This Privacy Policy describes how TekToro Digital Solutions Ltd. (“TekToro,” “we,” “us,” or “our”) collects, uses, processes, stores, and protects information in connection with your access to and use of the TekToro Enterprise Management System platform (“EMS Platform” or “Platform”). This Policy applies to all customers, authorized users, and any party whose data is processed through the Platform.
By accessing or using the EMS Platform, you acknowledge that you have read, understood, and agree to the practices described in this Privacy Policy. If you do not agree, you must discontinue use of the Platform immediately.
1. Scope and Definitions
This Privacy Policy applies to:
- The TekToro EMS Platform, accessible at ems.tektoro.app and any related subdomains;
- All modules of the Platform, including the Core Platform, Financial Portal, and AI Enterprise Suite;
- All data submitted to, generated within, or processed through the Platform by customer organizations and their authorized users.
For purposes of this Policy:
- “Customer” means any organization that has executed a Master Application Agreement (MAA) or Order Form with TekToro for access to the Platform.
- “Customer Data” means all data, content, and materials submitted to or generated within the Platform by or on behalf of the Customer.
- “User” or “Authorized User” means any individual granted access to the Platform by a Customer administrator.
- “Personal Information” means any information that identifies or could reasonably identify a natural person.
2. Information We Collect
2.1 Information You Provide Directly
TekToro collects information that Customers and Users provide when setting up and using the Platform, including:
- Account registration details: organization name, administrator name, business email address, and billing information;
- User profile data: name, work email address, job title, role, and system access credentials;
- Customer Data entered into the Platform: project records, client information, financial records, invoices, contracts, time logs, HR records, and other operational data;
- Support and communication data: information provided when contacting TekToro for technical support, account management, or other inquiries.
2.2 Information Collected Automatically
When the Platform is accessed or used, TekToro and its service providers may automatically collect:
- Log data: IP addresses, browser type, operating system, access timestamps, session duration, and pages or features accessed;
- Device data: device identifiers, screen resolution, and connection type;
- Usage data: feature utilization patterns, workflow interactions, and system performance metrics;
- Cookies and similar technologies: session tokens, preference cookies, and security identifiers necessary for Platform operation.
2.3 Information from Third Parties
Where Customers configure integrations with third-party systems (such as ERP platforms, identity providers via SSO/SCIM, or payment gateways), TekToro may receive data transmitted through those integrations as necessary to provide the contracted services.
3. How We Use Information
TekToro uses collected information for the following purposes:
3.1 Service Delivery
- Platform Operation: To provision, maintain, and operate the EMS Platform and all licensed modules;
- User Authentication: To verify identity and manage Role-Based Access Control (RBAC) permissions across all user tiers (Full, Light, Client);
- Integration Enablement: To facilitate connections with authorized third-party systems as configured by the Customer administrator.
3.2 Security and Compliance
- Security Monitoring: To detect, prevent, and respond to unauthorized access, malicious activity, and platform vulnerabilities;
- Audit Logging: To maintain timestamped records of user actions for compliance, governance, and forensic purposes;
- Legal Compliance: To fulfill legal obligations, respond to lawful requests from regulatory or governmental authorities, and enforce our agreements.
3.3 Platform Improvement
- Performance Optimization: Aggregated and anonymized usage data is used to monitor system performance, identify bottlenecks, and improve reliability;
- Product Development: De-identified feature utilization data informs TekToro's product roadmap. Customer Data is never used for this purpose.
3.4 Communications
- Service Notices: To send transactional and operational notifications, including downtime alerts, security advisories, and billing notices;
- Customer Success: To provide onboarding support, training resources, and account management services as applicable to the Customer's subscription.
4. Customer Data Ownership and Control
TekToro operates on a strict data custody model. The following principles govern all Customer Data:
- Exclusive Ownership: The Customer retains full and exclusive ownership of all Customer Data at all times. TekToro does not claim any ownership interest in Customer Data.
- Restricted Access: TekToro personnel will only access Customer Data where strictly necessary to: (a) provide contracted technical support; (b) ensure platform security and integrity; or (c) comply with a valid legal order. TekToro will notify the Customer of any such access unless prohibited by law.
- No Unauthorized Use: TekToro will not use Customer Data for any purpose other than delivering the Platform services as described in the applicable agreement.
- Data Portability: Upon termination or expiration of the service agreement, TekToro will provide the Customer with a structured, machine-readable export of all Customer Data. Following a defined transition period, Customer Data will be securely deleted from TekToro systems.
5. AI Features and Data Governance
The TekToro AI Enterprise Suite (optional module) provides policy-aware intelligence capabilities. The following governance framework applies to all AI features:
5.1 Zero-Training Guarantee
TekToro does not use Customer Data, including financial records, client identities, project data, or any other proprietary Customer information, to train, fine-tune, or improve foundational AI models or any model used by other Customers. Each Customer's AI environment is isolated and scoped exclusively to that Customer's private data environment.
5.2 Human-in-the-Loop (HITL)
All AI-generated outputs within the Platform are advisory in nature. No AI output automatically triggers a financial transaction, high-impact project action, or system configuration change without explicit authorization from an authorized Full Seat holder.
5.3 RBAC Enforcement
The AI layer fully respects all Role-Based Access Control permissions configured by the Customer administrator. Users cannot query the AI for data or insights beyond their authorized access scope.
5.4 Explainability and Audit Trails
All AI-generated insights include an auditable rationale summary and are recorded in the Platform's audit log to support full traceability and governance review.
6. Data Sharing and Disclosure
TekToro does not sell, rent, or trade Customer Data or Personal Information to third parties. Disclosure occurs only in the following limited circumstances:
- Subprocessors: TekToro engages carefully vetted subprocessors (cloud infrastructure providers, monitoring services) to deliver the Platform. All subprocessors are bound by data protection obligations consistent with this Policy. A list of current subprocessors is available upon request.
- Professional Services Partners: Where implementation or integration services require third-party involvement, any engagement is governed by a formal Statement of Work and confidentiality obligations.
- Legal Requirements: TekToro may disclose information where required by applicable law, court order, or regulatory authority. TekToro will provide reasonable notice to affected Customers unless legally prohibited from doing so.
- Business Transfers: In the event of a merger, acquisition, or sale of substantially all assets, Customer Data may be transferred to the successor entity subject to the same data protection obligations as this Policy.
7. Data Security
TekToro implements administrative, technical, and physical safeguards designed to protect Customer Data and Personal Information against unauthorized access, disclosure, alteration, or destruction. Key measures include:
- Enterprise-grade encryption in transit (TLS 1.2+) and at rest (AES-256);
- Multi-Factor Authentication (MFA) enforced for all administrative and Full Seat access;
- Role-Based Access Control (RBAC) limiting data access to authorized users only;
- SCIM-based automated user provisioning and deprovisioning;
- Continuous security monitoring, vulnerability scanning, and annual penetration testing;
- Incident response procedures with defined notification timelines.
While TekToro employs industry-standard security controls, no system is entirely immune to risk. TekToro will promptly notify affected Customers of any confirmed data breach affecting their Customer Data in accordance with applicable legal requirements.
8. Data Retention
TekToro retains Customer Data for the duration of the active subscription term. Upon termination:
- Customer Data export is made available within thirty (30) days of the termination request;
- Customer Data is purged from production systems within sixty (60) days following the termination date;
- Backup copies are deleted in accordance with TekToro's standard backup rotation schedule, not to exceed ninety (90) days following production deletion;
- Aggregated, anonymized operational data (e.g., system latency records) may be retained indefinitely as it does not identify the Customer or any individual user.
9. International Data Transfers
The EMS Platform is hosted in the geographic region selected by the Customer at onboarding. TekToro's registered offices are in the Cayman Islands. If Customer Data is transferred across international borders for purposes of technical support or infrastructure resilience, TekToro ensures appropriate legal mechanisms are in place, such as contractual data transfer agreements, consistent with the requirements of applicable data protection laws.
10. Cookies and Tracking Technologies
The Platform uses cookies and similar session technologies strictly for operational purposes, including:
- Authentication cookies: Maintain secure session state and user identity between page loads;
- Preference cookies: Store user interface preferences to improve usability;
- Security tokens: Prevent cross-site request forgery and other session-based attacks.
TekToro does not use advertising cookies or behavioral tracking cookies. The Platform does not serve third-party advertising.
11. Data Subject Rights
To the extent applicable under relevant data protection laws, Authorized Users and other natural persons whose Personal Information is processed through the Platform may have rights including:
- The right to access copies of Personal Information held about them;
- The right to request correction of inaccurate Personal Information;
- The right to request deletion of Personal Information, subject to applicable legal obligations;
- The right to object to or restrict certain processing activities;
- The right to data portability.
Requests relating to Personal Information held in Customer Data should be directed to the relevant Customer administrator, as TekToro acts as a processor of that data on the Customer's behalf. All other privacy inquiries may be directed to TekToro using the contact information below.
12. Changes to This Privacy Policy
TekToro reserves the right to update this Privacy Policy periodically. In the event of material changes, TekToro will provide Customers with not less than thirty (30) days' prior written notice via the email address on file for the Customer's account. Continued use of the Platform following the effective date of the updated Policy constitutes acceptance of the changes.
13. Contact Information
For privacy-related inquiries, data subject requests, or to report a security concern, please contact:
TekToro Digital Solutions Ltd.
Attn: Data Privacy Officer
89 Nexus Way, Camana Bay
Grand Cayman KY1-9009, Cayman Islands
Email: info@tektoro.com
Platform: ems.tektoro.app