Privacy Policy

Todata Analytics, LLC

Effective date: March 25, 2026

Todata Analytics, LLC ("Todata," "we," "us," or "our") is dedicated to respecting your privacy and maintaining trust in how we handle your personal data. This Privacy Policy explains what data we collect, how we use it, with whom we share it, and the rights you have in relation to your personal data.

This Policy applies to personal data we process when you visit our websites (including www.todata.com), use our products or services, communicate with us, or otherwise interact with Todata.

1. Personal data we collect

Depending on how you interact with us, we may collect:

  • Personal and business contact information (such as name, job title, company, postal address, email address, and telephone number).
  • Account information (such as username, password, and related account profile information).
  • Location information (such as general location derived from your IP address or other technical data).
  • Usage data (such as information about how you access and use our websites, portals, products, and services, including pages viewed, features used, access times, browser type, and device identifiers).
  • Customer content and data for analytics services (any data, including personal data, that you or your organization provide to us in connection with our analytics consulting services or products).
  • Survey and feedback information (such as information you provide in customer satisfaction surveys, feedback forms, or reviews).
  • Images, audio, and video (such as recordings or photographs from training sessions, webinars, or meetings, and recordings of calls or online meetings where permitted by law and with appropriate notice).
  • Third-party personal data (personal data about other individuals—such as your employees, customers, or collaborators—that you provide to us). If you provide such data, you are responsible for ensuring that you have the authority and appropriate legal basis to share that information with us.

Sensitive personal information. Some of the personal data described above may qualify as "sensitive personal information" under applicable U.S. state privacy laws, including the California Consumer Privacy Act as amended by the California Privacy Rights Act (collectively, "CCPA"). Sensitive personal information we may collect includes account log-in credentials (username in combination with password or security questions that permit access to an account), and precise geolocation data where you have enabled location services. We do not collect Social Security numbers, government-issued identification numbers, financial account numbers, racial or ethnic origin, religious beliefs, genetic data, biometric information, health data, or information concerning sex life or sexual orientation through our websites or products unless separately disclosed.

We collect only the personal data necessary to provide and improve our services and to fulfill our legal and contractual obligations. All personal data stored or transmitted by us is protected using industry-standard encryption technologies.

2. How we collect personal data

We collect personal data in several ways, including:

  • When you or your organization engage us to provide analytics consulting or related services.
  • When you create an account, make a purchase, or use our products or web portals.
  • When you register for, attend, or participate in training sessions, demos, events, or webinars.
  • When you complete customer satisfaction or other surveys.
  • When you request product support or otherwise communicate with us.
  • Through cookies and similar technologies when you use our websites or online services.

We may combine information collected from different sources (for example, combining your name with your postal code or usage data). When combined in a way that identifies you, we treat the combined information as personal data.

3. How we use personal data

We use personal data for the following purposes:

  • To provide and operate our services, including delivering analytics and consulting services, hosting and maintaining our platforms, and enabling core functionality. Processed on the basis of performance of a contract or steps taken at your request prior to entering a contract.
  • To manage our relationship with you, including responding to inquiries and support requests, communicating about your account or our services, and providing customer service. Processed under performance of a contract and our legitimate interests in delivering efficient support and communication.
  • To send marketing and informational communications you choose to receive, such as newsletters, product updates, event information, and promotional offers. You can opt out of marketing at any time by following the unsubscribe instructions in our emails or contacting us. Processed based on your consent. You may withdraw consent at any time.
  • To improve and develop our products and services, including data analysis, testing, research, and optimization of our services, user experience, and business operations. Processed under our legitimate interests in maintaining, enhancing, and securing our services.
  • To manage purchases, payments, refunds, and related accounting, auditing, billing, and collection activities. Processed to perform a contract and to meet legal obligations (for example, tax and financial reporting).
  • To maintain security and prevent misuse, including protecting our systems and data, detecting and preventing fraud, security incidents, and other harmful or illegal activity. Processed under our legitimate interests in protecting our business, users, and systems.
  • To comply with legal obligations and respond to lawful requests from public authorities. Processed on the basis of legal obligation.
  • For any other purpose disclosed to you at the time of collection or with your consent. Processed based on consent or another lawful basis disclosed to you.

