Want to know where your supply chain is being thrown? Let's talk.

TORO Supply Chain Solutions

Privacy Policy

Effective Date: March 19, 2026 Last Updated: March 19, 2026

TORO Supply Chain Solutions ("TORO SCS," "we," "us," or "our") is committed to protecting the privacy of individuals and organizations that interact with us. This Privacy Policy explains how we collect, use, disclose, store, and protect personal data when you visit our website at toroscs.com (the "Site"), use our services, or otherwise engage with us.

This Privacy Policy applies to all visitors, clients, prospective clients, business partners, and other individuals whose personal data we process in connection with our business operations.

We operate globally with offices in New York, USA (Headquarters), Dublin, Ireland (EU HQ), and Shanghai, China (APAC HQ). This Privacy Policy addresses our obligations under applicable data protection laws, including the General Data Protection Regulation (GDPR), the California Consumer Privacy Act (CCPA) as amended by the California Privacy Rights Act (CPRA), and other relevant privacy legislation.

1. Data Controller

For the purposes of applicable data protection laws:

  • For users in the European Economic Area (EEA) and the United Kingdom: The data controller is TORO Supply Chain Solutions, operating through our EU office in Dublin, Ireland.
  • For all other users: The data controller is TORO Supply Chain Solutions, headquartered in New York, USA.

For all privacy-related inquiries, please contact us at: business@toroscs.com

2. Personal Data We Collect

We collect personal data through various channels, depending on how you interact with us. The categories of personal data we may collect include:

2.1 Information You Provide Directly

When you complete our contact form, submit an inquiry, request a consultation, or engage with us through the RFP or tender process, we may collect:

  • Contact Information: First name, last name, work email address, phone number.
  • Professional Information: Job title, company name, company website.
  • Business Information: Service interest (manufacturing, logistics, consultancy, AI and technology), estimated annual revenue, monthly order volume.
  • Engagement Details: How you heard about us (referral source), description of your supply chain challenges or requirements.
  • Correspondence: Any messages, documents, or communications you send to us via email, contact forms, or during business discussions.

2.2 Information Collected Automatically

When you visit our Site, we automatically collect certain technical data through cookies and similar technologies, including:

  • Device and Browser Information: IP address, browser type and version, operating system, device type, screen resolution.
  • Usage Data: Pages visited, time spent on pages, clickstream data, referring and exit URLs, date and time of access.
  • Location Data: Approximate geographic location derived from your IP address.
  • Cookie Data: Information collected via cookies and similar tracking technologies as described in our Cookies Policy.

2.3 Information from Third Parties

We may receive personal data from third-party sources, including:

  • Business Partners and Referrals: Contact details and professional information shared by mutual business contacts or referral sources.
  • Publicly Available Sources: Information from public business directories, company websites, professional networking platforms, and government tender databases.
  • Service Providers: Analytics data and insights from third-party service providers who assist us in operating our Site and Services.

2.4 Information Collected Through Our Technology Platforms

If you are a client using our proprietary technology platforms (ChargebackIQ, TestIQ, AuditIQ, ItemSetupIQ, or Optimize), we may process additional data as specified in your Service Agreement. This may include:

  • User login credentials and access logs.
  • Supply chain operational data uploaded to or generated by the platforms.
  • Transaction and order data.
  • Quality control, audit, and compliance data.

The processing of such data is governed by the applicable Service Agreement and any associated Data Processing Agreement (DPA) between TORO SCS and your organization.

3. How We Use Your Personal Data

We process your personal data for the following purposes and on the following legal bases:

3.1 To Respond to Inquiries and Provide Services

  • Processing contact form submissions and business inquiries.
  • Evaluating your supply chain requirements and preparing proposals.
  • Responding to RFPs, RFQs, and tender submissions.
  • Delivering contracted services under a Service Agreement.
  • Legal basis (GDPR): Performance of a contract or steps taken at your request prior to entering a contract; legitimate interests in conducting our business.

3.2 To Operate and Improve Our Site

  • Ensuring the technical functionality and security of the Site.
  • Analyzing usage patterns to improve the user experience.
  • Monitoring and preventing fraud, unauthorized access, and other security threats.
  • Legal basis (GDPR): Legitimate interests in maintaining and improving our Site and ensuring its security.

