Legal
Privacy Policy
How turmo.dev handles account, contact, and website data.
1. Data Controller
turmo.dev (Turmo.dev), registered at turmo.dev, Norway, reachable at ola@turmo.dev, is the data controller for the processing described in this policy.
If you are located in the UK, the UK entity identified in turmo.dev's applicable terms is your data controller and is registered with the UK Information Commissioner's Office (ICO).
2. What We Collect
- Account data: email address, display name, and authentication tokens when you sign up. Company name, billing address, and VAT number if you are on a paid plan.
- Service data: content, files, prompts, configurations, and any other material you create or upload within turmo.dev's service.
- Usage data: timestamps, feature usage, clickstream events, and error logs necessary to operate, maintain, and improve the service. This does not include the content of your prompts or generated outputs unless you explicitly share it with us for support purposes.
- Billing data: handled by Stripe. We do not store your full payment card details. See Stripe's Privacy Policy.
- Communications: emails you send us, messages through our product interface, and any feedback you provide.
3. How We Use It
We use your data to:
- Provide the service and its core features, including AI processing where applicable.
- Respond to support requests and troubleshoot issues.
- Send transactional emails (receipts, security alerts, account notifications). Marketing emails are opt-in only; we never sell or rent your email list.
- Comply with legal obligations, including tax, accounting, and anti-fraud requirements.
- Detect, investigate, and prevent abuse, fraud, or security incidents.
- Improve our products through aggregated, anonymized analytics.
4. Legal Basis (EEA/UK)
For users in the EEA or UK, we process your data on the following lawful bases under GDPR Art. 6:
- Contract performance (Art. 6(1)(b)): processing necessary to provide the service you signed up for, including account management, AI processing, and billing.
- Legitimate interest (Art. 6(1)(f)): processing for security (fraud detection, access monitoring), service improvement (analytics, error logging), and marketing of our own products (where permitted by applicable law and with a right to opt out).
- Legal obligation (Art. 6(1)(c)): processing required to comply with applicable law, including tax retention, anti-fraud obligations, and government requests where legally required.
- Consent (Art. 6(1)(a)): processing for marketing emails, optional analytics, and any AI model training where you have explicitly opted in.
Where we rely on legitimate interest, we have conducted a balancing test and concluded that our interests are not overridden by your rights and freedoms. You may object to this processing at any time — see Section 9.
5. AI and Automated Processing
5.1 Third-Party AI Model Providers
When you use AI features, your inputs (prompts, uploaded content, files) may be processed by third-party large language model (LLM) providers such as OpenAI, Anthropic, Google, or others ("Model Providers") under their respective terms of service and privacy policies. turmo.dev is not responsible for the data practices of Model Providers.
We recommend reviewing the privacy policies of the Model Providers you use through our service:
- OpenAI: openai.com/privacy
- Anthropic: anthropic.com/privacy
- Google (Gemini): policies.google.com/privacy
5.2 EU AI Act Transparency (Art. 50)
Where turmo.dev uses AI systems that generate synthetic content (including text, images, audio, or video), we will mark outputs as artificially generated in a machine-readable format where technically feasible, in compliance with EU AI Act Art. 50(2). Deployers using our service to generate deepfakes or AI-manipulated content for public interest matters must comply with EU AI Act Art. 50(4) by disclosing that the content is AI-generated.
For artistic, satirical, or creative works, the disclosure obligation is limited to informing you that AI-generated content exists, without impeding the display or enjoyment of the work.
5.3 AI Model Training
turmo.dev does not use your private or personal data to train third-party AI models without your explicit, separate consent. This means we do not share your inputs with Model Providers for the purpose of training or improving their models, unless you have opted in to such use.
Where turmo.dev itself trains any AI models on user data, this will be done only on aggregated, anonymized datasets and you will be notified in advance.
5.4 Hallucination and Accuracy Disclaimer
AI-generated output may be inaccurate, incomplete, or inappropriate. Output may include factual errors, outdated information, or content that does not reflect your intent. You are responsible for reviewing all AI output before relying on it, particularly in contexts where accuracy is critical (legal, medical, financial, or safety-related decisions).
turmo.dev does not guarantee the accuracy, fitness for a particular purpose, or non-infringement of AI output.
6. Sharing and Sub-Processors
We do not sell your data. We share data only with:
- Infrastructure providers: Cloudflare (hosting, CDN, security), Stripe (payments), Resend (email delivery). See each provider's privacy policy for their data practices.
- Analytics providers: currently none active by default. If you enable optional analytics, the relevant provider's privacy policy applies.
- Legal authorities: we may share data where required by law, court order, or binding regulatory request, or where necessary to protect our legal rights or the safety of others.
A current list of our sub-processors (GDPR Art. 28(2)) is available at /sub-processors. This list is updated at least annually and whenever we engage a new sub-processor.
7. International Transfers
Data may be processed in the EU/EEA, the UK, the US, and other jurisdictions where our sub-processors operate. For transfers outside the EEA/UK, we rely on the following legal mechanisms:
- Standard Contractual Clauses (SCCs): 2021/914/EU, Module 2 (Controller-to-Processor) and Module 3 (Processor-to-Processor), as published by the European Commission on 4 June 2021.