3a. Retention periods

We retain personal data only for as long as necessary to fulfill the purposes described above, unless a longer retention period is required or permitted by law. The following schedule describes our general retention practices by category:

  • Personal and business contact information: Duration of the business relationship plus three (3) years, or as required by law.
  • Account information: Duration of account activity plus one (1) year following account closure or last activity.
  • Location information: Up to thirteen (13) months from the date of collection.
  • Usage data (website analytics): Up to twenty-six (26) months from the date of collection.
  • Customer content and data for analytics services: We retain customer content and data for the duration of the applicable service agreement. Upon termination of the agreement, we will promptly delete or, upon written request, return customer content and other confidential information to the disclosing party, subject to applicable law and any legal retention obligations. Unless otherwise required by law or agreed in writing, we typically complete deletion within thirty (30) days after termination. Upon written request, we will confirm deletion or return in writing.
  • Survey and feedback information: Three (3) years from collection, or the duration of the business relationship, whichever is longer.
  • Images, audio, and video: Up to three (3) years from collection, unless a shorter period is required by law or agreed with participants.
  • Third-party personal data: Retained in accordance with the applicable service agreement and deleted upon termination or upon request from the data controller, subject to legal retention obligations.
  • Sensitive personal information: Retained only for the duration necessary to fulfill the specific purpose for which it was collected.

Where legal, regulatory, or contractual obligations require longer retention, we retain data for the minimum period necessary to satisfy those obligations.

4. How we share personal data

We may share personal data with:

  • Affiliated entities and partners, for example with an affiliated partner or association at your specific request.
  • Service providers, contractors, and vendors that perform services on our behalf, such as cloud hosting providers (including Microsoft Azure), analytics providers, customer support tools, customer relationship management providers, and other suppliers who process personal data for us in order to provide services. These providers are contractually required to safeguard personal data and may only use it as instructed by us.
  • Professional advisors, such as lawyers, auditors, and insurers, where necessary for the provision of their professional services.
  • Public authorities or other third parties when required to do so by law, regulation, legal process, or governmental request, or when we believe disclosure is necessary to protect the rights, property, or safety of Todata, our customers, or others.
  • Other third parties with your consent or at your direction.

We do not sell personal information as "sale" is defined under applicable privacy laws. We also do not share personal information for cross-context behavioral advertising as that term is defined under the CCPA. We may disclose personal information to service providers and contractors, including analytics and customer relationship management providers, solely to help us operate our websites and services, understand website usage, manage communications, and support our business operations. To the extent that any disclosure of personal information to a third party could be interpreted as a "sale" or "sharing" under applicable law, we provide consumers with the rights described in Section 8a below.

When sharing personal data with third parties, we limit the data disclosed to what is necessary for the relevant purpose and require recipients to protect it appropriately.

5. Training and optimization of AI systems

We may use artificial intelligence or machine learning-enabled tools to support internal operations, service delivery, analytics, product improvement, quality assurance, security, and administrative efficiency. We do not use personal information submitted by customers through our services to train generalized artificial intelligence or machine learning models for the benefit of other customers unless we specifically disclose that practice and have an appropriate legal basis to do so.

Where AI-enabled tools are used in connection with personal data, we apply reasonable safeguards designed to support data minimization, access controls, security, and compliance with applicable law.

6. International data transfers

Todata is based in the United States and may process personal data in the United States and other countries that may have different data protection laws than your country of residence.

Where we transfer personal data from the European Economic Area (EEA) or the United Kingdom (UK) to countries that have not been deemed to provide an adequate level of protection, we use appropriate safeguards, such as standard contractual clauses approved by the European Commission or the UK government, and implement additional technical and organizational measures where appropriate.

7. Cookies and similar technologies

We use cookies and similar technologies on our websites and portals to:

  • enable core site functionality,
  • remember your preferences,
  • analyze usage and performance, and
  • support security and fraud prevention.

We may use third-party tools such as Google Analytics and HubSpot to measure website traffic, understand how visitors use our site, manage communications, and improve our services. We do not use these tools to sell personal information or to share personal information for cross-context behavioral advertising.

