Privacy Policy

1. Introduction

Toma, Inc. ("Toma," "we," "our," or "us") provides (a) a voice-AI platform and dashboard for automobile dealerships, (b) public web demos at toma.com, and (c) an AI-powered Web Chat widget embedded on participating dealer websites (the "Web Chat") (collectively, the "Services").

This Privacy Policy explains how we collect, use, disclose, and protect personal information from: (i) authenticated dealership users such as service advisors, managers, receptionists, and owners ("Dealer Users"); (ii) unauthenticated visitors who browse the Site or try voice/chat demos without creating an account ("Visitors"); and (iii) end-user consumers who interact with the Web Chat on a dealer's website ("Chat Users").

By using the Services, you agree to the practices described in this Privacy Policy. If you do not agree, please do not use the Services.

2. Information We Collect

2.1 Information You Provide Directly

From Dealer Users:

• Account identifiers: name, business email, phone number, profile picture, username, and hashed password
• Google OAuth token (if single sign-on is used)
• Business details: dealership name, address, hours of operation, pricing data, and inventory information

From Chat Users (via the Web Chat):

• Contact information: name, email address, and phone number, when voluntarily provided
• Vehicle interest: make, model, year, stock number, or description of the vehicle you are inquiring about
• Conversation content: the full text of your Web Chat conversation, including any questions, preferences, or information you share
• Payment and affordability inquiry details: information you provide when requesting payment estimates, such as desired monthly payment, down payment amount, or trade-in details

From Visitors:

• Contact information submitted via the Site's contact form or email inquiries
• Demo interaction content: voice or text inputs during a public demo session

2.2 Information Collected Automatically

When you use the Services (including the Web Chat on a dealer's website), we may automatically collect:

• Device and browser information: IP address, device type, operating system, browser type and version, screen resolution, and language preferences
• Usage data: pages viewed, links clicked, time spent on pages, referring URL, and the dealer website from which you accessed the Web Chat
• Chat metadata: timestamps, session duration, and interaction patterns within the Web Chat
• Cookies and similar technologies: as described in Section 7 below

2.3 Information from Third Parties

We may receive information from third-party sources, including dealer management systems (DMS), customer relationship management (CRM) platforms, OEM systems, and data providers that dealers integrate with the Toma platform. This may include vehicle inventory data, customer records (where the dealer has obtained appropriate consent), and transaction history.

3. How We Use Your Information

We use the information we collect for the following purposes:

• Providing and operating the Services: powering Web Chat conversations, generating AI responses, providing payment and affordability estimates, facilitating dealer follow-up, and delivering chat transcripts and analytics to the applicable dealer
• Communications: sending you SMS messages or initiating phone calls if you have opted in or requested such communications through the Web Chat; sending appointment reminders, follow-up messages, and service-related notifications
• Improvement and development: training and improving Toma's AI models using conversation data that has been de-identified and aggregated prior to any use for model training, in accordance with the business purposes disclosed to and agreed upon by the applicable dealer; analyzing usage patterns to enhance the Services; and developing new features
• Dealer operations: sharing Chat User information with the applicable dealer for customer relationship management, sales follow-up, and service operations
• Security and compliance: detecting and preventing fraud, abuse, or security incidents; enforcing our Terms of Service; and complying with legal obligations
• Analytics and reporting: generating aggregated, de-identified reports and benchmarks for dealers and for Toma's internal business purposes

We collect, use, retain, and share personal information only to the extent reasonably necessary and proportionate to achieve the purposes described above. We do not use Chat User personal information for purposes incompatible with those disclosed to the applicable dealer in our service agreement.

4. How We Share Your Information

We share personal information in the following circumstances:

With the applicable dealer.

When you interact with the Web Chat on a dealer's website, your contact information, vehicle interest, conversation transcript, and related data are shared with that dealer for the purposes of customer service, sales follow-up, and dealer operations. The dealer is the data controller with respect to personal information collected through the Web Chat on its website. You should review the dealer's own privacy policy for information about how the dealer processes your data.

With service providers.

We share information with trusted third-party service providers who perform services on our behalf, such as cloud hosting (e.g., AWS), analytics, SMS delivery, telephony, and customer support. These providers are contractually obligated to use your information only for the purposes of providing services to Toma and to maintain appropriate security measures.

With dealer-integrated systems.

For Dealer Users and at the dealer's direction, we may share information with the dealer's DMS, CRM, OEM systems, or other integrated platforms to support the dealer's business operations.

For legal and safety purposes.

We may disclose information if we believe in good faith that disclosure is necessary to: (a) comply with applicable law, regulation, legal process, or governmental request; (b) enforce our Terms of Service; (c) detect, prevent, or address fraud, security, or technical issues; or (d) protect the rights, property, or safety of Toma, our users, or the public.

In connection with corporate transactions.

If Toma is involved in a merger, acquisition, reorganization, sale of assets, or bankruptcy, your information may be transferred as part of that transaction. We will provide notice if your information becomes subject to a different privacy policy.

Aggregated and de-identified data.

We may share aggregated or de-identified data that cannot reasonably be used to identify you for benchmarking, research, marketing, or other business purposes.

5. SMS and Phone Communications

5.1 Consent

We will only send you SMS text messages or initiate phone calls if you have affirmatively opted in through the Web Chat (for example, by providing your phone number and clicking "Let's go!" or "Request a call") or if you have otherwise provided your express consent. Consent is not a condition of any purchase.

5.2 Types of Messages

Messages may include: responses to your Web Chat inquiries continued via SMS, appointment confirmations and reminders, vehicle availability updates, follow-up communications related to your expressed vehicle interest, and service-related notifications.

5.3 Message Frequency and Rates

Message frequency varies based on your interactions. Standard message and data rates from your wireless carrier may apply.

5.4 Opt-Out

You may opt out of SMS messages at any time by replying STOP to any message from Toma. After opting out, you will receive a single confirmation message. To resume messages, text START. You may also contact us at support@toma.com to manage your communication preferences.

5.5 TCPA Compliance

Toma's SMS and calling practices are designed to comply with the Telephone Consumer Protection Act (TCPA) and applicable state telemarketing and communication laws. Dealers that use the Web Chat are responsible for ensuring that their use complies with all applicable laws and for obtaining any additional consents required under federal, state, or local law.

6. Data Retention

We retain personal information for as long as necessary to fulfill the purposes described in this Privacy Policy, unless a longer retention period is required or permitted by law. Specifically:

• Web Chat conversations and associated contact information are retained for up to thirty-six (36) months from the date of the interaction, or longer if required by the applicable dealer's data-retention requirements or applicable law.
• Dealer User account information is retained for the duration of the dealer's active subscription and for a reasonable period thereafter for legal and business purposes.
• Automatically collected data (usage data, cookies) is retained for up to twenty-four (24) months.

After the applicable retention period, personal information is deleted or de-identified in accordance with our data-retention policies.

When we receive a verified deletion request (either directly from a consumer or forwarded by the applicable dealer), we will delete the relevant personal information from our systems and instruct our service providers and sub-processors to delete that information as well, unless retention is required by applicable law or falls within a recognized exception.

7. Cookies and Tracking Technologies

The Web Chat and the Site use cookies and similar technologies (such as local storage and pixel tags) for the following purposes:

• Essential functionality: maintaining your chat session, remembering your preferences, and enabling the Web Chat to function properly.
• Analytics: understanding how the Web Chat and Site are used, measuring performance, and identifying areas for improvement.
• Personalization: tailoring the Web Chat experience based on your browsing context (such as the vehicle page you are viewing).

We do not use cookies for cross-site behavioral advertising. You may manage cookie preferences through your browser settings. Disabling cookies may affect the functionality of the Web Chat.

8. Data Security

Toma maintains administrative, technical, and physical safeguards aligned with SOC 2 standards to protect your personal information. These safeguards include:

• Encryption of data in transit (TLS) and at rest
• Least-privilege access controls and role-based permissions
• Continuous security monitoring and incident response procedures
• Regular security assessments and audits
• Employee security training and access management

While we take reasonable measures to protect your information, no method of transmission over the Internet or method of electronic storage is completely secure. We cannot guarantee absolute security.

The following is provided as a notice at collection pursuant to the California Consumer Privacy Act, as amended by the California Privacy Rights Act (CCPA/CPRA).

When you interact with the Web Chat on a participating dealer's website, we collect the following categories of personal information at or before the point of collection:

• Identifiers (e.g., name, email address, phone number, IP address)
• Commercial information (e.g., vehicle interest, payment and affordability inquiry details, trade-in information)
• Internet or other electronic network activity information (e.g., browsing history on the dealer's site, chat metadata, interaction patterns)
• Geolocation data (inferred from IP address)
• Sensitive personal information, if voluntarily provided (e.g., financial information related to payment estimates)

This information is collected for the business purposes described in Section 3 of this Privacy Policy. We do not sell or share your personal information for cross-context behavioral advertising. For information about your rights regarding this data, see Section 9 below.

9. Your Rights and Choices

9.1 California Residents (CCPA/CPRA)

If you are a California resident, you may have the following rights under the California Consumer Privacy Act (CCPA) and the California Privacy Rights Act (CPRA):

• Right to know: You may request that we disclose the categories and specific pieces of personal information we have collected about you, the sources, the purposes, and the categories of third parties with whom we share it.
• Right to delete: You may request that we delete personal information we have collected from you, subject to certain exceptions. Upon receiving a verified deletion request, we will also instruct our service providers and sub-processors to delete the relevant information.
• Right to correct: You may request that we correct inaccurate personal information.
• Right to opt out of sale/sharing: Toma does not sell your personal information. We do not share personal information for cross-context behavioral advertising. We honor Global Privacy Control (GPC) browser signals. Because we do not sell or share personal information for cross-context behavioral advertising, no further action is required when we detect a GPC signal.
• Right to limit use of sensitive personal information: You may direct us to limit the use and disclosure of sensitive personal information (such as financial details provided during payment estimate requests) to what is necessary to perform the Services you have requested.
• Right to data portability: You may request that we provide your personal information in a structured, commonly used, machine-readable format, and where technically feasible, transmit it to another entity at your direction.
• Right to non-discrimination: We will not discriminate against you for exercising your privacy rights.

You may designate an authorized agent to submit a request on your behalf by providing the agent with written, signed permission. We may require the authorized agent to provide proof of authorization and may verify your identity directly before processing the request.

To exercise these rights, please submit a request to support@toma.com. We will verify your identity before processing your request. We will acknowledge receipt of your request within 10 business days and will respond substantively within 45 calendar days. If we require additional time (up to an additional 45 days), we will notify you of the extension and the reason for it.

Where Toma acts as a service provider on behalf of a dealer with respect to Chat User data, consumers should direct rights requests to the applicable dealer, who will coordinate with Toma to fulfill the request. Toma will assist the dealer in responding to verified consumer requests in accordance with our contractual obligations and applicable law.

9.2 Other State Privacy Rights

Residents of other states with applicable privacy laws (such as Virginia, Colorado, Connecticut, Utah, and others) may have similar rights. Please contact us at support@toma.com to exercise any applicable rights.

10. Children's Privacy

The Services are not intended for anyone under the age of 13. We do not knowingly collect personal information from children under 13. If you believe that a child under 13 has provided us with personal information through the Web Chat or otherwise, please contact us at support@toma.com and we will promptly delete it.

For consumers between the ages of 13 and 16, we will not sell or share personal information without affirmative opt-in consent. If a minor declines to provide consent, we will wait at least 12 months before requesting consent again, as required by the CPRA.

11. Geographic Scope

Toma's infrastructure and support teams are located in the United States. The Services are intended for use within the United States. We do not intentionally market to or knowingly collect data from residents of the European Economic Area (EEA) or the United Kingdom. If you are located outside the United States and choose to use the Services, you understand that your information will be transferred to and processed in the United States, where data-protection laws may differ from those in your jurisdiction.

12. Dealer as Data Controller

With respect to personal information collected from Chat Users through the Web Chat embedded on a dealer's website, the dealer (not Toma) acts as the data controller. Toma processes this personal information on behalf of, and at the direction of, the applicable dealer as a service provider (or "processor"). As a service provider under the CCPA/CPRA, Toma is contractually prohibited from retaining, using, or disclosing Chat User personal information for any purpose other than the specific business purposes set forth in our agreement with the dealer, or outside the direct business relationship between Toma and the dealer. Toma does not combine Chat User personal information received from one dealer with personal information received from other dealers or from other sources, except as permitted by applicable law. Dealers are responsible for complying with all applicable data-privacy and data-protection laws, including providing required notices and obtaining required consents from Chat Users. Chat Users should refer to the privacy policy of the applicable dealer to understand how their personal information is processed by the dealer.

13. Changes to This Privacy Policy

We may update this Privacy Policy from time to time. When we make material changes, we will post the revised policy on this page and update the "Last updated" date above. For Dealer Users with active accounts, we may also provide notice by email or in-app notification. Your continued use of the Services after any changes constitutes your acceptance of the updated Privacy Policy.

14. Contact Us

If you have questions or concerns about this Privacy Policy, our data practices, or wish to exercise your privacy rights, please contact us at:

Toma, Inc.

277 Carolina St., San Francisco, CA 94103

support@toma.com