Privacy Policy

Effective Date: 19 April 2025

  1. Introduction

This Privacy Policy describes how Toma (hereinafter referred to as “we,” “us,” or “our”) collects, uses, and shares personal data of users who visit our website and purchase food products via distant selling within the European Union (EU). Our business address is Calle de Blasomillán 35, Local 9, 1B, 28770 Colmenar Viejo, Spain. This policy is designed to comply with the General Data Protection Regulation (GDPR).

We are committed to protecting your privacy and ensuring the security of your personal data. This policy explains your rights regarding your personal data and how we aim to uphold them. Please read this policy carefully to understand our practices.

  1. Data Controller

The data controller responsible for your personal data can be contacted at customers@toma.ie

  1. Personal Data We Collect

We collect various types of personal data from you when you use our website and services, including:

  • Account Data: When you create an account, we collect your name, email address, phone number, and saved delivery and billing addresses. If you order age-restricted items, we may collect your date of birth.
  • Order and Delivery Data: When you place an order, we collect your delivery address, special delivery instructions, order history (including dates, times, items ordered, quantities, and prices), and order IDs.
  • Payment Data: We use third-party payment processors (Stripe) to process payments. We do not collect payment card details (card type, number, expiration date, CVV), but we do collect the billing address and transaction history.
  • Device Data: We collect information about the device you use to access our website, including your IP address, device ID, hardware model, operating system, browser type and version, unique device identifiers (UUIDs and advertising IDs), device vendor name, app version (if applicable), carrier and manufacturer identity, and preferred languages.
  • Location Data: With your permission, we may collect precise or approximate geolocation data from your device using GPS or IP addresses, particularly for delivery purposes.
  • Usage Data: We track how you interact with our website, including your login history, pages you view, time spent on pages, links you click, and features you use.
  • Marketing and Communication Data: We collect your preferences for receiving newsletters and promotional emails, and the content of any communications you have with our customer support, including emails and chat logs. If you participate in surveys, we collect your responses.
  • Cookies and Tracking Technologies Data: We use cookies and similar technologies to collect data about your browsing activities, preferences, and device.
  • Data from Other Sources: We may collect data when you connect to our platform via third-party services (like social media), through referrals, or if you use our service through an employer’s business account. We may also, where legally permitted, obtain data from public databases.

  1. Purposes of Processing Customer Data

We process your personal data for the following purposes:

  • Order Fulfilment: To process your orders, manage your account, arrange food preparation, and coordinate delivery. This includes communicating with you about your order status and delivery.
  • Payment Processing: To securely process your payments, handle refunds, and manage payment disputes. We also use this data for fraud detection and prevention.
  • Account Management: To create and maintain your user account, personalize your experience, ensure the accuracy of your details, and provide technical support.
  • Marketing and Promotional Activities: With your consent, we send you promotional emails and newsletters about new products, special offers, and updates. We may personalize marketing communications based on your purchase history and preferences. We also administer loyalty programs and promotions.
  • Service Improvement: To analyse website and app usage, understand customer behaviour and preferences, develop new services and features, personalize website content and product recommendations, and improve website functionality and security.
  • Legal and Regulatory Compliance: To comply with tax reporting requirements, food safety regulations, and respond to requests from law enforcement or regulatory authorities. We may also process data for the establishment, exercise, or defence of legal claims.
  • Business Development and Service Enhancement: To conduct research, testing, and analytics on aggregated and anonymized data to improve our business and services.
  • Platform Security: To monitor application security, maintain platform availability, personalize security features, and prevent violations of our terms and conditions.