3.3 To Communicate With You

  • Sending business communications related to your inquiry or engagement.
  • Providing updates about our services, capabilities, and industry developments where you have expressed interest.
  • Responding to your questions and support requests.
  • Legal basis (GDPR): Legitimate interests in maintaining business relationships; consent where required.

3.4 To Comply With Legal Obligations

  • Fulfilling regulatory, tax, customs, and compliance requirements across our operating jurisdictions.
  • Responding to lawful requests from government authorities.
  • Maintaining records as required by applicable laws.
  • Legal basis (GDPR): Compliance with legal obligations.

3.5 To Protect Our Rights and Interests

  • Enforcing our Terms of Service and other agreements.
  • Protecting against fraud, security incidents, and unauthorized use of our systems.
  • Pursuing or defending legal claims.
  • Legal basis (GDPR): Legitimate interests in protecting our business, rights, and property.

4. How We Share Your Personal Data

We do not sell your personal data to third parties. We may share your personal data in the following circumstances:

4.1 Within TORO SCS

Your data may be shared between our offices in New York, Dublin, and Shanghai as necessary to respond to your inquiry, deliver services, or support our business operations.

4.2 Service Providers

We engage trusted third-party service providers who process personal data on our behalf, including:

  • Website hosting and infrastructure providers.
  • Analytics and performance monitoring services.
  • Customer relationship management (CRM) systems.
  • Email and communication platforms.
  • Cloud storage and IT security providers.

All service providers are contractually obligated to process personal data only on our instructions and in accordance with applicable data protection laws.

4.3 Business Partners and Clients

In the context of supply chain engagements, limited personal data (such as contact details of key personnel) may be shared with manufacturing partners, logistics carriers, customs brokers, and other supply chain participants as necessary to deliver services. Such sharing is governed by applicable Service Agreements and confidentiality obligations.

4.4 Legal and Regulatory Disclosures

We may disclose personal data where required or permitted by law, including:

  • In response to lawful requests by public authorities, including law enforcement, customs, and regulatory agencies.
  • To comply with legal processes such as subpoenas, court orders, or government investigations.
  • To protect the rights, property, or safety of TORO SCS, our clients, or the public.

4.5 Business Transfers

In the event of a merger, acquisition, reorganization, bankruptcy, or sale of all or a portion of our assets, personal data may be transferred to the acquiring entity. We will provide notice of any such transfer and any choices you may have regarding your data.

5. International Data Transfers

Given our global operations, your personal data may be transferred to and processed in countries other than the one in which it was collected, including the United States, Ireland, and China.

5.1 Transfers from the EEA and UK

When transferring personal data from the European Economic Area or the United Kingdom to countries that have not received an adequacy decision from the European Commission, we implement appropriate safeguards, including:

  • Standard Contractual Clauses (SCCs) as approved by the European Commission.
  • Additional technical and organizational measures as necessary to ensure the security of your data.

5.2 Transfers from Other Jurisdictions

For transfers of personal data from other jurisdictions, we comply with applicable local data transfer requirements and implement appropriate contractual and security measures.

You may request a copy of the safeguards we use for international data transfers by contacting us at business@toroscs.com.

6. Data Retention

We retain personal data only for as long as necessary to fulfill the purposes for which it was collected, including to satisfy legal, regulatory, accounting, or reporting requirements.

Our general retention periods are as follows:

  • Inquiry and contact form data: Retained for up to three (3) years from the date of last interaction, unless a business relationship is established.
  • Client and Service Agreement data: Retained for the duration of the engagement plus seven (7) years thereafter, or as required by applicable law.
  • RFP and tender submission data: Retained for up to five (5) years from the date of submission.
  • Website analytics data: Retained for up to twenty-six (26) months.
  • Technology platform data: Retained in accordance with the applicable Service Agreement and Data Processing Agreement.

When personal data is no longer required, we securely delete or anonymize it in accordance with our data retention procedures.

7. Data Security

We implement appropriate technical and organizational measures to protect personal data against unauthorized access, alteration, disclosure, or destruction. These measures include:

  • Encryption of data in transit and at rest.
  • Access controls and authentication mechanisms.
  • Regular security assessments and vulnerability testing.
  • Employee training on data protection and security practices.
  • Incident response and breach notification procedures.
  • Secure development practices for our proprietary technology platforms.

While we take reasonable steps to protect your data, no method of transmission over the internet or electronic storage is completely secure. We cannot guarantee absolute security.

