GDPR Compliance
Last updated: January 27, 2026
GDPR Compliance Statement
Tuco.ai is committed to compliance with the General Data Protection Regulation (GDPR) (EU) 2016/679. This page explains your rights under GDPR and how we protect and process your personal data in accordance with these regulations.
1. What is GDPR?
The General Data Protection Regulation (GDPR) is a comprehensive data protection law that came into effect on May 25, 2018. It applies to all organizations that process personal data of individuals located in the European Economic Area (EEA), regardless of where the organization is based.
GDPR strengthens data protection rights for individuals and imposes strict obligations on organizations that process personal data. It aims to give individuals more control over their personal data and ensure that organizations handle data responsibly and transparently.
2. Our Role Under GDPR
2.1 Data Controller
Tuco.ai acts as a data controller when we determine the purposes and means of processing your personal data, such as:
- Managing your account and providing our services
- Processing payments and billing
- Communicating with you about our services
- Marketing and promotional activities (with your consent)
- Legal compliance and security
2.2 Data Processor
Tuco.ai acts as a data processor when we process personal data on behalf of our customers (data controllers) in connection with our iMessage automation services. In this capacity, we:
- Process data only as instructed by our customers
- Implement appropriate technical and organizational measures
- Assist customers in fulfilling their GDPR obligations
- Maintain records of processing activities
3. Legal Basis for Processing
Under GDPR, we process your personal data based on one or more of the following legal bases:
3.1 Contractual Necessity
We process your data to fulfill our contract with you, such as providing our services, processing payments, and delivering customer support.
3.2 Legitimate Interests
We process your data for our legitimate business interests, such as improving our services, preventing fraud, ensuring security, and conducting analytics. We always balance our interests against your rights and freedoms.
3.3 Consent
We process your data based on your explicit consent, such as for marketing communications, newsletters, and optional features. You can withdraw consent at any time.
3.4 Legal Obligations
We process your data to comply with legal obligations, such as tax laws, financial regulations, and law enforcement requests.
4. Your Rights Under GDPR
As a data subject under GDPR, you have the following rights:
4.1 Right of Access (Article 15)
You have the right to obtain confirmation as to whether we process your personal data and, if so, access to that data and the following information:
- The purposes of processing
- The categories of personal data concerned
- The recipients or categories of recipients
- The retention period or criteria for determining it
- Your rights regarding the data
- The source of the data (if not collected from you)
How to exercise: Contact us at privacy@tuco.ai or use our data export feature in account settings.
4.2 Right to Rectification (Article 16)
You have the right to have inaccurate personal data corrected and incomplete data completed.
How to exercise: Update your information in account settings or contact us at privacy@tuco.ai.
4.3 Right to Erasure ("Right to be Forgotten") (Article 17)
You have the right to request deletion of your personal data when:
- The data is no longer necessary for the original purpose
- You withdraw consent and there is no other legal basis
- You object to processing and there are no overriding legitimate grounds
- The data has been unlawfully processed
- Deletion is required to comply with legal obligations
How to exercise: See our Data Deletion Instructions page.
4.4 Right to Restrict Processing (Article 18)
You have the right to restrict processing of your personal data in certain circumstances, such as when you contest the accuracy of the data or object to processing.
How to exercise: Contact us at privacy@tuco.ai with your request.
4.5 Right to Data Portability (Article 20)
You have the right to receive your personal data in a structured, commonly used, and machine-readable format and to transmit that data to another controller.
How to exercise: Request a data export from account settings or contact us at privacy@tuco.ai.
4.6 Right to Object (Article 21)
You have the right to object to processing of your personal data based on legitimate interests or for direct marketing purposes.
How to exercise: Unsubscribe from marketing emails using the link in the email or contact us at privacy@tuco.ai.
4.7 Rights Related to Automated Decision-Making (Article 22)
You have the right not to be subject to decisions based solely on automated processing, including profiling, that produce legal or similarly significant effects.
Note: We do not use fully automated decision-making that produces legal or similarly significant effects without human intervention.
