Privacy policy
Our services are built with strict privacy principles.
This privacy policy applies to the Tuurio Identity and Authentication Service (hereinafter "service" or "portal"), unless otherwise stated.
A minimum age of 16 is required for independent use.
All servers on which we store primary user data are located in Germany and encrypted.
1. Name and address of the controller
The controller within the meaning of the GDPR is:
Tuurio GmbH
Muehlenstr. 8a
14167 Berlin
Email: info@tuurio.com
Website: www.tuurio.com
2. Information we collect
Information you provide
- Account information. To use Tuurio Identity, you or your organization register via email or an external provider (e.g. Google, Microsoft). We store this data (email, name, profile picture if applicable) to provide the authentication process.
- Organization and tenant data. We store configuration data of your tenants, such as custom domains, security settings, and MFA configuration.
Automatically collected information
- Security and log information. To ensure security and diagnose errors, we collect log files. This includes IP addresses, times of login attempts, browser versions used, and information about failed authentications (brute-force protection).
- Device and connection data. We collect information about the accessing device (operating system, time zone, language) to display login screens correctly and detect security risks (e.g. unknown devices).
3. Payment processing via Paddle (Merchant of Record)
For processing paid subscriptions, we use Paddle.com Market Ltd (Judd House, 18-29 Mora Street, London, EC1V 8BT, UK).
Paddle acts as "Merchant of Record". When you upgrade, your payment data (card data, billing address) is collected directly by Paddle. We only receive payment confirmation plus your email address and organization ID to unlock features.
Legal basis: Transfer and collection are required for contract performance under Art. 6 para. 1 lit. b GDPR. Paddle is responsible for tax-compliant processing worldwide. Privacy information: https://paddle.com/privacy/.
Other third-party services
- Infrastructure: We use Google Cloud Platform (Frankfurt region, eu-west3) to provide databases, compute, and backup services with high availability. All primary data remains within the EU.
- Availability monitoring: We use UptimeRobot to monitor the availability of our services and provide a public status page. Only URLs are monitored; no personal data is processed.
Web analytics (PostHog), cookies and consent
We use PostHog (EU hosting) for web analytics to understand website usage and improve our public pages.
By default, analytics runs in a cookieless mode without persistent analytics cookies.
Only after active consent in the cookie banner do we switch to persistent browser storage for analytics (for example localStorage and cookies).
You can change or revoke this consent at any time via cookie settings.
Legal bases are Art. 6 para. 1 lit. f GDPR (legitimate interest for cookieless measurement) and, after consent, Art. 6 para. 1 lit. a GDPR.
More details about the provider: https://posthog.com/privacy.
Complete list of sub-processors
A complete list of all sub-processors is available at /public/legal/sub-processors.
4. Your rights as a data subject
You have the following rights regarding your personal data:
- Right of access (Art. 15 GDPR)
- Right to rectification or erasure (Art. 16 and 17 GDPR)
- Right to restriction of processing (Art. 18 GDPR)
- Right to data portability (Art. 20 GDPR)
- Right to object to processing (Art. 21 GDPR)
You can send requests at any time to info@tuurio.com.
5. Retention and deletion
We store your data only as long as necessary to provide the service or as required by legal retention periods (e.g. tax records for Paddle transactions). After account termination, identity data of your tenants is irreversibly deleted after a 30-day safety period unless legal obligations prevent deletion.
6. Supervisory authority
You have the right to lodge a complaint with a supervisory authority (Art. 77 GDPR). The competent supervisory authority for Tuurio GmbH is the Berliner Beauftragte fuer Datenschutz und Informationsfreiheit, Alt-Moabit 59-61, 10555 Berlin.
Version 2.0, March 9, 2026