Toth Labs · Legal

Privacy Policy

Effective June 7, 2026

Toth Labs is a small studio run by Kathleen and Michael Toth. This policy explains what happens when you connect a Google service to Toth Labs so our team can work with the files and information you choose to share. It covers the Google account data we handle and the choices you have over it.

What this policy covers

This policy applies to the Google connection flow at whynottoth.com/connect/google, where a signed-in user can grant Toth Labs access to one or more of their Google services. It does not create any obligation to connect a Google account — connecting is entirely optional and is something you do deliberately through Google’s own consent screen.

Information we collect

When you connect a Google service, we collect and store only what that requires:

  • A Google OAuth refresh token for each service you explicitly grant. A refresh token is a credential that lets us request short-lived access tokens from Google so we can act on your behalf for the services you approved — and nothing else.
  • The email address of the connected Google account, stored as a human-readable label so you and our team can tell which account a connection belongs to.
  • The email address you sign in with on this site, which identifies the connection as yours.

We do not collect your Google password, and we do not copy the contents of your Drive, Calendar, or YouTube account into our own storage. We read that information from Google only when there is work to do, using the access you granted.

The Google services and what each permission allows

You choose which services to connect, and each one maps to a single, narrowly scoped Google permission:

  • Google Drive (drive.file). This is the most limited Drive permission: it grants access only to the specific files that Toth Labs creates with you or that you explicitly open through Toth Labs. It does not allow access to the rest of your Drive.
  • Google Calendar (calendar.readonly). Read-only access to your calendar events. We can read events; we cannot create, edit, or delete them.
  • YouTube (youtube.readonly). Read-only access to your YouTube channel details and statistics. We can read channel and stats information; we cannot post, change, or delete anything.

You can grant any combination of these, and you can connect just one. Calendar and YouTube use sensitive Google scopes.

How we store and use your data

The refresh token is encrypted at rest using libsodium secretbox (XSalsa20-Poly1305 authenticated encryption) with a master key held separately from the stored data. It is never written to logs and never displayed in our interface.

We use the stored token for one purpose: to mint short-lived access tokens that let Toth Labs call Google’s APIs on your behalf, within the exact scopes you granted, to deliver the work you asked us to do. We use your Google data only to provide and improve the service you requested. We do not sell your Google data, and we do not use it for advertising.

Who can access it

Access is limited to the Toth Labs studio operators (Kathleen and Michael Toth) and the studio’s own agent tooling acting on their behalf, solely to carry out the work you authorized. We do not share your Google data or the stored token with third parties. The only exceptions are infrastructure providers that host our application, strictly to keep the service running, and disclosures required by law.

Data retention

We keep the encrypted refresh token and its account label for as long as your connection is active and you want Toth Labs to be able to do this work. When you revoke a connection, the stored token is no longer valid for Google’s APIs; we delete the corresponding stored credential on revocation or on your request, and within a reasonable period once a connection is no longer needed.

How to revoke access or delete your data

You are in control of this connection at all times. To disconnect:

  • Revoke Toth Labs’ access directly from your Google Account at myaccount.google.com/permissions. This immediately invalidates the stored token at Google.
  • And/or email us at [email protected] to ask us to delete the stored credential and any associated label. We will confirm once it is removed.

Google API Services User Data Policy

Toth Labs’ use and transfer of information received from Google APIs adheres to the Google API Services User Data Policy, including its Limited Use requirements. Google user data is used only to provide the service you requested, is not sold, and is not used for advertising.

Children

Toth Labs is not directed to children under 13, and we do not knowingly collect data from them.

Changes to this policy

If we change how we handle connected Google data, we will update this page and revise the effective date above.

Contact

Questions about this policy or your data? Email [email protected].

Toth Labs operates as a studio run by Kathleen and Michael Toth; the formal operating entity name is being finalized.