Privacy Policy

1. Introduction

This Privacy Policy describes how Tuzzle ("we", "us", or "our") collects, uses, stores, and protects your personal information when you use our digital asset management and media delivery platform ("Service"). This policy applies to all users of the Tuzzle website, APIs, Dashboard, and related services.

By using the Service, you consent to the data practices described in this policy. If you do not agree, please do not use the Service. We recommend reviewing this policy periodically for any updates.

2. Information We Collect

Account Information

When you create an account, we collect your name, email address, organisation name (if applicable), and password. If you subscribe to a paid plan, we collect billing information including payment card details (processed and stored by our third-party payment provider) and billing address.

Usage Data

We automatically collect data about how you use the Service, including: API call logs (endpoints accessed, request/response metadata, timestamps), transformation counts and parameters, bandwidth consumption, storage usage, error logs and performance metrics, IP addresses and approximate geolocation (country/region level), browser type, operating system, and device information.

Your Content

When you upload files to Tuzzle, we store and process those files to provide the Service. We may extract and store metadata from your files, including image dimensions, format, colour profile, EXIF data, and file size. If you enable face detection features, we process images through AWS Rekognition to detect face coordinates for gravity-based cropping. We do not perform facial recognition or identity matching.

Communications

We collect information you provide when you contact our support team, submit feedback, or respond to surveys. This may include your name, email, and the content of your communications.

3. How We Use Your Information

We use your information for the following purposes:

Service Delivery: To provide, maintain, and improve the Tuzzle platform, including processing uploads, executing transformations, delivering media via CDN, managing your account, and providing customer support.

Billing and Payments: To process subscriptions, calculate usage-based charges, send invoices, and manage payment disputes.

Communication: To send transactional emails (account verification, password resets, billing receipts, usage alerts), service announcements, and, with your consent, product updates and marketing communications. You can opt out of marketing emails at any time.

Security and Fraud Prevention: To detect and prevent unauthorised access, abuse, and fraudulent activity. This includes monitoring API usage patterns, rate limiting, and investigating suspicious behaviour.

Analytics and Improvement: To analyse usage trends, measure performance, diagnose technical issues, and improve the Service. We use aggregated and anonymised data for these purposes wherever possible.

Legal Compliance: To comply with applicable laws, regulations, and legal processes, and to enforce our Terms of Service.

4. Your Content and Data Processing

When you upload Content to Tuzzle, we act as a data processor on your behalf. You are the data controller for any personal data contained in your Content. We process your Content only as necessary to provide the Service (storage, transformation, caching, and delivery).

We do not access, review, or analyse the content of your files for any purpose other than providing the Service, unless required by law or to investigate a violation of our Terms of Service.

Transformed (derivative) versions of your Content are cached at CDN edge nodes and in our modified storage bucket to improve delivery performance. Cached content is automatically purged based on cache policies or when you explicitly request invalidation.

5. Data Storage and Security

Your original files are stored in Cloudflare R2 object storage. Transformed files are stored in a separate R2 bucket for caching. Both buckets use server-side encryption at rest.

We implement industry-standard security measures to protect your data, including: encryption in transit (TLS 1.2+) for all API and CDN requests, encryption at rest for stored files and database records, role-based access controls within the Tuzzle infrastructure, regular security audits and vulnerability assessments, and isolated Space environments to prevent cross-tenant data access.

While we take reasonable precautions to protect your data, no method of electronic storage or transmission is 100% secure. We cannot guarantee absolute security.

6. Data Sharing and Disclosure

We do not sell your personal data to third parties. We share data only in the following circumstances:

Service Providers: We use third-party services to operate the platform, including Cloudflare (storage and CDN infrastructure), AWS (face detection via Rekognition), and payment processors. These providers process data on our behalf under contractual obligations to protect your data.

Legal Requirements: We may disclose your information if required by law, regulation, legal process, or government request. We will notify you of such requests unless prohibited by law.

Business Transfers: In the event of a merger, acquisition, or sale of assets, your data may be transferred as part of the transaction. We will notify you of any such transfer and any changes to this Privacy Policy.

With Your Consent: We may share your information with third parties when you explicitly consent to such sharing.

7. Cookies and Tracking

We use essential cookies that are strictly necessary for the Service to function, including authentication session cookies and CSRF protection tokens. These cookies cannot be disabled as the Service requires them.

We do not use advertising cookies, social media tracking pixels, or third-party behavioural tracking. We do not participate in cross-site tracking or ad networks.

We may use privacy-respecting analytics (without personal identifiers) to understand aggregate usage patterns. This data cannot be used to identify individual users.

8. Data Retention

We retain your account information for as long as your account is active. If you close your account, we will delete your personal data and Content within 30 days, except where we are required by law to retain certain records (such as billing records for tax purposes, typically retained for 7 years).

Usage logs and analytics data are retained in anonymised form for up to 24 months for service improvement purposes. API access logs containing IP addresses are retained for 90 days for security monitoring.

Cached transformations at CDN edge nodes are automatically purged based on cache TTL settings. You can request immediate cache invalidation through the Dashboard or API.

9. Your Rights

Depending on your jurisdiction, you may have the following rights regarding your personal data:

Access: You can request a copy of the personal data we hold about you. Most account and usage data is accessible through the Dashboard.

Correction: You can update your account information through the Dashboard or by contacting support.

Deletion: You can delete your account and all associated data at any time. You can also delete individual files, Spaces, or API keys through the Dashboard or API.

Data Portability: You can export your files and account data at any time through the API or Dashboard.

Objection: You can object to certain processing activities, such as marketing communications, by updating your notification preferences or contacting us.

Restriction: You can request that we restrict processing of your data in certain circumstances while we verify your concerns.

To exercise any of these rights, contact us at [email protected]. We will respond within 30 days.

10. International Data Transfers

Tuzzle operates globally, and your data may be processed in countries other than your own. Our CDN delivers content from edge nodes worldwide. We ensure that international data transfers comply with applicable data protection laws through appropriate safeguards, including standard contractual clauses where required.

By using the Service, you acknowledge that your data may be transferred to and processed in jurisdictions that may have different data protection standards than your home jurisdiction.

11. Children's Privacy

The Service is not directed to children under the age of 16. We do not knowingly collect personal data from children. If you believe that a child has provided us with personal data, please contact us at [email protected] and we will delete that data promptly.

12. Specific Regional Provisions

Nigeria (NDPR): If you are a Nigerian resident, your data is processed in accordance with the Nigeria Data Protection Regulation (NDPR). You have the right to access, rectify, and delete your personal data, and to lodge a complaint with the Nigeria Data Protection Commission (NDPC).

European Economic Area (GDPR): If you are in the EEA, our legal bases for processing are: contractual necessity (to provide the Service), legitimate interests (security, fraud prevention, service improvement), consent (marketing communications), and legal obligation (compliance with laws). You have the right to lodge a complaint with your local supervisory authority.

California (CCPA): If you are a California resident, you have the right to know what personal information we collect and how we use it, to request deletion, and to opt out of the sale of personal information. We do not sell personal information. To exercise your rights, contact [email protected].

13. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of material changes at least 30 days in advance via email or an in-app notification. Non-material changes (such as clarifications) may take effect immediately upon posting.

The "Last updated" date at the top of this page indicates when the policy was most recently revised. We encourage you to review this policy periodically.

14. Contact Us

For privacy-related questions, data access requests, or concerns about how we handle your data, contact our privacy team at [email protected].

For general support enquiries, contact [email protected] or visit our contact page. For security vulnerabilities, contact [email protected].