← Back to home

Privacy Policy

TOC Offers Privacy Policy

This Privacy Policy explains how The Origami Corporation ("we", "us", "our") processes personal data when you view and interact with offers powered by TOC Offers, in accordance with Regulation (EU) 2016/679 (General Data Protection Regulation, "GDPR").

Last updated: March 16, 2026

1. Who we are (data controller)

The Origami Corporation is the provider of TOC Offers, a B2B platform for composing, sending, and tracking commercial offers.

For the purposes of the GDPR, we generally act as:

  • Data processor when we process personal data contained in or generated by offers on behalf of our customers (the organizations that send you the offers).
  • Data controller for certain technical and security-related processing that is necessary to operate and protect the TOC Offers platform.

Our contact details are:

The Origami Corporation
Sofia, Bulgaria
Email: legal@theorigamicorporation.com

2. Scope of this policy

This policy applies when you access a public offer page hosted on TOC Offers (for example, via a link sent to you by one of our customers) and when you submit an acceptance through that page. It does not cover how our customers process your data in their own systems outside of TOC Offers.

3. Data we collect when you visit an offer

When you open an offer link, our systems automatically record a visit. In connection with that visit, we may collect information such as:

  • Network information, such as your IP address and basic connection details.
  • Browser and device information (for example, the type of browser and operating system you use).
  • Technical request details, including configuration and preference information your browser or network provides (such as language and referrer data).
  • Timing and interaction data, such as when you accessed the offer and basic information about how it was reached.
  • Password information (if applicable) when an offer is protected by a password and you successfully unlock it.

This information is linked to the specific offer you are viewing and to the customer account that controls that offer.

4. Data we collect when you accept an offer

When you submit an acceptance through TOC Offers, we capture an immutable snapshot of what was accepted so that both parties have a clear audit trail. This may include:

  • Selections of items and add-ons that form part of the offer.
  • Calculated totals, including discounts and final cost.
  • Details of the payment method option you selected from those configured by our customer in the offer.
  • Information needed to reflect how the offer was accepted (for example, which password-protected link was used, where applicable).

Additional context about the acceptance (such as the exact items and totals) is also recorded in an internal event log so that our customer has a complete record of what was agreed.

5. Email addresses and recipients

Email addresses used for offer notifications (for example, approvers or stakeholders who receive an acceptance email) are configured by our customer inside the offer itself. TOC Offers stores these addresses as part of the offer configuration and uses them only to send the relevant transactional emails (such as acceptance confirmations).

We do not collect additional email addresses directly from offer visitors unless the offer owner includes custom components that explicitly ask you to provide them. In those cases, the information you submit is controlled by the offer owner and processed by us on their behalf.

6. Legal bases for processing

Under the GDPR, we must have a legal basis for each way in which we process personal data. For the public offer pages, we rely on the following legal bases:

  • Providing and securing the offer pages (visit data such as network information, browser details, technical request data, and timing/interaction data) is processed on the basis of our legitimate interests (Art. 6(1)(f) GDPR) in operating a secure and reliable platform, preventing abuse of offer links, and giving our customers basic insight into access to their offers.
  • Offer acceptance data (your selections, totals, and related acceptance details) is processed where necessary for the performance of a contract or to take steps at the request of the data subject prior to entering into a contract (Art. 6(1)(b) GDPR), namely to record what has been agreed between you and our customer.
  • Transactional email notifications related to offers (such as acceptance confirmations to configured recipients) are processed on the basis of legitimate interests (Art. 6(1)(f) GDPR) in keeping the relevant stakeholders informed about the status of offers they are involved in.

7. Cookies and tracking technologies

The public offer pages operated by TOC Offers do not use cookies, browser localStorage, or third-party analytics scripts (such as ad pixels or behavior tracking tools) to profile visitors.

In some cases, offers may be protected by access credentials (for example, a password or specially generated link). These credentials are treated as part of the offer's access control and may be stored together with the offer configuration so that recipients can be notified of or reminded about the access details.

8. How we use this information

We use the data described above to:

  • Serve offer pages reliably and securely.
  • Provide an auditable history of views and acceptances to our customers.
  • Help detect abuse, fraud, or misuse of offer links (for example, suspicious access patterns).
  • Operate and improve the platform, including troubleshooting, monitoring, and security.

9. Who we share data with

We do not sell personal data and we do not share it with third-party advertisers. We may share personal data with:

  • Email delivery providers that we use to send transactional emails on behalf of our customers.
  • Our customers (the organizations that sent you the offer), who can access visit and acceptance information for their own offers via the TOC Offers backoffice.

10. International data transfers

Some of our service providers may process personal data outside the European Economic Area (EEA). Where this is the case, we take steps to ensure that appropriate safeguards are in place, such as using the European Commission's Standard Contractual Clauses or relying on other lawful transfer mechanisms under the GDPR.

11. Data retention and storage

Offer data, visit logs, and acceptance records are stored in our production infrastructure, with logical isolation by tenant so that each customer only has access to their own offers and associated records.

In general, we retain personal data for as long as the relevant offer or customer account remains active on the platform and for a reasonable period afterwards, where necessary to comply with legal obligations, resolve disputes, enforce agreements, or maintain accurate business and audit records. Our customers may have their own retention policies that govern how long they keep offers and related records in their accounts.

12. Your rights

Depending on your location and subject to certain conditions and exceptions under applicable law, you may have the following rights in relation to your personal data:

  • Right of access – to obtain confirmation as to whether we process personal data about you and to receive a copy of that data.
  • Right to rectification – to have inaccurate or incomplete personal data corrected.
  • Right to erasure – to request deletion of your personal data in certain circumstances (for example, where it is no longer needed for the purposes for which it was collected).
  • Right to restriction of processing – to request that we restrict the processing of your personal data in certain cases.
  • Right to data portability – to receive the personal data you have provided to us in a structured, commonly used, and machine-readable format, and to transmit it to another controller where technically feasible.
  • Right to object – to object, on grounds relating to your particular situation, to processing that we base on our legitimate interests.

Where we process personal data as a processor on behalf of our customers, you should normally direct your request to the organization that sent you the offer, as they are the primary data controller for that processing.

13. Right to lodge a complaint

If you believe that your data protection rights have been infringed, you have the right to lodge a complaint with your local data protection authority or with the Bulgarian supervisory authority:

Commission for Personal Data Protection (CPDP)
2 Prof. Tsvetan Lazarov Blvd.
1592 Sofia
Bulgaria
Website: www.cpdp.bg

14. Automated decision-making

TOC Offers does not use your personal data on the public offer pages for automated decision-making or profiling that produces legal effects concerning you or similarly significantly affects you.

15. Changes to this policy and contact

We may update this Privacy Policy from time to time to reflect changes in our processing activities, legal requirements, or business practices. When we do so, we will update the "Last updated" date at the top of this page.

If you have questions about this Privacy Policy or how TOC Offers handles personal data, you can contact us at:

legal@theorigamicorporation.com