How Toma handles your data under GDPR

Toma is built to comply with GDPR. Here's how we handle the data dealerships trust us with, and how to get it deleted.

By Anthony · April 2026

When a dealership uses Toma, we process personal data on its behalf: a caller's name, their phone number, what they asked for, and the recording of the call. The EU's General Data Protection Regulation sets the rules for handling that kind of data, and Toma is built to follow them.

Most of our customers are US dealerships. The principles behind GDPR are good practice anywhere: collect less, protect what you hold, and let people control their own data. We apply them across the board.

What GDPR asks of us

Two ideas sit at its core. Collect only the data you need for a clear purpose. Give people real control over the data you hold, including the right to see it, correct it, and have it deleted. Both shape how Toma is built.

How it works at Toma

We collect the minimum. Toma takes only what the job needs: contact details, appointment information from your dealer management system, and call recordings and transcripts. Nothing more.

One contract, one processor. You sign a Master Service Agreement and a Data Processing Addendum with Toma, and that's it. We act as the single processor of record. The AI vendors behind Toma are bound by our terms, including a ban on keeping or training on your data, so you never have to manage them yourself.

We keep it only as long as needed. Customer data lives for the length of our relationship. If an account closes, we hold the data for 30 days in case you come back, then delete it, unless the law requires us to keep it longer.

It's protected the whole time. Data is encrypted at rest and in transit, isolated per customer, and stored on AWS in US data centers. The same controls that earned our ISO 27001 certificate and SOC 2 Type 2 report apply here.

Your data, your rights

If someone whose data we process wants to see it or have it removed, we honor that. Email support@toma.com and we delete everything we have no legal reason to keep, within 30 days.

Get our DPA

Our Data Processing Addendum and security reports are available through our trust center at trust.toma.com. Your privacy and procurement teams can review them before you sign.