Privacy Policy

What data we process about you, why, who can access it, and your rights. Compliant with GDPR (EU 2016/679).

Effective: 2026-05-01 · Version 2.0 · GDPR Art. 13 and 14

Plain language summary

Data Controller: Signal Core s.r.o., Prague. DPO contact: [email protected].

We collect only the data we need to operate the platform: contact details, invoices, payouts, conversion tracking, tax reports (DAC7). We never sell your data to third parties for advertising.

You have the right to access, rectification, erasure, and to object to processing. You can lodge a complaint with the Czech Office for Personal Data Protection (ÚOOÚ), uoou.gov.cz.

1. Data Controller

Signal Core s.r.o., Rybná 716/24, 110 00 Prague 1, Czech Republic · Reg. No: 24460354 · VAT ID: CZ24460354

Registered: Municipal Court in Prague, section C, file 198765

GDPR queries: [email protected] · general support: [email protected]

2. Data Protection Officer (DPO)

We have appointed a Data Protection Officer responsible for GDPR compliance. The DPO is independent and reports directly to management.

Contact: [email protected] · post: Signal Core s.r.o., for the attention of DPO, Rybná 716/24, Prague 1

3. What data we process

Depending on user type and purpose, we process the following categories:

Identification and contact

  • First and last name (Creator) / company name (Brand)
  • Email address, phone (optional)
  • Address (billing, registered office)
  • Reg. No, VAT ID, bank account number (IBAN, BIC)
  • Tax Identification Number (TIN) for DAC7

Profile data

  • Avatar, bio, social profiles (IG, TikTok, YouTube), follower counts
  • Content categories (lifestyle, gaming, fashion, etc.)
  • References, prior results

Transactional data

  • History of campaigns, conversions, payouts
  • Invoices, tax documents
  • Login logs, IP address, user agent

Tracking and measurement

  • Cookies (functional only by default — see Cookies)
  • Click ID, Conversion ID, fraud score
  • IP geolocation (country, region) — for reporting and anti-fraud, no precise location stored

KYC and tax data

  • ID document (passport / national ID) — via Stripe Identity; we don’t store the image, only verification status
  • Selfie biometrics — kept by Stripe / Sumsub, not by us
  • VAT VIES check log

4. Purposes and legal bases (GDPR Art. 6)

For each category of data we state why we process it and under which clause of GDPR Art. 6:

Purpose                   Legal basis     Example data
Performance of contract   Art. 6(1)(b)    Account, invoicing, payouts
Legal obligation          Art. 6(1)(c)    DAC7, AML, tax reporting
Legitimate interest       Art. 6(1)(f)    Anti-fraud, security logs, analytics
Consent                   Art. 6(1)(a)    Marketing newsletter, non-essential cookies

You may withdraw consent anytime (email, in-app settings) without affecting processing performed before withdrawal.

5. Recipients and processors

We share data with carefully selected processors, all under DPA per GDPR Art. 28:

  • Stripe (Ireland/USA) — payments, KYC; SCC + adequacy for USA
  • Polygon.io (USA) — market data; SCC
  • Cloudflare (USA) — CDN, anti-DDoS; SCC + ENISA
  • DigitalOcean (USA/EU regions) — hosting; SCC, EU servers in Frankfurt
  • Sumsub (UK) — KYC fallback; UK adequacy decision
  • Twilio / SendGrid (USA) — transactional emails; SCC
  • Anthropic (USA) — Claude AI for content analysis (optional, metadata only, no personal data)
  • Accounting firm (CZ) — invoicing, taxes; contractual relationship

The list is public and kept up to date in Settings → Privacy → Subprocessors.

6. International transfers

Some data flows outside the EU/EEA (USA — Stripe, Cloudflare, Polygon, etc.). For each transfer we have:

  • Standard Contractual Clauses (SCC) — version 2021/914
  • Data Privacy Framework (DPF) — for certified partners (Stripe, Cloudflare)
  • Supplementary measures — encryption at rest and in transit (TLS 1.3, AES-256)
  • TIA (Transfer Impact Assessment) — completed for each non-EU transfer

7. Retention periods

Category                    Retention                         Reason
Active account              For account lifetime              Performance of contract
Invoices, accounting data   10 years                          § 31 of CZ Accounting Act
DAC7 reporting data         5 years after last report         International cooperation law
KYC documents               5 years after relationship ends   CZ AML Act 253/2008
Login logs                  12 months                         Security audit
Conversion tracking         3 years                           Statute of limitations for disputes
Marketing consent           Until withdrawn                   Consent

8. Your rights (GDPR Art. 15–22)

You have the right to:

  • Access (Art. 15) — a free copy of your data; export via Settings → Privacy → Download data
  • Rectification (Art. 16) — correct inaccurate data
  • Erasure / Right to be forgotten (Art. 17) — delete data (subject to statutory archival duties)
  • Restriction (Art. 18) — pause processing during a dispute
  • Portability (Art. 20) — export data in structured, machine-readable format (JSON / CSV)
  • Object (Art. 21) — object to processing based on legitimate interest
  • Complaint to supervisory authority — Czech ÚOOÚ, uoou.gov.cz

We respond within 30 days of the request. In complex cases the deadline may be extended by 60 days, and we will notify you of the extension.

9. Automated decision-making and profiling

We use automated decision-making only in a limited scope:

  • Anti-fraud scoring — an algorithm assigns each conversion a fraud score from 0 to 100. A score ≥ 80 means the conversion is automatically not authorised. You may request human review via support.
  • Campaign recommendations — an algorithm matches Creators to campaigns based on audience, niche and anti-fraud score. This has no legal effect, and you can ignore the recommendations.

We do not use automated decision-making with legal effects under Art. 22 GDPR.

10. Children and minors

Tandemio is not intended for children under 18. We verify age at registration via KYC (Creator) or company ID (Brand).

If we detect a minor’s registration, we close the account and delete data immediately. Parents who discover their child uses Tandemio should email [email protected].

11. Security

We implement technical and organisational measures per GDPR Art. 32:

  • Encryption at rest — AES-256 for databases and backups
  • Encryption in transit — TLS 1.3 + HSTS, no fallback
  • Password hashing — Argon2id (memory-hard)
  • 2FA — optional for users, mandatory for admins
  • Rate limiting + WAF — Cloudflare
  • Penetration testing — external audit annually
  • ISO 27001 alignment — uncertified but processes aligned
  • Background checks — for staff with access to production data

12. Breach notification

In case of a data breach:

  • Supervisory authority (CZ ÚOOÚ) within 72 hours of detection (GDPR Art. 33)
  • Affected users without undue delay, where high risk arises (GDPR Art. 34)
  • Notification includes: nature of breach, categories and number affected, likely consequences, measures

Public status: tandemio.app/security (planned).

13. Changes to this Policy

We may amend this Policy. For material changes (new data categories, new recipients) we notify you at least 30 days in advance by email.

The current version is always on this page with effective date. Historical versions are archived.

14. Contact and complaints

DPO: [email protected] · General: [email protected]

Post: Signal Core s.r.o., for the attention of DPO, Rybná 716/24, 110 00 Prague 1

Authority complaint: Czech Office for Personal Data Protection (ÚOOÚ), Pplk. Sochora 27, 170 00 Prague 7, uoou.gov.cz

Notice

This Policy describes our current practice. In case of conflict, the Czech version prevails.