You can control cookies through your browser settings and other tools. If you disable certain cookies, some features of our websites or services may not function properly.

Opt-out preference signals. Our websites recognize opt-out preference signals, including the Global Privacy Control (GPC). When we detect a GPC or similar signal from your browser, we treat it as a valid request to opt out of the sale or sharing of personal information associated with that browser. You do not need to take any additional steps. For more information about GPC, visit globalprivacycontrol.org.

8. Your privacy rights

Depending on your location and applicable law (including the GDPR for EEA and UK residents and certain U.S. state privacy laws), you may have some or all of the following rights regarding your personal data:

  • Right of access – to know whether we process your personal data and to request a copy of that data.
  • Right to rectification – to request that inaccurate or incomplete personal data be corrected.
  • Right to erasure ("right to be forgotten") – to request that we delete your personal data, subject to certain limitations (for example, where we must retain data to complete a transaction or comply with legal obligations).
  • Right to restriction of processing – to request that we restrict the processing of your personal data under certain circumstances.
  • Right to data portability – to request that we provide your personal data in a structured, commonly used, and machine-readable format and, where technically feasible, transmit it to another controller.
  • Right to object – to object to certain processing of your personal data, including processing based on our legitimate interests and direct marketing.
  • Right to withdraw consent – where processing is based on consent, you may withdraw your consent at any time. This will not affect the lawfulness of any processing before withdrawal, but may impact your ability to use some services.
  • Right to lodge a complaint – you may lodge a complaint with a competent supervisory authority if you believe that our processing of your personal data violates applicable law.

To exercise your rights, please contact us using the details in the "Data Protection Officer," "EU and UK GDPR representatives," or "How to contact us" sections below. We may need to verify your identity before responding to your request. Some rights may be subject to limitations under applicable law.

8a. Notice to California residents

This section applies to California residents whose personal information is subject to the California Consumer Privacy Act, as amended by the California Privacy Rights Act (collectively, "CCPA"). This notice supplements the information in the rest of our Privacy Policy.

Categories of personal information collected. In the preceding twelve (12) months, we have collected the following categories of personal information as defined by the CCPA: identifiers (such as name, email address, IP address); personal information categories listed in California Civil Code Section 1798.80(e) (such as name, address, telephone number); internet or other electronic network activity information (such as browsing history on our websites and interactions with our portals); geolocation data (general location derived from IP address); professional or employment-related information (such as job title and company); and inferences drawn from any of the above (such as preferences or usage patterns).

Categories of sensitive personal information collected. We may collect the following categories of sensitive personal information: account log-in credentials (username in combination with a password that permits access to an account). We use sensitive personal information only for the purposes permitted by the CCPA, including to perform the services you request and to maintain the security of our systems.

Sources. We collect personal information from the sources described in Sections 1 and 2 of this Privacy Policy, including directly from you, automatically through your use of our websites and services, and from third-party sources.

Purposes. We use personal information for the business and commercial purposes described in Section 3 of this Privacy Policy.

Disclosure, sale, and sharing. In the preceding twelve (12) months, we have disclosed personal information to service providers and contractors for the business purposes described in Section 4. We have not sold personal information and have not shared personal information for cross-context behavioral advertising, as those terms are defined under the CCPA.

Retention. We retain each category of personal information for the periods described in Section 3a.

Your California privacy rights. If you are a California resident, you have the following rights under the CCPA:

  • Right to know. You may request that we disclose the categories and specific pieces of personal information we have collected about you, the categories of sources, the business or commercial purposes for collection, and the categories of third parties to whom we have disclosed your personal information.
  • Right to delete. You may request that we delete the personal information we have collected from you, subject to certain exceptions.
  • Right to correct. You may request that we correct inaccurate personal information we maintain about you.
  • Right to opt out of sale or sharing. You may direct us not to sell or share your personal information. Because we do not sell or share personal information as defined by the CCPA, there is no need to submit such a request at this time. If our practices change, we will update this notice and provide a mechanism to opt out.
  • Right to limit use of sensitive personal information. You may direct us to limit our use of your sensitive personal information to purposes permitted by the CCPA. We use sensitive personal information only for such permitted purposes.
  • Right to non-discrimination. We will not discriminate against you for exercising any of your CCPA rights. We will not deny you goods or services, charge you different prices, provide a different level or quality of service, or suggest that you will receive any of these as a consequence of exercising your rights.