  1. Legal Bases for Processing under GDPR

We process your personal data based on the following legal bases as permitted by Article 6 of the GDPR:

  • Performance of a Contract (Article 6(1)(b)): Processing is necessary to fulfil our contractual obligations to you, such as processing your orders and arranging delivery. This includes processing your name, contact details, delivery address, and order details. Payment processing is also based on this legal basis.
  • Consent (Article 6(1)(a)): We rely on your freely given, specific, informed, and unambiguous consent for marketing communications and the use of non-essential cookies. You have the right to withdraw your consent at any time.
  • Legitimate Interests (Article 6(1)(f)): We may process your data based on our legitimate interests, provided that these interests do not override your fundamental rights and freedoms. This includes processing for service improvement, fraud detection, website security, and potentially direct marketing to existing customers for similar products (subject to ePrivacy Directive regulations).
  • Compliance with a Legal Obligation (Article 6(1)(c)): We process your data when necessary to comply with legal obligations, such as retaining payment records for tax purposes and adhering to food safety regulations.

  1. Recipients of Personal Data

We may share your personal data with the following categories of recipients:

  • Payment Processors: We share payment details with third-party payment processors to facilitate secure online transactions.
  • Delivery Companies: We share your name, delivery address, and phone number with third-party delivery companies to ensure the delivery of your food orders.
  • Marketing Platforms: With your consent, we may share your contact information with marketing platforms for sending promotional communications.
  • Service Providers: We may engage other third-party service providers to perform functions on our behalf, such as website hosting, data analysis, and customer support. These providers will have access to your personal data only to the extent necessary to perform their services and are obligated to maintain its confidentiality and security.
  • Legal Authorities: We may disclose your personal data to legal authorities if required by law or in response to a valid legal request, such as a court order or government inquiry.

We ensure that these third parties have appropriate data protection measures in place and process your data in accordance with GDPR requirements. We may enter into Data Processing Agreements (DPAs) with these processors to define their responsibilities regarding your personal data.

  1. Data Retention Periods

We will retain your personal data only for as long as necessary to fulfil the purposes for which it was collected, or as required by applicable laws and regulations. The specific retention period will depend on the type of data and the purpose of processing.

  • Account Data: We typically retain account data as long as your account is active and for a period thereafter to address potential legal or administrative needs.
  • Order Data: We retain order data for a period necessary to fulfil the order and comply with tax and accounting regulations (e.g., 5-10 years as per Spanish law).
  • Payment Data: Payment transaction records are retained for accounting purposes as legally required. We do not directly store your full payment card details.
  • Delivery Data: Delivery-related data is usually kept for a short period after delivery to handle customer service inquiries.
  • Usage Data: We may retain usage data for a limited period for website analytics and service improvement, after which it is often anonymized or aggregated.
  • Marketing Data (Consent): We retain data used for marketing purposes based on your consent until you withdraw that consent.
  • Communication Data: Records of customer support interactions may be kept for a period necessary to address your inquiries and for internal purposes like training.
  • Cookies Data: Retention periods for cookies vary depending on the type and purpose of the cookie. Session cookies expire when you close your browser, while persistent cookies have defined lifespans (generally up to 12 months).

Once the retention period expires, we will securely delete or anonymize your personal data in accordance with our data retention policy and applicable laws.

  1. Your Rights under GDPR

Under the GDPR, you have several rights regarding your personal data:

