GDPR & EU Data Protection

Last updated: May 10, 2026

This page explains how Toolsy handles personal data under the European Union's General Data Protection Regulation (GDPR), the UK GDPR, and equivalent national laws of EEA member states. It complements our main Privacy Policy; if anything here conflicts with that document, this page governs for EU/EEA/UK residents.

1. Data controller

The data controller for Toolsy is the operator of the site (the individual publisher behind toolsy.website). For data-protection inquiries: hello@toolsy.website.

2. What is "personal data" on Toolsy

Under GDPR, "personal data" means any information relating to an identified or identifiable natural person. On Toolsy, the only data we touch that could conceivably qualify is:

• Your IP address — handled only in memory during a request; never stored in raw form. We persist only a SHA-256 hash salted with a daily-rotating value, which is irreversible and cannot be used to re-identify you after 24 hours.
• Your User-Agent string — we keep only the browser and OS family (e.g. "Chrome / Windows"), not the full string.
• Your country — derived from your IP at request time by our hosting provider, when available.

We hold no email addresses, names, account credentials, payment data, or any other directly identifying information. We have no way to look up information about you because we don't store identifying keys.

3. Legal basis for processing (Art. 6 GDPR)

We rely on two legal bases:

• Legitimate interests (Art. 6(1)(f)) for: server-side analytics with hashed IPs (running a free service requires understanding aggregate traffic and detecting abuse); essential cookies (theme preference); and non-personalized advertising via Google AdSense, which is necessary to fund the free Service.
• Consent (Art. 6(1)(a)) for: personalized advertising and any optional third-party cookies set by Google or its partners that go beyond what is strictly necessary for ad delivery and fraud prevention.

4. Advertising and consent

Toolsy serves ads through Google AdSense. For visitors from the European Economic Area, the United Kingdom, and Switzerland, Google's services are configured to operate under the EU user consent policy and the IAB Transparency & Consent Framework (TCF v2.2).

When you visit from one of these regions you will see a consent banner the first time you load the site. You can:

• Accept all — Google and its certified partners may use cookies for personalized advertising, ad measurement, audience insights, and product development.
• Reject all — you will still see ads, but they will not be personalized to your previous browsing, and additional optional cookies will not be set.
• Manage options — choose specific purposes and partners individually.

Your consent choice is stored client-side and can be changed at any time by clicking the "Cookie settings" link in the footer, or by clearing your browser cookies for this site.

Even without consent, certain cookies may be set for security, fraud prevention, and to remember your consent choice itself — these qualify as "strictly necessary" under the ePrivacy Directive and do not require consent.

5. International data transfers

Toolsy is hosted on infrastructure that may process requests in data centers within the EU, the United States, and other regions. When data is transferred outside the EU/EEA we rely on safeguards including:

• European Commission adequacy decisions where they apply (e.g. for participants in the EU–US Data Privacy Framework)
• European Commission Standard Contractual Clauses (SCCs)
• our hosting provider's and Google's data processing agreements

6. Your rights under GDPR (Arts. 15–22)

As an EU/EEA/UK resident you have the right to:

• Access — request a copy of any personal data we hold about you
• Rectification — correct inaccurate data
• Erasure ("right to be forgotten") — request deletion
• Restriction — limit how we process your data
• Portability — receive your data in a machine-readable format
• Object — to processing based on legitimate interests, including direct marketing
• Withdraw consent — at any time, for processing based on consent
• Lodge a complaint — with a supervisory authority in your country of residence

Because Toolsy stores no identifying information about you (no email, name, or account), most requests are effectively non-applicable on our side — we have nothing to correct or hand over. For requests related to data held by Google as a result of advertising on Toolsy, please use Google's own data-subject request channels at Google Privacy Help.

To exercise any right, email hello@toolsy.website. We respond within 30 days, free of charge. We may ask for additional information to verify your identity, but only the minimum strictly necessary.

7. Data processors and sub-processors

Toolsy uses the following third-party processors. Each operates under its own privacy notice and DPA:

• Vercel Inc. — serverless hosting (USA / multi-region). Privacy policy.
• Google LLC / Google Ireland Ltd. — advertising via AdSense. Privacy policy. For EU residents, Google Ireland Ltd. is the local data controller for ads-related processing.
• Cloudflare, Inc. — content delivery for fonts and JavaScript libraries (cdnjs). Privacy policy.

8. Automated decision-making and profiling

Toolsy itself does not make automated decisions about you. Personalized advertising delivered by Google may involve profiling within the meaning of Art. 22 GDPR; this is governed entirely by Google's own systems and policies and is subject to your consent as described in section 4.

9. Retention

See section 8 of the Privacy Policy. In short: server analytics (with hashed IPs) up to 90 days; aggregates indefinitely; tool inputs are not retained.

10. Supervisory authority

You have the right to lodge a complaint with the supervisory authority in your country of residence. A list of EU authorities is available at edpb.europa.eu. UK residents may complain to the Information Commissioner's Office (ICO).

We would appreciate a chance to address concerns directly first — emailing hello@toolsy.website is usually faster than the regulator route, but the right to complain is unconditional.

11. Updates

Material changes to GDPR-related practices will be announced via a notice on the homepage and reflected in the "Last updated" date above.