Privacy Policy

Toma, Inc. (“Toma,” “we,” “our,” or “us”) provides an AI-powered communication platform and public web demos available at https://www.toma.com (the “Services”).

This Privacy Policy explains how we collect, use, and share information from:

• Authenticated dealership users – service advisors, managers, receptionists, owners, and other staff who log in to the Toma platform; and
• Unauthenticated visitors – anyone who browses our website or tries our voice / chat demos without creating an account.

By accessing or using the Services, you acknowledge this Privacy Policy. This Privacy Policy is available at https://www.toma.com/privacy and is linked from our homepage and relevant sign-up or contact flows.

1. Information We Collect

We collect information about you when you use the Services. This may include:

• Account Identifiers
  Name, business email, phone number, profile picture, username and hashed password, and Google OAuth token (if used).
• Business Details
  Dealership name, address, hours, pricing or inventory data, and other configuration data used to set up and manage the AI and related workflows.
• Usage & Interaction Data
  Call audio, call transcriptions, chat logs, in-app actions, support tickets, and log files related to your use of the Services.
• Demo Inputs
  Email (if entered), voice recordings, and any text or content you type or speak into demo widgets or public demos.
• Device / Technical Data
  IP address, browser type, operating system, referring URLs, pages visited, timestamps, and cookies and similar analytics identifiers.
• SMS / Messaging Preferences
  Your communication preferences, such as explicit consent to receive text messages or other notifications through verified messaging campaigns, and records of your opt-in and opt-out actions.

2. How We Use Information

We use the information described above to:

• Provide & Improve the Services
  Authenticate users, route and handle calls and messages, generate transcripts, personalize responses, configure and operate AI agents, and refine existing or new product features.
  • We do not train public or third-party foundation models on Customer Data without explicit written permission from the customer.
• Analytics
  Understand feature adoption, measure performance, troubleshoot issues, and improve user experience using tools such as Google Analytics, Mixpanel, or similar platforms (subject to their privacy terms).
• Security & Abuse Prevention
  Detect, investigate, and prevent fraud, abuse, or security incidents; secure accounts; and protect the integrity of the Services.
• Customer Support & Communications
  Respond to inquiries, provide product or account support, and send important service-related notifications (for example, changes to features, security alerts, or system status updates).
• Marketing & Product Updates
  Send product updates, newsletters, or promotional messages about Toma that may be of interest to you, where permitted by law. You can unsubscribe from marketing emails at any time.
• Legal & Compliance
  Comply with applicable laws; respond to lawful requests and legal processes; enforce our agreements; and protect the rights, property, or safety of Toma, our users, or others.

3. Cookies & Similar Technologies

We use first-party and third-party cookies, pixels, and local storage (“Cookies”) to:

• keep you signed in and maintain session state;
• remember your preferences and configuration;
• measure site traffic, usage patterns, and campaign effectiveness; and
• show relevant Toma ads or content on other sites and services.

Most browsers allow you to delete or block Cookies. If you disable Cookies, certain features of the Services may not function properly.

4. How We Share Information

We do not sell personal information. We also do not share personal information with our affiliates or subsidiaries for their own independent marketing or commercial purposes. We disclose information only as follows:

• Service Providers
  With trusted third-party vendors that perform services on our behalf, such as cloud hosting (e.g., AWS), email delivery, analytics, telephony and messaging providers, and similar vendors that process data strictly under our instructions and in accordance with this Policy.
• Dealer-Integrated Vendors
  With systems that a dealership already uses and explicitly connects to Toma (for example, DMS, CRM, or OEM systems) so that the Services can synchronize information or support the dealership’s existing workflows.
• Professional Advisers
  With our accountants, auditors, insurers, and legal counsel who need access to information to provide their services and who are bound by confidentiality obligations.
• Legal or Safety Requirements
  When we believe disclosure is reasonably necessary to comply with law, court order, or other legal process; enforce our agreements or policies; or protect the rights, property, or safety of Toma, our users, or the public.
• Corporate Transactions
  In connection with a merger, financing, acquisition, due-diligence process, restructuring, bankruptcy, or sale of all or part of our business or assets. Personal data may be shared with and transferred to the parties involved (including prospective buyers and their advisers) and will remain subject to this Privacy Policy or a successor policy that provides equal or greater protection.
• Aggregated / De-Identified Data
  We may share aggregated or de-identified information that cannot reasonably be used to identify you for analytics, benchmarking, research, or similar purposes.

5. Data Retention

We retain information for as long as reasonably necessary to provide the Services, comply with our legal obligations, resolve disputes, and enforce our agreements, subject to the categories below:

• Account & Business Data
  Retained while the account is active and for up to 12 months after account closure, then deleted or archived unless a longer period is required by law or requested by the customer.
• Call Audio, Demo Recordings, Transcripts & Text
  Retained as needed to provide the Services and for legitimate business purposes. We honor verified deletion requests within approximately 30 days, unless retention is required by law or necessary for the establishment, exercise, or defense of legal claims.
• Logs & Analytics Data
  Typically retained for up to 3 months, after which it may be aggregated, de-identified, or deleted.

6. Your Choices & Rights

Depending on your location and your relationship with us, you may have certain rights regarding your personal information. In particular:

• Update or Delete Account Data
  Dealership users can contact support@toma.com to correct, update, or request deletion of profile details or other account-related information.
• Opt-Out of Marketing Emails
  You can unsubscribe from marketing emails at any time by clicking the “unsubscribe” link in the message. We may still send you non-promotional, service-related communications.
• Request Deletion of Call Recordings or Demo Inputs
  You may request deletion of certain call recordings, demo recordings, transcripts, or related inputs by emailing support@toma.com with sufficient detail for us to locate the data.
• California Residents
  If you are a California resident, you may have additional rights under the California Consumer Privacy Act (CCPA) or similar laws, including rights of access, deletion, and non-discrimination. To exercise these rights, contact support@toma.com or use the mailing address below. We will verify your request as required by applicable law.

We will not discriminate against you for exercising any privacy rights available to you under applicable law.

7. Security

We maintain administrative, technical, and physical safeguards designed to protect personal information, including controls aligned with SOC 2 standards (see https://trust.toma.com), such as encryption in transit, least-privilege access controls, and continuous monitoring.

No security program is perfect, and we cannot guarantee absolute security. If you believe your account or interaction with us has been compromised, please contact us immediately at support@toma.com.

8. International Users

Toma’s infrastructure and primary support teams are located in the United States. The Services are currently intended for use by U.S.-based businesses, and we do not intentionally market to or target residents of the European Economic Area (EEA) or the United Kingdom. If you access the Services from outside the United States, you acknowledge that your information may be transferred to, stored in, and processed in the United States and other countries where our service providers are located.

9. Children

The Services are not intended for anyone under 13 years old. We do not knowingly collect personal information from children under 13. If you believe a child has provided us with personal information, please contact support@toma.com and we will take appropriate steps to delete such information.

10. Changes to This Policy

We may update this Privacy Policy from time to time. When we make material changes, we will update the “Last updated” date at the top of this page and may notify active account holders by email or in-app message. Your continued use of the Services after any changes become effective signifies your acceptance of the updated Policy.

11. Contact Us

If you have questions, concerns, or requests regarding this Privacy Policy or our practices, you can contact us at:

Toma, Inc.
277 Carolina St.
San Francisco, CA 94103
Email: support@toma.com