Legal

Privacy Policy for TheToolPicker.com

Last updated: February 23, 2026

This Privacy Policy outlines how TheToolPicker ("we", "us", or "our") collects, uses, processes, and protects your information, including personal data, when you use the services provided through the website www.thetoolpicker.com (the "Site" or "Service"). By using the Service, you agree to this Privacy Policy and the collection, storage, usage, and disclosure of your personal data as described herein.

1. Definitions

  • "Company": Refers to the entity operating TheToolPicker.
  • "Service": All functionality, features, and content provided through www.thetoolpicker.com, including but not limited to AI/SaaS tool discovery, directory listings, blog articles, user accounts, and tool submission services.
  • "User" or "You": Any individual or entity accessing or using the Service.
  • "Personal Data": Any information that can directly or indirectly identify a natural person, including identifiers such as name, email address, IP address, device ID, and online identifiers.
  • "Processing": Any operation performed on personal data such as collection, recording, storage, transfer, alteration, disclosure, deletion, etc.
  • "Cookies": Small data files stored in your browser to recognize your device and activity.
  • "Third Parties": External entities providing services on behalf of or in collaboration with TheToolPicker.

2. Types of Data Collected

We may collect and process the following categories of personal and non-personal data:

2.1. Data you provide directly:

  • Full name, username
  • Email address
  • Password (hashed and stored securely using bcrypt)
  • Profile picture or avatar
  • Tool submission data (tool name, description, website URL, pricing information, screenshots)
  • User reviews and ratings for tools
  • Any data entered into contact forms, feedback tools, or other form fields

2.2. Automatically collected data:

  • IP address, device type, operating system, browser type/version
  • Geolocation data (approximate, based on IP)
  • Usage data such as page views, click paths, duration of sessions, tool searches, and category browsing patterns
  • Time zone settings, screen resolution, and other technical data
  • Log data including error logs, crash reports
  • Referral source and search queries

2.3. Data from third-party integrations:

  • OAuth identity providers: We use Google OAuth for account authentication. When you sign in with Google, we receive your name, email address, and profile picture from Google.
  • Error monitoring: We use Sentry for application error tracking, which may collect technical information about errors and your session.

3. Purposes of Processing

We process your data for various legitimate business and operational purposes, including but not limited to:

  • Account creation and authentication via email/password or Google OAuth
  • User onboarding and profile personalization
  • Enabling key service functionality: tool discovery, search, filtering, favorites, and reviews
  • Processing tool submissions and managing directory listings
  • Processing support tickets, feedback, or feature requests
  • Sending transactional messages and service updates via email
  • Sending newsletters, marketing offers (only where legally permitted or with consent)
  • Enhancing security and fraud detection systems
  • Conducting internal research and performance analytics
  • Managing service uptime, bug reporting, and diagnostics via Sentry
  • Complying with legal and regulatory requirements
  • Fulfilling contractual obligations with users or partners

4. Legal Bases for Processing

Depending on your jurisdiction, the legal bases under which we collect and process data include:

  • Consent: when you explicitly agree to data collection, e.g., signing up for a newsletter or creating an account.
  • Contractual Necessity: to fulfill a service you've signed up for, such as account access, tool submissions, or directory listings.
  • Legal Obligation: to comply with applicable laws, tax obligations, or court orders.
  • Legitimate Interests: for functionality, analytics, security, and service improvement (unless overridden by your rights).

5. Cookies and Tracking Technologies

We use a variety of tracking technologies to enhance your experience, including:

  • Essential cookies: Session cookies for authentication, user preferences (theme, language), and CSRF protection
  • Authentication tokens: Secure JWT tokens for maintaining your logged-in session
  • Local storage: For storing user preferences and improving performance

Cookie Preferences: You may control cookies via your browser settings. Blocking essential cookies may prevent access to some features, including account login and personalization.

