TOLL · PRIVACY POLICY
Privacy Policy
Last updated: 14 July 2026
Toll ("we", "us") operates the waitlist website you are reading, currently hosted at [DOMAIN] (a temporary address while we do not yet own a domain). This policy explains what personal data this website collects, why, and what your rights are. Toll does not exist as an application yet. This policy covers only the website in front of you — a waitlist and a short on-camera demo — not a future product.
1. Who is responsible for your data
[LEGAL ENTITY / SOLE TRADER NAME], [JURISDICTION]. Contact: litaui100@gmail.com.
2. What we collect, and why
2.1 Your email address
Collected when you submit the waitlist form. Used to hold your place on the list, to contact you if and when Toll opens for early access, and to count how many people are interested. Not used for anything else, and not sold.
2.2 A visitor identifier
A random ID your browser generates and stores locally (see "Cookies and local storage", below). It lets us tell a returning visit from a new one without cookies. It is not linked to your name unless you also give us your email.
2.3 A session identifier
A random ID generated fresh each time you load the page. It is attached to the events below so we can see the order of what happened in one visit.
2.4 Usage events
Records of what you did on this page: opened it, tapped the "Get early access" button, submitted the email form, submitted something the form could not read as an email address, started or skipped the squat test, denied camera access, reached your first and fifth squat, left the page part-way through the test (and on which rep), finished 10 squats, sent or skipped a friend invite, viewed your confirmation receipt, tapped share.
Each event may carry: which marketing link brought you here (UTM parameters), the address of the site you arrived from — the site only, never the full link with whatever was in it — the page path, your browser's language setting, and a shortened description of your browser and device (cut to 120 characters). This tells us where to focus and where people stop.
2.5 A technical error message, if this page breaks
If the code on this page fails in your browser, we send a short technical description of the failure (cut to 200 characters, at most three per visit) so that we can find out the page is broken on someone's device instead of watching visitors quietly disappear. It describes the code, not you: no video, no image, no body coordinate. Anything in it that looks like an email address is replaced before it is sent.
2.6 Your squat count
Whole numbers: how many of the 10 squats you had completed at your first rep, your fifth, at the moment you left the page, and at the end. Nothing else about what the camera saw reaches our server — see section 3, our loudest promise on this page.
2.7 Your friend's email domain, not their email
If you invite a "keeper", we record only the part of the address after the @ (for example "gmail.com"), never the address itself. See section 4.
2.8 Your IP address
We do not store your IP address ourselves, and we do not use it to profile you. Our host (Vercel) and our database (Supabase) necessarily see it on every request, as any web server does, and it may appear in their own operational logs under their policies.
2.9 What we do not collect
Your name, physical address, or phone number. Payment details — nothing on this page costs money. Your friend's email address. Any video, photo, or image of you. Any body position or camera coordinate.
3. Camera and the squat test — our loudest promise
What our server does receive from this step is small and stated plainly, so that the promise above cannot be read as more than it is: that you started the test, how many reps you had done at your first and fifth, how many you had done if you left part-way through, how many you finished with — and, if the camera or the counter failed, a short description of the failure. Every one of those is a number or a technical message about our own code. None of them describes your body or your surroundings. If you deny camera access or skip the test, your waitlist place is unaffected, and no camera data of any kind is collected.
4. Inviting a friend ("keeper")
When you name someone to set your price, the invite message is composed and sent by your own device, through your own mail app (a standard "mailto" link) — it never passes through our server. We do not see, store, or have access to that message or your friend's full email address. We record only the domain of the address you typed, so we can measure how many people use this step without holding data about someone who never agreed to anything themselves.
5. Cookies and local storage
Toll does not use cookies. This page stores two things in your browser's local storage — a standard web technology, not a cookie: (a) the visitor identifier described above, and (b) a short queue of not-yet-sent events, kept only until your connection lets them through, then deleted. This storage is not used to track you across other websites, is not shared with advertisers, and is not used to build an advertising profile. It exists only to run the two-step signup flow on this page.
6. Legal bases for processing (EEA / UK visitors)
- Email address: you give this to us by submitting the form (consent, and steps taken at your request before we could offer you a service — GDPR / UK GDPR Art. 6(1)(a) and (b)).
- Visitor and session identifiers, usage events: our legitimate interest in understanding whether this idea works and where the page loses people (Art. 6(1)(f)), weighed against the limited, non-advertising nature of what we collect.
- Friend's email domain: the same legitimate interest. We deliberately never collect the friend's full email address, specifically so that GDPR Art. 14 — which would require us to notify a third party we never meet — does not need to be met by a document like this one.
7. California / US visitors
We do not sell or share personal information as defined by the CCPA/CPRA — this page runs no ad network, no ad pixel, and no data-broker relationship. California residents have the right to know what we hold about them, correct it, delete it, and not be discriminated against for exercising these rights. To ask, write to litaui100@gmail.com.
8. Who else sees this data
- Supabase — database hosting for the waitlist table and events. Data region: [REGION].
- Vercel — hosts this website.
- Google, via the pose-detection library this page loads — only the model code is downloaded from Google's and jsDelivr's servers; no video or body data is ever sent to them, because none of it leaves your device.
We do not sell your data and do not share it with advertisers or data brokers.
9. Third-party analytics
We run none. There is no Google Analytics, no advertising pixel, no session recorder, and no third-party tracker of any kind on this page. The only record of your visit is the events listed in section 2.4, held in our own database. If that ever changes, this section changes first.
10. International transfers
If you are in the EEA or UK and your data is processed outside it — for example if [REGION] turns out to be outside the EEA/UK — we rely on [Standard Contractual Clauses / an adequacy decision — confirm once the data region is known] to keep it protected.
11. How long we keep it
Waitlist emails and usage events are kept until [RETENTION PERIOD — e.g. Toll launches and you are invited, or you ask us to delete them, whichever is sooner]. You can ask for deletion at any time — see section 12.
12. Your rights
If GDPR or UK GDPR applies to you, you can ask to access, correct, delete, restrict, or receive a copy of your data, and you can object to or withdraw consent for any processing based on it. You can also complain to your local data protection authority ([ICO for the UK / your EEA supervisory authority]). If CCPA/CPRA applies to you, see section 7. To exercise any of these, email litaui100@gmail.com. We will respond within the time required by applicable law.
13. Age
Toll is for adults. You must be 18 or older to join this waitlist. We do not knowingly collect data from anyone under 18; if we learn that we have, we will delete it.
14. Security
We use reasonable technical measures to protect what we hold — for example, the database only accepts new rows and does not let this page read existing ones back. No system is completely secure, and we cannot guarantee absolute protection.
15. Changes to this policy
We may update this policy as the waitlist page changes. The date at the top shows the last revision. Material changes will be reflected here before they take effect.
16. Contact
[LEGAL ENTITY / SOLE TRADER NAME]
litaui100@gmail.com
[JURISDICTION]