- EU-US Data Privacy Framework (DPF): where our US sub-processors are certified under the DPF (adequacy decision of 10 July 2023), transfers to those sub-processors rely on the DPF adequacy finding rather than SCCs.
- UK adequacy: transfers to the UK rely on the UK adequacy regulations unless a specific transfer mechanism is required.
You may request a copy of the relevant SCCs by contacting ola@turmo.dev.
8. Retention
We retain data for the following periods, subject to applicable law:
| Data category | Retention period | Notes |
|---|---|---|
| Account data | Until account deletion + 30 days | Backups excluded from the 30-day deletion window; backups are overwritten on a rolling 30-day cycle. |
| Service data (your content) | While account is active; deleted within 30 days of account deletion | You can request immediate deletion at any time via the in-app deletion feature or by emailing us. |
| Billing records | 7 years from transaction date | Required by Norwegian accounting and tax law (bokføringsloven, årsregnskapsloven). Includes invoices, receipts, and subscription records. |
| Support communications | 3 years from resolution | For dispute resolution and quality purposes. |
| Security logs | 1 year | For fraud detection and security incident investigation. |
| Backups | Rolling 30-day cycle | Encrypted, stored in EU; permanently deleted after 30 days via overwrite. |
We may retain data longer than the above where required by law, regulatory obligation, or ongoing legal proceedings. We will always notify you if a legally required retention period affects your data.
9. Your Rights
You have the following rights under GDPR, subject to applicable limitations:
- Access (Art. 15): request a copy of the personal data we hold about you.
- Rectification (Art. 16): request correction of inaccurate or incomplete data.
- Erasure (Art. 17): request deletion of your data, subject to retention exceptions (see Section 8).
- Portability (Art. 20): receive your data in a structured, commonly used, machine-readable format, or request we transmit it directly to another controller where technically feasible.
- Restriction (Art. 18): request we restrict processing in certain circumstances.
- Objection (Art. 21): object to processing based on legitimate interest or public tasks. We will assess whether our compelling legitimate interest overrides your rights.
- Withdraw consent: where processing is based on consent, you may withdraw at any time without affecting the lawfulness of processing before withdrawal.
To exercise any of these rights, email ola@turmo.dev. We respond within 30 days, which is the deadline under GDPR.
You also have the right to lodge a complaint with your local supervisory authority. For EEA users, you can contact your national Data Protection Authority or the lead authority in the country where turmo.dev's EU representative is established. A full list is available at: https://edpb.europa.eu/about-edpb/about-edpb/members_en. UK users can contact the ICO at ico.org.uk.
10. Automated Decision-Making (GDPR Art. 22)
If turmo.dev makes solely automated decisions that have legal or similarly significant effects on you, you have the right:
- To request human intervention or review of the decision.
- To express your point of view.
- To contest the decision.
This right does not apply where the automated decision is (a) necessary for a contract between you and us (e.g., fraud detection), (b) authorized by EU or national law, or (c) based on your explicit consent.
If you are subject to an automated decision that significantly affects you, contact ola@turmo.dev to exercise your rights.
11. Security
We implement appropriate technical and organizational security measures, including:
- TLS 1.3 encryption for all data in transit.
- AES-256 encryption for data at rest.
- Access controls restricted to authorized personnel on a least-privilege basis.
- Multi-factor authentication required for production system access.
- Regular security audits and penetration testing.
- Vendor security reviews for all sub-processors.
No security measure is absolute; we cannot guarantee 100% security. If you have questions about our security practices, contact ola@turmo.dev. See our Security page for more detail.
12. Data Breach Notification
If we become aware of a personal data breach that is likely to result in a risk to your rights and freedoms, we will notify you without undue delay and at the latest within 72 hours of becoming aware, in accordance with GDPR Art. 33. Where appropriate, we will provide: a description of the nature of the breach, the categories and approximate number of data subjects affected, the categories and approximate number of personal data records affected, our DPO or contact point for further inquiries, and the likely consequences of the breach and measures taken or proposed to address it.
We will also notify the relevant supervisory authority within 72 hours unless the breach is unlikely to result in a risk to individuals' rights.
13. Children
turmo.dev is not directed to children under 16 years of age. We do not knowingly collect data from children. If you believe a child has provided us with personal data, contact ola@turmo.dev and we will promptly delete it.
Note for Norwegian users: under Datatilsynet's guidance, the age of digital consent in Norway is 13 for certain contexts. If you are under 16 (or under 13 for Norwegian-specific services), you should not use this service without verifiable parental consent. We reserve the right to request age verification.
14. Changes to This Policy
We will notify you of material changes to this policy by email or in-product notice at least 30 days before they take effect. Material changes include changes to the legal basis for processing, the categories of data collected, the purposes of processing, or the identities of sub-processors. You may review the current version at any time at https://turmo.dev/privacy.html. Previous versions are available at /privacy/previous.
Continued use of the service after the effective date of a change constitutes acceptance of the updated policy.
15. Contact
For privacy questions, data subject requests, or breach notifications:
turmo.dev
Email: ola@turmo.dev
Address: turmo.dev, Norway
If we are required to have a Data Protection Officer (DPO) under GDPR Art. 37, the DPO's contact details are available at the above email address.
For EEA users, our EU representative (if applicable) is: turmo.dev, c/o ola@turmo.dev