This policy applies to tuninbits.com, our client portal, expert portal, admin portal, and any related products operated by Tuninbits (collectively, the “Services”). It describes the information we handle, why we handle it, and the rights you can exercise.
1. Who we are
Tuninbits is a digital product studio. The data controller for information you provide while using the Services is Tuninbits Pvt Ltd (the “Company”, “we”, “us”).
- Registered office: [Office address — to be filled before launch]
- Data protection contact: privacy@tuninbits.com
2. What we collect
Account information
When you create an account we collect your name, email address, password (hashed with Argon2id — we never see the plaintext), role (client or expert), and the OAuth identifiers if you sign in via Google or GitHub.
Profile and project information
For clients: organization name, country, billing email, default currency, and the contents of any briefs or projects you submit. For experts: bio, skills, portfolio links, payout details, and tax identifiers required for payment compliance.
Payments
Payment instrument data (card numbers, bank details) is collected directly by our payment processors (Stripe, Razorpay, Wise) and never touches our servers. We retain transactional metadata — amounts, currencies, invoice numbers, payment status, FIRC numbers — for accounting and tax compliance.
Communications
Messages you send through project channels, support emails, and meeting metadata (start time, duration). Meeting recordings are only stored when you explicitly opt in.
Technical data
IP address, browser type, device type, pages visited, and event timestamps. We use this to keep the Services secure and to improve them.
3. Why we collect it
We process personal information for these purposes:
- To provide the Services — sign you in, match you to projects, send notifications, generate invoices, route payouts.
- To comply with the law — KYC, tax, anti-money laundering, and sanctions screening where applicable.
- To protect users — fraud detection, anti-circumvention scans, rate limiting, audit logging.
- To improve our Services — anonymized usage analytics, A/B testing, performance monitoring.
- With your consent — marketing emails, optional features.
4. Legal bases (GDPR users)
If you are in the UK, EU, or EEA, our legal bases are:
- Contract — to deliver the Services you signed up for.
- Legitimate interests — security, fraud prevention, basic analytics, defending legal claims.
- Legal obligation — tax, accounting, AML, and similar statutory requirements.
- Consent — marketing, optional cookies, and sensitive features. You can withdraw consent at any time.
5. Who we share it with
We do not sell personal information. We share it only with processors who help us deliver the Services, and only the data they need:
- Cloud infrastructure — DigitalOcean, AWS, Cloudflare. Hosting and storage.
- Payments — Stripe, Razorpay, Wise. Card and bank data.
- Email + comms — Resend, Daily.co, DocuSeal.
- Analytics + observability — PostHog, Sentry.
- AI — Anthropic Claude, where AI features are enabled. We do not use your data to train third-party models.
A live list of subprocessors is maintained at /legal/subprocessors.
We may also disclose information if required by law (subpoena, court order, regulatory request) or to defend our rights — and where lawful, we will notify you.
6. International transfers
Tuninbits is incorporated in India and operates services globally. Personal information may be transferred to and processed in countries that do not have the same data protection rules as your country of residence. Where required, we rely on Standard Contractual Clauses (SCCs) and equivalent safeguards published by relevant supervisory authorities.
7. How long we keep it
We retain personal information for as long as we need it:
- Active accounts — for the life of your account.
- Closed accounts — basic identity records and transactional history for up to 7 years to satisfy tax and accounting laws.
- Logs and security data — typically 30–180 days, longer for incidents under investigation.
- Marketing data — until you unsubscribe or withdraw consent.
8. Your rights
You can ask us to:
- Access the personal information we hold about you.
- Correct inaccurate or incomplete information.
- Delete your account and data, subject to legal retention duties.
- Restrict or object to certain processing (e.g. analytics, marketing).
- Receive your data in a portable format.
- Lodge a complaint with your local data protection authority.
Email privacy@tuninbits.com to exercise any of these rights. We respond within 30 days.
9. Security
We hash passwords with Argon2id, encrypt data in transit (TLS 1.2+) and at rest (provider-managed encryption), apply per-IP rate limits, and rotate refresh tokens with reuse detection. Access to production systems is restricted to a small number of staff and audit-logged.
No system is perfectly secure. If we detect a breach affecting your personal information, we will notify you and the competent supervisory authority within the timeframes required by law.
10. Cookies
We use cookies for authentication (a session cookie, necessary for the Services to work) and, with your consent, for analytics and marketing. See our Cookie policy for the full list and how to manage your preferences.
11. Children
The Services are not directed to anyone under 18 and we do not knowingly collect personal information from children. If you believe a child has given us personal information, please email privacy@tuninbits.com and we will delete it.
12. Changes to this policy
We may update this policy from time to time. Material changes will be notified via email or an in-product banner at least 14 days before they take effect. The current version is always available at tuninbits.com/legal/privacy.