
Privacy Policy

How the Tóg Marketplace handles personal data — what we process, why, where it lives, how long we keep it, and the rights you and your customers have.

Effective: 19 June 2026
Version: v1.0

Plain-language summary

The Tóg Marketplace lets a business (a “merchant”) switch on plugins — AI chat, loyalty, reviews, bookings and more — and run them on their own site. For the personal data those plugins collect about a merchant’s own customers, the merchant is the data controller and Tóg is the processor acting on the merchant’s instructions. For the merchant’s own account (team, billing, configuration), Tóg is the controller. Our primary data store is hosted in the EU. We never sell personal data. You can export or delete your data.

1. Who we are

This policy is published by [OWNER: Legal entity name operating Tóg Studio / the Tóg Marketplace], trading as Tóg Studio (“Tóg”, “we”, “us”), at [OWNER: Registered business address] (company registration [OWNER: Company registration number]; VAT [OWNER: VAT number, if registered]). It governs the Tóg Marketplace at app.togs.ie and the plugins delivered through it.

For privacy questions, to exercise your rights, or to reach our data-protection contact, email support@togs.ie. Our designated data-protection contact is [OWNER: Data Protection contact / DPO name + email, or confirm support@togs.ie is the DP contact and no statutory DPO is appointed].

2. Controller and processor — who decides what

The Tóg Marketplace processes two distinct categories of data, with two distinct roles. It matters which one applies to you.

When Tóg is the processor (most plugin data)

When a merchant enables a plugin, that plugin may collect personal data about the merchant’s own customers (their “end-shoppers”) — for example a loyalty member’s email or a booking customer’s contact details. For this data the merchant is the controller (they decide why and how it is processed) and Tóg is the processor, handling it only to provide the plugin on the merchant’s instructions. Our processor commitments are set out in our Data Processing Addendum.

When Tóg is the controller (merchant accounts)

For the merchant’s own account — the people on the team, sign-in identities, billing relationship, configuration and audit history — Tóg is the controller. This policy describes how we process that data.

3. The personal data we process

A. Merchant account data (Tóg is controller)

  • Account identities. The email address, display name and a sign-in identifier for each member of a merchant’s team, held via Firebase Authentication; the organisation name; team roles; and the email addresses on pending or accepted team invitations.
  • Configuration. The sites and origins a merchant registers, their plugin installations and settings (which can include a business contact or hand-off email), and usage counters (these counters hold no personal data).
  • Billing. A Stripe customer identifier and subscription metadata. We never receive or store payment card numbers — card details are entered with and held by Stripe (see §8).
  • Credentials we hold for you (encrypted). The API keys you mint are high-entropy random tokens stored only as a SHA-256 hash plus the last four characters — never the key itself. The third-party provider keys you supply (“bring your own key”) and any connected-platform access token are stored encrypted at rest; we keep only the encrypted value plus the last four characters, never the plaintext (see §9 and our Security page).
  • Audit log. An append-only record of sensitive account actions — the acting member’s identifier and email, the action, and a short non-secret summary. The audit log never contains secret material.

B. End-shopper data, per plugin (Tóg is processor)

The plugins a merchant switches on collect different personal data about the merchant’s customers. We process this strictly on the merchant’s behalf:

  • Loyalty. A loyalty member’s email address (required), and optionally their name and business, together with a referral code and a points balance. Members can be created automatically from a merchant’s paid Shopify orders when the loyalty plugin is enabled (the customer email on a paid order is enrolled so points can be awarded).
  • Reviews. A reviewer’s name and email address, their rating, title and review text, and any business response. A reviewer’s email is stored for the merchant’s use but is never shown in the public reviews list — it is readable only via the merchant’s secret key.
  • Bookings. A booking customer’s name, email and optional phone number, the requested service and time, and any notes (which may include an on-site address the merchant collects).
  • AI chat. The end-shopper’s chat messages, and any image they attach, are sent to the configured AI model provider to generate a reply (see §7 and our AI Data Handling disclosure). If the conversation is handed off to a human, the shopper’s name and contact details and a summary of their request are emailed to the merchant’s hand-off address.

We do not intentionally collect special-category data (such as health, political or religious data). Merchants should not configure free-text fields (e.g. booking notes) to gather it, and they remain the controller for whatever their customers submit.

4. Why we process it, and our legal bases

As controller of merchant account data, we rely on the following legal bases under the EU/UK General Data Protection Regulation (GDPR):

  • Performance of a contract — to create and operate your account, sign you in, provide the plugins you enable, and bill your subscription.
  • Legitimate interests — to secure the service (the audit log, encryption, abuse and rate-limiting), to maintain and improve reliability, and to communicate operational notices. We balance these against your interests.
  • Legal obligation — to keep records required by tax, accounting and company law, and to respond to lawful requests.
  • Consent — where it applies, for example a loyalty member’s marketing-consent flag, which the relevant person can withdraw at any time.

For end-shopper data we process as a processor, the legal basis is the merchant’s (the controller’s) responsibility; we act only on their documented instructions under the Data Processing Addendum.

5. How long we keep it

We keep personal data only as long as needed for the purpose it was collected, then delete or anonymise it. In practice:

  • Account data is retained while the account is open. When an owner closes the account, we delete the tenant’s data across all collections and keep only a minimal, non-personal tombstone (an internal identifier and a closure timestamp) for our own records (see §6).
  • End-shopper plugin data (loyalty members, reviews, bookings) is retained while the merchant’s programme exists. It is erased on a valid redaction request — including the automated Shopify customer-redaction webhook — and it is fully deleted when the account is closed. Disabling or uninstalling a single plugin, or deleting a site, does not by itself purge the programme’s stored records; a merchant who wants that data removed without closing the whole account can request it from us. [OWNER: Confirm the plugin/site teardown behaviour and the retention period for end-shopper plugin data so the wording is exact]
  • Billing records may be retained longer where tax and accounting law requires.

The specific retention periods per category are being finalised with our advisers: [OWNER: Concrete retention durations per data category — account data after close, plugin end-shopper data, audit logs, and billing records under tax/accounting law].

6. Your rights, and how to exercise them

Subject to the GDPR, you have the right to access, rectify, erase, restrict, port, and object to the processing of your personal data, and to withdraw consent where we rely on it. Where Tóg is the processor for end-shopper data, a data subject should first contact the merchant (the controller); we assist the merchant in responding, and we have built the data-subject paths below.

For merchant accounts — export and delete are built in

  • Export. An account owner can download a complete JSON export of everything the marketplace holds for the account — the organisation, team (with emails), invitations, sites, installations, usage, overrides, the audit trail, and real billing data from Stripe. The export is secret-safe by construction: API keys appear as last-four only, and provider secrets as provider name plus last-four only — never any plaintext, hash or ciphertext.
  • Delete. An account owner can permanently close the account. This cancels active Stripe subscriptions, signs every member out of every device, deletes the tenant’s account data and configuration across every collection, and recursively deletes the per-site plugin programmes — including the end-shopper data that loyalty, reviews and bookings collect (members, reviews and bookings, with their email addresses, names, phone numbers and notes). Only a minimal, non-personal tombstone remains (the internal identifier and the closure timestamp described in §5). The free-text account name is deliberately not retained in the tombstone, because a sole trader may have entered their own name.

For end-shopper data — the GDPR paths we implement

The marketplace registers and handles the three mandatory data-protection webhooks when a merchant connects a Shopify store. Each is cryptographically verified before any processing:

  • Customer data request — we acknowledge the request. The customer personal data we may hold for a Shopify store is a loyalty member created from a paid order (when loyalty is enabled), plus any review or booking that customer left through an enabled plugin; the merchant can export this data from the Tóg portal.
  • Customer redaction — we perform a real erasure across every plugin that may hold the customer’s data on that store. A matching loyalty member is anonymised in place (email, name and business cleared, access token rotated, record marked deleted, email index removed); a matching review has its author name and email cleared; and a matching booking has its customer name, email, phone and notes cleared and its self-cancel token rotated. Content that carries no personal data once those fields are cleared — a review’s rating and text, a booking’s slot and service — is retained. The operation is idempotent.
  • Shop redaction — we erase the stored connection token for the store and mark the installation removed.
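As an added illustration (not Tóg's own code), the customer-redaction step above modelled in Python over an in-memory stand-in for one store's plugin records; the collection and field names are assumptions, and the sample records are constructed:

```python
import secrets

def _blank(record, fields):
    """Clear the listed personal-data fields in place; everything else is kept."""
    for f in fields:
        if f in record:
            record[f] = None

def redact_customer(store, email):
    """Erase one customer's personal data across loyalty, reviews and bookings.
    Returns the number of records touched. A repeat call returns 0: the email
    index entry and the matching fields are already gone (idempotent)."""
    key = email.strip().lower()
    touched = 0
    # Loyalty: anonymise in place, rotate the access token, drop the email index.
    member_id = store["loyalty_email_index"].pop(key, None)
    if member_id is not None:
        member = store["loyalty_members"][member_id]
        _blank(member, ("email", "name", "business"))
        member["access_token"] = secrets.token_urlsafe(32)
        member["deleted"] = True
        touched += 1
    # Reviews: clear author identity; rating and text carry no personal data.
    for review in store["reviews"]:
        if (review.get("email") or "").lower() == key:
            _blank(review, ("author_name", "email"))
            touched += 1
    # Bookings: clear contact fields and notes; rotate the self-cancel token.
    for booking in store["bookings"]:
        if (booking.get("email") or "").lower() == key:
            _blank(booking, ("name", "email", "phone", "notes"))
            booking["cancel_token"] = secrets.token_urlsafe(32)
            touched += 1
    return touched

def sample_store():
    """Constructed sample records standing in for one store's plugin collections."""
    return {
        "loyalty_email_index": {"ann@example.com": "m1"},
        "loyalty_members": {"m1": {"email": "ann@example.com", "name": "Ann",
                                   "business": "Ann's Shop", "points": 120,
                                   "access_token": "tok-old", "deleted": False}},
        "reviews": [{"author_name": "Ann", "email": "ann@example.com", "rating": 5, "text": "Great"},
                    {"author_name": "Bob", "email": "bob@example.com", "rating": 3, "text": "Fine"}],
        "bookings": [{"name": "Ann", "email": "ann@example.com", "phone": "+353 1 000 0000",
                      "notes": "12 Main St", "service": "haircut",
                      "slot": "2026-06-20T10:00", "cancel_token": "c-old"}],
    }
```

Running the redaction twice for the same address shows the idempotency the policy relies on: the second call finds nothing left to clear.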

To make a request, email support@togs.ie. You also have the right to lodge a complaint with a supervisory authority — for us, [OWNER: Lead supervisory authority — confirm the Irish Data Protection Commission (DPC) and the complaint route].

7. AI processing

When a merchant enables the AI-chat plugin, an end-shopper’s chat messages (and any image they attach) are sent to the configured AI model provider to generate a reply. The provider depends on the merchant’s configuration: a merchant’s own OpenAI key (their provider relationship and terms), or a Tóg-paid path served via the Vercel AI Gateway (Anthropic Claude) or Google Vertex AI (Gemini). When no provider is configured, the plugin gives an honest “briefly unavailable” reply rather than a fabricated one. Whether content is used to train a model depends on the configured provider’s terms — it is not a guarantee Tóg makes on the provider’s behalf. The full detail is in our AI Data Handling disclosure.

8. Where your data lives, and international transfers

Our primary data store — Cloud Firestore, holding account data, configuration and the personal data plugins collect — is hosted in the European Union (the eur3 EU multi-region). Our Tóg-paid Vertex AI path runs in an EU region (europe-west1) by default. We disclose EU residency for transparency: it is a benefit for EU merchants, and for a non-EU merchant whose data therefore resides in the EU, this section serves as notice of that.

Some of our sub-processors are located outside the EU/EEA (for example in the United States) — including our hosting and AI-gateway provider, payment processor, AI model providers, and our email provider. Where personal data is transferred to them, the transfer is governed by appropriate safeguards, intended to be the European Commission’s Standard Contractual Clauses (and any applicable UK or Swiss addendum): [OWNER: Confirm reliance on the EU Standard Contractual Clauses (and UK Addendum / Swiss adequacy if relevant) and who signs them]. The full, dated list is on our Sub-processors page (currently v1.0, effective 19 June 2026).

9. How we protect it

We protect data in transit with TLS and at rest with Google Cloud’s encryption. Beyond that, the sensitive credentials you give us — your bring-your-own-key provider secrets and connection tokens — are envelope-encrypted with AES-256-GCM, and the API keys you mint are stored only as a SHA-256 hash. Every plugin API call passes through a single authenticated gateway, tenants are isolated from one another, and sensitive actions are recorded in an append-only audit log. We are not currently SOC 2 or ISO 27001 certified, and we do not claim to be. The full, honest detail — including our certification posture — is on our Security page.

10. Sub-processors

We use a small set of vetted third parties to provide the service — hosting, the database and authentication, payments, AI models, and email/SMS. Each is listed, with its purpose, the data it processes and its region, on our Sub-processors page, and we commit to notifying merchants of additions or changes as set out in the Data Processing Addendum.

11. Children

The Tóg Marketplace is a business-to-business product and is not directed at children. We do not knowingly process children’s personal data through the marketplace account; a merchant remains responsible for the personal data its own customers submit through a plugin.

12. Changes to this policy

We may update this policy as the service evolves. We will revise the effective date and version above, and for material changes we will take reasonable steps to notify merchants. The current version is v1.0, effective 19 June 2026 ([OWNER: Confirm/adjust the effective date and version at publish]).

13. Contact

Questions, requests or complaints about this policy or your personal data: email support@togs.ie, or write to us at [OWNER: Registered business address]. If you are in the EU/EEA or UK and we are required to appoint a representative, their details will appear here: [OWNER: EU/UK Article 27 representative — confirm whether one is required/appointed].

Before relying on this document

This policy reflects our real data practices, but it has not yet been reviewed by a qualified solicitor. [OWNER: Solicitor review of this document before it is relied upon].

Questions about this document? Email support@togs.ie.