Privacy Policy (Toma Spanish Gourmet)
Effective date: 10 February 2026
1) Who we are (Controller)
This website is operated under the brand Toma Spanish Gourmet (“Toma”, “we”, “us”, “our”).
Data controller: James Joseph Keaney (NIF: ESX9507103F).
Address: Calle de Blascomillan 35, Portal 9, 1B, Colmenar Viejo, Madrid 28770, Spain.
Email: customers@toma.ie.
This policy explains how we collect and use personal data when you browse our website, create an account, subscribe to our newsletter, or buy products from our online shop.
We provide this information to meet our transparency obligations under GDPR Article 13.
2) Personal data we collect
We collect personal data in the following categories (depending on what you do on the site).
A. Data you provide
Account and contact data: name, email address, phone number, delivery and billing address, and account details when you create or use an account.
Order data: products ordered, quantities, prices, order ID, delivery instructions, and order history.
Customer support data: the content of messages you send us and our replies (for example, email or contact requests).
Newsletter data: email address and subscription preferences when you sign up for marketing updates.
Age/eligibility data (if applicable): if we offer age-restricted products, we may ask for information needed to confirm eligibility (for example, age confirmation and, only where necessary, date of birth).
B. Data collected automatically
Device and log data: IP address, browser type, pages viewed, approximate location derived from IP, and standard server/security logs.
Cookie and similar technology data: identifiers and settings stored on your device and information about how you interact with the site, depending on the cookie choices you make via our consent controls.
Payment data
We offer payment methods that may include Stripe and PayPal (as indicated on our site).
Card details are handled by the payment provider; we receive confirmation and transaction references necessary for accounting, refunds and dispute handling.
3) How we use your data (purposes)
We use personal data for these purposes:
To provide the online shop and fulfil orders: create/maintain accounts, process purchases, prepare orders, and deliver products.
To process payments and manage disputes/refunds: confirm payment, handle refunds and chargebacks, and prevent fraudulent transactions.
To communicate with you: send order and service messages (e.g., order status, delivery issues, important service notices).
To run, protect and improve the website: troubleshooting, analytics, performance monitoring and security.
To send marketing (where your permission has been given expressly): newsletters and offers to subscribers, and similar-product updates to existing customers where allowed, with an easy opt-out.
To comply with law: tax, accounting, and responding to lawful requests from authorities.
4) Legal bases (GDPR Article 6)
We rely on the following legal bases, depending on the context.
Contract (Art. 6(1)(b)): to take payment (via our payment providers), fulfil orders, deliver products, and provide account functionality.
Legal obligation (Art. 6(1)(c)): to keep records required by tax/accounting rules and to comply with applicable legal requirements.
Legitimate interests (Art. 6(1)(f)): to keep our website secure, prevent fraud, and improve our services (we balance these interests against your rights).
Consent (Art. 6(1)(a)): for non-essential cookies and for marketing subscriptions where we ask for consent; you can withdraw consent at any time.
5) Who we share personal data with
We share personal data only where needed to operate the store and provide services:
Payment providers (e.g., Stripe and/or PayPal) to process payments, refunds and disputes.
Delivery and logistics providers to deliver your order (typically name, address, phone number, and delivery instructions).
Service providers (processors) supporting our website (such as hosting, email delivery, analytics, security and customer support tools), acting under our instructions.
Authorities and advisers (e.g., tax authorities, courts, accountants, lawyers) where required by law or necessary for legal claims.
6) International transfers
Some of our providers may process personal data outside the European Economic Area (EEA).
Where personal data is transferred outside the EEA, we use appropriate safeguards such as an adequacy decision or Standard Contractual Clauses (and additional measures where required).
7) Data retention
We keep personal data only as long as necessary for the purposes described above and for legal compliance.
Typical retention criteria include:
Orders/invoices/accounting records: retained for the period required by tax and accounting rules.
Account data: retained while your account is active; if you request deletion, we delete or anonymise data where possible and keep only what we must for legal compliance and dispute handling.
Marketing subscriptions: kept until you unsubscribe/withdraw consent.
Cookies/analytics: retained according to cookie lifetimes and your consent choices (see Cookie Policy/consent controls).
8) Your rights
You have rights under the GDPR, including: access, rectification, erasure, restriction, portability, and the right to object (including an absolute right to object to direct marketing).
To exercise your rights, email us at customers@toma.ie; we may need to verify your identity before responding.
9) Cookies and consent controls
We use cookies and similar technologies to run the site and (if you choose) to measure performance and personalise content.
You can manage cookie choices using the “Consent Preferences” control on the website and via your browser settings.
For details of each cookie/provider, purposes and durations, please see our Cookie Policy or the cookie settings interface.
10) Complaints (AEPD)
If you believe our processing infringes data protection law, you have the right to lodge a complaint with a supervisory authority, including the Spanish Data Protection Agency (Agencia Española de Protección de Datos – AEPD).
11) Changes to this policy
We may update this Privacy Policy from time to time.
When we do, we will post the updated version on this page and change the effective date at the top.
