Tatoma B.V. Privacy Policy

Last updated: April 2026

Tatoma B.V. ("Tatoma", "we", "us", or "our") is committed to protecting your personal data and respecting your privacy. This privacy policy explains how we collect, use, store, and protect the personal data you provide when using our platform and services.

Who We Are
What Data We Collect
How We Collect Your Data
How We Use Your Data
Legal Basis for Processing
How We Store Your Data
Artificial Intelligence and Automated Processing
Data Sharing and Third Parties
International Data Transfers
Your Data Protection Rights
Cookies
Third-Party Links
Changes to This Policy
Contact Us
Supervisory Authority

Who We Are

Tatoma B.V. is the data controller responsible for your personal data. We provide a multi-tenant SaaS platform that includes client portals, educational resources, AI-powered tools, and team collaboration features.

What Data We Collect

We collect the following categories of personal data:

Account and Identity Data

Full name
Email address
Profile information
Organization/company name

Authentication Data

Single Sign-On (SSO) identifiers (when an integration exists)
Session tokens from our Identity Provider

Usage Data

Pages and features accessed
Actions performed within the platform
Timestamps of activity
Device and browser information
IP address

Content Data

Files you upload to the platform
Documents and pages you create
Team member information you add
Prompts and inputs submitted to AI features
Weekly check-in scores and optional comments submitted through our mobile applications
AI-generated outputs and responses

Technical Data

Browser type and version
Operating system
Referral source
Length of visit and page views

How We Collect Your Data

We collect data through the following methods:

Directly from you when you:

Register for an account or are invited to an organization
Use our platform features
Upload files or create content
Submit prompts to our AI-powered features
Complete forms or surveys
Contact our support team
Subscribe to communications

Automatically when you:

Visit and navigate our platform
Use features that require authentication
Interact with AI-powered tools

From third parties:

Your organization administrator (when inviting you to their workspace)
Authentication providers (WorkOS) for SSO/SAML login
Connected integrations (Notion, Google Drive) when you authorize access

How We Use Your Data

We use your personal data to:

Provide our services

Create and manage your account
Authenticate your access to the platform
Enable organization-based access control
Deliver features across our applications

Process AI features

Analyze and structure prompts you submit
Generate AI-powered responses and suggestions
Improve AI model outputs and accuracy based on usage patterns but not on your data

Improve our services

Analyze usage patterns to enhance user experience
Debug technical issues
Develop new features

Communicate with you

Send service-related notifications
Respond to support requests
Provide updates about your account or our services

Legal and security purposes

Comply with legal obligations
Protect against fraud and unauthorized access
Enforce our terms of service

Legal Basis for Processing

Under GDPR, we process your personal data based on:

Purpose	Legal Basis
Account management and authentication	Contract performance
Providing platform features	Contract performance
AI feature processing	Contract performance / Legitimate interest
Usage analytics	Legitimate interest
Security and fraud prevention	Legitimate interest
Legal compliance	Legal obligation
Marketing communications (if applicable)	Consent

How We Store Your Data

Storage locations

We use separate systems to store different types of data:

Data Type	Storage Provider	Location	Purpose
User identity data	WorkOS	EU/US (with SCCs)	Account credentials, profile information, organization membership, SSO identifiers
Application data	Supabase	European Union	Files, documents, content, team information, platform settings

Security measures

Encryption in transit (TLS/HTTPS)
Encryption at rest for all stored data
Role-based access control
Regular security assessments
Secure authentication via WorkOS (SAML/SSO ready)
Row-level security policies on application data

Retention period

Active accounts: Data is retained for the duration of your account and your organization's subscription
Deleted accounts: Personal data is deleted within 30 days of account closure or deletion request
Backup data: May be retained in encrypted backups for up to 90 days for disaster recovery purposes
Legal requirements: Some data may be retained longer if required by law or for legitimate business purposes (e.g., billing records)

Artificial Intelligence and Automated Processing

Our platform includes AI-powered features that process your data. We are committed to transparency about how these features work.

AI features we offer

Feature	Purpose	Data Processed
Prompt Structuring	Analyze and structure prompts into components (role, context, task, format, tone)	Text prompts you submit
AI Cards	Execute customizable AI workflows	Card inputs, queries, and parameters
Content Generation	Generate suggestions and responses	Your instructions and context provided

How AI processing works

Input: When you use an AI feature, your input (prompts, queries, instructions) is sent to our AI service providers
Processing: The AI model processes your input to generate a response
Output: The generated response is returned to you through our platform
No persistent storage by AI providers: Our AI providers process data in real-time and do not retain your inputs or outputs after processing (see the full list of providers below)

Data usage and model training

Your data is NEVER used for AI model training: Tatoma does not use your prompts, inputs, generated outputs, or any other customer data to train or fine-tune AI models — neither our own models nor those of any third-party provider. This is a firm commitment, not a default that can be changed. We have contractual agreements with all our AI providers ensuring that your data is not used for model training.
No cross-user data sharing: Your AI interactions are completely isolated and are never shared with other users or organizations
No data retention by AI providers: Our AI providers process your data in real-time only and do not retain your inputs or outputs after processing is complete

Aggregated and anonymised data

We may collect and use aggregated, anonymised data to improve our platform and services. This includes:

Feature usage analytics (e.g., which features are most popular, how often they are used)
Performance metrics (e.g., response times, error rates)
General usage patterns (e.g., peak usage times, common workflows)

This data is fully anonymised and cannot be used to identify any individual user or organisation. It is never linked back to your personal data or content. We use this information solely to improve the reliability, performance, and usability of our Services.

