowingly collect or store personal data from minors. If we learn of such activity, we will promptly delete the data.
16. Business Transfers
In the event of an acquisition, merger, reorganization, or asset sale, your data may be transferred to a successor entity. If this occurs, you will be notified and may opt out of continued data processing before the transfer is finalized.
17. Limitation of Liability
To the fullest extent permitted by law, TheTop Holdings Inc. shall not be liable for any indirect, incidental, special, or consequential damages arising out of or in connection with this Policy. We are not responsible for data breaches resulting from user error, insecure third-party tools, or revoked permissions. Use of our AI tools is at your own discretion and risk.
18. Indemnification
By using our Services, you agree to indemnify and hold harmless TheTop Holdings Inc., its officers, directors, employees, and agents from any claims, damages, losses, liabilities, or expenses arising out of your use of the Services, your violation of this Policy or applicable law, or any data/content you upload, store, or process via the platform.
19. Changes to This Policy
We may revise this Policy at any time. Material changes will be announced via email or in-app. Continued use of the Services after an update constitutes acceptance of the revised terms. Last updated: October 20th, 2025.
20. Contact Us
Privacy: privacy@thetop.com
General/Admin: admin@thetop.com
Mailing Address: TheTop, 7 CUSTOM HOUSE STREET, PORTLAND, ME 04103