Tenanto

Privacy Policy

Template — customize before publishing.

This page is a GDPR-oriented starting template shipped with Tenanto. Fill in the LEGAL_* variables in your .env file, review each section for accuracy with respect to the data you actually collect, and have the final text reviewed by qualified legal counsel in your jurisdiction before publishing it to end users. It is not a substitute for legal advice.

This Privacy Policy describes how Tenanto Demo — the "Operator", "we", "us", or "our" — collects, uses, shares, and protects personal data when you access or use the services, applications, and websites we operate (the "Service"). It also explains the rights you have in relation to your personal data.

For the purposes of applicable data protection law, including the EU General Data Protection Regulation (GDPR) where it applies, the Operator is the data controller of the personal data described in this Policy, unless we act as a processor on your behalf under a separate data processing agreement.

1. Personal Data We Collect

We collect the following categories of personal data:

  • Account data — name, email address, password (stored hashed), display name, profile picture, locale preference.
  • Organization data — company or tenant name, roles and permissions, team memberships.
  • Billing data — billing contact, VAT or tax ID, billing address, invoice history. Card and bank details are handled directly by our payment processor and are never stored on our servers.
  • Service content — projects, tasks, files, messages, and any other content you create inside the Service.
  • Usage data — log events, request identifiers, IP address, device and browser metadata, timestamps, and referring URLs.
  • Support data — any information you share with us when contacting support.

2. How We Collect Personal Data

We collect personal data in the following ways:

  • Directly from you when you register, subscribe, configure your account, or contact us;
  • Automatically through cookies, local storage, and similar technologies when you use the Service;
  • From third parties, such as payment processors, identity providers, or our sub-processors, strictly in connection with the operation of the Service.

3. Purposes of Processing

We process personal data for the following purposes:

  • To provide, maintain, and improve the Service and develop new features;
  • To authenticate users, enforce access controls, and protect the Service against fraud, abuse, and security incidents;
  • To process payments, manage subscriptions, and issue invoices and receipts;
  • To send operational notifications (such as service alerts, invoice notifications, and security advisories);
  • To respond to support requests and handle complaints;
  • To comply with legal, tax, accounting, and regulatory obligations;
  • To establish, exercise, or defend legal claims.

4. Legal Bases for Processing (GDPR)

Where the GDPR applies, we rely on the following legal bases under Article 6 of the GDPR:

  • Performance of a contract (Art. 6(1)(b)) — to provide the Service to you and handle billing and support;
  • Legitimate interests (Art. 6(1)(f)) — to secure the Service, prevent fraud, analyze usage to improve reliability, and defend the Operator's legal interests, balanced against your fundamental rights and freedoms;
  • Legal obligation (Art. 6(1)(c)) — to comply with tax, accounting, and other mandatory legal obligations;
  • Consent (Art. 6(1)(a)) — where we rely on consent (for example, for optional marketing communications), you may withdraw your consent at any time without affecting the lawfulness of processing based on consent before its withdrawal.

5. Sharing and Disclosure

We do not sell personal data. We disclose personal data only to the following categories of recipients:

  • Sub-processors who provide infrastructure, payments, email delivery, error monitoring, analytics, or customer support, under contracts that require them to protect personal data consistently with this Policy and applicable law;
  • Professional advisors such as auditors, accountants, and lawyers acting under confidentiality;
  • Public authorities when we are required to disclose personal data by law, court order, or other legal process;
  • Successors in interest in connection with a merger, acquisition, or sale of all or substantially all of our assets, subject to the continued protection of personal data under this Policy.

Our current sub-processors include:

  • Stripe (payments)
  • Your hosting provider (infrastructure)
  • Your transactional email provider (notifications)

6. International Transfers

Where personal data is transferred outside your country of residence or outside the European Economic Area, we rely on appropriate safeguards such as the European Commission's Standard Contractual Clauses, adequacy decisions, or other legally recognized transfer mechanisms. You may request a copy of the relevant safeguards by contacting us at [email protected].

7. Data Retention

We retain personal data for as long as your account is active, plus the period required by applicable law and tax regulations. When data is no longer needed for the purposes described in this Policy, we delete it or anonymize it. Invoices and other documents required by tax or accounting law are retained for the periods mandated by that law.

8. Your Rights

Subject to applicable law, you have the following rights in relation to your personal data:

  • Access — to obtain confirmation of whether we process personal data about you and, if so, a copy of that data;
  • Rectification — to have inaccurate or incomplete data corrected;
  • Erasure ("right to be forgotten") — to request deletion of personal data, subject to legal retention obligations;
  • Restriction — to request that we limit the processing of your personal data;
  • Portability — to receive personal data you provided to us in a structured, commonly used, machine-readable format;
  • Objection — to object to processing based on our legitimate interests;
  • Withdrawal of consent — to withdraw any consent you have previously given, without affecting the lawfulness of processing based on consent before its withdrawal;
  • Complaint — to lodge a complaint with the competent data protection authority in your jurisdiction or another competent data protection authority, particularly in the EU member state of your residence, workplace, or the alleged infringement.

To exercise any of these rights, contact us at [email protected]. We may ask you to verify your identity before responding to protect your data from unauthorized disclosure.

9. Cookies and Similar Technologies

We use cookies and similar technologies that are strictly necessary to deliver the Service (for example, to keep you signed in and to protect against cross-site request forgery). Where we use non-essential cookies — such as analytics or preference cookies — we ask for your consent before setting them and provide a mechanism to withdraw that consent.

10. Security

We apply technical and organizational measures designed to protect personal data against unauthorized access, loss, alteration, or disclosure. These measures include encryption in transit, access controls, auditing, and regular security reviews. No method of transmission or storage is 100% secure, and we cannot guarantee absolute security.

11. Children

The Service is not directed to children under the age at which minors may consent to data processing in their jurisdiction (16 in most EU member states, unless local law sets a lower threshold). We do not knowingly collect personal data from such children. If you believe a child has provided us with personal data, contact us and we will take steps to delete it.

12. Automated Decision-Making

We do not use personal data to make decisions solely by automated means that produce legal or similarly significant effects on you, unless we have your explicit consent or another lawful basis.

13. Changes to This Policy

We may update this Policy from time to time to reflect changes in our practices, legal obligations, or the Service. Material changes will be communicated by reasonable means — for example, by email to the address associated with your account or by an in-app notice. Continued use of the Service after the effective date of any revised Policy constitutes your acknowledgment of the changes.

14. Contact the Operator

For questions about this Privacy Policy or to exercise any of your rights, contact us at [email protected]. General inquiries can be directed to [email protected].