
Privacy policy

Effective Date: 20 July 2025

1. Who We Are (Data Controller)

The data controller responsible for processing your personal data under this Privacy Policy is:

GXG TECHSOFT SRL

Strada Fildesului 4, Bl. B6, Sc. 1, Ap. 6, Bucharest, Romania

Email: privacy@turbobulls.com

We are a company established under the laws of Romania and operate in full compliance with the General Data Protection Regulation (EU 2016/679) and Romanian Law no. 190/2018 regarding data protection.

This Privacy Policy applies globally to all users of our services, regardless of location. However, it is specifically intended to meet the legal obligations for individuals located in the European Union (EU) or European Economic Area (EEA), in accordance with Article 3 of the GDPR.

We are not currently required to appoint a Data Protection Officer (DPO) under Article 37 of the GDPR. You may nonetheless contact us at privacy@turbobulls.com with any questions or requests related to the processing of your personal data.

If you are located in the EU/EEA and have concerns about how your data is handled, you have the right to lodge a complaint with your local data protection authority. Our lead supervisory authority is:

Autoritatea Națională de Supraveghere a Prelucrării Datelor cu Caracter Personal (ANSPDCP)

https://www.dataprotection.ro/

We also explain your rights under Section 7 of this Privacy Policy.

2. What Personal Data We Collect and Why

Our platform is designed to be end-to-end encrypted — meaning we cannot read, decrypt, or process the actual content you upload, transmit, or create within the platform.

We only collect the minimum personal data necessary to operate and secure the Service. Below is a breakdown of what we collect and why.

a. Account and Authentication Data

What we collect:

  • Email address
  • Login metadata (e.g., timestamp, method)
  • Authentication info (Google OAuth or Magic Link)
  • A pseudonymous internal user ID

Why we collect it:

To create and manage your account, authenticate access securely, and prevent unauthorized use of the platform.

b. Billing and Subscription Data

What we collect:

  • Name (for invoicing, if provided)
  • Billing address and country
  • VAT number (if applicable)
  • Payment metadata (via Stripe or Paddle)

Why we collect it:

To process payments, issue legally compliant invoices, meet tax obligations, and provide customer support for billing.

c. Technical and Security Data

What we collect:

  • IP address
  • Browser type and version
  • Device and OS
  • Login attempts and access timestamps
  • CAPTCHA/bot check signals

Why we collect it:

To detect fraud, secure user accounts, optimize service performance, and protect against denial-of-service attacks or unauthorized access.

d. Operational Logs and Usage Metrics

What we collect:

  • Feature usage (e.g., dashboard interactions)
  • Timestamped system events
  • Error and exception logs

Why we collect it:

To monitor platform health, debug technical issues, and improve overall system reliability without tracking user behavior across services.

e. Support and Communication Data

What we collect:

  • Your email address and name (if provided)
  • Message content and attachments

Why we collect it:

To respond to your inquiries, troubleshoot issues, and provide support or legal documentation (e.g., invoices, data requests).

Third-Party Infrastructure

We use trusted infrastructure and logging providers under GDPR-compliant agreements to support platform security and performance.

You can request a current list of our subprocessors by contacting privacy@turbobulls.com.

3. Lawful Bases for Processing Your Data

a. Account and Authentication Data

Lawful basis:

  • Contractual necessity – to create and manage your account, authenticate your access, and deliver the services you request
  • Legitimate interest – to protect the security of the platform, detect fraud, and prevent unauthorized access

b. Billing and Subscription Data

Lawful basis:

  • Contractual necessity – to process your subscription and deliver paid features of the Service
  • Legal obligation – to comply with tax, accounting, invoicing, and financial reporting laws in the EU and Romania

c. Technical and Security Data

Lawful basis:

  • Legitimate interest – to ensure the performance, stability, and security of the platform, including protection against fraud, abuse, and malicious activity

d. Operational Logs and Usage Metrics

Lawful basis:

  • Legitimate interest – to monitor system health, debug technical issues, and improve the Service. This data is limited in scope, anonymized or pseudonymized where appropriate, and is never used for profiling, behavioral tracking, or advertising.

e. Support and Communication Data

Lawful basis:

  • Contractual necessity – when your inquiry relates to your use of the Service
  • Legitimate interest – to respond to general questions, collect feedback, and improve customer service

f. Optional Cookies and Analytics

Lawful basis:

  • Consent – where required by law, we will obtain your explicit consent before placing non-essential cookies or using analytics tools. You can withdraw this consent at any time through your cookie settings or browser preferences.

