
Togthr Privacy Policy

Last updated: November 4, 2025

1. Introduction

This Privacy Policy explains how Togthr (“Togthr”, “we”, “us”, “our”) collects, uses, discloses, and protects personal data when you interact with our products, services, websites, and applications.

Company address: IITM Research Park, Kanagam Rd, Kanagam, Tharamani, Chennai, Tamil Nadu 600113

By using our services, you agree to the practices described in this Policy. If you do not agree, please do not provide personal data and request that your employer or customer does not submit it on your behalf.

We may update this Policy periodically to reflect legal, technical, or business changes. If changes materially affect your rights, we will make commercially reasonable efforts to notify you. Otherwise, please review this Policy regularly.

Controller: When we collect personal data about you for our own purposes (e.g., website usage, billing, account administration), we act as a data controller.

Processor: When our customers use our platform to process data (including PHI) about individuals (e.g., patients, staff), we act as a processor—or a “Business Associate” under HIPAA—and process the data only as instructed in our contracts, including the Data Processing Agreement (DPA) and, if applicable, the Business Associate Agreement (BAA).

Children: Our website and marketing are not directed to children. However, our customers may process minors’ health information for healthcare purposes through our platform. In such cases, our customers act as controllers, and Togthr acts strictly as a processor/Business Associate.

Third-party links and apps: Our services may include links or integrations with third-party websites, apps, plug‑ins, and tools. We do not control third‑party privacy practices, so please review their policies before using them.

2. What Data We Collect and Sources

We collect personal and business information from different sources depending on how you use our services. This includes information you provide directly, that we collect automatically, that comes from integrations and connected services, or that is provided by others (such as your employer).

2.1 Data You Provide to Us

  • Account and profile: name, role, organization, email, phone, password hashes, profile photo.
  • Business and billing: plan, seats, subscription details, transaction records, addresses, tax information.
  • Communications: support requests, feedback, survey responses.
  • Forms and content: any data entered in EHR/CRM/forms/website builder (as a controller or on behalf of your controller).
  • Job applications: CV/resume, cover letters, references, interview feedback.

2.2 Data Collected Automatically

  • Device/technical: IP address, device identifiers, operating system, browser, network details, language, time zone.
  • Usage: feature/event telemetry, session length, pages/screens viewed, clickstream data, crash logs.
  • Cookies/SDKs: see our Cookies Policy for details and controls.

2.3 Data from Integrations and Connected Services

If you connect third‑party services, we may receive:

  • Identity data (names, emails, account identifiers).
  • Email/calendar content and metadata (e.g., Gmail, Microsoft 365 Outlook).
  • Files/attachments (e.g., Google Drive, OneDrive).
  • Messages from connected channels (if enabled).
  • CRM/EHR/other system data via APIs or imports.

Google APIs – Additional Limits (Data Accessed, Usage, Sharing, Storage, Retention, Deletion): If you connect Google services (e.g., Gmail, Calendar, Drive), Togthr accesses the following specific data types to provide the features you enable: names, emails, account identifiers, email/calendar content and metadata, and files/attachments (the "Google User Data").

Togthr’s use and transfer of Google User Data will adhere to the Google API Services User Data Policy, including the Limited Use requirements.

  • Data Usage: We only use Google User Data to provide or improve user-facing features (e.g., displaying emails, managing calendars, accessing files for your direct use within Togthr).
  • Data Sharing: We do not use Google User Data for ads. We do not share this data with any third parties except with our necessary Service providers/Subprocessors (e.g., cloud hosting, security tools) strictly for the purpose of operating the Togthr service and maintaining its security, as outlined in Section 5, and in compliance with the Limited Use policy. We will not transfer or allow access to this data by any human unless you consent, required by law, necessary for security/abuse investigations, or for internal operations with data aggregated/de-identified.
  • Data Storage & Protection: We securely store and protect Google User Data using technical and organizational measures appropriate to risk, including encryption in transit and at rest, access controls, and audit logging, as detailed in Section 7.
  • Data Retention & Deletion: We retain Google User Data for as long as necessary to provide services and fulfill the purposes outlined in Section 8. You can request the deletion of your Google User Data by disconnecting the integration within the application settings or by contacting us at care@togthr.health. Upon a valid deletion request, we will delete or anonymize your Google User Data within our systems, in compliance with our data retention policy and applicable law.

Microsoft Graph – Additional Limits: If you connect Microsoft services (e.g., Outlook, Calendar, OneDrive), we use and transfer Microsoft Graph data only to provide Togthr features you enable, do not use it for ads, and limit access consistent with Microsoft’s terms and applicable law.

2.4 Data We Receive from Others

  • Your employer, customer, or colleagues may provide your details (e.g., work email) to add you as a user.
  • Service providers, payment processors, anti-abuse/security tools, and enrichment services may share signals or data under their policies and applicable law.

2.5 Special Categories, Health Data, PHI

The platform supports healthcare data, including PHI under HIPAA, when used in PHISafe features subject to a Business Associate Agreement (BAA). Our customers control whether they upload/process special categories of data or PHI. Togthr processes such data only under customer instruction and contracts (DPA/BAA).

3. How We Use Personal Data and Legal Bases

We use personal data to deliver, improve, and protect our services, based on lawful grounds for processing under applicable data protection laws (such as GDPR or HIPAA). The purposes and legal bases include:

  • Provide and secure the services: create accounts, authenticate users, operate features, administer subscriptions, provide support, prevent fraud/abuse, and maintain platform security and integrity.
    Legal bases: contract performance; legitimate interests; legal obligation (security).
  • Communications: send service announcements, security notices, product updates, onboarding, and training information.
    Legal bases: contract performance; legitimate interests; legal obligation (where applicable).
  • Product improvement and analytics: perform diagnostics, usage analytics, research, development, and quality monitoring to improve our services.
    Legal bases: legitimate interests; consent where required (e.g., certain cookies).
  • Marketing: send newsletters, product updates, or other promotional messages with your consent or where permitted. You may opt out at any time.
    Legal bases: consent; legitimate interests (B2B direct marketing, where permitted).
  • Compliance and enforcement: comply with laws, respond to lawful requests, enforce terms, and protect rights, safety, and property.
    Legal bases: legal obligation; legitimate interests.
  • AI-assisted features: to power and improve user-facing features such as drafting, summarization, or structured extraction. We do not use PHI for model training outside customer-controlled environments and contracts. If any third-party AI providers are used, we apply contractual and technical controls; PHI is not sent to NonPHI environments.

4. HIPAA and PHI

PHI processing requires a BAA and use of PHISafe features. Customers are responsible for configuration, role-based controls, and ensuring PHI is not sent via NonPHI channels.

  • PHISafe vs. NonPHI Features and Channels: Togthr designates which features are PHISafe. Example: enterprise Gmail/Outlook integrations may qualify as PHISafe only if (a) you have active BAAs with Google/Microsoft, (b) Togthr features are configured according to our guidance, and (c) a valid BAA with Togthr is in place. Social messaging channels (e.g., WhatsApp, Instagram, Facebook Messenger) are not HIPAA‑eligible by default, and PHI must not be transmitted via these channels.

You are responsible for disabling PHI in NonPHI channels and training Users accordingly.

5. Sharing and Disclosures

We may share personal data with:

  • Service Providers/Subprocessors: We engage trusted third‑party providers to deliver services such as cloud hosting, technical support, analytics, email delivery, logging, security, payments, and professional advisory. These providers are contractually bound to safeguard personal data. A list of material Subprocessors is maintained on our Security & Compliance page. This includes sharing of Google User Data strictly for service provision, as detailed in Section 2.3.
  • Integrations and Third‑Party Platforms You Enable: Data flows to third‑party platforms depend on the integrations you configure. In such cases, data is handled under the terms of those providers and the settings you control.
  • Corporate Transactions: In the event of a merger, acquisition, financing, or sale of all or part of our assets, personal data may be transferred in accordance with applicable law and with notice to affected users where legally required.
  • Legal and Safety: We may disclose data to comply with applicable laws, respond to lawful requests, enforce our agreements, or protect the rights, safety, and property of Togthr, our users, or the public.

We do not sell personal data. We do not use PHI or Google User Data for advertising purposes, and we do not share such data with third parties for advertising.

6. International Data Transfers

We may transfer personal data across borders to provide our services. When we do, we apply appropriate legal and technical safeguards to protect the data, consistent with applicable law.

  • EU/EEA/Swiss: Transfers are protected by the use of EU Standard Contractual Clauses (SCCs).
  • United Kingdom: Transfers rely on the International Data Transfer Agreement (IDTA) or the UK Addendum to the EU SCCs.
  • Canada, India, UAE, Australia, New Zealand, and Other Regions: Transfers are carried out using applicable safeguards and industry‑standard security measures.

