Torok ("Torok," "we," "us") is a marketing-analytics platform operated by Levy Strategies LLC. This policy explains what we collect, how we use and protect it, and the choices you have. Questions: privacy@torok.ai.
01Who we are
Torok is operated by Levy Strategies LLC, an Illinois limited liability company based in Highland Park, Illinois, USA. Torok is a product of Levy Strategies LLC — a Levy Strategies company.
Torok lets businesses connect their advertising and commerce accounts (such as Google Ads, Meta, Microsoft Advertising, and Amazon Ads), loads that data into a secure data warehouse, and provides AI-assisted analysis and recommendations on top of it. This policy applies to our website at torok.ai, our web application, and related services (together, the "Services").
02Scope and our two roles
Torok handles two broad categories of data, and our role differs for each:
- As a controller. For information about you as an account holder — your name, email, login credentials, billing details, and how you use the Services — Levy Strategies LLC decides how and why that data is processed, and acts as the data controller.
- As a processor / service provider. When you connect an advertising or commerce account, we access advertising, campaign, and performance data from that platform on your behalf ("Connected Account Data"). For this data we act as a processor (a "service provider" under U.S. law) that processes the data only on the instructions of the business customer who connected the account, which remains the controller of that data.
If you are an individual whose personal data may appear within a business customer's Connected Account Data, please direct any privacy requests to that business; we will support them in responding.
03Information we collect
a. Account and profile information. Your name, business name, email address, password (stored only as a secure hash), role, and preferences.
b. Connected Account Data (via authorized OAuth). When you connect a platform, you authorize us — through that platform's official OAuth consent flow — to access data needed to provide the Services. Depending on the platform, this may include advertising campaigns, ad groups, ads and creatives, keywords/search terms, spend, impressions, clicks, conversions, revenue and performance metrics, account and campaign settings, and (where you connect commerce or analytics sources) order, product, and website-analytics data. We only request the access scopes necessary to provide the features you use, and we access this data strictly to provide and improve those features.
c. Authentication tokens. To keep your data current, we store the OAuth refresh tokens issued by each connected platform. These are encrypted at all times (see Section 10) and are used solely to retrieve your data on your behalf.
d. Payment information. Subscription and prepaid-credit payments are processed by Stripe. We do not store full payment-card numbers; Stripe handles card data as a PCI-DSS-compliant payment processor. We retain limited billing records (e.g., plan, transaction history, last four digits).
e. Usage, log, and device data. Standard technical data such as IP address, browser and device type, pages viewed, feature usage, timestamps, and diagnostic/error logs, used to operate, secure, and improve the Services.
f. Cookies and similar technologies. We use cookies to keep you signed in, remember preferences, and understand product usage. See our Cookie Policy for details and controls.
04How we use your information
We use the information above to:
- Provide, maintain, and secure the Services, including connecting your accounts, refreshing your data, and running the AI analysis you request;
- Meter usage and administer billing, prepaid credits, and plan limits;
- Communicate with you about your account, support requests, security notices, and service updates;
- Detect, prevent, and investigate fraud, abuse, and security incidents;
- Improve and develop features and analytics; and
- Comply with legal obligations and enforce our Terms of Service.
We do not sell your personal information, and we do not use Connected Account Data to serve advertising, build cross-customer profiles, or for credit, lending, or eligibility decisions.
05How the AI analysis works
Torok's analysis is powered by a third-party large language model provider. When you ask Torok a question, we assemble the relevant, tenant-scoped context from your own data warehouse and send it to the model to generate an answer. Key safeguards:
- The AI has access to your data only through a read-only, per-tenant query interface — it cannot reach another customer's data, and it is never given a database credential.
- We call the provider's API under our own commercial terms. Your data is not used to train third-party foundation models.
- We meter the actual processing of each request to administer your credit balance.
06How we share information — sub-processors
We share information only with service providers who help us operate the Services, under contractual confidentiality and data-protection obligations, and only as needed. Our current sub-processors include:
| Category | Purpose | Location |
|---|---|---|
| Cloud hosting & key management | Application hosting, infrastructure, and encryption key management | USA |
| Analytical data warehouse | Storage of your connected-account data | USA |
| AI model processing | Generating the AI analysis you request | USA |
| Payment processing | Billing, subscriptions, and prepaid credits | USA |
| Transactional & business email | Receipts, notifications, and communications | USA |
An up-to-date list is maintained on our Sub-processors page. We may also disclose information (i) to comply with law, legal process, or lawful government requests; (ii) to protect the rights, safety, and security of Torok, our customers, or the public; and (iii) in connection with a merger, acquisition, or sale of assets, subject to this policy. We do not transfer or sell user data to advertising platforms or data brokers.
07Google API Services — Limited Use disclosure
Torok's use and transfer of information received from Google APIs will adhere to the Google API Services User Data Policy, including the Limited Use requirements. We request only the Google account scopes necessary to provide our features, use that data solely to provide or improve those user-facing features, do not transfer or sell it for advertising or other prohibited purposes, and do not allow humans to read it except with your consent, for security or legal reasons, or as necessary to operate the Services.