Some categories of personal data may be processed under more than one lawful basis, depending on the purpose. For example, billing data may be necessary to deliver your subscription (contractual necessity) and to meet legal accounting obligations (legal obligation).

When we rely on legitimate interest, we carefully assess whether our interest is balanced against your rights and freedoms, and we implement safeguards to protect your privacy. You have the right to object to any processing based on legitimate interest at any time, as described in Section 7.

4. How We Share or Disclose Personal Data

a. Trusted Service Providers (Processors)

We engage carefully selected third-party service providers to help us deliver, secure, and maintain the platform. These subprocessors may process limited categories of personal data strictly on our behalf.

Examples include:

  • Authentication and login providers (e.g., Google OAuth)
  • Payment processors (e.g., Stripe, Paddle)
  • Security and fraud prevention tools (e.g., Cloudflare)

All subprocessors are subject to written data processing agreements that require them to implement appropriate technical and organizational security measures under Article 32 of the GDPR.

b. Internal Access and Confidentiality

Access to your personal data is strictly limited to authorized personnel and contractors who require access to fulfill their job responsibilities. All such access is governed by confidentiality agreements and role-based access controls consistent with GDPR Article 32 and industry best practices.

c. Legal Obligations and Government Requests

We may disclose personal data when required to do so under applicable law, such as to comply with a valid subpoena, court order, or government investigation under Article 6(1)(c) of the GDPR.

We carefully review each request to verify its legal basis, necessity, and proportionality. If permitted, we will notify you of such disclosures.

d. Corporate Transactions

In the event of a merger, acquisition, financing, restructuring, or sale of assets, your personal data may be transferred as part of that transaction. We will ensure confidentiality protections are maintained and notify you in advance of any material changes to the way your data is processed.

e. With Your Consent

We may share your personal data with third parties for other purposes only with your explicit, informed consent—for example, when you voluntarily enable third-party integrations. You may withdraw this consent at any time.

5. International Data Transfers

We are based in the European Union and prioritize hosting and processing all personal data within the European Economic Area (EEA) whenever possible.

However, some of our trusted service providers may process or access personal data from jurisdictions outside the EEA, including countries that do not benefit from an adequacy decision under Article 45 of the GDPR—such as the United States.

a. Transfers to Third Countries

Where personal data is transferred outside the EEA, we implement appropriate legal safeguards as required by GDPR Articles 46–49, including:

  • Standard Contractual Clauses (SCCs) issued by the European Commission
  • Supplemental technical and organizational safeguards, such as end-to-end encryption, pseudonymization, and strict access controls
  • Vendor due diligence and contractual restrictions to ensure GDPR-level protection

We regularly assess these safeguards to ensure their effectiveness and adequacy, especially for any transfers to countries subject to conflicting laws (e.g., surveillance regimes).

b. U.S. Service Providers and the Data Privacy Framework

Some of our infrastructure, payment, or authentication providers may be located in or subject to U.S. jurisdiction. In such cases, we:

  • Ensure your personal data is hosted in EU data centers where applicable
  • Require the use of Standard Contractual Clauses as a legal basis for transfer
  • Limit access to only what is necessary for secure operation
  • Monitor eligibility for and participation in the EU–U.S. Data Privacy Framework (DPF), and may rely on this mechanism where applicable

c. Fallback Measures and Transfer Suspension

If any data transfer safeguard we rely on is invalidated or no longer provides adequate protection, we will:

  • Implement an alternative lawful transfer mechanism where available, or
  • Suspend the transfer until such safeguards are re-established

This ensures your personal data is never transferred internationally without a lawful basis under the GDPR.

d. Your Rights Regarding Transfers

You have the right to request more information about our cross-border transfer safeguards, including a copy of the Standard Contractual Clauses we rely on, by contacting us at privacy@turbobulls.com.

