Tutuo.ai Privacy Policy

1. Scope

This Privacy Policy applies to:

• The Tutuo.ai products and related features;
• Our website and related pages (e.g., tutuo.ai);
• Our backend services/APIs and customer support provided for the Product.

This Privacy Policy does not apply to third-party websites/services. When you access third-party services through Tutuo.ai, their privacy policies apply.

2. Our Principles

We process information based on the following principles:

• Data minimization: collect only what is necessary;
• Purpose limitation: use data only for purposes described here and reasonably expected by you;
• Security: apply reasonable technical and organizational safeguards;
• Transparency & control: provide clear settings and choices whenever possible.

3. Information We Collect

Depending on features you use, we may collect the following (we do not collect data for features you do not use):

3.1 Information you provide

• Account information: email (global users) or phone number (China-region users), username, password (stored as a hash), verification codes (for verification only).
• Profile & preferences: avatar (may be stored as a URL), language/timezone, sync/notification/privacy settings.
• Content you create/upload/generate: documents, notes, tags, exports, and communications with support.
• Audio transcription text (if applicable): Certain products (such as Fighting?) use the device microphone for real-time speech transcription. We do not store raw audio; only the transcribed text is processed and temporarily stored for AI analysis and feedback. Transcription text is handled per our data retention policy after sessions end. You are responsible for obtaining informed consent from all participants before using this feature.
• Reading & learning data (if applicable): Certain products (such as YYTR) may collect your reading progress, vocabulary learning records, and learning preferences to provide a personalized learning experience.
• Subscription & billing (if applicable): subscription status, order identifiers, payment time, amount/currency, and invoice/billing details (if provided). We typically do not store full card numbers or payment passwords; payments are processed by third-party payment providers.

3.2 Information collected automatically

• Device & log data (security & reliability): browser/OS type and version, language, timezone, IP address (for anti-abuse and security), error codes, crash stacks, request latency, etc.
• Usage data (product improvement): feature usage frequency, interactions, performance metrics, mostly analyzed in aggregated form.
• Local storage data (stored in your browser): preferences, feature toggles, cache, temporary tokens, etc.

3.3 Sensitive personal information

We generally do not ask you to provide sensitive personal information (e.g., government ID, precise location, financial account passwords). However, content you submit may contain sensitive information. Please be cautious; we only process it to provide the service you requested and apply stricter safeguards where appropriate.

4. How We Use Information

We use information to:

• Provide and maintain core features;
• Account registration/login, verification, and session/device security;
• Cross-device sync and backup (if you enable it);
• Subscription management and billing support (if applicable);
• Security, anti-abuse, troubleshooting, and audits;
• Customer support;
• Analytics and product improvement.

If we need to use information for purposes not described here, we will notify you in advance and obtain consent where required.

5. Storage and Security

5.1 Where and how long we store data

• Location: Our primary infrastructure uses AWS (for example, us-west-2 / US West). Your data may be processed outside your country/region (see Section 9).
• Retention (high-level):
  • Account data and user content: generally for the life of your account; after deletion/account closure, we delete or anonymize within a reasonable period (typically within 30 days, unless required otherwise by law).
  • Billing/financial records: may be retained longer to meet legal/tax requirements.
  • Logs and security records: kept for the shortest period necessary; some compliance/audit logs may be retained longer.

5.2 Security measures

We apply reasonable safeguards, such as:

• Encryption in transit (TLS/HTTPS);
• Access control and least-privilege;
• Infrastructure-level encryption capabilities;
• Monitoring, patching, backups, and recovery processes.

No system is 100% secure. If a security incident occurs, we will take remediation measures and notify you and regulators where required by law.

6. Sharing, Transfers, and Disclosure

We do not sell your personal information. We only share it in the following cases:

6.1 Service providers (processors)

Depending on features you use, we may use:

• Cloud provider: AWS (hosting, storage, avatar/file storage, email delivery such as AWS SES, etc.).
• Payments: Stripe (subscription and payment processing; we typically receive only necessary identifiers/status).
• AI/model providers (when you use AI features): such as OpenAI, Anthropic, etc. (processing only content you submit for AI tasks).
• Analytics (if enabled): such as Snowplow (minimized configuration and with opt-out options).
• Messaging/notifications (as applicable): email delivery for verification/notifications; phone-based verification may involve SMS providers.

We require service providers to process data only as necessary to deliver services and to use reasonable security measures.

6.2 Legal and security reasons

We may disclose information to comply with law/court orders/regulatory requests, to protect rights and safety, or to investigate fraud/abuse/attacks.

6.3 Merger, acquisition, or asset transfer

If a merger/acquisition/asset transfer occurs, we may transfer relevant information. The successor must continue to be bound by this policy; if material changes occur, we will notify you and obtain consent where required.

7. Limits on Human Access to User Content

We do not allow personnel to proactively access your content except when:

• You explicitly request support and consent to access specific data;
• Data is aggregated/anonymized for internal analytics and permitted by law;
• Necessary for security investigations (abuse/attacks);
• Required to comply with law.

8. Your Rights and Choices

Subject to applicable law, you may have rights to:

• Access, correct, and delete your data;
• Export your data;
• Withdraw consent;
• Object to certain processing;
• File complaints.

You can use in-product settings where available, or contact us at privacy@tutuo.ai / support@tutuo.ai.

9. Cross-Border Transfers (if applicable)

If we store/process data outside your country/region, we will:

• Take required compliance steps (e.g., standard contractual clauses, impact assessments);
• Apply reasonable security safeguards;
• Notify/seek consent where required.

10. Children's Privacy

Tutuo.ai is not intended for children under 13 (or other age as required by local law). If we learn we have collected personal information from a minor, we will delete or anonymize it promptly.

11. Third-Party Links and Services

Tutuo.ai may include links/integrations with third-party services (payments, login, AI services). Those third parties process information under their own policies; we recommend reviewing them.

12. Updates to This Policy

We may update this policy from time to time. If changes are material, we will notify you via in-app notice, email, or other reasonable means. Continued use indicates acceptance unless re-consent is required by law.

13. Contact Us

If you have any questions about this Privacy Policy, please contact:

• Operator: Tutuo.ai
• Privacy email: privacy@tutuo.ai
• Support email: support@tutuo.ai
• Contact page: https://tutuo.ai/contact