Privacy notice

This notice covers personal data we collect through our marketing website at tuinapp.co.uk and tuinapp.com. Last updated 27 May 2026. Effective 27 May 2026.

1. Scope of this notice

This notice describes how Verlox Ltd (trading as TuinApp) processes personal data that you provide to us through our public-facing marketing website at tuinapp.co.uk and tuinapp.com (together, the "Site"). It covers waitlist sign-ups, trial sign-ups, the contact form, server logs, and any other data captured by the Site.

When TuinApp SaaS goes live and you become a paying customer, a separate Data Processing Agreement (DPA) and Customer Privacy Notice will apply to the data your organisation processes through our platform; we act as a processor for that data, not a controller. This notice does not cover that scenario.

2. Who we are (the data controller)

The data controller for personal data collected through the Site is:

Verlox Ltd (trading as TuinApp)

Registered in England and Wales.

Companies House number: 17103731. Registered office is on the public Companies House register at find-and-update.company-information.service.gov.uk/company/17103731.

ICO data-controller registration: ZC108946. Searchable on the ICO public register at ico.org.uk/ESDWebPages/Search.

Data-protection point of contact: [email protected] (use the subject line "Data Subject Request").

We are not currently required to appoint a Data Protection Officer (DPO) under UK GDPR Article 37 because our core processing does not include large-scale monitoring or special-category data. We will appoint a DPO once our platform goes live and the thresholds are reached.

3. What personal data we collect

3.1 Data you give us directly

When you fill in a form on the Site we collect the fields you submit. Specifically:

  • Waitlist form: email address, optionally your name, company, role, company size, country, and which features you are most interested in (HR, scheduling, accounting, ATS, safety, AR, mobile, white-label, reseller).
  • Trial sign-up form: email address, name, company name, optionally phone and company size.
  • Contact form: your name, email address, message, and any context you choose to add (such as topic, company, deadline).
  • Footer newsletter capture: email address only.

We do not request, and we do not knowingly collect, any special-category data (race, ethnicity, health, religion, sexual orientation, trade union membership, biometric or genetic data) or criminal-offence data through the Site. Please do not include such data in free-text fields.

3.2 Data we collect automatically

  • Server logs: your IP address, the page you requested, the date and time, the HTTP status, the user-agent string of your browser, and the page that referred you. These are kept for short-term security and abuse-detection purposes (see retention table).
  • Spam-protection metadata: a SHA-256 hash of your IP address is briefly retained alongside form submissions to rate-limit abusive activity (typically two submissions per ten minutes per IP).
  • Strictly necessary cookies: see the Cookie notice.

We do not run third-party analytics (no Google Analytics, no Hotjar, no Mixpanel) on the Site at this time. We do not place advertising cookies. We do not fingerprint browsers.

4. Why we collect it and our lawful basis

Under UK GDPR every act of processing must have one of the six lawful bases set out in Article 6. The table below maps each processing purpose to its lawful basis.

Purpose | Lawful basis (UK GDPR Art 6)
Reply to your contact-form enquiry | Art 6(1)(b) Contract / pre-contract steps at your request
Set up your free trial when you sign up | Art 6(1)(b) Contract / pre-contract steps
Keep you informed about waitlist progress and launch dates | Art 6(1)(f) Legitimate interest (you opted in by joining the waitlist)
Send occasional product updates and feature announcements | Art 6(1)(a) Consent (you can withdraw at any time)
Detect spam, abuse, fraud, and security threats | Art 6(1)(f) Legitimate interest (operating a secure service)
Meet our legal, tax and accounting obligations | Art 6(1)(c) Legal obligation
Defend or pursue legal claims | Art 6(1)(f) Legitimate interest

Where we rely on legitimate interest, we have performed (and documented) a Legitimate Interests Assessment (LIA). You can request a copy at any time. You have the right to object to processing based on legitimate interest; see section 8.

5. Who we share your data with

We do not sell your personal data. We share it only with the following categories of recipient, and only as needed to provide the Site.

  • Hosting provider: Contabo (Germany, EU). Stores the Site and the encrypted CSV files containing form submissions.
  • Email delivery: Brevo (Sendinblue SA, France, EU). Sends transactional and notification emails on our behalf using authenticated SMTP. Recipient email addresses pass through Brevo systems.
  • DNS, CDN and DDoS protection: Cloudflare (United Kingdom and United States). Routes Site traffic; minimal log data (IP, country, request URL) is processed for caching, rate-limiting and threat detection.
  • Domain registrar and email forwarding: NameSilo / Cloudflare Registrar (United States) for domain registration; aaPanel (China-developed software, deployed on our own EU server) for mailbox forwarders.
  • Professional advisers: legal, accounting and audit firms instructed by us under written confidentiality undertakings.
  • Regulators and law-enforcement: where required by law or in response to a valid legal request.