6. Data Retention and Deletion

We retain personal data only for as long as necessary to fulfill the purposes for which it was collected, in accordance with Article 5(1)(e) of the GDPR, and subject to any legal obligations that require longer retention.

a. Retention Periods by Data Category

Data Type | Retention Period
Account & Authentication Data | Retained until account deletion or 12 months of inactivity, whichever comes first*
Billing & Payment Records | Retained for up to 10 years to comply with tax, audit, and legal obligations
Technical & Security Logs | Retained for up to 180 days, unless required longer for security or investigation
Support Communications | Retained for up to 2 years, unless legal or support follow-up requires longer
User Content | Never retained or accessible – encrypted end-to-end and unreadable by us

*Inactive accounts may be scheduled for deletion after a 30-day notice is sent to the associated email address.

We may retain anonymized or aggregated data for analytics or service improvement, provided it can no longer be linked to an identifiable individual.

b. Account Deletion

You may delete your account at any time through your account settings or by contacting privacy@turbobulls.com. Upon verified deletion:

  • Your personal data is promptly removed from active systems
  • Associated identifiers are deleted or anonymized
  • Billing records may be retained where legally required
  • End-to-end encrypted user content becomes permanently inaccessible and is removed during scheduled secure cleanup

c. Right to Erasure (Article 17 GDPR)

You have the right to request deletion of your personal data where:

  • The data is no longer necessary for its original purpose
  • You withdraw consent (where consent was the basis)
  • You object to processing based on legitimate interest
  • The data was unlawfully processed or collected
  • Erasure is required to comply with a legal obligation

We respond to verified erasure requests within 30 days, unless retention is required by law.

d. Data Portability Before Deletion (Article 20 GDPR)

Before deletion, you may request a copy of your account metadata, billing records, or other portable personal data in a structured, commonly used, machine-readable format, in accordance with Article 20 of the GDPR.

e. Backup and Archival Systems

Personal data may remain in encrypted backups for up to 30 days after deletion, solely for disaster recovery purposes. These backups are automatically deleted after expiration and are not used for any operational processing.

7. Your Rights Under the GDPR

As a data subject under the General Data Protection Regulation (GDPR), you have the following rights regarding your personal data. These rights are available to all users whose personal data we process, regardless of location.

a. Right of Access Article 15

You have the right to request confirmation of whether we process your personal data and, if so, to receive a copy of that data along with relevant information about how and why we process it.

b. Right to Rectification Article 16

You may request correction of inaccurate or incomplete personal data that we hold about you.

c. Right to Erasure (Right to be Forgotten) Article 17

You have the right to request the deletion of your personal data where there is no compelling reason for us to continue processing it, such as when:

  • The data is no longer needed
  • You withdraw consent (where consent was the legal basis)
  • You object to processing and no overriding legitimate interest exists
  • Processing was unlawful or must be erased to comply with legal obligations

d. Right to Restriction of Processing Article 18

You may request that we restrict the processing of your personal data in certain circumstances, such as while we verify a correction request or assess an objection.

e. Right to Data Portability Article 20

You have the right to request your personal data in a structured, commonly used, machine-readable format, and to have it transferred to another controller, where technically feasible and where processing is based on consent or contract.

f. Right to Object Article 21

You have the right to object to processing based on legitimate interest, including profiling. If you object, we will stop processing your data unless we can demonstrate compelling legitimate grounds.

You also have the right to object to the use of your data for direct marketing, in which case it will be stopped immediately.

g. Right Not to Be Subject to Automated Decision-Making Article 22

You have the right not to be subject to a decision based solely on automated processing, including profiling, which significantly affects you. We do not use any such automated decision-making in our Service.

h. Right to Withdraw Consent Article 7

Where processing is based on your consent, you may withdraw it at any time. Withdrawal does not affect the lawfulness of prior processing.

i. Right to Lodge a Complaint Article 77

You have the right to lodge a complaint with your local data protection authority. Our lead supervisory authority is:

Autoritatea Națională de Supraveghere a Prelucrării Datelor cu Caracter Personal (ANSPDCP)

https://www.dataprotection.ro

How to Exercise Your Rights

You may exercise any of the rights above by contacting us at privacy@turbobulls.com. We may need to verify your identity before fulfilling certain requests.

We will respond within 30 days, or explain if more time is needed due to complexity.

