Privacy Policy
Last updated: April 24, 2026
This Privacy Policy explains how TOMMY ("we", "us", "our") collects, uses, stores, shares, and protects personal data when you use TOMMY (the "Service") at office.tommysense.com.
This policy applies only to the Service. Our separate self-hosted product is covered by a different privacy policy on tommysense.com.
1. Who we are
TOMMY is a Danish company headquartered in Denmark. We are the data controller for personal data processed in connection with the Service. You can reach us at privacy@tommysense.com for any privacy-related inquiry, including exercising your rights described below.
We are not required to appoint a Data Protection Officer under Article 37 GDPR. Privacy matters are handled directly by the contact above.
2. What data we collect
The Service collects the following categories of data:
- Account data. Name, work email, company name, and role, provided when you create an account or are invited to join a location.
- Authentication data. Sign-in sessions, password hash (if you sign in with a password), and minimal device/browser metadata required to keep you signed in securely.
- Location & zone configuration. Information about your office, such as zone names, floor-plan layout, sensor calibration, and similar operational settings.
- Sensor signals. TOMMY presence sensors detect whether a zone is occupied or empty. They do not capture audio, video, images, or any biometric or personally identifying signal.
- Booking data. Bookings you create through TOMMY, including start time, end time, the zone, and the identifier of the user who booked it.
- Meeting room calendar data. When the calendar integration is enabled for your location, we read and write events on the specific meeting-room calendars your organisation has shared with the Service. See Section 5.
- Product and usage analytics (with your consent). If you accept analytics in our cookie banner, we use PostHog (PostHog Cloud in the EU) on both the authenticated dashboard and our public marketing pages (for example the home, privacy, and terms pages). We collect events such as sign-in and key actions you take in the dashboard, page or screen context on those surfaces, and technical metadata such as browser type and device class. When you are signed in, we associate those events with a user identifier, the role assigned to your account (for example renter, staff, or admin), and your location identifier, so we can understand how organisations use the Service. We do not send your name, email, or other directly identifying details to PostHog. Client errors and exceptions may be reported to PostHog to help diagnose faults. Requests are sent from our domain to PostHog via a first-party path (reverse-proxied to PostHog's EU infrastructure) for reliability.
- Operational telemetry. Minimal server logs (IP addresses, request paths, timestamps) used to operate, secure, and debug the Service.
3. How we use data
We use the data described above only for the following purposes:
- To provide the Service: detect occupancy, render dashboards, and process bookings.
- To keep the Service secure: prevent abuse, detect fraud, and fix bugs.
- To measure and improve the Service (only if you have accepted analytics): understand feature usage and navigation patterns, prioritise development, reproduce and fix defects (including via error reports), and monitor reliability.
- To measure how visitors use our public marketing pages (only if you have accepted analytics): traffic volumes, acquisition channels, and aggregate engagement, so we can improve the site.
- To communicate with you about the Service (transactional email only).
- To comply with our legal obligations and enforce our Terms of Service.
4. Legal bases (GDPR)
If you are in the European Economic Area, the United Kingdom, or Switzerland, our legal bases for processing under the GDPR are:
- Contract. We process account, booking, and calendar data to deliver the Service that your organisation has signed up for, or that you have signed up for directly.
- Legitimate interest. We process operational telemetry and minimal server logs to run, secure, and debug the Service. You may contact us if you wish to object to or discuss this processing.
- Consent. We rely on your consent (Article 6(1)(a) GDPR and the ePrivacy Directive as implemented in Denmark) for product analytics via PostHog (including on public marketing pages), and any other non-essential cookies or similar technologies. You can withdraw consent at any time through our cookie preferences.
- Legal obligation. We process data to comply with Danish and EU law (tax, accounting, response to lawful authority requests).
5. Calendar integration
To show meeting-room availability and create bookings, TOMMY integrates with your meeting-room calendars. Your organisation grants TOMMY access by sharing the specific room calendars it wants TOMMY to manage with our service account. TOMMY only ever sees calendars that have been explicitly shared in this way, and only reads and writes events as needed to display availability and create, modify, or cancel bookings through the Service.
