Privacy Policy
Last updated: April 2026
This policy explains what personal data we collect, why we collect it, and what we do with it. We've kept it short and clear because we think you should actually read it.
Who we are
TOMA Group Ltd is a company registered in England and Wales (company number 17129116). Our registered address is 71–75 Shelton Street, Covent Garden, London, WC2H 9JQ, United Kingdom. For any questions about your data, contact us at hello@toma.house.
TOMA Group Ltd is the data controller for the personal data described in this policy.
For any questions about this policy or your data, contact us at: hello@toma.house
How we collect data
We collect personal data when you submit a membership application, contact us by email, or interact with our website (e.g., via forms or essential cookies)
What we collect and why
When you apply for membership, we collect the following:
Data
Why
Lawful Basis
Name
To identify you and personalise communication
Legitimate interest
Email address
To process your application and contact you about membership
Legitimate interest
City
To place you in the correct city group
Legitimate interest
Instagram handle
To verify identity and understand your social presence. Optional.
Consent
Photo
To put a face to the application during review. Optional.
Consent
Written answers
To assess your application
Legitimate interest
We use "legitimate interest" where the processing is necessary to run our membership service and where your rights don't override that interest. For optional fields, you choose whether to provide them and can ask us to delete them at any time.
What we do with it
Legitimate interests means we process the data because it is necessary to run our membership service, and we have assessed that your rights are not overridden. For optional fields, you choose whether to provide the data and may withdraw consent at any time.
Who else handles your data
We use a small number of services to operate:
Service
Purpose
Location
Framer
Website hosting and form collection
EU / US
Google Workspace
Application storage and email
US
Resend (AWS SES)
Transactional email delivery
US
Supabase
Application data storage
US / EU
All processors are bound by data processing agreements. Where data is transferred outside the UK, we rely on standard contractual clauses or equivalent safeguards recognised under UK data protection law. We only share the minimum data each service needs.
Data security
We take reasonable technical and organisational measures to protect your personal data against unauthorised access, loss, or misuse
How long we keep it
Accepted members: for the duration of your membership, plus 12 months after it ends.
Rejected applicants: 12 months from the decision date, then deleted.
Waitlisted applicants: until you are admitted or 24 months, whichever is sooner.
Withdrawn applications: deleted within 30 days of your request.
Your rights
Under UK data protection law, you can:
Access your data - ask us what we hold
Correct anything that's wrong
Object to how we use it
Port your data - get a copy in a usable format
Withdraw consent for optional processing at any time
Cookies
Our website uses essential cookies to make the site function. We do not currently use analytics, advertising, or third-party tracking cookies. If this changes, we will update this policy and ask for your consent before activating them.
Complaints
If you're unhappy with how we handle your data, you can complain to the Information Commissioner's Office (ICO) at ico.org.uk or by calling 0303 123 1113.
Changes
If we make material changes to this policy, we'll update the date at the top and, where appropriate, notify you by email.