8. Children’s Privacy

Our Service is intended exclusively for individuals who are at least 16 years of age, or the minimum age of digital consent applicable in their country of residence.

By using this Service, you affirm that:

  • You are at least 16 years old, or
  • You meet the minimum age of digital consent in your country, and
  • You have full legal capacity to enter into this agreement and use our services

If we become aware that we have inadvertently collected personal data from a child under the age of 16 (or under the applicable age threshold), without verified parental or guardian consent, we will:

  • Promptly delete the data from our active systems
  • Restrict any further processing
  • Take steps to secure and erase any backup or residual records, where technically feasible

Regional Variations in Digital Consent Age

We apply the default GDPR minimum age of 16, unless a specific EU/EEA Member State has legally lowered it to no less than 13 under Article 8(1) GDPR.

Here are examples of national thresholds:

Country | Age of Digital Consent
Germany | 16
France | 16
Netherlands | 16
Romania | 16
Ireland | 16
Spain | 14
Italy | 14
Sweden | 13

You are responsible for complying with your country’s applicable age threshold when accessing or registering for the Service.

Parental Involvement

If you are a parent or legal guardian and believe that your child has provided us with personal data in violation of this policy, please contact us immediately at privacy@turbobulls.com. We will verify your request, investigate, and take all appropriate steps in accordance with GDPR and applicable law.

9. Data Security

We implement appropriate technical and organizational measures to protect your personal data from unauthorized access, disclosure, alteration, or destruction, in accordance with Articles 5(1)(f), 24, 25, and 32 of the GDPR.

a. Encryption and Data Isolation

  • Communication between your device and our servers is secured using TLS (HTTPS) encryption.
  • Stored personal data (such as account email or billing metadata) is protected using encryption-at-rest and access controls.

b. Access Controls and Internal Security

  • Access to personal data is strictly limited to authorized personnel, on a need-to-know basis, under strict confidentiality obligations.
  • We use role-based access control (RBAC), audit logging, and secure credential management.
  • All systems are protected by multi-factor authentication (MFA) and secure deployment practices.

c. Infrastructure and Subprocessors

  • We use trusted cloud providers with strong security reputations, including Supabase (database & auth), Vercel (frontend hosting), Cloudflare (network & bot protection), and Sentry (error logging).
  • All vendors are subject to data processing agreements (DPAs) and must meet our minimum security requirements under Article 28 GDPR.
  • Infrastructure is primarily located in the European Union, with safeguards in place for any cross-border access (see Section 5).

d. Monitoring and Threat Detection

  • We continuously monitor our systems for potential security incidents using tools such as Sentry, Cloudflare analytics, and server-side logs.
  • We have automated alerts and mitigation procedures to detect and contain threats, including abuse, misuse, and anomalous behavior.

e. Data Minimization and Privacy-by-Design

  • We apply data minimization, purpose limitation, and privacy-by-design principles in how we collect, store, and process data.
  • No behavioral profiling, ad tracking, or unnecessary third-party cookies are used.
  • Optional data (e.g., crash diagnostics) is collected only with your awareness and consent, if applicable.

f. Incident Response and Breach Notification

  • In the event of a data breach involving personal data, we will:
    • Notify affected users and relevant authorities without undue delay, as required under Articles 33 and 34 GDPR
    • Investigate the incident promptly and implement corrective actions
    • Maintain records in accordance with Article 30 (Records of Processing Activities)

10. Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in the law, our services, or data handling practices.

We encourage you to review this Privacy Policy periodically to stay informed about how we protect your personal data.

The “Effective Date” at the top of this page indicates when this policy goes into effect.

11. Contact Us

If you have any questions about this Privacy Policy, your rights under GDPR, or our data protection practices, you may contact us at:

GXG TECHSOFT SRL

Strada Fildesului 4, Bl. B6, Sc. 1, Ap. 6, Bucharest, Romania

We will respond to privacy-related inquiries within 30 days, or sooner if required by law.

12. Supervisory Authority

You have the right to lodge a complaint with a supervisory authority if you believe our processing of your personal data violates applicable data protection laws.

Our lead supervisory authority is:

Autoritatea Națională de Supraveghere a Prelucrării Datelor cu Caracter Personal (ANSPDCP)
B-dul G-ral Gheorghe Magheru 28-30, Sector 1, București, România