6. Data Retention

We retain data only as long as necessary for the purposes described:

  • Account data: Retained while your account is active and for up to 2 years after account deletion for legal and audit purposes
  • Tool submissions: Retained indefinitely as part of the public directory unless removal is requested
  • User reviews: Retained as long as the associated tool listing exists
  • Logs and usage data: Retained for up to 90 days for internal analysis, security, and debugging
  • Error logs (Sentry): Retained according to Sentry's data retention policies (typically 90 days)
  • If you request deletion, we will anonymize or securely destroy your personal data unless required to retain it by law

7. Sharing and Disclosure of Data

We may share your personal data with:

  • Hosting and infrastructure: Vercel (application hosting), Supabase (database and file storage)
  • Authentication: Google (OAuth sign-in)
  • Email services: SMTP providers for transactional emails
  • Error monitoring: Sentry for application error tracking and debugging
  • AI services: Google Gemini and OpenAI for content generation and processing (tool descriptions, article content)
  • Our legal, accounting, and cybersecurity service providers
  • Affiliates, successors in interest, or buyers in a corporate transaction
  • Law enforcement or regulators under legal mandate

All third-party providers are subject to strict contractual confidentiality and data protection obligations.

8. International Transfers

Your data may be transferred to and stored on servers outside your jurisdiction, including in the United States, EU, or other countries where our service providers operate. We ensure adequate safeguards through:

  • Standard Contractual Clauses (SCCs)
  • Data Processing Agreements (DPAs) with our service providers
  • Additional technical and organizational security measures
  • Selecting service providers that comply with GDPR and other applicable data protection regulations

9. Your Rights

Depending on your region (EU/EEA under GDPR, California under CCPA, Brazil under LGPD, etc.), you may have the right to:

  • Access: Request a copy of the personal data we hold about you
  • Rectification: Correct inaccurate or incomplete information
  • Erasure: Request deletion of your personal data ("right to be forgotten")
  • Restriction: Limit how we process your data in certain circumstances
  • Objection: Object to processing based on legitimate interests
  • Data portability: Receive your data in a structured, machine-readable format
  • Withdraw consent: Withdraw consent at any time, without affecting prior lawful processing
  • Complaint: Lodge a complaint with your local data protection authority

To exercise your rights, contact us at: toolpicker@supafast.tech. We respond to verified requests within 30 days.

10. Security Measures

We implement layered security approaches including:

  • HTTPS/TLS encryption on all web traffic
  • Secure password hashing using bcrypt
  • Database security through Supabase with Row Level Security (RLS) policies
  • Secure authentication via NextAuth.js with JWT tokens
  • OAuth 2.0 for third-party authentication (Google)
  • Regular security updates and dependency monitoring
  • Environment variable protection for sensitive configuration

Although we follow industry best practices, no system is entirely secure. Please use the Service with awareness of this limitation and use strong, unique passwords for your account.

11. Children's Privacy

Our Service is not intended for individuals under the age of 16 (or 13 in jurisdictions where permitted). We do not knowingly collect personal information from children. If we learn that we have collected personal data from a child without appropriate consent, we will take steps to delete such information immediately.

12. Third-Party Links and Services

TheToolPicker is a directory of third-party AI and SaaS tools. Our listings contain links to external websites and services. We are not responsible for the privacy practices, content, or security of such third parties. Please review their privacy policies separately before using their services.

13. User-Generated Content

When you submit reviews, ratings, or tool information to our platform, this content may be publicly visible. Please do not include sensitive personal information in your reviews or submissions. We reserve the right to moderate, edit, or remove user-generated content that violates our terms or community guidelines.

14. Changes to This Privacy Policy

We reserve the right to amend this Policy at any time. If we make material changes:

  • We will notify registered users via email or platform notification
  • Update the "Last Updated" date at the top of this page
  • For significant changes, we may require explicit consent before continuing to use the Service

Continued use of the Service after changes constitutes acceptance of the updated Privacy Policy.

15. Contact Us

If you have any questions about this Privacy Policy or wish to exercise your data protection rights, please contact us: