ToolStash Privacy Policy
Last updated: May 25, 2026
ToolStash is built by Statio.Faith LLC ("we", "us"). This policy explains what data we collect, how we use it, and what control you have over it. We wrote it to be readable — if anything is unclear, email [email protected] and we'll fix it.
What we collect
| Data | Source | Why |
| --- | --- | --- |
| Email address | You provide it at sign-up | Account login, password reset |
| Display name | You provide it (optional) | Shown to friends inside the app |
| Avatar selfie + generated cartoon avatar | You take the selfie; we render the cartoon | Profile picture inside the app |
| Tool photos | You take them or pick from gallery | Inventory entries |
| Tool metadata (brand, model, serial, notes, location, loan status) | You enter or scan | Your tool inventory |
| Contact email addresses | Read from your device's address book only when you tap "Find friends from contacts" | Match against existing ToolStash users so we can show you who's already on the app |
| Friend connections + borrow requests | You + your friends create them | Friend graph, borrow flow |
| Push notification token | Generated by Firebase on your device | Send the notifications you've opted into |
We do not collect: precise location, browsing history, financial information, contacts beyond email addresses, phone numbers, or biometric data.
How we use the data
- Account management. Email + display name + auth tokens.
- App functionality. Your tools, photos, loan history, friend graph, notification preferences.
- Friend matching. When you tap "Find friends from contacts," we upload the email addresses from your address book to our server, match them against existing ToolStash users, return matches to your phone, then discard the rest. Non-matching emails are not stored.
- Avatar generation. Your selfie is sent to Azure OpenAI (our service provider for image generation) once per avatar render. Azure processes the selfie ephemerally and does not retain it. We never share the selfie with any other party.
- Push notifications. When opted in, we send notifications to the Firebase Cloud Messaging token registered for your device.
What we share
Nothing with advertisers. We do not sell, rent, or share your personal data with third-party advertisers or data brokers. There are no ads in ToolStash.
Service providers we use:
- Supabase — hosts our backend (database, auth, storage).
- Azure OpenAI — renders the cartoon avatar from your selfie.
- Firebase Cloud Messaging — delivers push notifications.
- Google Sign-In — optional sign-in method.
Each of these processes only the minimum data needed to perform its function and acts as a data processor on our behalf.
Friends + visibility
- Tools you've added are private by default — only you can see them until you accept a friend request.
- Once you accept a friend, that friend can see the tool names, photos, brand/model, and availability status of any tool you've added to your garage. They cannot see your serial numbers, notes, or loan history.
- You can remove a friend at any time from the Friends screen, which immediately revokes their access.
Your controls
- See your data. Profile screen shows everything tied to your account.
- Edit your data. Every field is editable. Tools can be deleted individually from the tool detail page.
- Delete your account. Email [email protected] from the address associated with your account, subject line "Delete my account." We process deletions within 30 days, after which all your tools, photos, friend connections, and account metadata are removed from our database and storage.
- Opt out of notifications. Profile → Notifications has per-event toggles.
- Revoke contact access. Android Settings → Apps → ToolStash → Permissions → Contacts → Deny. The app keeps working; only "Find friends from contacts" stops.
Children
ToolStash is intended for users 13 and older. We do not knowingly collect data from anyone under 13. If you believe a child under 13 has created an account, email us and we will delete it.
Security
- All network traffic is HTTPS (TLS 1.2+).
- Passwords are hashed and salted on the server (Supabase auth).
- Database access is governed by row-level security policies pinned to your user ID — no app code can see another user's rows.
- Signing keys and service-account credentials live in a managed secrets store, not in our repo.
We do not currently undergo independent security audits.
Changes to this policy
We'll update this page when we add or change how we handle data. The "Last updated" date at the top will change accordingly. Material changes (new categories of data, new third-party sharing) trigger an in-app notice before they take effect.
Contact
[email protected]
Statio.Faith LLC
2010 N 123rd Dr
Avondale, AZ 85392
This policy is plain English by design. It is not legal advice. If you need a lawyer's read for compliance, talk to one.