8. Your Rights

Depending on your jurisdiction, you may have the following rights regarding your personal data:

8.1 Rights Under the GDPR (EEA and UK Residents)

  • Right of Access: Request a copy of the personal data we hold about you.
  • Right to Rectification: Request correction of inaccurate or incomplete personal data.
  • Right to Erasure: Request deletion of your personal data where there is no compelling reason for continued processing.
  • Right to Restriction of Processing: Request that we restrict the processing of your data in certain circumstances.
  • Right to Data Portability: Receive your personal data in a structured, commonly used, machine-readable format.
  • Right to Object: Object to processing based on legitimate interests, including direct marketing.
  • Right to Withdraw Consent: Where processing is based on consent, withdraw your consent at any time.
  • Right to Lodge a Complaint: File a complaint with a supervisory authority. For our EU operations, the relevant authority is the Data Protection Commission of Ireland (dataprotection.ie).

8.2 Rights Under the CCPA/CPRA (California Residents)

  • Right to Know: Request information about the categories and specific pieces of personal data we have collected, the sources, purposes, and third parties with whom we share data.
  • Right to Delete: Request deletion of personal data we have collected from you, subject to certain exceptions.
  • Right to Correct: Request correction of inaccurate personal data.
  • Right to Opt-Out of Sale/Sharing: We do not sell or share personal data for cross-context behavioral advertising. If this changes, we will provide an opt-out mechanism.
  • Right to Non-Discrimination: We will not discriminate against you for exercising your privacy rights.

8.3 Exercising Your Rights

To exercise any of your rights, please contact us at:

Email: business@toroscs.com

We will respond to your request within the timeframes required by applicable law (generally within 30 days for GDPR requests and 45 days for CCPA/CPRA requests). We may need to verify your identity before processing your request. If we are unable to fulfill your request, we will provide you with an explanation.

9. Children's Privacy

Our Site and Services are not directed to individuals under the age of 18. We do not knowingly collect personal data from children. If we become aware that we have inadvertently collected personal data from a child, we will take steps to delete such data promptly. If you believe a child has provided personal data to us, please contact us at business@toroscs.com.

10. Third-Party Links

Our Site may contain links to third-party websites or services. This Privacy Policy does not apply to those third-party sites. We encourage you to review the privacy policies of any third-party sites you visit. TORO SCS is not responsible for the privacy practices or content of third-party websites.

11. Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technologies, legal requirements, or other factors. When we make material changes, we will update the "Last Updated" date at the top of this page and, where appropriate, provide additional notice.

We encourage you to review this Privacy Policy periodically to stay informed about how we protect your data.

12. Data Processing for B2B Engagements

12.1 Service Agreements and Data Processing Agreements

Where TORO SCS processes personal data on behalf of a client in the course of delivering services (for example, data processed through our technology platforms or logistics operations), the terms of such processing are governed by the applicable Service Agreement and, where required, a separate Data Processing Agreement (DPA).

12.2 Client Responsibilities

Our clients are responsible for ensuring they have obtained all necessary consents and have a lawful basis to share personal data with TORO SCS for the purposes of receiving our services. Clients must inform their data subjects about the processing of their data by TORO SCS as described in the applicable DPA.

12.3 Sub-Processors

In delivering our services, we may engage sub-processors to assist with specific processing activities, including manufacturing partners, logistics carriers, warehousing operators, and technology service providers. A list of our sub-processors is available upon request and is included in applicable DPAs.

13. Automated Decision-Making

Our AI and technology platforms (including ChargebackIQ, TestIQ, AuditIQ, ItemSetupIQ, and Optimize) may use automated processing to analyze supply chain data, categorize transactions, flag anomalies, and generate recommendations. These automated processes are used to support business decision-making and do not produce decisions with legal or similarly significant effects on individuals without human oversight.

If you believe that automated processing has produced an outcome that significantly affects you, please contact us at business@toroscs.com to request human review.

14. Contact Us

If you have questions, concerns, or requests regarding this Privacy Policy or our data processing practices, please contact us at:

TORO Supply Chain Solutions Email: business@toroscs.com Headquarters: New York, USA EU Office: Dublin, Ireland APAC Office: Shanghai, China

For GDPR-related inquiries concerning our EU operations, you may also contact the Data Protection Commission of Ireland at dataprotection.ie.