Privacy Policy

Last updated 20 July 2025

About this Privacy Policy

This policy applies to all users of our Services. Additional terms, notices, or agreements may supplement this Privacy Policy, such as in service-specific terms or data processing agreements.

Information we collect

We collect personal and usage information necessary to deliver and improve our Services. This includes:

  • Contact Information: Name and email address
  • Authentication Details: Usernames and passwords
  • Organizational Information: Your company name, logo and website URL
  • Usage and Technical Data: Log data, IP addresses, browser information, device types, and general, non-identifiable analytics
  • User-Generated Input: Any data you voluntarily submit or process through our tools and platforms
  • Support Interactions: Communications with support, including chat, email, and tickets
  • Payment Information: Handled by third-party payment processors, where applicable. These providers are PCI DSS compliant, and we do not collect, store, or process any payment or cardholder data directly.

We do not knowingly collect or process Protected Health Information (PHI) unless contractually required, and in those cases, we do so in compliance with HIPAA and appropriate Business Associate Agreements (BAAs).

How we use your information

We use your information to:

  • Provide and manage access to our Services
  • Deliver user support and respond to inquiries
  • Improve and personalize our Services based on usage patterns
  • Notify you of updates, new features, or policy changes
  • Comply with legal and regulatory obligations
  • Monitor, detect, and prevent misuse, fraud, or abuse of our Services
  • Fulfill contractual obligations with you or your organization

Legal Basis for Processing

Under GDPR, we process your personal data on the following lawful bases:

  • Your consent (where applicable)
  • Contractual necessity (to provide the Services you’ve requested)
  • Legitimate interest (e.g., to secure and improve our Services)
  • Legal obligations (to comply with applicable laws and regulations)

Sharing your information

We may share your personal information with:

  • Authorized personnel within your organization
  • Trusted third-party service providers who help us deliver, secure, and support our Services (under strict confidentiality and data processing agreements)
  • Regulatory or legal authorities when required by law
  • Successors or acquirers, in the event of a corporate merger, acquisition, or sale

Data retention by service providers: Usage and Technical Data may be retained by certain service providers for up to 90 days, solely for monitoring and abuse detection purposes.

We do not sell your personal data to third parties.

Data Security and Privacy

We implement robust technical and organizational measures aligned with ISO 27001, SOC 2 Type II, and HIPAA standards to ensure the confidentiality, integrity, and availability of your data. These include:

  • Data encryption at rest and in transit
  • Role-based access controls
  • Regular security audits and vulnerability assessments
  • Incident response and breach notification protocols

While we do not process or store payment card data ourselves, we ensure that any payment processing is handled exclusively through PCI-certified providers.

Data Retention

We retain personal information only as long as necessary to fulfill the purposes for which it was collected, or to comply with legal, regulatory, or contractual obligations. Data may be anonymized or securely deleted after the retention period.

Your Rights

Depending on your jurisdiction, you may have rights to:

  • Access, correct, or delete your personal data
  • Access, correct, or delete your authorized company data
  • Object to or restrict certain types of processing
  • Withdraw consent at any time (without affecting prior processing)
  • Lodge a complaint with a supervisory authority

To exercise these rights, please contact us at support@tutaki.com.

International Data Transfers

Some of our analytics and service providers may process your data in countries outside the European Economic Area (EEA), including the United States. If we transfer your data outside of your country or the EEA, we ensure appropriate safeguards are in place (e.g., Standard Contractual Clauses, adequacy decisions).

Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices or legal requirements. We will notify you of any material changes via our website or direct communication.