Privacy Policy

Last updated: June 1, 2026

1. General Provisions

This Privacy Policy ("Policy") defines the procedures for collecting, processing, storing, and protecting personal data of users of the Tutum Business SaaS platform (tutum.business).

The data controller is SP/IE Changylov Daniyar Saparbekovich, TIN: 20111199501384, registered at: Kyrgyz Republic, Bishkek, Pervomaysky district, Orozbekova str., 2/2, apt. 60 (hereinafter — the "Operator").

By using the Platform, you consent to the processing of your personal data in accordance with this Policy.

2. Data Processing Roles

The Platform operates under a dual legal arrangement:

— With respect to data of Platform business-customer accounts (registered Platform users) — registration data, billing, and admin-panel activity — the Operator acts as a controller.

— With respect to data of the Platform user's end customers (buyers who message the business via WhatsApp, Instagram Direct, Telegram, or comment under Instagram posts) — the Operator acts as a processor on behalf of the Platform user. The controller of such data is the Platform user (merchant) who connected the channel and determines the purposes of processing communications with their buyers.

This distinction is material for determining the scope of rights and obligations of the parties, as well as for the requirements of partner platforms (Meta Platforms).

3. Data We Collect

We collect the following categories of data:

Platform user (business customer) data: first name, last name, email address, phone number, company/store name and details, payment information.

Platform interaction data: activity logs, account settings, uploaded product catalogs, history of operations in the admin panel.

Technical data: IP address, browser and device type, cookie data, service usage statistics.

End-customer data of the Platform user: phone numbers in E.164 format, names and messenger profile identifiers, content of messages and comments, media files (images, audio, video), order history, quoted messages (replies), emoji reactions.

Data obtained via Meta Platforms integrations (see Section 5) — only to the extent necessary for the operation of connected channels.

4. Purposes of Data Processing

We process personal data for the following purposes:

— providing and supporting Platform services;

— ensuring the operation of AI assistants (processing catalogs, generating responses to customers, indexing knowledge bases for semantic search);

— receiving, processing, and delivering messages on WhatsApp Business, Instagram Direct, Telegram;

— receiving and processing comments under Instagram posts, automatic public replies, and private Direct messages in accordance with auto-reply rules configured by the Platform user;

— publishing content (posts, Stories, Reels) to the Platform user's Instagram account at their direction from the admin panel;

— processing orders and managing point-of-sale operations;

— improving service quality and developing new features (without combining data obtained from Meta with third-party data absent explicit consent);

— issuing invoices and processing payments;

— communicating with the Platform user regarding service matters;

— complying with the laws of the Kyrgyz Republic and the rules of partner platforms (Meta Platform Terms, WhatsApp Business Messaging Policy, WhatsApp Commerce Policy, Instagram Platform Policy).

5. Meta Platforms Integrations (WhatsApp Business and Instagram)

The Platform provides integrations with Meta Platforms products to support commercial communication between a business and its customers. Connection is performed by the Platform user (business) within Meta's standard authorization flows and requires that the user hold administrator rights to the relevant business assets.

5.1. WhatsApp Business Cloud API. Connection is performed via Meta's Embedded Signup procedure. Permissions requested: whatsapp_business_management, whatsapp_business_messaging, business_management. Data received and processed: end-customer phone numbers in E.164 format, WhatsApp profile names, inbound and outbound messages (text, images, audio/voice, video, documents, stickers, reactions, replies to messages), message identifiers (wamid), delivery statuses and error reasons (for display in the operator interface), WhatsApp Business Account identifiers (WABA ID) and phone numbers (phone_number_id), message templates and their moderation statuses.

5.2. Instagram (Instagram Login for business). Connection is performed via Instagram Login (graph.instagram.com), not via a personal Facebook account. Permissions requested: instagram_business_basic, instagram_business_manage_messages, instagram_business_manage_comments, instagram_business_content_publish. Data received and processed: business Instagram account identifiers (IGID), counterpart usernames (handles) and public profile metadata, content of Instagram Direct messages and comments under posts, media files, post and comment identifiers, metadata of posts/Stories/Reels published via the Platform.

5.3. Comments and automation. If the Platform user creates auto-reply rules for comments under their posts, the Platform processes inbound comments, matches them against configured rules (keywords), and on behalf of the Platform user posts a reply comment and/or sends a private message to the comment author via the Instagram Private Replies API. The content of auto-replies is determined solely by the Platform user; the Operator does not moderate or edit auto-reply texts and is not responsible for their content.

5.4. Use of Meta data. Data obtained from Meta Platforms via the listed APIs is used by the Operator solely for the purposes described in Section 4 and in strict accordance with Meta Platform Terms and Developer Policies. The Operator does not sell Meta data, does not share it with advertising networks or data brokers, does not use it to build profiles outside the context of the Platform user's business account, and does not combine it with third-party data absent an explicit legal basis.

5.5. Storage of access tokens. Meta access tokens are stored encrypted at the database level. Upon disconnection of the integration by the user or revocation of permissions by Meta, tokens are invalidated.

6. AI Model Processing

To enable the operation of AI assistants, message content and other dialog context are transmitted to large-language-model (LLM) providers selected by the Platform user in store settings. Supported providers: OpenAI (USA), Anthropic (USA), Google (Gemini) (USA).

For semantic search across the product catalog and knowledge base (RAG), product texts, descriptions, and customer queries are transmitted to the embeddings provider: Voyage AI (USA). Vector representations are stored on our servers in PostgreSQL/pgvector.

When voice messages are used, their audio fragments may be transmitted to speech-recognition service providers (ElevenLabs Scribe and/or other providers specified in Platform settings).

Data transmission to AI providers is performed over a secure channel (TLS) and is governed by the relevant privacy policies and data processing terms of those providers. The Operator selects providers that contractually undertake not to use transmitted data to train their own models by default, or for which this option is disabled in the API configuration.

7. Third-Party Sharing and International Data Transfers

We do not sell or share your personal data with third parties for marketing purposes.

Data may be shared with the following categories of recipients (sub-processors) solely for the purpose of delivering Platform services:

— Meta Platforms, Inc. (USA/Ireland) — for the operation of WhatsApp Business Cloud API and Instagram Business API;

— Telegram FZ-LLC (UAE) — for the operation of Telegram Bot API;

— OpenAI (USA), Anthropic (USA), Google LLC / Google Ireland Ltd (USA/EU) — LLM providers at the Platform user's choice;

— Voyage AI (USA) — vector embeddings provider;

— ElevenLabs (USA) — speech recognition (where applicable);

— Cloudflare, Inc. (USA) — CDN, DDoS protection, traffic proxying;

— The hosting provider on whose infrastructure the Platform servers (including the PostgreSQL database and Redis) are deployed;

— Payment systems and acquirers — for processing subscription payments.

International data transfers to the indicated jurisdictions are carried out on the basis of the necessity of performing the contract between the Operator and the Platform user and/or on the direction of such user as the controller of end-customer data. The Operator selects sub-processors that provide an adequate level of data protection and enters into agreements with them containing confidentiality and data processing terms.

The current list of sub-processors may be updated. The Operator will notify users via the Platform or by email of material changes to the composition of sub-processors.

8. Data Storage and Protection

Data is stored on secure servers with the following security measures in place:

— data encryption in transit (TLS/SSL);

— encryption of sensitive data, including Meta and Telegram access tokens, at the application and database levels;

— access control at the application and database levels, tenant isolation (multi-tenant) by store identifier;

— regular backups;

— security monitoring, rate limiting, and access logging.

Retention periods:

— Platform user account data — for the duration of the account and 90 (ninety) days after its deletion, unless otherwise required by law;

— messages and comments received through Meta integrations — for the duration of the connection and until disconnection of the integration or receipt of a deletion request;

— Meta access tokens — until the integration is disconnected by the user or revoked by Meta, after which tokens are invalidated;

— records of data deletion requests — at least 90 days from completion, as required by Meta for the public status page.

9. Data Deletion and Meta Callbacks

The Operator implements the data deletion mechanisms required by Meta Platform Terms:

— Deauthorize Callback: POST https://api.tutum.business/api/v1/webhooks/meta/deauthorize. Upon receipt of a callback from Meta indicating that a user has revoked the application's permissions, the Operator immediately ceases use of the relevant tokens and marks the connection as revoked.

— Data Deletion Request Callback: POST https://api.tutum.business/api/v1/webhooks/meta/data-deletion. Upon receipt of a signed request, the Operator registers it, deletes the corresponding end-user data from active stores, and returns to Meta a status-page URL of the form https://api.tutum.business/api/v1/data-deletion/status/{confirmation_code} with a unique confirmation code.

Meta end users may also request deletion of their data directly by following the instructions at https://tutum.business/data-deletion (a page with instructions and a contact channel).

The Platform user (business) may disconnect the integration at any time from the admin panel; this will invalidate tokens and stop the reception of new data through the channel. Deletion of previously received messages and comments is performed upon an additional request from the Platform user or upon deletion of the account.
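The following is an added illustration of how a Data Deletion Request Callback handler of the kind described in this Section can be structured; it is example code written for this page, not the Platform's own implementation. It assumes Meta's documented signed_request format (base64url signature "." base64url JSON payload, the signature being HMAC-SHA256 over the encoded payload string keyed with the app secret), a placeholder app secret, an in-memory registry standing in for the database records retained under Section 8, and a stand-in delete_user_data routine in place of the store-side cleanup. The security-relevant point is that the signature is verified in constant time before any deletion happens, so a forged request deletes nothing, and that the response carries the status-page URL form given above together with a unique confirmation code.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time

# Status-page URL form named in Section 9 of the policy.
STATUS_URL_BASE = "https://api.tutum.business/api/v1/data-deletion/status/"


def _b64url_decode(data: str) -> bytes:
    # Meta omits '=' padding in signed_request; restore it before decoding.
    return base64.urlsafe_b64decode(data + "=" * (-len(data) % 4))


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def parse_signed_request(signed_request: str, app_secret: str):
    """Verify a Meta signed_request ("<sig>.<payload>", both base64url; sig is
    HMAC-SHA256 over the encoded payload string, keyed with the app secret).
    Returns the decoded payload dict, or None when the request is malformed or
    the signature does not verify, so nothing is deleted on a forged request."""
    if "." not in signed_request:
        return None
    encoded_sig, encoded_payload = signed_request.split(".", 1)
    try:
        provided = _b64url_decode(encoded_sig)
        payload = json.loads(_b64url_decode(encoded_payload))
    except ValueError:  # binascii.Error, UnicodeDecodeError, JSONDecodeError
        return None
    expected = hmac.new(app_secret.encode(), encoded_payload.encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, provided):  # constant-time MAC check
        return None
    if not isinstance(payload, dict) or str(payload.get("algorithm", "")).upper() != "HMAC-SHA256":
        return None
    return payload


class DeletionRegistry:
    """In-memory stand-in (assumption) for the deletion-request records the
    policy says are retained; a real deployment would persist them."""

    def __init__(self):
        self.records = {}

    def register(self, user_id: str, deleted_count: int) -> str:
        code = secrets.token_urlsafe(16)  # unique confirmation code
        self.records[code] = {"user_id": user_id, "status": "completed",
                              "deleted_records": deleted_count,
                              "completed_at": int(time.time())}
        return code

    def status(self, code: str):
        return self.records.get(code)


def handle_data_deletion(form_signed_request: str, app_secret: str,
                         registry: DeletionRegistry, delete_user_data):
    """Handler for the Data Deletion Request Callback. delete_user_data(user_id)
    is the assumed store-side deletion routine and returns how many records it
    removed. Returns (http_status, json_body)."""
    payload = parse_signed_request(form_signed_request, app_secret)
    if payload is None or "user_id" not in payload:
        return 400, {"error": "invalid or unsigned request"}
    user_id = str(payload["user_id"])
    deleted = delete_user_data(user_id)
    code = registry.register(user_id, deleted)
    # Meta expects exactly these two fields in the JSON response.
    return 200, {"url": STATUS_URL_BASE + code, "confirmation_code": code}


def sign_request(payload: dict, app_secret: str) -> str:
    """Test-side simulation of Meta's signing, used only to construct sample
    input here; in production Meta produces the signed_request."""
    encoded_payload = _b64url_encode(json.dumps(payload).encode())
    sig = hmac.new(app_secret.encode(), encoded_payload.encode(), hashlib.sha256).digest()
    return _b64url_encode(sig) + "." + encoded_payload


def demo():
    """Run one valid and one tampered request through the handler."""
    app_secret = "example-app-secret"  # placeholder, not a real secret
    registry = DeletionRegistry()
    removed = []

    def delete_user_data(user_id):  # constructed stand-in for store cleanup
        removed.append(user_id)
        return 3

    good = sign_request({"algorithm": "HMAC-SHA256", "user_id": "1234567890",
                         "issued_at": 1700000000}, app_secret)
    ok = handle_data_deletion(good, app_secret, registry, delete_user_data)
    # Corrupt the first signature character: the handler must refuse it.
    sig, body = good.split(".", 1)
    tampered = ("A" if sig[0] != "A" else "B") + sig[1:] + "." + body
    bad = handle_data_deletion(tampered, app_secret, registry, delete_user_data)
    return ok, bad, registry, removed


if __name__ == "__main__":
    print(demo())
```

Running the block prints a 200 response with a confirmation code for the genuine request and a 400 response for the tampered one; the stand-in deletion routine is called exactly once, and the registry entry for the confirmation code is what the status page would serve.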

10. End-Customer Data of Platform Users

In the course of providing Platform services, the Operator processes data of Platform users' end customers (buyers contacting the business via messengers and Instagram comments).

The Platform user acts as the controller of their customers' data and undertakes to:

— have a legal basis for processing their customers' data (including obtaining the necessary consents, in particular opt-in for WhatsApp messages in accordance with the WhatsApp Business Messaging Policy);

— respond in a timely manner to their customers' requests for access, correction, and deletion, forwarding the relevant instructions to the Operator where necessary;

— refrain from using the Platform to distribute spam, fraudulent, or otherwise prohibited content.

The Operator processes such data solely on behalf of the Platform user and for the purpose of providing the services described in this Policy.

11. Cookies

The Platform uses cookies and similar technologies to ensure proper service functionality (authentication, persistence of locale and UI settings) and to collect analytical data about usage. You may disable cookies in your browser settings; however, this may affect the functionality of the Platform.

12. Children

The Platform is a B2B service intended for entrepreneurs and legal entities. The Platform is not intended for use by children and does not knowingly collect personal data of minors. If you become aware that the Platform has received a child's data without appropriate consent, please notify us at support@tutum.business.

13. Your Rights

In accordance with the laws of the Kyrgyz Republic and applicable international data-protection standards (in particular, GDPR for users in the EEA/United Kingdom, if any), you have the right to:

— obtain information about your personal data processed by the Operator;

— request correction of inaccurate data;

— request deletion of your personal data;

— restrict or object to processing;

— withdraw your consent to data processing;

— receive a copy of your data in a machine-readable format (portability);

— lodge a complaint with the competent data protection supervisory authority.

To exercise these rights, please send a request to support@tutum.business. We will process your request within 30 (thirty) days. If the request concerns data processed by the Operator as a processor on behalf of a Platform user (merchant), we will forward the request to the relevant controller.

14. Security Incidents

In the event of an incident resulting in a breach of confidentiality, integrity, or availability of personal data, the Operator will notify affected Platform users without undue delay and, where applicable, the relevant supervisory authorities and partner platforms within the timeframes established by them.

15. Policy Changes

We reserve the right to update this Policy. We will notify you of material changes via email or through the Platform at least 14 (fourteen) days before the changes take effect. The current version of the Policy is always available on this page.

16. Contact Information

For questions regarding the processing of personal data, please contact:

SP/IE Changylov Daniyar Saparbekovich

TIN: 20111199501384

Address: Kyrgyz Republic, Bishkek, Pervomaysky district, Orozbekova str., 2/2, apt. 60

Email: support@tutum.business

Phone: +996 708 440 114

Data-subject rights requests and security incidents: support@tutum.business.