Privacy Policy

1. Data Controller

The data controller responsible for personal data processed through the CustPortal365 website (custportal365.com) and marketing activities is:

Tutsin Consulting sp. z o.o.
Marszałkowska 107, 00-110 Warsaw, Poland
Email: sales@tutsin.co

For data processed within the CustPortal365 Service on behalf of a business Customer, Tutsin acts as a data processor and the Customer is the data controller. Those processing activities are governed by a separate Data Processing Agreement (DPA).

2. Scope

This Privacy Policy applies to:

Visitors to the custportal365.com marketing website.
Prospects who submit contact or demo-request forms.
Contacts of business Customers who communicate with Tutsin for support or sales purposes.

This Policy does not govern data processed within the deployed CustPortal365 application on behalf of a Customer's own end users. That processing is described in the applicable DPA.

3. Data We Collect

3.1 Data you provide directly

Contact form submissions: name, email address, company name, and message content.
Email correspondence: the content of emails sent to Tutsin and associated metadata.

3.2 Data collected automatically

Usage data: pages visited, time on site, referrer URL, browser type, operating system, and device type — collected via Google Analytics.
IP address: collected automatically by our hosting infrastructure for security and abuse-prevention purposes.
Cookies: see Section 11 for details.

3.3 Data we do not collect

We do not collect payment card data, government-issued identification numbers, biometric data, or special categories of personal data as defined in Article 9 GDPR through this website.

4. How We Use Data

Respond to enquiries: to process and respond to contact form submissions and demo requests.
Sales and marketing: to send relevant information about CustPortal365 to prospects who have expressed interest, where permitted by law.
Service improvement: to analyse website traffic and understand how visitors interact with our site, using aggregated and anonymised analytics.
Security: to detect and prevent fraudulent or abusive activity.
Legal compliance: to comply with applicable legal obligations, including record-keeping requirements.

5. Legal Basis (GDPR)

Under Regulation (EU) 2016/679 (GDPR), we rely on the following legal bases:

Legitimate interests (Article 6(1)(f)): responding to business enquiries, website analytics, and security monitoring. We have assessed that these interests are not overridden by your rights and freedoms.
Consent (Article 6(1)(a)): for marketing communications where required. You may withdraw consent at any time by emailing sales@tutsin.co.
Legal obligation (Article 6(1)(c)): where processing is necessary to comply with Polish or EU law.

6. Data Sharing

We do not sell personal data. We may share data with the following categories of recipients:

Hosting & infrastructure: Microsoft Azure (hosting, email services) — subject to Microsoft's data processing terms.
Analytics: Google LLC (Google Analytics) — data is anonymised/pseudonymised before transmission where possible.
Email tools: email service providers used to manage correspondence.
Professional advisers: lawyers or accountants, under confidentiality obligations, when required.
Law enforcement / regulators: if required to do so by applicable law or a court order.

7. International Transfers

Some of our service providers (including Google Analytics and Microsoft Azure) are based outside the European Economic Area (EEA). Where personal data is transferred to third countries, we ensure appropriate safeguards are in place, including:

Standard Contractual Clauses (SCCs) approved by the European Commission.
Adequacy decisions where applicable.

8. Data Retention

Contact form submissions: retained for up to 3 years from last contact, or until you request deletion.
Analytics data: retained in Google Analytics for 26 months.
Email correspondence: retained for up to 5 years for business record-keeping purposes.
Security logs: retained for up to 12 months.

After the applicable retention period, data is securely deleted or anonymised.

9. Your Rights

As a data subject under GDPR, you have the following rights regarding your personal data:

Access Request a copy of the personal data we hold about you.

Rectification Request correction of inaccurate or incomplete data.

Erasure Request deletion of your data ("right to be forgotten"), subject to legal retention obligations.

Restriction Request that we restrict processing in certain circumstances.

Portability Receive your data in a structured, machine-readable format.

Objection Object to processing based on legitimate interests or for direct marketing.

Withdraw consent Withdraw consent at any time where processing is consent-based.

Lodge a complaint File a complaint with the Polish supervisory authority (UODO) or your local EU DPA.

To exercise any of these rights, email us at sales@tutsin.co. We will respond within 30 days. Identity verification may be required.

The Polish supervisory authority is the Urząd Ochrony Danych Osobowych (UODO), ul. Stawki 2, 00-193 Warsaw — uodo.gov.pl.

10. Security

We implement appropriate technical and organisational measures to protect personal data, including:

HTTPS (TLS 1.2+) for all data in transit.
Access controls and authentication for internal systems.
Regular security reviews and patching.
Incident response procedures for data breaches.

In the event of a personal data breach likely to result in a risk to your rights and freedoms, we will notify the relevant supervisory authority within 72 hours and affected individuals without undue delay, as required by GDPR Article 33–34.

11. Cookies & Analytics

11.1 What we use

The custportal365.com website uses:

Google Analytics (GA4) — to measure website traffic and usage. GA4 uses cookies to distinguish visitors and sessions. Analytics data is aggregated and used to improve the website.
Google Maps — an embedded map in our footer loads resources from Google and may set cookies related to Google's services.

11.2 Cookie types

Analytics cookies (Google Analytics): _ga, _ga_* — expire after 2 years and 13 months respectively.
Google Maps cookies: set by Google when interacting with the embedded map.

11.3 Your choices

You can opt out of Google Analytics tracking by installing the Google Analytics Opt-out Browser Add-on. You can also manage cookies through your browser settings.

We do not use advertising or profiling cookies.

12. Children's Privacy

CustPortal365 is a business-to-business service and is not directed at individuals under 16 years of age. We do not knowingly collect personal data from children. If you believe we have inadvertently collected such data, please contact us immediately.

13. Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices or applicable law. The updated policy will be published at custportal365.com/privacy.html with a revised effective date. For material changes, we will take reasonable steps to inform affected individuals.

14. Contact & DPO

For any privacy-related questions, requests, or concerns, please contact us: