Privacy Policy

Last updated: April 2026

This policy explains what personal data we collect, why we collect it, and what we do with it. We've kept it short and clear because we think you should actually read it.

Who we are

TOMA Group Ltd is a company registered in England and Wales (company number 17129116). Our registered address is 71–75 Shelton Street, Covent Garden, London, WC2H 9JQ, United Kingdom. TOMA Group Ltd is the data controller for the personal data described in this policy.

For any questions about this policy or your data, contact us at hello@toma.house.

Who this policy covers

This policy covers personal data collected through:

  • Our website at toma.house

  • The Toma iOS app

  • Any emails or support conversations between you and us

Age requirement

The Toma app and membership are intended for people aged 18 and over. We do not knowingly collect personal data from anyone under 18. If you believe a child has provided us with personal data, please contact us at hello@toma.house and we will delete it.

How we collect data

We collect personal data when you submit a membership application, sign in to the Toma app, send us a message through the app or by email, or interact with our website.


What we collect and why

Website and membership application

When you apply for membership, we collect:

Data

Why

Lawful Basis

Name

To identify you and personalise communication

Legitimate interest

Email address

To process your application and contact you about membership

Legitimate interest

City

To place you in the correct city group

Legitimate interest

Instagram handle

To verify identity and understand your social presence. Optional.

Consent

Photo

To put a face to the application during review. Optional.

Consent

Written answers

To assess your application

Legitimate interest

The Toma iOS app

When you use the Toma app, we collect:

Data

Why

Lawful Basis

Email address

To sign you in via one-time code

Contract

Authentication session tokens

To keep you signed in securely

Contract

Messages you send through Ask Toma

To respond to your support requests and keep a history visible to you in-app

Contract

Photos you upload to your Passport

To let you build a personal record of dinners attended. Optional.

Consent

Device model, operating system version, app version

To diagnose problems and support the right devices

Legitimate interest

Crash and error diagnostics

To fix bugs and keep the app stable

Legitimate interest

Push notification tokens (when you enable notifications)

To send you dinner-related notifications you have opted into

Consent

We use "Contract" where the data is necessary to provide the Toma service you signed up for. We use "Legitimate interest" where processing is necessary to operate the service and your rights don't override that interest. For optional fields, you choose whether to provide them and can withdraw consent at any time.

Payments

Payments for dinners are currently processed by Stripe through a hosted checkout page that opens in your browser. Toma does not see or store your card details. In future we may process payments directly inside the app, in which case this policy will be updated.

Tracking

The Toma app does not track you across apps or websites owned by other companies. We do not use advertising identifiers, third-party analytics, or marketing trackers. If this ever changes, we will update this policy and ask for your permission through the standard iOS App Tracking Transparency prompt before any tracking begins.

Who else handles your data

We use a small number of services to operate:

Service

Purpose

Location

Framer

Website hosting and form collection

EU / US

Google Workspace

Application storage and email

US

Resend (AWS SES)

Transactional email delivery

US

Supabase

Application data storage

US / EU

Stripe

Payment processing

US / EU

Sentry

App crash and error diagnostics

US / EU

Apple Push Notification service

Delivery of push notifications (when you enable them)

US

All processors are bound by data processing agreements. Where data is transferred outside the UK, we rely on standard contractual clauses or equivalent safeguards recognised under UK data protection law. We only share the minimum data each service needs.

Data security

We take reasonable technical and organisational measures to protect your personal data against unauthorised access, loss, or misuse. The Toma app communicates with our servers over encrypted connections, and we follow current best practice for authentication and data storage.

How long we keep it

Accepted members: for the duration of your membership, plus 12 months after it ends.

Rejected applicants: 12 months from the decision date, then deleted.

Waitlisted applicants: until you are admitted or 24 months, whichever is sooner.

Withdrawn applications: deleted within 30 days of your request.

Support conversations: for the duration of your membership, plus 12 months.

Crash and diagnostic data: up to 90 days.

Deleting your data

You can delete your data in two ways:

  • Delete your app account from within the Toma iOS app (Settings → Delete app account). This removes your app sign-in and your support conversations. It does not cancel your Toma membership.

  • Cancel your membership by emailing hello@toma.house. We will close your membership and delete the associated personal data in line with the retention rules above.

Your rights

Under UK data protection law, you can:

  • Access your data - ask us what we hold

  • Correct anything that's wrong

  • Object to how we use it

  • Port your data - get a copy in a usable format

  • Delete your data - subject to the retention rules above

  • Withdraw consent for optional processing at any time

To exercise any of these rights, email us at hello@toma.house.

Cookies

Our website uses essential cookies to make the site function. We do not currently use analytics, advertising, or third-party tracking cookies. If this changes, we will update this policy and ask for your consent before activating them.

Complaints

If you're unhappy with how we handle your data, you can complain to the Information Commissioner's Office (ICO) at ico.org.uk or by calling 0303 123 1113.

Changes

If we make material changes to this policy, we'll update the date at the top and, where appropriate, notify you by email.

TOMA Group Ltd. Registered in England and Wales. Company number 17129116. Registered address: 71–75 Shelton Street, Covent Garden, London, WC2H 9JQ, United Kingdom