We do not persist event details as a general rule; they are fetched on demand to render the UI and discarded once the response is returned to your browser. A minimal record of bookings TOMMY itself created (event ID, start, end, zone, user) is stored so we can track booking state independently of the calendar. Your organisation can revoke access at any time by unsharing the calendars from our service account.
6. Cookies and similar technologies
We use a small number of cookies and similar storage technologies. They fall into two groups:
- Strictly necessary. Required to run the Service: session cookies for authentication, CSRF protection, and storing your cookie preferences. These do not require consent.
- Analytics (optional). Set by PostHog. These are only loaded after you accept analytics in our cookie banner. They help us understand how the Service and the marketing site are used.
You can change or withdraw your choice at any time via the "Cookie preferences" link in the site footer. Withdrawing consent does not affect the lawfulness of processing that happened before withdrawal.
7. Data retention
We keep personal data only as long as we need it for the purposes described in this policy.
- Account data and bookings: deleted or anonymised within 90 days of account closure, unless we have a legal obligation to retain them longer.
- Operational server logs: up to 90 days.
- Sensor signals: raw occupancy readings are aggregated and discarded after 90 days. Aggregated utilization data (for example hourly occupancy per zone) is retained for up to 24 months to support reporting.
- PostHog analytics: event data is retained for up to 12 months.
8. Security
We apply industry-standard technical and organisational measures: encryption in transit (HTTPS/TLS), encryption at rest for the database, least-privilege access controls for TOMMY staff, audit logging of privileged actions, and regular review of sub-processors. Access to production systems is limited to personnel with a strict need to know. If we ever become aware of a personal-data breach that presents a risk to you, we will notify you in line with our GDPR obligations.
9. Sub-processors
We rely on the following sub-processors to deliver the Service. They process data only on our instructions and under contractual data-protection obligations:
- Supabase (managed Postgres, authentication, storage), hosted in the EU region.
- Cloudflare (edge network, DDoS protection). Cloudflare operates globally; transfers outside the EEA are covered by Cloudflare's data-processing addendum and, for transfers to the United States, the EU-US Data Privacy Framework (Cloudflare is DPF-certified).
- PostHog (product and marketing-site analytics, event capture, error reporting), PostHog Cloud hosted in the European Union, acting as a processor under our instructions and data-processing terms. Loaded only with your consent.
We will update this list when our sub-processors change. Material changes will be notified in accordance with Section 13.
10. International transfers
Primary processing for the Service takes place in the European Union. Where our processors transfer personal data outside the EEA or UK, we rely on the following mechanisms:
- EU-US Data Privacy Framework (DPF). For onward transfers to the United States (including Cloudflare Inc., and Google LLC where our calendar integration processes data through Google), we rely on the DPF adequacy decision where the recipient is DPF-certified.
- Standard Contractual Clauses (SCCs). Where the DPF does not apply, or as a fallback mechanism, we rely on the European Commission's Standard Contractual Clauses, together with any supplementary measures required by law. For transfers involving UK personal data, we use the UK International Data Transfer Agreement or Addendum.
11. Your rights
Subject to applicable law, including the GDPR, you have the right to access, rectify, erase, restrict, or object to the processing of your personal data, the right to data portability, and the right to withdraw consent at any time. To exercise any of these rights, email privacy@tommysense.com. You also have the right to lodge a complaint with your local supervisory authority. In Denmark this is Datatilsynet; if you are based elsewhere in the EEA, you may contact your national authority.
12. Children
The Service is intended for business users and is not directed to children under 16. We do not knowingly collect personal data from children.
13. Changes to this policy
We may update this policy from time to time. The date at the top of the page reflects the most recent material revision. If changes materially affect how we handle your personal data, we will notify you in the Service and/or by email before the changes take effect.
14. Contact
For any privacy question, including access or deletion inquiries, contact privacy@tommysense.com.