Privacy Policy
Last updated: 26 April 2026
This Privacy Policy explains how the Operator of TuMCP (see our Legal page) ("we", "us") processes personal data when you visit the website, create an account, use the product, or contact us. It is written to align with the EU General Data Protection Regulation (GDPR). If you are in the UK, similar rights apply under the UK GDPR.
1. Data controller
The controller for personal data processed through TuMCP is the Operator identified on the Legal page. Contact for privacy matters: dtricoma@gmail.com. We have not appointed a Data Protection Officer (DPO); you can exercise your rights at the same address.
2. What we collect
2.1 Account and identity
When you sign up (e.g. via our authentication provider), we may process your name, email address, profile image, identifiers, and session data as needed to operate accounts and maintain security.
2.2 Billing
If you subscribe to a paid plan, our payment processor may process payment method details, transaction records, and billing address. We receive limited billing metadata needed to manage your subscription.
2.3 Integration credentials
To connect third-party services you enable, you provide API keys or OAuth tokens. We store and use them only to perform the integrations you configure, using appropriate technical measures (including encryption where applicable).
2.4 Usage, security, and diagnostics
We process technical data such as IP address, user agent, timestamps, request metadata, error logs, and abuse-prevention signals to run, secure, and improve the Service and to enforce rate limits and quotas.
2.5 Support and contact
If you email us or use the contact form, we process the content of your message and contact details you provide.
3. Purposes and legal bases (GDPR)
We process personal data on the following bases:
- Contract (Art. 6(1)(b) GDPR): providing the Service, authentication, subscription management, and support you request.
- Legitimate interests (Art. 6(1)(f) GDPR): securing the platform (fraud prevention, abuse detection, stability), improving reliability of the Service, internal analytics that does not rely on intrusive profiling, and communicating with you about similar services where permitted. We balance these interests against your rights; you may object to processing based on legitimate interests where GDPR gives you that right by contacting dtricoma@gmail.com, and we will respond in line with applicable law.
- Legal obligation (Art. 6(1)(c) GDPR): compliance with tax, accounting, or lawful requests.
- Consent (Art. 6(1)(a) GDPR): where processing is based on consent (for example preferences you set for cookies or measurement), you may withdraw it at any time via Cookie preferences or your browser.
4. Recipients and processors
We use carefully selected service providers ("processors"), including:
- hosting and infrastructure providers (which may process data in the EU and elsewhere);
- authentication and identity (e.g. Clerk);
- database and backend (e.g. Supabase);
- payment processing (e.g. Dodo Payments or as shown at checkout);
- email delivery if you configure contact or transactional email;
- analytics/measurement (e.g. Google Analytics), subject to the opt-out described in our Cookie Policy.
We enter into data processing terms where required. Third-party products you connect are independent controllers or processors under their own policies.
5. International transfers
Your data may be processed in the European Economic Area (EEA) and in other countries, including the United States, where our subprocessors operate. Where data is transferred outside the EEA/UK, we rely on appropriate safeguards such as Standard Contractual Clauses (SCCs) approved by the European Commission, UK international data transfer agreements where applicable, or adequacy decisions. Further detail is available in subprocessors' privacy documentation (for example Clerk, Supabase, Google, hosting providers).
6. Retention
We retain personal data only as long as necessary for the purposes described:
- Account profile: for the life of your account and a short period afterward for recovery or legal defence where permitted.
- Billing and tax: as required by applicable accounting and tax law (often several years).
- Security and operational logs: for a limited period consistent with investigation of incidents and abuse prevention (typically rolling retention).
- Support emails: long enough to resolve your request and any follow-up, unless a longer retention is justified or required.
You may request deletion subject to legal exceptions—see our Data deletion instructions.
7. Your rights
Where GDPR applies, you may have the rights of access, rectification, erasure, restriction, portability, and objection to processing based on legitimate interests, and the right to withdraw consent. You may lodge a complaint with a supervisory authority; in Spain, the AEPD.
To exercise rights, contact dtricoma@gmail.com. We may need to verify your identity.
Step-by-step instructions for deleting your account and associated data—including paid subscriptions—are on our Data deletion instructions page.
8. Automated decision-making
We do not use automated decision-making that produces legal effects concerning you or similarly significantly affects you in the sense of GDPR Article 22. We do not sell your personal information for monetary consideration.
9. Providing your data
Where processing is necessary to perform a contract or provide the Service (for example, creating an account), failure to provide required information may mean we cannot offer certain features.
10. Cookies and similar technologies
We use cookies, local storage (including for consent preferences), and similar technologies as described in our Cookie Policy. You can manage measurement cookies and opt out via Cookie preferences.
11. Security
We apply technical and organizational measures appropriate to the risk, including encryption, access control, and monitoring. No system is 100% secure; report suspected incidents to dtricoma@gmail.com.
12. Children
The Service is not directed at children under 16. We do not knowingly process their personal data. If you believe we have, contact us and we will delete it.
13. Changes
We may update this policy; the "Last updated" date will change. Material changes will be communicated as required by law.
14. Notice for California and other US residents
Depending on our business activities and thresholds, California privacy laws (CCPA/CPRA) may or may not apply to our processing of personal information. This section describes how we generally handle requests from consumers in the United States and is intended to satisfy typical transparency expectations.
Categories collected (past 12 months, illustrative): identifiers (such as name, email, account IDs); commercial information (subscriptions); internet or network activity (usage metadata); and records you provide when contacting support. Sources: directly from you, automatically when you use the Service, and from subprocessors as described above.
Sale / sharing: we do not sell your personal information for monetary consideration. We do not share personal information for cross-context behavioural advertising in the sense of California law as part of our core Service; Google Analytics and similar measurement technologies are used with our cookie controls and Consent Mode, including an opt-out choice as described in our Cookie Policy.
Your rights (where applicable under state law): you may have the right to know what personal information we collect, to delete or correct certain information, and to opt out of sale or certain sharing—none of which limits lawful processing required to provide the Service. Submit requests by emailing dtricoma@gmail.com. We will verify your request as required by law and respond within the statutory timeframe where the law applies to us.