Data protection
Privacy Policy
Version 2026-06 · last updated 2026-06-01
This notice explains how Toka processes the personal data of the people who use Toka (agency staff, billing contacts, support requesters) and of visitors to our marketing site. The applicable legal framework is Albania's Law no. 124/2024, which mirrors the EU GDPR.
1. Who we are
Toka is operated by Data Max sh.p.k., a company based in Albania. We provide the Toka SaaS CRM platform for real estate agencies. For privacy questions, contact us at info@tokacrm.com.
2. Who this notice covers
- Agency users who sign up for and use Toka (admin, manager, agent)
- Billing contacts at subscribed agencies
- Visitors to our marketing site
- People who contact us for support, sales or partnership
This notice does not cover the personal data that agencies upload to Toka about their own clients, owners or leads. For that data the agency is the controller — consult the agency's own privacy notice.
3. What we collect and why
| Data | Purpose | Legal basis |
|---|---|---|
| Account: name, email, role | Providing the platform | Contract |
| Authentication: password hash, MFA, session token | Login security | Contract |
| Profile: phone, photo, agency | Operating the CRM | Contract |
| Usage logs: pages visited, actions | Product improvement, abuse detection | Legitimate interest |
| Billing: tax ID, VAT, payment token (via processor) | Tax legal obligation + contract | Legal obligation + contract |
| Support requests, sales conversations | Responding to your requests | Contract / legitimate interest |
| Marketing preferences | Sending updates if you opted in | Consent |
| Non-essential cookies on the marketing site | Analytics | Consent |
We do not process special-category data (health, biometrics, religion, political opinions, etc.) and we do not knowingly process children's data.
4. Where we store it
All Toka customer data is stored and processed within the European Union. Toka's infrastructure is pinned to AWS Frankfurt (eu-central-1). Our AI sub-processor (Black Forest Labs) is a German company operating within the EU.
5. AI features
Toka uses Anthropic Claude (via AWS Bedrock, EU region) to generate property descriptions, extract structured data from free text, and produce social-media copy. It also uses Black Forest Labs (EU) for photo enhancement and 3D rendering of floor plans. Every prompt passes through a layer that strips personal data (email, phone, national ID, tokens) before it is sent; each AI call is logged with a hash of the prompt — not the full text.
6. Facebook / Meta integration
Toka offers an optional integration with Facebook and Instagram (via Meta Platforms, Inc.) to help agencies manage property listings and social communications directly from the platform.
What Meta data we access
When you connect your Toka account to Facebook or Instagram, with your explicit permission, we may access:
- Your public name and Facebook profile ID
- The email address linked to your Facebook account (if permitted)
- The Facebook Pages and Instagram accounts you manage
- Post metrics and audience engagement for connected pages
- Page messages and comments (only if you enable the social communication module)
How we use Meta data
✓ We access it only to provide the CRM functionality you requested (e.g. publishing listings, managing messages).
✗ We do not sell Meta data to third parties.
✗ We do not use it for targeted advertising or building ad profiles.
✗ We do not share it with third parties beyond the service providers that help us run the platform (such as AWS).
Deleting Facebook data
You can revoke Toka's access to your Facebook data directly in Facebook Settings → Apps and Websites. After disconnecting, we will no longer access new data and existing data will be deleted within 30 days. You can also request deletion by email at info@tokacrm.com.
7. Sub-processors
- AWS — hosting and AI inference (eu-central-1, Frankfurt)
- Cloudflare — bot protection on the marketing site
- Black Forest Labs (BFL) — photo enhancement and 3D rendering (EU)
- Cognito (AWS) — identity provider, EU region
We do not sell personal data. The full list of sub-processors and the data each receives is documented and available on request.
8. International transfers
Toka does not transfer personal data outside the European Union / EEA. If a future sub-processor were to require such a transfer, we would rely on an adequacy decision or Standard Contractual Clauses (Commission Decision 2021/914) with a Transfer Impact Assessment.
9. How long we keep it
| Category | Retention |
|---|---|
| Active account data | While the subscription is active |
| Data after subscription ends | Up to 30 days, then deleted (or sooner on request) |
| Billing records | 10 years (Albanian tax law) |
| Application logs | Up to 18 months, then aggregated or deleted |
| Marketing preferences | Until consent is withdrawn |
| Backups | 35 days (DynamoDB PITR), then rotated |
| Facebook / Meta data | Deleted within 30 days of disconnecting the integration |
| Consent records | Kept for as long as the related processing lasts |
10. Your rights
Under Law no. 124/2024 and the GDPR (where applicable) you have the right to:
- Access the personal data we hold about you
- Correct inaccurate data — most fields are editable directly in the Toka UI
- Request deletion of your account and data
- Restrict processing or object to processing based on legitimate interest
- Receive an export of your data in a machine-readable format (portability)
- Withdraw any consent at any time — withdrawal does not affect the lawfulness of prior processing
- Lodge a complaint with the Commissioner for the Right to Information and Protection of Personal Data (IDP / idp.al)
11. How to exercise your rights
Email info@tokacrm.com from the address linked to your Toka account, describing what you want. We respond within 30 days under Law 124/2024 and the GDPR. We may ask for additional information to verify your identity.
12. Security
Our security measures include encryption of data at rest and in transit, tenant isolation in the database, MFA available for staff accounts, audit logging of administrative actions, and detection alerts for abnormal access patterns. Personal identifiers (national ID and phone) are masked by default in the agent UI; full values are revealed only by an explicit operator action, which is recorded in the audit log with the operator's identity and stated reason.
13. Changes to this notice
We may update this notice when our processing changes. The version number and date at the top of this page reflect the latest revision. We will notify you of material changes in-app.
Privacy questions? info@tokacrm.com. Complaints: IDP (idp.al).