Privacy Policy of Tuyo

1. Legal framework, roles and scope of processing

This policy applies to personal data processing carried out by Tuyo in connection with this website, sales care, contracting, support and service delivery. Where applicable, processing is governed by Regulation (EU) 2016/679 (GDPR), Spanish Organic Law 3/2018 on personal data protection and digital rights, and Law 34/2002 on information society services and electronic commerce for cookies, local storage and electronic communications.

• Web3 Ops, S.L. acts as controller for the website, the commercial relationship, contract management, billing, first-party support, platform security and compliance.
• When a customer uses Tuyo to host, consult or process documents, prompts, files, transcripts or other materials containing personal data, the customer will generally act as controller and Web3 Ops, S.L. as processor, under Article 28 GDPR and the applicable contractual documentation.
• If a contract, order form or specific agreement assigns or qualifies processing roles differently for a particular service, that document prevails for that scope.

2. Data we may process

• Identification and contact data you provide when writing to us, requesting a proposal, a call or support.
• Professional, firm-related or legal-commercial context data needed to assess fit, deployment or service delivery.
• Website usage data, form interaction, navigation, basic technical device information and preferences related to cookies or local storage.
• Contractual, administrative, billing, support, audit and security data when a commercial relationship exists or is being negotiated.
• Documents, files, prompts, notes, audio, transcripts and other materials that the customer adds to the Tuyo environment for processing within the service.

If the customer adds special categories of data or especially sensitive information, Tuyo will process them only as necessary to provide the service, following the customer's documented instructions and the applicable technical and contractual safeguards.

3. Purposes of processing

• Responding to information, contact, demo or proposal requests.
• Preparing offers, completing contracting, deploying the service and providing operational, technical and administrative support.
• Processing, within the Tuyo SaaS environment, the documents and materials the customer adds to the service, according to the applicable configuration and instructions.
• Protecting the security, integrity, traceability and technical continuity of the platform, including abuse prevention, monitoring, incident logging and defence against claims.
• Improving the browsing experience, analysing traffic and offering specialised content where there is sufficient legal basis, especially consent for non-essential cookies.
• Complying with applicable legal, regulatory, tax, corporate or contractual obligations.

4. Legal basis

• Performance of pre-contractual measures and of a contract when you request information, a proposal, support or contract Tuyo.
• Compliance with legal obligations applicable to Web3 Ops, S.L.
• Legitimate interest in security, fraud or abuse prevention, service continuity, support, traceability and reasonable product improvement.
• Consent where required for non-essential cookies, certain measurements or communications not covered by another legal basis.

When Tuyo acts as processor for customer content and documents, the main legal basis for processing those data belongs to the customer controller. In that scenario, Web3 Ops, S.L. processes data following the customer's documented instructions and the applicable data processing agreement.

5. SaaS processing of customer documents and materials

Tuyo is designed as a SaaS service with strict separation between customer environments. Documents, files, prompts, notes, transcripts and other materials processed in the service reside in storage exclusive to each customer and logically segregated from other customers.

• We do not share document storage between customers or mix repositories, document bases or legal contexts from different customers.
• Access to those materials is limited by role and operational need, under least-privilege and access-control principles.
• That storage is encrypted both in transit and at rest.
• Customer documents are not used for purposes outside service delivery, security, controlled support or service compliance, nor for general model training outside the expressly contracted or documented framework.

6. European infrastructure, European servers and ZDR

Tuyo is delivered with an architecture designed to keep information processing in Europe. Tuyo servers are hosted in Europe. The AI providers we use to provide the service are also hosted in Europe and subject to a ZDR (zero data retention) requirement.

In practical terms, this means the operating design of the service seeks to ensure integrated providers do not retain processed content beyond what is strictly necessary to process the relevant request and do not reuse that content for general model training.

If an exceptional technical, contractual or legal requirement made it necessary to depart from that scheme, it will be expressly documented in the applicable contractual relationship.

7. Data retention

• Contact data and sales requests are kept for the time needed to handle the conversation, conduct reasonable commercial follow-up and, where applicable, formalise the relationship.
• Administrative, contractual, billing, support and security data are kept during the relationship and for any additional periods required by legal obligations, defence of claims or technical continuity.
• Documents and materials added by the customer to the service are retained according to the contract, customer instructions, support and security cycles and applicable legal obligations.
• Data processed by cookies or local storage are retained according to their purpose and to the user's chosen configuration.

8. Recipients, subprocessors and access to data

Personal data may be accessed by providers strictly necessary to operate Tuyo, always within a logic of minimisation, necessity and sufficient safeguards. Where appropriate, such access is covered by written contracts and processing or subprocessing clauses compatible with GDPR.

• Infrastructure, hosting, storage, security, monitoring and technical-support providers.
• AI providers hosted in Europe and operated under a ZDR requirement for functional service processing.
• Communication, analytics or customer-care providers where necessary for service delivery or to answer user requests.

We do not sell personal data, do not authorise its use for purposes unrelated to service delivery, controlled improvement or service security, and do not share one customer's document content with other customers.

9. International transfers

As a general rule, Tuyo is designed to operate with infrastructure and processing in Europe. International data transfers are therefore not expected in ordinary service delivery.

If an international transfer were exceptionally necessary, appropriate safeguards would be adopted under applicable law, including adequacy decisions, standard contractual clauses or other valid mechanisms where relevant, and information would be provided when legally required.

10. Cookies, local storage and LSSI-CE

The website uses cookies and equivalent technologies, including browser local storage, to remember your cookie choice and to support experience functions, traffic measurement and specialised content. Their use is also interpreted under Spanish Law 34/2002 on information society services and electronic commerce.

• Necessary cookies: enable basic site functions and remember your preference regarding the cookie notice.
• Analytics and measurement cookies: help understand traffic, use and navigation, always under the relevant legal basis.
• Cookies or technologies aimed at specialised content: allow us to better adapt the experience or information shown.

You can accept or decline these purposes from the cookie notice. Your preference is stored locally in your browser.

11. User rights

You may exercise your rights of access, rectification, erasure, objection, restriction and portability under the terms provided by applicable law. You may also withdraw consent granted for cookies or other consent-based processing.

When Tuyo acts as processor for documents or materials added by a customer, rights requests should generally be channelled through the customer acting as controller, without prejudice to the cooperation Web3 Ops, S.L. must provide under GDPR and the applicable contract.

If you believe the processing does not comply with the law, you may lodge a complaint with the Spanish Data Protection Agency or the competent supervisory authority.

12. Security, privacy by design and SaaS compliance

We apply appropriate technical and organisational measures to protect information against unauthorised access, loss, alteration or improper disclosure, in line with privacy by design and by default and with GDPR security requirements for SaaS digital services.

• Customer segregation, access control, least privilege, encryption in transit and at rest, and monitoring, logging and technical-continuity measures.
• Transparent information on processing, identification of legal bases, data minimisation and review of subprocessors with sufficient safeguards.
• Data processing agreements when Tuyo processes data on behalf of the customer, as well as reasonable assistance on rights, security, assessments or incidents where appropriate.
• Internal protocols for containment, analysis, documentation and notification of personal-data breaches under Articles 33 and 34 GDPR and the applicable contractual relationship.

13. Changes to this policy

This policy may be updated to reflect legal, contractual, operational or technical changes. The version published on this website will be the version in force at any given time.