How to submit a request. You may submit a request to know, delete, or correct your personal information by:

  • Emailing us at info@todata.com with "California Privacy Request" in the subject line, or
  • Writing to us at: Todata Analytics, LLC, 3555 Farnam Street, Suite 303, Omaha, NE 68131.

Verification. When we receive a request, we will verify your identity before processing it. We may ask you to provide information that matches information we already have on file, such as your name, email address, and company. If you use an authorized agent to submit a request on your behalf, we may require that the agent provide written proof of authorization and that you verify your identity directly with us.

Response timing. We will acknowledge receipt of your request within ten (10) business days and provide a substantive response within forty-five (45) calendar days. If we need additional time, we will notify you of the extension and the reason for it. We may take up to an additional forty-five (45) calendar days to respond, for a maximum total of ninety (90) calendar days.

Financial incentives. We do not offer financial incentives or price or service differences in exchange for the retention or sale of personal information.

9. Security

We use technical, administrative, and physical safeguards designed to protect personal data against unauthorized access, loss, misuse, or alteration. These measures include:

  • encrypting personal data in transit and at rest using industry-standard technologies,
  • access controls and role-based permissions,
  • secure disposal of paper and electronic media, and
  • staff training and internal policies on data protection and information security.

No method of transmission or storage is completely secure, and we cannot guarantee absolute security; however, we strive to protect your personal data using commercially reasonable measures.

10. Children's privacy

Our websites, products, and services are not directed to children under the age of 16, and we do not knowingly collect personal data from children under 16. We do not knowingly sell or share the personal information of consumers under 16 years of age. If we become aware that we have collected personal data from a child under 16 without appropriate consent, we will take steps to delete it.

11. Data Protection Officer

Todata Analytics, LLC has appointed a Data Protection Officer (DPO).

Data Protection Officer (DPO)
Name: Michael Demman
Title: Legal Counsel
Phone: +1 402-871-4971
Email: info@todata.com (please reference "Data Protection Officer" in the subject line)

You may contact our DPO with questions or concerns about this Privacy Policy or our handling of your personal data.

12. EU and UK GDPR representatives

For individuals in the European Union and the United Kingdom, Todata has appointed local representatives in accordance with Article 27 of the GDPR. You may contact these representatives on matters related to the processing of your personal data under the GDPR.

EU – Ireland representative
Company name: Instant EU GDPR Representative Ltd
Contact person: Adam Brogden
Email: contact@gdprlocal.com
Tel: +353 15 549 700
EU Dublin address: INSTANT EU GDPR REPRESENTATIVE LIMITED, Office 2, 12A Lower Main Street, Lucan, Co. Dublin K78 X5P8, Ireland
EU GDPR reporting link: todataanalyticsllc.gdprlocal.com/eu

UK representative
Company name: GDPRLocal Ltd.
Contact person: Adam Brogden
Email: contact@gdprlocal.com
Tel: +44 1772 217 800
UK address: GDPRLocal Ltd., 1st Floor Front Suite, 27–29 North Street, Brighton, England BN1 1EB, United Kingdom
UK GDPR reporting link: todataanalyticsllc.gdprlocal.com/uk

13. How to contact us

If you have any questions about this Privacy Policy, our data practices, or if you would like to exercise any of the rights described above, you can contact us at:

Todata Analytics, LLC
3555 Farnam Street, Suite 303
Omaha, NE 68131
United States

Email: info@todata.com

You may also contact our Data Protection Officer or, if you are located in the EU or UK, our respective GDPR representative using the contact information above.

14. Changes to this Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technologies, or legal requirements. When we make material changes, we will update the "Effective date" at the top of this page and, where required, provide additional notice, such as by posting a notice on our website or by sending you a notification.

Your continued use of our websites, products, or services after any changes become effective signifies your understanding of and agreement to the updated Privacy Policy.