Privacy policy

Our services are built with strict privacy principles.

This privacy policy applies to the Tuurio Identity and Authentication Service (hereinafter "service" or "portal"), unless otherwise stated.

A minimum age of 16 is required for independent use.

All servers on which we store primary user data are located in Germany and encrypted.

1. Name and address of the controller

Controller in the sense of GDPR is:

Tuurio GmbH
Muehlenstr. 8a
14167 Berlin
Email: info@tuurio.com
Website: www.tuurio.com

2. Information we collect

Information you provide

Account information. To use Tuurio Identity, you or your organization register via email or an external provider (e.g. Google, Microsoft). We store this data (email, name, profile picture if applicable) to provide the authentication process.
Organization and tenant data. We store configuration data of your tenants, such as custom domains, security settings, and MFA configuration.

Automatically collected information

Security and log information. To ensure security and diagnose errors, we collect log files. This includes IP addresses, times of login attempts, browser versions used, and information about failed authentications (brute-force protection).
Device and connection data. We collect information about the accessing device (operating system, time zone, language) to display login screens correctly and detect security risks (e.g. unknown devices).

3. Payment processing via Mollie (Germany and Austria) and Paddle (other countries)

For paid subscriptions, Tuurio currently uses two billing routes. For organizations with billing country Germany (DE) or Austria (AT), payment method setup and recurring charges are processed via Mollie B.V. in the Netherlands. For organizations in other countries, we continue to use Paddle.com Market Ltd (Judd House, 18-29 Mora Street, London, EC1V 8BT, UK) as Merchant of Record.

For German (DE) and Austrian (AT) self-service subscriptions, Mollie receives the payment method data required to process recurring charges on our behalf. Tuurio remains the contractual provider, receives payment confirmations, and stores your organization ID plus billing references. Prices are defined net in EUR and statutory VAT is added based on the billing country. For subscriptions in other countries, Paddle collects payment and billing data directly as Merchant of Record and sends us the payment confirmation plus your email address and organization ID to unlock features.

Legal basis: Transfer and collection are required for contract performance under Art. 6 para. 1 lit. b GDPR. For Germany (DE) and Austria (AT), Mollie acts as payment service provider for Tuurio. Privacy information: https://www.mollie.com/legal/privacy. For organizations in other countries, Paddle acts as Merchant of Record. Privacy information: https://www.paddle.com/legal/privacy.

Other third-party services

Infrastructure: We use STACKIT (Germany) to provide databases, compute, and backup services with high availability. All primary data remains within the EU.
Availability monitoring: We use UptimeRobot to monitor the availability of our services and provide a public status page. Only URLs are monitored; no personal data is processed.

Web analytics (PostHog), cookies and consent

We use PostHog (EU hosting) for web analytics to understand website usage and improve our public pages.

By default, analytics runs in a cookieless mode without persistent analytics cookies.

Only after active consent in the cookie banner we switch to persistent browser storage for analytics (for example localStorage and cookies).

You can change or revoke this consent at any time via cookie settings.

Legal bases are Art. 6 para. 1 lit. f GDPR (legitimate interest for cookieless measurement) and, after consent, Art. 6 para. 1 lit. a GDPR.

More details about the provider: https://posthog.com/privacy.

Complete list of sub-processors

A complete list of all sub-processors is available at /public/legal/sub-processors.

4. Your rights as a data subject

You have the following rights regarding your personal data:

Right of access (Art. 15 GDPR)
Right to rectification or erasure (Art. 16 and 17 GDPR)
Right to restriction of processing (Art. 18 GDPR)
Right to data portability (Art. 20 GDPR)
Right to object to processing (Art. 21 GDPR)

You can send requests at any time to info@tuurio.com.

5. Retention and deletion

We store your data only as long as necessary to provide the service or required by legal retention periods (e.g. tax and billing records for Mollie or Paddle transactions). After account termination, identity data of your tenants is irreversibly deleted after a 30-day safety period unless legal obligations prevent deletion.

6. Supervisory authority

You have the right to lodge a complaint with a supervisory authority (Art. 77 GDPR). The competent supervisory authority for Tuurio GmbH is the Berliner Beauftragte fuer Datenschutz und Informationsfreiheit, Alt-Moabit 59-61, 10555 Berlin.

Version 2.0, March 9, 2026