Privacy Policy
Last updated: December 23, 2025
Cuti-E ("we", "our", or "us") is committed to protecting your privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our character-driven feedback platform.
1. Information We Collect
1.1 Information You Provide
- Account Information: When you create an account, we collect your email address and password (securely hashed).
- Feedback Content: Messages, text, and attachments (images, screenshots) submitted through the feedback system.
- App Configuration: App names, mascot images, and branding settings you configure.
1.2 Automatically Collected Information
- Device Identifier: A unique, anonymous device ID to track conversation threads. This is NOT your Apple IDFA or Google Advertising ID.
- App Information: App version, platform (iOS/Android), and device type for context.
- Usage Data: Timestamps of interactions, conversation status, and response times.
1.3 Information We Do NOT Collect
- Personal names (unless voluntarily provided in feedback)
- Phone numbers
- Location data
- Contacts or address book
- Advertising identifiers
- Browsing history outside our service
2. How We Use Your Information
We use the collected information for:
- Service Delivery: Processing feedback, enabling conversations between users and app developers.
- Service Improvement: Analyzing usage patterns to improve our platform.
- Communication: Sending service-related notifications and updates.
- Security: Detecting and preventing fraud, abuse, and security threats.
- Legal Compliance: Meeting legal obligations and responding to lawful requests.
3. Data Retention
We retain your data for the following periods:
| Data Type | Retention Period | Justification |
|---|---|---|
| Active conversations | While account is active | Service delivery |
| Deleted conversations | 30 days | Recovery window |
| Audit logs | 2 years | Security and compliance |
| Analytics data | 1 year | Service improvement |
| Account after deletion | 30 days | Grace period for recovery |
| Attachments | Same as parent conversation | Tied to conversation lifecycle |
4. Your Rights (GDPR)
Under the General Data Protection Regulation (GDPR) and similar laws, you have the following rights:
- Right to Access: Request a copy of all personal data we hold about you.
- Right to Rectification: Request correction of inaccurate personal data.
- Right to Erasure: Request deletion of your personal data ("right to be forgotten").
- Right to Data Portability: Receive your data in a structured, machine-readable format.
- Right to Object: Object to processing of your personal data.
- Right to Withdraw Consent: Withdraw consent at any time where processing is based on consent.
To exercise your rights: Contact us at [email protected]. We will respond within 30 days as required by GDPR.
5. Data Security
We implement appropriate technical and organizational measures to protect your data:
- Encryption: AES-256-GCM encryption for sensitive data at rest.
- Transport Security: TLS 1.3 for all data in transit.
- Access Controls: Role-based access with audit logging.
- Multi-Tenant Isolation: Strict data separation between customers.
- Regular Security Reviews: Periodic security assessments and updates.
6. Data Processors (Sub-processors)
We use the following third-party services to process your data:
| Service | Purpose | Location |
|---|---|---|
| Cloudflare Workers | Application hosting and API | Global (edge network) |
| Cloudflare R2 | File storage (attachments) | EU/US regions |
| Cloudflare D1 | Database storage | EU/US regions |
| Apple Push Notification Service | iOS push notifications | United States |
7. International Data Transfers
Your data may be transferred to and processed in countries outside your country of residence. We ensure appropriate safeguards are in place, including:
- Standard Contractual Clauses (SCCs) approved by the European Commission
- Data Processing Agreements with all sub-processors
- Cloudflare's participation in approved data transfer frameworks
8. Children's Privacy
Cuti-E is not directed at children under 13 (or 16 in the EU). We do not knowingly collect personal information from children. If you believe we have collected data from a child, please contact us immediately.
9. Cookies and Tracking
Our website uses minimal cookies:
- Essential Cookies: Required for authentication and security (session management).
- Analytics: We do not currently use third-party analytics cookies on our website.
The mobile SDKs do not use cookies.
10. Changes to This Policy
We may update this Privacy Policy from time to time. We will notify you of significant changes by:
- Posting the new policy on this page with an updated date
- Sending an email notification for material changes (if you have an account)
11. Contact Us
For privacy-related inquiries or to exercise your data rights:
Data Controller:
Invotek AS
Org.nr: 931 930 354
Postboks 1 Bjørndal
1214 Oslo, Norway
Email: [email protected]
12. Legal Basis for Processing (GDPR)
We process your personal data based on the following legal grounds:
- Contract Performance: Processing necessary to provide the feedback service you requested.
- Legitimate Interests: Service improvement, security, and fraud prevention.
- Legal Obligation: Compliance with applicable laws and regulations.
- Consent: Where you have given specific consent for optional features.