Privacy Policy

Last updated: April 9, 2026

    Short version: TossIt sets zero tracking cookies on your visitors.
    IP addresses are hashed with a daily rotating salt — we never store raw IPs.
    Your visitor data never leaves your server environment.
  

1. Who we are

TossIt.link ("TossIt", "we", "us") is a privacy-first social sharing button service operated at tossit.link.

2. Data we collect from website publishers

When you register a TossIt account we collect:

Your name and email address
A bcrypt-hashed password (we never store the plain-text password)
The domain(s) of websites you register as properties

We store this in MariaDB hosted on your own server. We never transmit it to third parties.

3. Data collected from your website visitors

When a visitor clicks a TossIt share button on your website, we record:

Which network was clicked (e.g. "facebook")
Which URL was shared (the page URL)
A hashed IP — we compute SHA-256(ip_address + date + daily_salt). The raw IP address is never written to disk at any point.
Widget type — inline or sticky
Timestamp of the event

We do not set any cookies on your visitors' browsers. We do not use localStorage for tracking. Share events are anonymous.

4. Share counts

Share counts are stored in Redis (in-memory) and periodically synced to MariaDB. Counts are associated with URL hashes, not individual visitors.

5. Analytics (Matomo)

If you connect a Matomo site ID to your property, TossIt fires a Matomo event when a visitor shares. Matomo is self-hosted on your own subdomain (e.g. analytics.tossit.link) and subject to your own Matomo privacy configuration. We recommend enabling IP anonymisation in Matomo settings.

6. Data retention

Share event rows are automatically deleted after 90 days by nightly cron
Aggregated share counts are kept indefinitely
User accounts are kept until you request deletion

7. Your rights

You may request deletion of your account and all associated data at any time by emailing privacy@tossit.link. We will action requests within 30 days.

8. Cookies

TossIt.link uses one session cookie (tossit_sess) for logged-in dashboard users only. This cookie is HttpOnly, Secure, and SameSite=Lax. It is never set on websites that embed the TossIt share buttons — only on the tossit.link dashboard itself.

9. Changes to this policy

We will update the "Last updated" date at the top of this page when changes are made. Continued use after changes constitutes acceptance.

10. Contact

Questions about this policy: privacy@tossit.link