GDPR Compliance
Effective: April 1, 2026 · Version 1.0
The General Data Protection Regulation (GDPR) grants individuals in the European Union and European Economic Area (EU/EEA) specific rights over their personal data. This page explains how TumaFlow complies with the GDPR and how you can exercise your rights.
1. Who Is the Data Controller?
When you use TumaFlow as a customer, you are the data controller for the personal data of your end-users (e.g., the phone numbers of people you message). TumaFlow acts as a data processor on your behalf, processing that data only as instructed by you and as necessary to provide the service.
TumaFlow is also the data controller for personal data we collect directly from you (e.g., your account information, billing data, and usage logs).
2. Legal Bases for Processing
We rely on the following legal bases under GDPR Article 6:
- Contract performance (Art. 6(1)(b)): Processing your account data, message logs, and billing information is necessary to provide the TumaFlow service.
- Legitimate interests (Art. 6(1)(f)): We process technical usage data and error logs to maintain security, improve the platform, and detect fraud.
- Legal obligation (Art. 6(1)(c)): We retain billing records for 7 years to comply with financial regulations.
- Consent (Art. 6(1)(a)): We rely on consent for optional marketing communications (you can opt out at any time).
3. Your Rights as a Data Subject
If you are an EU/EEA resident, you have the following rights under the GDPR:
Right of Access (Art. 15)
You have the right to obtain a copy of the personal data we hold about you, along with information about how we process it.
Right to Rectification (Art. 16)
You have the right to request correction of inaccurate or incomplete personal data we hold about you.
Right to Erasure — "Right to Be Forgotten" (Art. 17)
You may request deletion of your personal data when it is no longer necessary for the purposes for which it was collected, or when you withdraw consent. Note that we may retain certain data where required by law (e.g., billing records).
Right to Restrict Processing (Art. 18)
You may request that we restrict the processing of your personal data in certain circumstances, for example while a dispute about accuracy is being resolved.
Right to Data Portability (Art. 20)
You have the right to receive your personal data in a structured, commonly used, machine-readable format (JSON or CSV), and to transmit that data to another controller where technically feasible.
Right to Object (Art. 21)
You may object to processing based on legitimate interests or for direct marketing purposes. We will cease processing unless we can demonstrate compelling legitimate grounds that override your interests.
Rights Related to Automated Decision-Making (Art. 22)
TumaFlow does not make decisions that produce legal or similarly significant effects solely through automated means. All account suspension or fraud decisions involve human review.
4. How to Exercise Your Rights
To exercise any of the above rights, please send a request to our Data Protection Officer:
- Email: dpo@tumaflow.io
- Subject line: "GDPR Data Subject Request — [Your Name]"
We will respond within 30 days. We may ask you to verify your identity before processing the request. There is no charge for reasonable requests.
5. Data Processing Agreement (DPA)
If you use TumaFlow to process personal data of EU/EEA individuals on behalf of your customers, you may require a Data Processing Agreement (DPA) to comply with GDPR Article 28. You can request a standard DPA by emailing dpo@tumaflow.io.
6. Sub-Processors
We use the following sub-processors to deliver the Service. All sub-processors are GDPR-compliant and bound by data processing agreements:
| Sub-Processor | Purpose | Location |
|---|---|---|
| Meta Platforms, Inc. | WhatsApp message delivery | USA (SCCs) |
| Vercel Inc. | Frontend hosting | USA (SCCs) |
| Cloud DB Provider | Database storage | EU region |
| Stripe, Inc. | Payment processing | USA (SCCs) |
SCCs = Standard Contractual Clauses (EU Commission approved mechanism for international transfers).
7. International Data Transfers
Some of our sub-processors are located in the United States. Where we transfer personal data outside the EEA, we ensure appropriate safeguards are in place — primarily through the EU Standard Contractual Clauses (SCCs) approved by the European Commission.
8. Data Breach Notification
In the event of a personal data breach that is likely to result in a risk to your rights and freedoms, we will notify the relevant supervisory authority within 72 hours of becoming aware of the breach, and will notify affected individuals without undue delay where required.
9. Right to Lodge a Complaint
If you believe we are processing your personal data unlawfully, you have the right to lodge a complaint with your local supervisory authority. In the EU, you can find your national data protection authority at edpb.europa.eu.
10. Contact our DPO
Our Data Protection Officer can be reached at dpo@tumaflow.io for any GDPR-related enquiries.