Each processor listed above operates under a written processing agreement that includes Article 28 obligations (security, sub-processor controls, audits, breach notification, data return / deletion).

6. International transfers

Personal data we collect on the Site is hosted in the European Union by default (Contabo, Germany). Some of our processors operate from the United Kingdom (Cloudflare UK) or transfer limited operational data to the United States (Cloudflare US backbone, NameSilo registrar). The UK has been recognised as adequate by the European Commission, and the EU has been recognised as adequate by the UK Government, so transfers within UK/EU do not require additional safeguards.

Where data is transferred to the United States, the recipient is either:

  • certified under the EU-US and UK-US Data Privacy Framework (DPF), or
  • covered by the UK International Data Transfer Agreement (IDTA) / EU Standard Contractual Clauses (SCCs) plus appropriate supplementary measures (encryption in transit and at rest, contractual restrictions on government access).

7. How long we keep your data

Data | Retention
Waitlist submissions | 24 months from last interaction, or until withdrawal of consent (whichever is sooner)
Trial sign-up forms | 24 months if you do not convert; for converting customers, governed by the customer DPA
Contact-form messages | 12 months after the matter is closed
Newsletter / footer email captures | Until you unsubscribe; reviewed every 24 months for engagement
Server access logs | 30 days, rolling
Hashed IP for spam rate-limiting | 10 minutes
Email-delivery metadata at Brevo | As per Brevo retention (typically 6 months)
Records needed for legal, tax or accounting obligations | 7 years from the end of the relevant accounting period (UK HMRC requirement)

8. Your rights

Under UK GDPR you have the following rights regarding your personal data. To exercise any of them, email us at [email protected] with the subject line "Data Subject Request". We will respond within one month of verifying your identity.

  • Right of access (Art 15): ask for a copy of the personal data we hold about you.
  • Right to rectification (Art 16): correct inaccurate or incomplete data.
  • Right to erasure (Art 17): ask us to delete your data, subject to legal exemptions.
  • Right to restriction (Art 18): ask us to stop processing while a dispute or request is being resolved.
  • Right to data portability (Art 20): receive your data in a machine-readable format (CSV or JSON) and transmit it to another controller.
  • Right to object (Art 21): object to processing based on legitimate interest or for direct marketing.
  • Right to withdraw consent (Art 7(3)): where processing is based on consent, withdraw it at any time. This does not affect the lawfulness of processing before withdrawal.
  • Right not to be subject to automated decisions (Art 22): see section 10.
  • Right to lodge a complaint: with the UK Information Commissioner's Office (ICO) at ico.org.uk/make-a-complaint, or by calling 0303 123 1113. We would appreciate the chance to address your concern directly first.

We provide these rights free of charge. Where a request is manifestly unfounded or excessive (for example repetitive), we may charge a reasonable administrative fee or refuse to act on it, as permitted by Article 12(5).

9. Cookies and tracking

The Site sets only strictly necessary cookies. We do not currently use analytics or advertising cookies. Full details, including names, purposes, durations and opt-out, are on the Cookie notice.

10. Automated decisions and profiling

We do not take any automated decisions that produce legal or similarly significant effects about you based solely on data you submit through the Site (UK GDPR Art 22). Inside the future TuinApp SaaS platform, our AI assistant Carina performs drafting and recommendation tasks, but the final decision is always taken by a human operator; the customer DPA and the Carina AI Use Policy describe this in detail.

11. How we protect your data

  • TLS 1.2+ on every public connection (Let's Encrypt certificates managed via Cloudflare).
  • Form data is stored as CSV files outside the web root, with file-system locks to prevent concurrent corruption, and mode 0640 (group-readable only).
  • Honeypot fields, time-of-submission checks, content-pattern filtering, and per-IP rate limiting (two submissions per ten minutes) protect against spam and abuse.
  • Server access requires an SSH key protected by a passphrase; password authentication is disabled.
  • Cloudflare DDoS protection, bot detection and managed WAF rules are enabled at the edge.
  • Daily off-site backups of the form CSV files (encrypted at rest).
  • Vulnerability disclosure goes to [email protected] (see Security for our disclosure policy).

12. Changes to this notice

We may update this notice from time to time. The "Last updated" date at the top of the page shows when the most recent change took effect. If we make a material change (for example adding a new processor or a new processing purpose) we will notify you by email if we hold your address, or by a banner on the Site.

13. How to contact us

For any privacy question, request, or concern: [email protected]. For security incidents or vulnerability reports: [email protected].

You also have the right to lodge a complaint with the Information Commissioner's Office (ICO), the UK supervisory authority for data protection, at ico.org.uk or by calling 0303 123 1113.

Last updated: 27 May 2026. Effective: 27 May 2026.