Effective date: March 2026 · Version 1.2 · Governing law: England & Wales
Privacy Policy
This Privacy Policy explains how Tova collects, uses, stores, and protects your personal data when you use the Tova platform, whether as a consumer or as a business partner.
1. Who We Are
Tova is a drop culture marketplace platform operated by Tova (incorporated in England & Wales).
Our platform operates in Karachi, Pakistan, and is subject to UK data protection law (UK GDPR and the Data Protection Act 2018).
Contact us: support@tova.global
2. Data We Collect
2.1 Data You Provide
When you register and use Tova, we collect:
- Full name
- Email address
- Mobile phone number (stored in E.164 international format, e.g. +923001234567)
- Password (stored as a secure cryptographic hash — we never store your password in plain text)
- Area or neighbourhood (for matching you to relevant drops)
- WhatsApp opt-in preference
- Referral source (how you heard about Tova)
- Business name, address, and description (business partners only)
2.2 Data We Generate
Through your use of the platform we also collect:
- Claim history (which drops you claimed, when, and the outcome)
- No-show and strike records (consumers)
- Commission records and transaction history (business partners)
- Login activity and session data
- Device type and browser information
2.3 Data We Do Not Collect
We do not currently process payment card data. When digital payments are introduced, payment processing will be handled by a certified third-party provider compliant with PCI DSS standards. Tova will not store card details.
3. How We Use Your Data
We use your data to:
- Create and manage your Tova account
- Match you with drops in your area
- Process and track claims
- Manage the no-show strike system (consumers)
- Calculate and record platform commissions (business partners)
- Send operational notifications including claim confirmations and pickup reminders
- Send WhatsApp messages where you have opted in
- Improve the platform based on usage patterns
- Investigate complaints and disputes
- Comply with legal obligations
We do not use your data for automated decision-making that produces legal effects, except for the automated application of the no-show strike system as described in the Consumer Terms. You have the right to request human review of any automated strike decision by contacting support@tova.global.
4. Legal Basis for Processing
Under UK GDPR, we process your data on the following legal bases:
- Contract: processing necessary to provide the Tova service you have signed up for
- Legitimate interests: improving the platform, preventing fraud and abuse, maintaining the no-show system to protect business partners
- Consent: WhatsApp marketing and operational messages (you can withdraw consent at any time)
- Legal obligation: where we are required to retain or process data by applicable law
5. Data Sharing
We do not sell your personal data to third parties under any circumstances.
We may share your data with:
- Supabase (database and authentication provider) — data stored in the EU (Frankfurt, Germany) under a Data Processing Agreement compliant with UK GDPR
- Vercel (hosting provider) — for platform infrastructure
- Future payment processing providers — transaction data only, for processing purposes
- Law enforcement or regulatory authorities — only where required by law
Business partners can see consumer first name and claim/pickup status only. They cannot see your full contact details, email address, or phone number.
6. Communications & Notifications
6.1 WhatsApp
If you opt in to WhatsApp communications during signup, we may send you:
- Drop alerts
- Claim confirmations and pickup reminders
- Account notices including strike warnings
- Platform updates
You can opt out at any time by updating your preferences in your profile or by replying STOP to any Tova WhatsApp message. Opting out of marketing messages does not affect essential account notices (such as strike warnings), which we may still send via WhatsApp or email to fulfil our contractual obligations.
6.2 Push Notifications (PWA)
When you install the Tova app, you may be prompted to allow push notifications. If you accept, Tova stores your push subscription token to send claim reminders, drop alerts, and account notices.
You can withdraw permission at any time through your device settings. When you withdraw, we delete your push subscription token within 7 days. Withdrawing does not affect your ability to use Tova or your WhatsApp preferences.
7. Data Retention
We retain your data for as long as your account is active. If you close your account:
- Your profile and personal details will be deleted within 30 days
- Claim records and commission records may be retained for up to 3 years for legal and financial purposes, in anonymised form where possible
- No-show records are deleted with your account
- WhatsApp opt-in records are retained for 12 months as evidence of consent
8. Your Rights
Under UK GDPR you have the right to:
- Access the personal data we hold about you (Subject Access Request)
- Correct inaccurate or incomplete data
- Request deletion of your data (right to erasure), subject to legal retention requirements
- Object to processing based on legitimate interests
- Request restriction of processing while a complaint is investigated
- Data portability — receive your data in a structured, machine-readable format
- Withdraw consent for WhatsApp communications at any time
- Request human review of automated decisions (including no-show strikes)
- Lodge a complaint with the ICO at ico.org.uk
To exercise any right, contact support@tova.global. We will respond within 30 days.
9. Data Security
We take reasonable technical and organisational measures to protect your data, including:
- All data in transit is encrypted via HTTPS/TLS
- Passwords are cryptographically hashed and never stored in plain text
- Database access is governed by Row Level Security (RLS) policies
- Authentication is managed via Supabase Auth with secure session handling
- Access to production systems is restricted to authorised personnel only
In the event of a personal data breach, we will notify you and the ICO within 72 hours of becoming aware.
10. International Data Transfers
Your data is stored on Supabase infrastructure in the EU (Frankfurt, Germany). As our platform operates in Pakistan, your data may be accessed from Pakistan by Tova's operational team under appropriate security controls.
12. Children
Tova is not directed at children under 16. We do not knowingly collect personal data from anyone under 16. If we become aware that a user is under 16, we will close their account and delete their personal data promptly.
13. Changes to This Policy
Material changes will be communicated via email and, where opted in, via WhatsApp, before they take effect.
14. Contact & Complaints
Privacy queries and Subject Access Requests: support@tova.global
To make a formal complaint to the UK regulator:
Information Commissioner's Office (ICO) · ico.org.uk · 0303 123 1113