Legal and Privacy Policy

Privacy Notice for Demo Requests

When you submit a demo request, we collect and process the details you provide, such as your name, work email, company name, and any additional context you choose to share.

We use this information to:

• Contact you about demo availability and follow-up steps.
• Understand your company's needs and product fit.
• Send communications related to your request.

We do not sell your personal information. We may use third-party providers to store or process this information to run our business, subject to applicable data protection laws.

Privacy Policy

Last updated: May 7, 2026

About Toolbar

Toolbar is a software management and access lifecycle platform. We help organizations track software inventory, manage access requests and offboarding, and monitor spend and usage across business applications.

This Privacy Policy explains how we collect, use, and protect personal information when you visit our website, request a demo, use the Toolbar application, and connect identity providers.

Unless stated otherwise, the data controller for personal data covered by this Privacy Policy is Toolbar AS.

For website visits, demo requests, and direct communications with us, Toolbar generally acts as the data controller. For customer workspace data processed through the Toolbar application on behalf of an organisation, Toolbar generally acts as a data processor or service provider, and the relevant customer organisation controls how that data is used. If you use Toolbar through your employer or another organisation, please contact your organisation first for questions about workspace data they control.

1. Information We Collect

Demo and Contact Information

• Name
• Work email
• Company name
• Any additional details you provide in your request

Account and Organization Information

• Account profile details (such as name and email)
• Organization and membership data
• Role and permission data used for access control

Connected System and Product Data

• Identity provider users, work emails, display names, groups, and group memberships
• App, license, and seat records from customer-authorized integrations
• SSO logs and sign-in logs used to infer software access, activity, and recency
• Software, seat assignment, request, and task workflow data
• Audit and event metadata generated by application workflows

Software Import and AI Feature Inputs

• Uploaded software import rows and columns, including software names, vendor names, plan labels, URLs, pricing, cost figures, and other business context included by the customer
• Software vendor and product metadata used for catalog matching and enrichment

Technical and Usage Information

• Basic log and diagnostic data (including IP address and user agent)
• Operational telemetry needed to secure and maintain the service
• Error reports, performance traces, and session data collected by our error monitoring provider

2. How We Use Your Information

We use collected information to:

• Provide, secure, and improve the Toolbar service.
• Operate access workflows such as requests, approvals, and offboarding.
• Sync and reconcile data from customer-authorized integrations.
• Respond to support inquiries and communicate with administrators.
• Power AI-assisted software import and catalog enrichment features.
• Process customer content with AI subprocessors only to provide import mapping, catalog enrichment, and related product features; we do not use customer content to train AI models.
• Meet legal, security, and compliance obligations.

3. Legal Bases for Processing

Where UK GDPR or EU GDPR applies, we typically rely on the following legal bases: consent (for information you choose to submit in demo requests or voluntary feedback), contract or steps taken at your request before entering into a contract (to provide the Toolbar service), legitimate interests (to secure, maintain, and improve the service, including troubleshooting and preventing misuse), and compliance with legal obligations.

4. Data Protection & Sharing Practices

We do not sell personal data. We share data only as needed to provide the service, including with the subprocessors and service providers listed below, all of whom are bound by contractual data protection obligations.

Our primary infrastructure is hosted in Sweden (EU). Where processing occurs outside your jurisdiction, we rely on applicable legal transfer mechanisms, such as Standard Contractual Clauses (SCCs) approved by the European Commission, or adequacy decisions where relevant.

For details about the specific third-party providers we use, the data they process, and the safeguards we rely on, see our Subprocessors page.

Customers who need a processor addendum can also review and download our standard Data Processing Agreement (DPA).

5. Your Privacy Options

You may request that we:

• Provide details about personal data we hold about you
• Correct inaccurate personal data
• Delete personal data, where legally permitted
• Limit or object to certain processing, where applicable

If your personal data is processed through a Toolbar workspace managed by your employer or another organisation, that organisation is usually the best first point of contact for requests relating to workspace data.

6. Your Rights (UK & EU Residents)

If UK GDPR or EU GDPR applies to you, you may have rights including access, correction, deletion, restriction, objection, and portability, plus the right to lodge a complaint with your supervisory authority.

7. Data Security

We apply industry-standard safeguards, including encryption in transit and at rest, controlled access, and security monitoring. While we maintain robust security practices, we encourage users to also follow good security hygiene when using our services.

8. Data Retention

We keep personal data for as long as needed to provide the service and satisfy legal, accounting, and security requirements. We delete or de-identify data when it is no longer required, subject to legal retention obligations.

Retention periods vary depending on the type of data, the customer relationship, product configuration, legal requirements, and operational security needs. We use the following general categories:

• Account and organization data: kept while an account or customer workspace is active, and for a reasonable period afterwards where needed for account administration, support, legal compliance, or dispute handling.
• Customer workspace data: kept for the duration of the customer relationship and any agreed post-termination period, unless deletion is requested earlier and we are legally permitted to delete it.
• Synced directory, license, and SSO log data: kept while needed to provide inventory, access management, activity, audit, and security features for the customer workspace.
• Demo, contact, and sales data: kept while needed to respond to requests, manage follow-up, maintain business records, and respect communication preferences.
• Support, feedback, email, and troubleshooting data: kept while needed to respond to the request, maintain service reliability, investigate issues, and keep operational records.
• Security, audit, and event records: kept while needed to investigate incidents, prevent abuse, preserve auditability, comply with legal obligations, and enforce agreements.
• Backups: deleted or overwritten on normal backup rotation schedules, unless a longer retention period is required for security, continuity, legal, or compliance reasons.

9. Subprocessors and Service Providers

We engage trusted third-party service providers ("subprocessors") to host our services, store and process data, monitor reliability, and deliver AI-assisted features. Each subprocessor is engaged under a written agreement that requires appropriate technical and organisational measures to protect personal data.

We maintain a list of subprocessors with service details, data categories, processing locations, and applicable transfer safeguards on our dedicated Subprocessors page.

We review our subprocessors and update the list when providers change. Material changes will be reflected by an updated effective date on the Subprocessors page.

10. Changes to This Policy

We may update this policy from time to time. Material updates will be posted on this page with a revised "Last updated" date.

Contact Us

If you have questions about this policy or how we process personal data, contact us at: