Privacy Policy
1. Introduction
Sower Ventures Ltda. ("Toma", "we", "us", or "our") is responsible for processing personal data collected through the Toma app ("App") and the toma.app website ("Site").
This Privacy Policy describes what data we collect, how we use it, with whom we share it, and what your rights are as a data subject, in compliance with the Brazilian General Data Protection Law (LGPD — Law No. 13,709/2018).
By using the App or the Site, you acknowledge that you have read and understood this Policy. If you do not agree with any part, please do not use the service.
2. Data We Collect
2.1 Data you provide directly
Registration data:
- Full name
- Email address
- Apple account identifier (when using Sign in with Apple)
Travel preference data (provided during onboarding):
- Travel frequency per year
- Usual planning style (e.g., AI, Google, travel agency)
- Preferred travel pace (relaxed, moderate, intensive)
- Travel interests (culture, food, nature, etc.)
- Budget range
- Typical travel group (solo, couple, family, friends)
- Accessibility needs
App usage data:
- Destinations searched and itineraries created
- Activities added, edited, or removed
- Trip dates and duration
- Reviews and tips submitted
- Personal activity notes (stored locally and synced with your account)
2.2 Automatically collected data
Usage and behavior data:
We use PostHog to collect behavioral data within the App and on the Site, including:
- Screens viewed and navigation events
- Button clicks and feature interactions
- Session time and usage frequency
- Errors and technical failures
- Download source (when available)
Device data:
- Operating system and version
- Device language setting
- Device model (collected at an aggregate level, without individual identification)
- Installed App version
Location data:
We request location permission only when the User uses the Exploration Map, to display nearby places. Location is not collected in the background.
2.3 Data we do NOT collect
- Credit card or banking information (managed exclusively by Apple)
- Documents stored locally (PDFs, tickets, images) — these remain only on the User's device and are not sent to our servers
- Content of private messages between users
3. Purpose of Processing
We process your data for the following purposes:
| Purpose | Legal basis (LGPD) |
|---|---|
| Create and manage your account | Contract performance (art. 7, V) |
| Generate personalized AI travel itineraries | Contract performance (art. 7, V) |
| Enable trip collaboration with others | Contract performance (art. 7, V) |
| Process subscription and verify premium access | Contract performance (art. 7, V) |
| Send service-related communications (e.g., registration confirmation) | Contract performance (art. 7, V) |
| Analyze usage behavior to improve the product | Legitimate interest (art. 7, IX) |
| Identify and fix technical errors | Legitimate interest (art. 7, IX) |
| Comply with legal obligations | Legal obligation (art. 7, II) |
| Understand user profiles for audience analysis | Legitimate interest (art. 7, IX) |
We do not use your data for:
- Selling personal data to third parties
- Targeted advertising by third parties within the App
- Automated decisions with legal effects without human review
4. Data Sharing
We share your data only in the situations described below and always with adequate protection guarantees:
4.1 Service providers (sub-processors)
| Provider | Purpose | Country |
|---|---|---|
| Apple Inc. | Authentication (Sign in with Apple), App Store payment processing | USA |
| PostHog Inc. | Behavioral analytics in the App and on the Site | USA |
| RevenueCat Inc. | Subscription management and purchase verification | USA |
| Google LLC | Places data via Google Places API (displayed in the App) | USA |
All providers are subject to data protection agreements and may only process your data as instructed by Toma.
4.2 Other users
When you invite someone to collaborate on a trip, the name and profile photo associated with your account become visible to that trip's collaborators. No other personal data is shared.
4.3 Legal obligations
We may share data when required by law, regulation, court order, or competent government authority.
4.4 International transfers
Some providers listed above operate in the United States. This international transfer is carried out with adequate safeguards, including standard contractual clauses for data protection compatible with the LGPD.
5. Storage and Retention
Your data is stored on secure servers while your account is active. After account deletion:
- Registration and preference data: deleted within 30 days
- Itinerary and trip data: deleted within 30 days
- Analytics data (PostHog): anonymized or deleted per PostHog's policy
- Financial transaction records: retained for the legally required period under Brazilian tax law (5 years)
Local documents (PDFs, images, .pkpass files) are stored exclusively on the User's device and are not sent to our servers. Deletion of these files is the User's responsibility.
6. Data Security
We adopt technical and organizational measures to protect your data against unauthorized access, loss, alteration, or disclosure, including:
- Encrypted communication (HTTPS/TLS) between the App and our servers
- Secure authentication via Sign in with Apple or encrypted credentials
- Restricted internal access to personal data, limited to those with an operational need
- Security incident monitoring
In the event of an incident that may affect your data, we will notify the Brazilian National Data Protection Authority (ANPD) and impacted users within the timeframe established by the LGPD.
7. Your Rights as a Data Subject
Under the LGPD, you have the following rights with respect to your personal data:
| Right | What it means |
|---|---|
| Confirmation and access | Know whether we process your data and obtain a copy of it |
| Correction | Request correction of incomplete, inaccurate, or outdated data |
| Anonymization, blocking, or deletion | Request anonymization or deletion of unnecessary or excessive data |
| Portability | Receive your data in a structured format for use in another service |
| Deletion | Request deletion of data processed based on your consent |
| Information | Be informed about whom we share your data with |
| Withdrawal of consent | Withdraw given consent at any time, without prejudice to prior processing |
| Objection | Object to processing carried out based on legitimate interest |
How to exercise your rights:
- Account deletion: directly through the App at Settings → Account → Delete account
- All other rights: send an email to privacidade@toma.app with the subject "Data Rights Request" and a description of your request. We will respond within 15 business days.
8. Cookies and Tracking Technologies
On the Site (toma.app):
The Site uses essential technical cookies for operation and PostHog for behavioral analytics. We do not use third-party advertising cookies.
When you access the Site, you will be informed about the use of cookies and can manage your preferences. Refusing non-essential cookies does not prevent access to the Site's content.
In the App:
The App does not use cookies. We use internal identifiers and the PostHog SDK for behavioral analysis, as described in the Analytics section.
9. Minors
Toma is not directed at individuals under 18 years of age and does not intentionally collect data from children or teenagers. If we become aware that we have collected data from a minor without authorization from a legal guardian, we will delete that information immediately. If you have concerns, please contact us at privacidade@toma.app.
10. Changes to this Policy
We may update this Policy periodically to reflect changes in the App, applicable law, or our practices. The last updated date will always be shown at the top of this document. Material changes will be communicated via in-app notification or email. Continued use of the App after such notice constitutes acceptance of the updated Policy.
11. Data Protection Officer (DPO)
In compliance with art. 41 of the LGPD, Toma designates a Data Protection Officer (DPO):
DPO contact: privacidade@toma.app
12. Contact and Support Channel
For questions, requests, or complaints related to privacy and data processing:
Email: privacidade@toma.app
Website: toma.app/suporte
You may also file a complaint with the Brazilian National Data Protection Authority (ANPD) at gov.br/anpd if you believe your rights have not been respected.