Privacy Policy
Last updated: April 2026
This policy explains what personal data we collect, why we collect it, and what we do with it. We've kept it short and clear because we think you should actually read it.
Who we are
TOMA Group Ltd is a company registered in England and Wales (company number 17129116). Our registered address is 71–75 Shelton Street, Covent Garden, London, WC2H 9JQ, United Kingdom. TOMA Group Ltd is the data controller for the personal data described in this policy.
For any questions about this policy or your data, contact us at hello@toma.house.
Who this policy covers
This policy covers personal data collected through:
Our website at toma.house
The Toma iOS app
Any emails or support conversations between you and us
Age requirement
The Toma app and membership are intended for people aged 18 and over. We do not knowingly collect personal data from anyone under 18. If you believe a child has provided us with personal data, please contact us at hello@toma.house and we will delete it.
How we collect data
We collect personal data when you submit a membership application, sign in to the Toma app, send us a message through the app or by email, or interact with our website.
What we collect and why
Website and membership application
When you apply for membership, we collect:
Data
Why
Lawful Basis
Name
To identify you and personalise communication
Legitimate interest
Email address
To process your application and contact you about membership
Legitimate interest
City
To place you in the correct city group
Legitimate interest
Instagram handle
To verify identity and understand your social presence. Optional.
Consent
Photo
To put a face to the application during review. Optional.
Consent
Written answers
To assess your application
Legitimate interest
The Toma iOS app
When you use the Toma app, we collect:
Data
Why
Lawful Basis
Email address
To sign you in via one-time code
Contract
Authentication session tokens
To keep you signed in securely
Contract
Messages you send through Ask Toma
To respond to your support requests and keep a history visible to you in-app
Contract
Photos you upload to your Passport
To let you build a personal record of dinners attended. Optional.
Consent
Device model, operating system version, app version
To diagnose problems and support the right devices
Legitimate interest
Crash and error diagnostics
To fix bugs and keep the app stable
Legitimate interest
Push notification tokens (when you enable notifications)
To send you dinner-related notifications you have opted into
Consent
We use "Contract" where the data is necessary to provide the Toma service you signed up for. We use "Legitimate interest" where processing is necessary to operate the service and your rights don't override that interest. For optional fields, you choose whether to provide them and can withdraw consent at any time.
Payments
Payments for dinners are currently processed by Stripe through a hosted checkout page that opens in your browser. Toma does not see or store your card details. In future we may process payments directly inside the app, in which case this policy will be updated.
Tracking
The Toma app does not track you across apps or websites owned by other companies. We do not use advertising identifiers, third-party analytics, or marketing trackers. If this ever changes, we will update this policy and ask for your permission through the standard iOS App Tracking Transparency prompt before any tracking begins.
Who else handles your data
We use a small number of services to operate:
Service
Purpose
Location
Framer
Website hosting and form collection
EU / US
Google Workspace
Application storage and email
US
Resend (AWS SES)
Transactional email delivery
US
Supabase
Application data storage
US / EU
Stripe
Payment processing
US / EU
Sentry
App crash and error diagnostics
US / EU
Apple Push Notification service
Delivery of push notifications (when you enable them)
US
All processors are bound by data processing agreements. Where data is transferred outside the UK, we rely on standard contractual clauses or equivalent safeguards recognised under UK data protection law. We only share the minimum data each service needs.
Data security
We take reasonable technical and organisational measures to protect your personal data against unauthorised access, loss, or misuse. The Toma app communicates with our servers over encrypted connections, and we follow current best practice for authentication and data storage.
How long we keep it
Accepted members: for the duration of your membership, plus 12 months after it ends.
Rejected applicants: 12 months from the decision date, then deleted.
Waitlisted applicants: until you are admitted or 24 months, whichever is sooner.
Withdrawn applications: deleted within 30 days of your request.
Support conversations: for the duration of your membership, plus 12 months.
Crash and diagnostic data: up to 90 days.
Deleting your data
You can delete your data in two ways:
Delete your app account from within the Toma iOS app (Settings → Delete app account). This removes your app sign-in and your support conversations. It does not cancel your Toma membership.
Cancel your membership by emailing hello@toma.house. We will close your membership and delete the associated personal data in line with the retention rules above.
Your rights
Under UK data protection law, you can:
Access your data - ask us what we hold
Correct anything that's wrong
Object to how we use it
Port your data - get a copy in a usable format
Delete your data - subject to the retention rules above
Withdraw consent for optional processing at any time
To exercise any of these rights, email us at hello@toma.house.
Cookies
Our website uses essential cookies to make the site function. We do not currently use analytics, advertising, or third-party tracking cookies. If this changes, we will update this policy and ask for your consent before activating them.
Complaints
If you're unhappy with how we handle your data, you can complain to the Information Commissioner's Office (ICO) at ico.org.uk or by calling 0303 123 1113.
Changes
If we make material changes to this policy, we'll update the date at the top and, where appropriate, notify you by email.
TOMA Group Ltd. Registered in England and Wales. Company number 17129116. Registered address: 71–75 Shelton Street, Covent Garden, London, WC2H 9JQ, United Kingdom