Privacy Policy
Effective Date: December 12, 2025
Company Name: theTop Holdings Inc.
Legal Domicile: Delaware, United States
Website: https://thetop.com
Application: https://app.thetop.com
1. Introduction
Welcome to TheTop. Trust and data protection are foundational to our platform. This Privacy Policy (“Policy”) explains how theTop Holdings Inc. (“TheTop,” “we,” “our,” or “us”) collects, accesses, processes, stores, discloses, and safeguards information when you use our websites, applications, APIs, integrations, and related services (collectively, the “Services”).
By accessing or using the Services, you acknowledge and agree to the practices described in this Policy.
2. Scope of This Policy
This Policy applies to:
- Registered users of TheTop (web, mobile, API, integrations)
- Visitors to our websites
- Prospective customers and enterprise users
- Individuals whose data is processed through user-authorized integrations
This Policy does not apply to:
- Third-party platforms themselves (e.g., Google, Microsoft)
- Employee, contractor, or applicant data (governed by internal policies)
3. Our Role Under Privacy Laws
Depending on the context, TheTop acts as:
- Data Controller when we determine the purposes and means of processing (e.g., generating daily briefs, prioritization logic).
- Data Processor when we process data solely on behalf of a user or enterprise customer via connected services.
We comply with applicable privacy and data protection laws, including but not limited to:
- GDPR (EU/EEA)
- UK GDPR
- CCPA / CPRA (California)
- PIPEDA (Canada)
- Applicable U.S. state privacy laws
- Delaware consumer protection laws
4. Information We Collect and Why
4.1 Information You Provide
- Account Information: name, email, authentication credentials (hashed), preferences
Purpose: account creation, authentication, communications
- Billing Information: payment method and billing details (processed via Stripe)
Purpose: subscriptions, invoicing, fraud prevention
- Support Communications: messages, emails, tickets, call notes
Purpose: customer support, troubleshooting, service improvement
4.2 Information Collected Automatically
- Usage Data: IP address, device type, browser, timestamps, interaction logs
Purpose: security, abuse prevention, analytics, service optimization
4.3 Data From Connected Third-Party Services
With your explicit authorization, TheTop may access and process data from the following third-party services:
- Gmail (Google APIs): email message bodies, subjects, senders/recipients, timestamps (read-only)
- Google Calendar: event titles, descriptions, attendees, times, locations (read-only)
- Microsoft 365 (Microsoft Graph API):
- Outlook email metadata and message content (read-only)
- Outlook calendar event details (read-only)
Purpose: generating summaries, extracting action items, prioritization, and delivering daily decision briefs.
We do not collect:
- Biometric identifiers
- Sensitive personal attributes (race, ethnicity, religion, sexual orientation, political beliefs)
- Audio or video recordings without explicit opt-in
- Data from services you have not explicitly connected
5. Sensitive Data Handling
TheTop is not designed to intentionally process sensitive personal data. If such data is incidentally encountered through user-authorized integrations:
- Processing is limited strictly to delivering the requested Service
- Data is not reused, sold, or repurposed
- Access is restricted and logged
- Retention is minimized
6. Third-Party Integrations
You may connect Gmail, Google Calendar, and/or Microsoft 365 at your discretion. By doing so, you authorize TheTop to access and process only the scopes explicitly granted during authorization.
If an integration is revoked or permissions change, we immediately cease data collection and initiate deletion workflows consistent with this Policy.
6.1 Google API Services & Limited Use Compliance
TheTop’s use of information received from Google APIs complies with the Google API Services User Data Policy, including the Limited Use requirements.
Specifically:
- Permitted Use: Gmail and Google Calendar data is used solely to provide TheTop’s core functionality (daily briefs, prioritization, contextual insights).
- No Advertising: We do not use Google user data for advertising, retargeting, or marketing.
- No Model Training: Gmail and Calendar data is not used to train publicly available AI models.
- No Modification: We never send, delete, or alter Gmail messages or Calendar events.