AI service providers

Provider	Services	Data Processing Location	Retention
OpenAI	Language model inference	United States	No retention (real-time processing only)
Anthropic	Language model inference	United States	No retention (real-time processing only)
Groq	Language model inference	United States	No retention (real-time processing only)
Mistral	Language model inference and embeddings	European Union	No retention (real-time processing only)
Google (Gemini)	Language model inference	United States	No retention (real-time processing only)
Perplexity	AI-powered research and search	United States	No retention (real-time processing only)
Tavily	AI-powered web search	United States	No retention (real-time processing only)

Your rights regarding AI processing

You have the right to:

Opt out: You can choose not to use AI-powered features
Human review: Request human review of any AI-assisted decisions that significantly affect you
Explanation: Request an explanation of how AI features process your data
Object: Object to automated processing under GDPR Article 22

Limitations and accuracy

AI-generated content:

May contain errors or inaccuracies
Should be reviewed before use in critical applications
Does not constitute professional advice (legal, medical, financial, etc.)
Is provided "as is" without warranties of accuracy or completeness

Data Sharing and Third Parties

We share your data with the following categories of third parties. For a complete list of our current sub-processors, please see our Sub-processors page.

Service providers

Provider	Purpose	Data Shared
WorkOS	Identity management, authentication, and SSO	Email, name, profile data, organization membership
Supabase	Application database hosting	Application data: files, documents, content, settings (encrypted)
Vercel	Application hosting	Technical/usage data, server logs
OpenAI	AI language processing	Prompts and inputs (real-time, no retention)
Anthropic	AI language processing	Prompts and inputs (real-time, no retention)
Groq	AI language processing	Prompts and inputs (real-time, no retention)
Mistral	AI language processing	Prompts and inputs (real-time, no retention)
Google (Gemini)	AI language processing	Prompts and inputs (real-time, no retention)
Perplexity	AI-powered research	Queries and context (real-time, no retention)
Tavily	AI-powered web search	Search queries (real-time, no retention)

Connected integrations (when authorized by you)

Integration	Purpose	Data Shared
Notion	Content import and display	Page content, access tokens
Google Drive	File management	File metadata, access tokens

Mobile applications

Our mobile apps (including The Number) communicate exclusively with Tatoma platform servers. No data is shared with third-party services through our mobile applications. For details, see our Mobile Apps Privacy Policy.

Other disclosures

We may also disclose your data:

To comply with legal obligations or court orders
To protect our rights, privacy, safety, or property
In connection with a merger, acquisition, or sale of assets (with notice to you)

We do not sell your personal data to third parties.

International Data Transfers

Your data may be transferred to and processed in countries outside of the European Economic Area (EEA). When this occurs, we ensure appropriate safeguards are in place:

Standard Contractual Clauses (SCCs) approved by the European Commission
Data processing agreements with all service providers
Verification that recipients maintain adequate data protection standards

Your Data Protection Rights

Under GDPR, you have the following rights:

Right to access

You can request a copy of the personal data we hold about you.

Right to rectification

You can request correction of inaccurate or incomplete data.

Right to erasure ("Right to be forgotten")

You can request deletion of your personal data, subject to legal retention requirements. We offer a self-service "Delete My Account" feature accessible from your Manage Data page. Account deletion includes a 14-day grace period during which you can cancel the request.

Right to restrict processing

You can request that we limit how we use your data in certain circumstances.

Right to object

You can object to processing based on legitimate interests, including profiling.

Right to data portability

You can request your data in a structured, machine-readable format. We offer a self-service "Export My Data" feature accessible from your Manage Data page. This allows you to download all your personal data as a structured ZIP file containing JSON exports organised by category.

Right to withdraw consent

Where processing is based on consent, you can withdraw it at any time.

How to exercise your rights

Self-service options: You can exercise your right to erasure and right to data portability directly from your Manage Data page without needing to contact us.

For all other requests: Contact us using the details below. We will respond within one month of receiving your request.

Cookies

What are cookies?

Cookies are small text files placed on your device to collect standard internet log information and visitor behavior data.

How we use cookies

We use cookies to:

Keep you signed in to your account
Remember your preferences and settings
Understand how you use our platform
Ensure security of your session

Types of cookies we use

Type	Purpose
Essential	Required for authentication and core platform functionality
Functional	Remember your preferences (language, organization selection)
Analytics	Help us understand usage patterns and improve our services

Managing cookies

You can configure your browser to refuse cookies or alert you when cookies are being sent. Note that some platform features may not function properly without essential cookies.

For more information about cookies, visit allaboutcookies.org.

Third-Party Links

Our platform may contain links to external websites or services (e.g., Notion pages, Google Drive files). This privacy policy applies only to our platform. We encourage you to review the privacy policies of any third-party services you access.

Changes to This Policy

We may update this privacy policy from time to time to reflect changes in our practices or legal requirements. We will notify you of significant changes by:

Posting the updated policy on our platform
Updating the "Last updated" date
Sending an email notification for material changes (where appropriate)

Contact Us

If you have questions about this privacy policy or wish to exercise your data protection rights, please contact us:

Email: gdpr@tatoma.eu

Postal Address: Tatoma B.V. Willemstraat 1 5611 HA, Eindhoven The Netherlands

Data Protection Officer (if applicable): Israel Roldán (gdpr@tatoma.eu)

Supervisory Authority

If you are not satisfied with how we handle your personal data or respond to your requests, you have the right to lodge a complaint with a supervisory authority.

For the Netherlands: Autoriteit Persoonsgegevens (Dutch Data Protection Authority) Website: https://autoriteitpersoonsgegevens.nl

For other EU/EEA countries, you may contact your local data protection authority.

This privacy policy is effective as of the "Last updated" date above.