Effective April 4, 2026
This Privacy Policy describes how Toasted Inc. ("Toasted," "we," "us," or "our") collects, uses, discloses, and retains information when you use kat, including the website at kat.ai, the kat AI assistant and companion product delivered via web, iMessage, or any other interface, connected third-party integrations, autonomous agent features, and any related products, software, or services we make available (collectively, the "Service").
By using the Service, you agree to the collection and use of information in accordance with this Privacy Policy. If you do not agree, do not use the Service.
Kat is operated by Toasted Inc., a Delaware corporation. For the purposes of the EU General Data Protection Regulation ("GDPR") and UK GDPR, Toasted Inc. is the data controller of your personal data. If you have questions about this Privacy Policy or our privacy practices, you may contact us at legal@kat.ai.
We collect information you provide directly, information generated through your use of the Service, and information from third-party integrations you choose to connect. The categories below describe the types of data we may process.
When you create an account, join a waitlist, or sign in, we collect your name, email address, phone number, profile photo, and authentication credentials (including OAuth tokens for third-party sign-in providers such as Google or Apple).
When you interact with kat, we collect your prompts, messages, files, images, feedback, and kat's responses. This includes conversations across all interfaces (web, iMessage, integrations).
Kat maintains a persistent memory of facts, preferences, and context you share across conversations. Memory entries are stored separately from conversation logs and are used to personalize future interactions. You can view, edit, and delete memory entries at any time through the Service.
If you connect your email account, kat may access, read, and draft emails on your behalf. For Gmail users, this includes access to message content, metadata (sender, recipient, subject, timestamps), labels, and attachments via the Gmail API. Kat accesses only the messages and threads necessary to fulfill your requests. See the "Google API Services User Data Policy" section below for additional terms that apply to Gmail data.
If you connect your calendar (e.g., Google Calendar), kat may read, create, update, and delete calendar events on your behalf, including event titles, times, locations, attendees, and descriptions. See the "Google API Services User Data Policy" section below for additional terms that apply to Google Calendar data.
If you connect an Oura Ring or other health integration, kat may access sleep scores, readiness scores, activity data, heart rate, heart rate variability, body temperature, and related wellness metrics. See the "Health Data" section below for additional terms.
If you connect Spotify or another music service, kat may access your listening history, playlists, liked songs, and playback state to provide recommendations or control playback on your behalf.
Kat may process location information you share in conversation or through connected integrations (e.g., calendar event locations, weather queries). We do not continuously track your GPS location.
If you interact with kat via iMessage or SMS, we process message content, phone numbers, and delivery metadata as necessary to operate the Service.
If you ask kat to search the web, visit a URL, or summarize a webpage, we process the URLs, search queries, and retrieved page content necessary to fulfill your request.
If you subscribe to a paid tier, we collect billing information through our payment processor (e.g., Stripe), including payment method, billing address, and transaction history. Toasted does not store full credit card numbers on its servers. If kat initiates transactions on your behalf (e.g., placing an order), we process the transaction details necessary to complete the action.
If you ask kat to write or run code, we process the code, execution environment metadata, inputs, and outputs in a sandboxed environment.
If you use voice features, we collect audio recordings and transcriptions to process your requests. Audio recordings are retained only as long as necessary to complete transcription unless you opt in to longer retention for quality improvement.
We automatically collect device type, operating system, browser type, IP address, referring URL, pages visited, feature usage, session duration, crash logs, and performance diagnostics.
We collect IP addresses, timestamps, user agents, Turnstile challenge tokens, and related signals to protect the Service and prevent spam, fraud, and abuse.
We do not sell your personal information. We may share information with the following categories of recipients, subject to appropriate contractual protections:
We retain personal information for as long as reasonably necessary to provide the Service, maintain your account, and comply with our legal obligations. Conversation history and long-term memory are retained for the duration of your account. If you delete your account, we will delete or de-identify your personal information within 90 days, except where retention is required by law or necessary to resolve disputes. Specific integration data (e.g., cached emails or calendar events) may be deleted sooner based on the integration's requirements.
We may need to verify your identity before fulfilling certain requests. We will not discriminate against you for exercising your privacy rights.
If you are a California resident, the California Consumer Privacy Act, as amended by the California Privacy Rights Act ("CCPA"), provides you with additional rights regarding your personal information:
To exercise your rights, contact legal@kat.ai. We will respond to verified requests within 45 days. You may designate an authorized agent to make a request on your behalf.
If you are located in the European Economic Area ("EEA"), the United Kingdom, or Switzerland, the following additional terms apply:
To exercise your rights, contact legal@kat.ai.
Kat can connect to health and wellness platforms like Oura to surface insights about your sleep, activity, and readiness. Health data is used solely to provide the features you request and is not sold or shared for advertising purposes. Toasted Inc. is not a HIPAA-covered entity or business associate, and the Service is not intended to be used as a medical device or for clinical decision-making. Health data is treated as sensitive personal information under applicable privacy laws. You can disconnect health integrations at any time to stop further data collection.
Kat's use and transfer of information received from Google APIs to any other app adheres to the Google API Services User Data Policy, including the Limited Use requirements.
When you connect your Google account, kat may request access to:
gmail.modify or equivalent).
calendar.events or equivalent).
Kat accesses only the data necessary to fulfill your explicit requests (e.g., "summarize my unread emails," "schedule a meeting for Thursday").
Kat's use of data received from Google APIs complies with Google's Limited Use requirements. Specifically:
Google user data accessed by kat is processed in real time or cached temporarily to fulfill your request. Cached Google data is encrypted at rest and is not retained beyond the active session unless stored as part of your conversation history or long-term memory at your direction. If you delete a memory entry or conversation that contains Google data, it is deleted in accordance with our standard data retention practices.
You can revoke kat's access to your Google account at any time by:
After revocation, kat will no longer be able to access your Gmail or Calendar data. Previously stored data (e.g., in conversation history or memory) will be deleted upon your request.
The Service may contain links to or interact with third-party websites and services. We are not responsible for the privacy practices or content of those third parties. We encourage you to read the privacy policies of any third-party services you access.
We use reasonable administrative, technical, and organizational measures to protect personal information. Data transmitted to kat.ai uses HTTPS. Data at rest is encrypted where supported by our infrastructure providers. OAuth tokens for connected integrations are stored encrypted. Code execution occurs in sandboxed environments isolated from other users and system infrastructure. No method of transmission or storage is completely secure, and we cannot guarantee absolute security.
The Service is intended for users who are at least 18 years old. We do not knowingly collect personal information from anyone under 18. If we learn that we have collected personal information from a user under 18, we will take steps to delete that information promptly. If you believe a child under 18 has provided us with personal information, please contact legal@kat.ai.
We may update this Privacy Policy from time to time. If we make material changes, we will notify you by email (to the address associated with your account) or by posting a prominent notice on the Service at least 30 days before the changes take effect. Your continued use of the Service after the updated Privacy Policy becomes effective constitutes your acceptance of the revised policy.
Toasted Inc. — legal@kat.ai