7. Security

We implement technical and organizational measures appropriate to risk, including encryption in transit and at rest, access controls, audit logging for PHISafe services, vulnerability management, and employee training. This includes measures for securely storing and protecting Google User Data.

No system is perfectly secure; however, we act promptly to investigate, respond, and mitigate security incidents. Where required by law or contract (including under a BAA or DPA), we will notify affected parties of data breaches or incidents in a timely manner.

8. Data Retention

We retain personal data for as long as necessary to:

  • Provide services and fulfill the purposes above.
  • Comply with legal, accounting, or reporting obligations.
  • Enforce our agreements.

For processor contexts, we retain per customer instructions and contracts. We may anonymize or aggregate data for analytics and improvements.

9. Your privacy rights

Depending on your region, you may have rights such as:

  • Access, correction, deletion/erasure, restriction, portability.
  • Objection to processing or to direct marketing.
  • Withdraw consent where processing is based on consent.
  • Lodge a complaint with a regulator.

How to exercise rights:
  • If Togthr is the processor/Business Associate, please contact your healthcare provider or organization (the controller). We will assist them as required.
  • If Togthr is the controller (e.g., account admin data, website data, or to request deletion of your Google User Data as described in 2.3), contact us at care@togthr.health. We may need to verify your identity. We aim to respond within one month or applicable statutory timelines.

10. Region-Specific Notices

  • EU/UK GDPR: Rights to access, rectification, erasure, restriction, portability, objection, and to lodge a complaint with your supervisory authority. If we do not have an EU/UK establishment, we will appoint Article 27 representatives and publish their details here.
  • US (CPRA/US state laws): Rights to know/access, delete, correct, portability, and to opt out of “sale” or “sharing” of personal information and to limit use/disclosure of sensitive personal information. We do not sell personal information. If sharing for cross-context behavioral advertising (excluding PHI or Google User Data) occurs, we will provide a “Do Not Sell or Share My Personal Information” link. We will not discriminate for exercising your rights.
  • Canada (PIPEDA and provincial laws): Rights to access and correction; lodge complaints with the Office of the Privacy Commissioner of Canada or applicable provincial authorities.
  • India (DPDP Act 2023): Rights to access, correction, erasure, grievance redressal; we will designate a Grievance Officer and publish details here.
  • UAE (PDPL) and relevant free zones (DIFC/ADGM): Rights including access, correction, erasure; we will fulfill requests consistent with the applicable framework.
  • Australia (Privacy Act 1988) and New Zealand (Privacy Act 2020): Rights to access and correction; contact your local regulator if unresolved.

Regulators (references):
UK ICO: ico.org.uk
EU EDPB: edpb.europa.eu
Canada OPC: priv.gc.ca
Australia OAIC: oaic.gov.au
New Zealand Privacy Commissioner: privacy.org.nz
India (DPBI): to be updated upon final authority details
UAE Federal regulator / DIFC / ADGM: per applicable jurisdiction

11. Cookies and similar technologies

We use cookies/SDKs for essential operations, security, preferences, analytics, and, where applicable, marketing. Consent banners and regional controls are applied where required. See our Cookies Policy for details and options.

12. AI-assisted features

  • Scope: drafting, summarization, extraction, classification, and similar assistance.
  • PHI and Model Training: PHI is not used to train foundation models outside customer-controlled or contracted environments. We implement data minimization and technical safeguards to limit any exposure.
  • Providers: If we use third-party AI providers (e.g., cloud Large Language Model services), they act as our processors subject to contractual agreements. We will list material providers on our Subprocessors page.

13. Data about minors

While our customers may process minors’ health data within PHISafe features, our website and marketing are not directed at children. Any processing of minors’ data in the platform is under our customer’s control and governed by our DPA/BAA.

14. Do Not Track and global privacy signals

Our services currently do not respond to browser “Do Not Track” signals. We will honor applicable global privacy control signals where required by law for opt-out preferences in the US.

15. Changes to this Policy

We may revise this Policy and will update the “Last updated” date. For material changes, we will provide notice via the services, email, or our website.

16. How to Contact Us

  • General privacy inquiries and rights requests (controller context): care@togthr.health
  • Postal address: Togthr, IITM Research Park, Kanagam Rd, Kanagam, Tharamani, Chennai, Tamil Nadu 600113