Privacy Policy

1. Introduction

This Privacy Policy explains how Touchly ("Touchly", "we", "us") collects, uses, discloses and protects personal data when you use our website, mobile applications, APIs and related services (the "Service").

2. Who we are

Touchly is operated by Sole Proprietor Oleksii Poliakov, registered in Ukraine, individual taxpayer ID (РНОКПП) 3797501018, registered at 7 Shkilna St., apt. 20, Zaporizhzhia, Zaporizka oblast, Ukraine. Phone: +380 99 967 1973. We act as a data controller for personal data of our website visitors, account holders and other prospects. For personal data of your end-customers that you process through the Service, we act as your processor under the terms of our Data Processing Agreement.

3. Data we collect

Account data: name, email, organization, role, password hash, billing address, tax identifiers.

Usage data: pages visited, features used, IP address, device identifiers, browser type, language, referrer, timestamps.

Customer content: messages, contact lists, segments, templates and campaign data you upload to the Service. Customer content is processed on your behalf and is governed by the DPA.

Communications: emails, support tickets and chat messages you exchange with us.

4. How we use your data

To provide, secure and improve the Service; to authenticate users; to bill subscriptions; to deliver messages through messenger and SMS providers; to send service announcements and (with consent where required) marketing; to comply with law and to detect abuse.

5. Legal bases (EEA / UK)

We rely on (a) performance of a contract — to deliver the Service you signed up for; (b) legitimate interests — to secure, debug and improve the Service and to prevent abuse; (c) consent — for non-essential cookies and electronic marketing where required; and (d) legal obligation — for tax, accounting and compliance with valid legal requests.

6. Sharing and subprocessors

We share data with vetted subprocessors that help us run the Service: AWS (hosting), Resend (transactional email), Google (analytics), Meta (WhatsApp message delivery) and TikTok (TikTok message delivery). The current list — including any future changes — is published at /subprocessors. We do not sell personal data.

7. International transfers

Touchly is operated from Ukraine, which the European Commission has not recognised as providing an adequate level of data protection. Transfers of personal data from the EEA, UK or Brazil to Touchly therefore rely on the European Commission's Standard Contractual Clauses (Module 2: controller-to-processor), the UK International Data Transfer Addendum or equivalent safeguards. Personal data is hosted with AWS in Frankfurt (EEA); some subprocessors (Google, Resend) operate from the United States and EU. We carry out transfer impact assessments where required.

8. Retention

Account profile data is retained for the life of your account. Invoicing and tax-accounting records are retained for up to 10 years as required by Ukrainian law. Customer Content (messages, contact lists and segments you upload) is deleted or returned within 60 days of subscription termination, as set out in the DPA. Backup copies expire on a rolling basis within 35 days, save for cross-region disaster-recovery snapshots which expire within 90 days.

9. Your rights

Subject to your local law (including GDPR, UK GDPR and Brazil's LGPD) you may request access, correction, deletion, portability, restriction of processing, or to object to processing. You may also withdraw consent and lodge a complaint with your supervisory authority. Email [email protected] to exercise these rights.

10. Security

We use TLS in transit, encryption at rest, role-based access control, logged admin actions, secret rotation and periodic vulnerability scans. No method of transmission is 100% secure. We will notify you of personal-data breaches affecting your data without undue delay, and in any event in time to enable us to meet our 72-hour notification obligation under Article 33 GDPR where applicable.

11. Children

The Service is not directed to children under 16. We do not knowingly collect personal data from children. If you believe a child has provided us data, contact [email protected] and we will delete it.

12. Changes to this policy

We may update this policy. Material changes will be announced in-app or by email at least 30 days before they take effect. The "Last updated" date at the top of this page reflects the current version.

13. Contact

Privacy questions and rights requests: [email protected]. Postal address: 7 Shkilna St., apt. 20, Zaporizhzhia, Zaporizka oblast, Ukraine.