Controlled Human Access (Google Data)
While most processing is automated, authorized TheTop personnel may access encrypted Google-sourced data on a limited, need-to-know basis for legitimate business purposes such as:
- Security investigations
- Debugging and reliability issues
- Legal, compliance, or audit obligations
- User-initiated support requests
All access is:
- Logged and auditable
- Restricted by role-based access controls
- Governed by confidentiality and acceptable-use obligations
6.2 Microsoft 365 (Microsoft Graph API)
TheTop integrates with Microsoft 365 using the Microsoft Graph API in accordance with Microsoft’s developer and data protection requirements.
- Access: Read-only access to Outlook email and calendar data, limited to authorized scopes
- Use: Generate summaries, surface priorities, correlate emails with meetings, and produce daily briefs
- No Advertising: Microsoft data is never used for advertising or marketing
- No Modification: We do not send, modify, or delete Microsoft 365 emails or calendar events
Controlled Human Access (Microsoft Data)
Authorized personnel may access encrypted Microsoft 365–derived data only when necessary for security, compliance, system integrity, or user support, subject to logging and internal controls.
7. Data Architecture & Security Controls
We employ industry-standard security safeguards, including:
Encryption
- At Rest: AES-256 using AWS Key Management Service (KMS)
- In Transit: TLS 1.2+
Infrastructure
- Encrypted AWS S3 buckets for raw email and calendar data
- Encrypted Aurora PostgreSQL clusters for user profiles and metadata
- VPC-only access; no public database endpoints
Access Controls
- OAuth 2.0 authorization
- Role-based access control (RBAC)
- Zero-trust internal architecture
- Audit logging of privileged actions
8. How We Use Information
We use information to:
- Generate AI-powered daily decision briefs
- Highlight priorities, deadlines, and risks
- Identify follow-ups and time-sensitive communications
- Personalize ranking and structure of insights
- Maintain security, reliability, and compliance
We do not:
- Sell personal data
- Share user data for third-party advertising
- Use private user content to train public AI models
Aggregated, anonymized, or synthetic data may be used internally for analytics, testing, and product improvement.
9. Data Retention & Deletion
- Data is retained for the duration of your account and up to 30 days after termination
- Backups are rotated and purged within 90 days
- Certain records may be retained as required by law (e.g., billing, fraud, audit logs)
10. International Data Transfers
Data may be processed in the United States. Where required, we rely on:
- Standard Contractual Clauses (SCCs)
- UK International Data Transfer Agreements (IDTAs)
- Adequacy decisions, where applicable
11. Your Rights
Depending on your jurisdiction, you may have the right to:
- Access your data
- Correct inaccuracies
- Request deletion
- Object to certain processing
- Withdraw consent
Requests may be submitted to privacy@thetop.com. Verification may be required.
12. AI & Automated Processing
TheTop uses AI to generate insights and recommendations. The platform does not make automated decisions that produce legal or similarly significant effects (e.g., credit decisions, employment actions).
Human oversight mechanisms are in place, and you may request review via support.
13. Cookies & Tracking
We use cookies for authentication, analytics, error monitoring, and performance optimization. We do not use cookies for ad targeting.
14. Third-Party Links
We are not responsible for the privacy practices of third-party platforms you choose to connect to TheTop.
15. Children’s Privacy
TheTop is not intended for individuals under 16. We do not knowingly collect personal data from minors.
16. Business Transfers
In the event of a merger, acquisition, reorganization, or asset sale, user data may be transferred subject to continued protection under this Policy.
17. Limitation of Liability
To the fullest extent permitted by law, TheTop Holdings Inc. shall not be liable for indirect, incidental, special, or consequential damages arising from use of the Services, AI-generated outputs, or third-party integrations.
18. Indemnification
You agree to indemnify and hold harmless TheTop Holdings Inc., its officers, directors, employees, and agents from claims arising out of your use of the Services or violation of this Policy.
19. Changes to This Policy
We may update this Policy periodically. Material changes will be communicated via email or in-app notice. Continued use of the Services constitutes acceptance of the revised Policy.
Last Updated: December 12, 2025
20. Contact Us
Privacy: admin@thetop.com
General/Admin: admin@thetop.com
Mailing Address:
TheTop, 7 CUSTOM HOUSE STREET, PORTLAND, ME 04103