  • The Right to Be Informed (Articles 13 & 14): You have the right to receive clear and transparent information about the collection and use of your personal data. This Privacy Policy serves to fulfil this right.
  • The Right of Access (Article 15): You have the right to request access to the personal data we hold about you and to receive a copy of it.
  • The Right to Rectification (Article 16): You have the right to request the correction of any inaccurate or incomplete personal data we hold about you.
  • The Right to Erasure (Right to Be Forgotten) (Article 17): You have the right to request the deletion of your personal data under certain circumstances, such as when the data is no longer necessary for the purpose for which it was collected, or if you withdraw your consent.
  • The Right to Restrict Processing (Article 18): You have the right to request the restriction of the processing of your personal data under specific conditions, such as when you contest the accuracy of the data or object to the processing.
  • The Right to Data Portability (Article 20): You have the right to receive your personal data in a structured, commonly used, and machine-readable format and to transmit that data to another controller without hindrance from us, where the processing is based on consent or contract and carried out by automated means.
  • The Right to Object (Article 21): You have the right to object to the processing of your personal data under certain circumstances, including for direct marketing purposes. This right to object to direct marketing is absolute and can be exercised at any time.
  • Rights Related to Automated Decision-Making and Profiling (Article 22): You have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning you or similarly significantly affects you, unless the decision is necessary for entering into or performance of a contract, authorized by law, or based on your explicit consent.
  • The Right to Withdraw Consent (Article 7(3)): If we rely on your consent to process your personal data, you have the right to withdraw your consent at any time. The withdrawal of consent does not affect the lawfulness of processing based on consent before its withdrawal.
  • The Right to Lodge a Complaint with a Supervisory Authority (Article 77): You have the right to lodge a complaint with a supervisory authority, particularly in the Member State of your habitual residence, place of work, or place of the alleged infringement, if you believe that the processing of your personal data infringes the GDPR. In Spain, the supervisory authority is the Spanish Data Protection Agency (Agencia Española de Protección de Datos – AEPD). You can find their contact details in Section 11 below.

To exercise any of these rights, please contact us using the contact details provided in Section 2. We will respond to your request in accordance with the GDPR. We may need to verify your identity before processing your request.

  1. Cookies and Tracking Technologies

Our website uses cookies and other tracking technologies to enhance your browsing experience, analyse website traffic, and personalize content and advertisements.

  • What are Cookies? Cookies are small text files that are placed on your device when you visit a website. They store information about your browsing activities.
  • Types of Cookies We Use:
      • Strictly Necessary Cookies: These cookies are essential for the operation of our website and enable you to use its features, such as accessing secure areas and adding items to your shopping cart. These cookies do not require your consent.
      • Performance/Analytics Cookies: These cookies collect information about how you use our website, such as which pages you visit and if you experience any errors. This helps us to improve the performance of our website. We generally require your consent for these cookies.
      • Functional Cookies: These cookies allow our website to remember choices you make (such as your language preference) and provide enhanced, more personal features. We generally require your consent for these cookies.
      • Targeting/Advertising Cookies: These cookies are used to deliver advertisements that are more relevant to you and your interests. They may also be used to limit the number of times you see an advertisement and measure the effectiveness of advertising campaigns. These cookies require your explicit consent.
      • Third-Party Cookies: We may also use third-party cookies placed by our partners for analytics and advertising purposes.
  • Cookie Consent: We will obtain your explicit consent for the use of all non-essential cookies through a cookie consent banner when you first visit our website. You can manage your cookie preferences at any time by. You can also adjust your browser settings to block or delete cookies, but this may affect your ability to use certain features of our website.

For more detailed information about the cookies we use, their purposes, and how you can manage your preferences, please refer to our separate cookie policy.

  1. Compliance with Spanish Law

As our e-commerce business is based in Spain, we comply with the GDPR and any specific national laws applicable in Spain. You have the right to lodge a complaint with the Spanish Data Protection Agency (Agencia Española de Protección de Datos – AEPD) if you believe that our processing of your personal data violates the GDPR or Spanish data protection laws. The contact details for the AEPD are:

Agencia Española de Protección de Datos
C/ Pintor de la Hijas, 3
28036 Madrid
Spain

In compliance with Article 10 of Act 34/2002 of July 11 of the Information Society and Electronic Commerce Services (LSSI-CE), our company identification details are provided in Section 2 of this Privacy Policy.

  1. Contact Information

If you have any questions, concerns, or requests regarding this Privacy Policy or our data processing practices, please contact us at customers@toma.ie

  1. Updates to this Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our data processing practices or legal obligations. We will post any changes on our website and update the “Effective Date” at the beginning of this policy. We encourage you to review this policy periodically to stay informed about how we are protecting your personal data. If we make significant changes to this policy, we will provide you with a more prominent notice, such as by email or a notice on our website.