08Meta, Microsoft, and Amazon platform data
Data obtained through Meta (Facebook/Instagram) Marketing API, Microsoft Advertising, and Amazon Ads is handled in accordance with each platform's developer and platform terms. We access this data only to provide the features requested by the customer who connected the account, retain it only as described in this policy, and delete it when the customer disconnects the platform or closes their account.
09Data retention
"Retention" means how long we keep your data after you stop actively using Torok. Our approach:
- While your account is active, we retain your information to provide the Services.
- If your trial ends or you close your account, we keep your account data and previously synced Connected Account Data for up to 365 days, so you can restart your trial or reactivate your account without having to reconnect and re-import everything. After 365 days of inactivity, we permanently delete it.
- You can have your data deleted sooner, at any time. Send a written request to privacy@torok.ai or support@torok.ai and we will delete your data promptly, ahead of the 365-day period.
- Access credentials are handled more strictly than data. When you disconnect a platform or close your account, we promptly delete the stored OAuth tokens for that platform and stop syncing new data — we do not retain live credentials to your advertising accounts during the retention period. If you reactivate, you simply reconnect the platform.
- Backups. Residual copies in encrypted backups are purged within 90 days of deletion.
- We may retain limited records longer where required for legal, tax, accounting, or fraud-prevention purposes.
10How we protect your data
Security is central to Torok. Our measures include:
- Encryption in transit and at rest. All data is encrypted in transit (TLS) and at rest.
- Encrypted token vault. OAuth refresh tokens are protected with envelope encryption using per-customer data keys wrapped by a master key in a managed Key Management Service (KMS). Tokens are decrypted only in memory, at the moment of an authorized data refresh, and are never logged.
- Tenant isolation. Each customer's connected-account data lives in its own isolated database; queries are structurally scoped so one customer cannot reach another's data.
- Access controls and 2FA. Administrative access is least-privilege, and two-factor authentication is enforced on privileged accounts.
- Audit logging and monitoring. Access to sensitive data and administrative actions are logged and monitored.
- Incident response. We maintain an incident-response process and will notify affected customers of a personal-data breach without undue delay, consistent with applicable law.
No system is perfectly secure, but we work continuously to protect your information and align our practices with recognized standards (with SOC 2 on our roadmap as we grow).
11International data transfers
Torok is operated from, and stores data in, the United States. If you access the Services from outside the U.S., you understand that your information will be processed in the U.S. Where required for transfers of personal data from the EEA, UK, or Switzerland, we rely on appropriate safeguards such as the European Commission's Standard Contractual Clauses.
12Your rights and choices
Depending on where you live, you may have some or all of the following rights regarding your personal data:
- Access — request a copy of the personal data we hold about you.
- Rectification — request correction of inaccurate data.
- Erasure — request deletion of your personal data, subject to certain conditions.
- Restriction / objection — request that we limit or stop certain processing.
- Portability — request your data in a portable format, or that we transmit it to another provider.
- Opt out of "sale"/"sharing" — we do not sell or share personal information as those terms are defined under California and other U.S. state privacy laws; you may still submit a request.
- Non-discrimination — we will not discriminate against you for exercising your rights.
To exercise any of these, email privacy@torok.ai. We will verify your request and respond within the time required by law (generally one month for GDPR and 45 days for California requests). If your request concerns data we process on behalf of a business customer (Connected Account Data), we will refer you to, and assist, that customer.
California (CCPA/CPRA) and EEA/UK (GDPR) residents have the specific statutory rights described above; this section is intended to satisfy those disclosure requirements.
13Deleting your data
You are always in control of your data. You can disconnect any platform at any time, which deletes that platform's access tokens and stops further syncing. Your previously synced data is then kept for the 365-day restart window described in Section 9. To have your stored data deleted immediately — rather than held for that window — send a written deletion request to privacy@torok.ai or support@torok.ai, and we will promptly erase your tenant data and remove residual copies from backups.
14Cookies and tracking
We use strictly necessary, preference, and analytics cookies. You can control cookies through your browser and, where applicable, our cookie-consent banner. See our Cookie Policy for details.
15Children's privacy
Torok is a business tool intended for users 18 years and older. It is not directed to children, and we do not knowingly collect personal data from anyone under 18 (or under 16 in the EEA). If you believe a child has provided us data, contact privacy@torok.ai and we will delete it.
16Changes to this policy
We may update this policy from time to time. When we make material changes, we will update the "Last updated" date and, where appropriate, notify you by email or in-app. Your continued use of the Services after changes take effect constitutes acceptance of the updated policy.
17Contact us
Levy Strategies LLC (operating Torok)
Highland Park, IL, USA
Privacy: privacy@torok.ai
Support: support@torok.ai
This policy and any dispute relating to it are governed by the laws of the State of Illinois, without regard to its conflict-of-laws rules.
← Back to torok.ai