5. How to Exercise Your Rights
To exercise any of your GDPR rights, you can:
- Email us: privacy@tuco.ai
- Contact our DPO: dpo@tuco.ai
- Use self-service features: Access your account settings for data export, deletion, and preferences
- Write to us: Tuco.ai, 8 The Green, STE R, Dover, DE 19901, USA, Attn: Data Protection Officer
We will respond to your request within one month (or two months for complex requests). We may ask you to verify your identity before processing your request.
6. Data Processing Principles
We adhere to GDPR's core data processing principles:
- Lawfulness, Fairness, and Transparency: We process data lawfully, fairly, and transparently.
- Purpose Limitation: We collect data for specified, explicit, and legitimate purposes.
- Data Minimization: We only collect data that is necessary for our purposes.
- Accuracy: We keep data accurate and up to date.
- Storage Limitation: We retain data only for as long as necessary.
- Integrity and Confidentiality: We implement appropriate security measures to protect data.
- Accountability: We are responsible for demonstrating compliance with GDPR.
7. Data Security Measures
We implement appropriate technical and organizational measures to protect your personal data, including:
- Encryption: Data is encrypted in transit (TLS/SSL) and at rest (AES-256)
- Access Controls: Role-based access controls and authentication mechanisms
- Regular Audits: Security assessments and vulnerability testing
- Data Backup: Regular backups with secure storage
- Employee Training: Regular training on data protection and security
- Incident Response: Procedures for detecting, reporting, and responding to data breaches
- Secure Infrastructure: Hosting in secure, compliant data centers
8. Data Breach Notification
In the event of a personal data breach that is likely to result in a high risk to your rights and freedoms, we will:
- Notify the relevant supervisory authority within 72 hours of becoming aware of the breach
- Notify affected individuals without undue delay if the breach poses a high risk
- Provide clear information about the nature of the breach, likely consequences, and measures taken
- Document all breaches and our response
9. International Data Transfers
Your personal data may be transferred to and processed in countries outside the EEA. We ensure adequate protection through:
- Standard Contractual Clauses (SCCs): Approved by the European Commission
- Adequacy Decisions: Transfers to countries with adequacy decisions
- Binding Corporate Rules: Where applicable
- Other Safeguards: Additional measures as required by GDPR
You can request information about the specific safeguards we use for international transfers by contacting us.
10. Data Protection Officer (DPO)
We have appointed a Data Protection Officer (DPO) to oversee our GDPR compliance. You can contact our DPO for:
- Questions about our data processing activities
- Exercising your GDPR rights
- Reporting concerns about data protection
- Requesting information about our compliance measures
Data Protection Officer
Email: dpo@tuco.ai
Address: Tuco.ai, 8 The Green, STE R, Dover, DE 19901, USA
Company: Tuco.ai is owned by Foxwell & Pierce Group, Inc., 8 The Green, STE R, Dover, DE 19901, USA, which is owned by Crewcharge Technologies Private Limited.
11. Supervisory Authority
If you are located in the EEA, you have the right to lodge a complaint with your local supervisory authority if you believe we have violated GDPR. You can find your supervisory authority at:
We encourage you to contact us first at privacy@tuco.ai so we can address your concerns.
12. Data Processing Records
As required by GDPR Article 30, we maintain records of our processing activities, including:
- Purposes of processing
- Categories of data subjects and personal data
- Categories of recipients
- Transfers to third countries
- Retention periods
- Security measures
13. Updates to This Page
We may update this GDPR compliance page from time to time to reflect changes in our practices or legal requirements. We will notify you of any material changes by updating the "Last updated" date and, where appropriate, notifying you via email or through our services.
14. Contact Us
For questions, concerns, or requests regarding GDPR compliance, please contact us:
General Privacy Inquiries: privacy@tuco.ai
Data Protection Officer: dpo@tuco.ai
Support: support@tuco.ai
Address: Tuco.ai, 8 The Green, STE R, Dover, DE 19901, USA
Company: Tuco.ai is owned by Foxwell & Pierce Group, Inc., 8 The Green, STE R, Dover, DE 19901, USA, which is owned by Crewcharge Technologies Private Limited.
Response Time: We aim to respond to all GDPR-related requests within 30 days
15. Additional Resources
- Privacy Policy - Our complete privacy policy
- Data Deletion Instructions - How to request data deletion
- Terms of Service - Our terms and conditions
- GDPR.eu - Official GDPR information
- European Commission - Data Protection - Official EU resources