Privacy notice

1. Who we are

Toka is operated by Data Max sh.p.k., a company established in Albania. We provide the Toka SaaS CRM platform to real-estate agencies. For privacy questions, contact us at privacy@datamax.ai.

2. Whose data this notice covers

It does NOT cover personal data that agencies upload to Toka about their own clients, leads, owners, or properties. For that data the agency is the data controller — you should consult the agency's own privacy notice.

• ·Agency users who sign up and use Toka (admins, managers, agents)
• ·Billing contacts at agencies that subscribe
• ·Visitors to our marketing website
• ·People who contact us for support, sales, or partnership inquiries

3. What we collect and why

Account data (name, email, role), authentication (password hash, MFA), profile (phone, photo, agency affiliation), usage logs, billing (VAT, invoicing), support tickets, marketing preferences. Lawful bases: contract (Art. 6(1)(b)), legitimate interest for product improvement (Art. 6(1)(f)), consent for marketing (Art. 6(1)(a)), legal obligation for tax records (Art. 6(1)(c)). We do NOT process special-category data (health, biometric, religion, etc.) and do NOT knowingly process children's data.

4. Where we keep it

All Toka customer data is stored and processed within the European Union. Toka-controlled infrastructure is pinned to AWS Frankfurt (eu-central-1). Our AI sub-processor (Black Forest Labs) is a German company operating within the EU. The applicable framework is Albanian Law no. 124/2024, which mirrors the EU GDPR (Regulation 2016/679).

5. AI features

Toka uses Anthropic Claude (via AWS Bedrock, EU region) to generate property descriptions, extract structured data from free text, and produce social-media copy. It also uses Black Forest Labs (EU) for image enhancement and 3D floor-plan rendering. Prompts pass through a server-side redaction layer that strips personal data (emails, phones, national IDs, tokens) before egress; every AI call is logged with a hash of the prompt — never the raw text.

6. Sub-processors

• ·AWS — hosting and AI inference (eu-central-1, Frankfurt)
• ·Cloudflare — Turnstile bot protection on the marketing site and inquiry forms
• ·Black Forest Labs (BFL) — image enhancement and 3D floor-plan rendering (EU)
• ·Cognito (AWS) — identity provider, EU region

7. Cookies

We use only essential cookies without your consent (session, language preference). Analytics and marketing cookies fire only after you grant consent via the cookie banner. You can change your choice at any time by clearing the stored preference and refreshing the page.

8. How long we keep it

Active account data: while the agency subscription is active. After subscription ends: up to 30 days, then deleted (or earlier on request). Billing records: 10 years (Albanian tax law). Application logs: up to 18 months. Backups: 35 days (DynamoDB PITR). Consent records: kept as long as the underlying processing.

9. Your rights

Under Albanian Law 124/2024 and the EU GDPR (where applicable) you have the right to: access your data; correct it; request its deletion; restrict or object to processing; receive a machine-readable export; withdraw any consent at any time; lodge a complaint with the Information and Data Protection Commissioner (IDP / idp.al).

10. How to exercise your rights

Email us at privacy@datamax.ai from the address associated with your Toka account, briefly describing what you want done. We respond within 30 days as required by Albanian Law 124/2024 and the EU GDPR. We may ask for additional information to verify your identity before acting on the request.