tutti beartutti bear← Back

Privacy Policy

Last updated: 4 May 2026

This Privacy Policy explains how DAT SUPPLY LTD ("we", trading as tutti bear) collects and uses personal data through the tutti bear partner programme available at partners.tuttibear.com. We are the data controller within the meaning of the UK GDPR and the EU GDPR (Regulation (EU) 2016/679).

1. Controller and contact

DAT SUPPLY LTD (company number 16756227, incorporated in England and Wales). Registered office: 128 City Road, London EC1V 2NX, United Kingdom. Contact for any privacy matter: privacy@tuttibear.pt.

2. Data we collect

  • Account: name, email, phone, country, language, profile photo.
  • Partner profile: social handles, audience size, primary platform, content categories, website.
  • Tax/payout: payout method, IBAN/PayPal/Wise reference, country of tax residence.
  • Programme activity: signed contracts, IP address and user agent at the moment of signature, coupon usage, commissions, payouts, shipping deliveries, content deliverables, dispute history.
  • Communications: emails sent through Resend, support tickets, in-app messages.
  • Technical: cookies and similar identifiers (see section 8) and Cloudflare Turnstile bot-protection signals on public forms.

3. Why we use it (legal bases)

  • Performance of contract — running the programme, calculating commissions, processing payouts.
  • Legal obligation — accounting, tax and AML record-keeping (we keep transactional records for at least 7 years).
  • Legitimate interest — fraud prevention, attribution analytics, securing the platform with Cloudflare/Turnstile, improving the product. You can object at any time.
  • Consent — non-essential cookies and any direct marketing newsletter. You can withdraw at any time.

4. Sharing

We share personal data only with processors acting on our behalf, under written contracts:

  • Supabase Inc. — managed Postgres, authentication, file storage.
  • Cloudflare, Inc. — application hosting (Workers), DNS, CDN, Turnstile bot protection.
  • Resend Inc. — transactional email.
  • Sentry — application error monitoring (no payload bodies).
  • Shopify Inc. — order attribution data exchange when you have an active coupon.
  • Our payment partners (bank, Wise, PayPal) for the strict purpose of paying you.

We do not sell personal data and we do not transfer it for advertising purposes. Where a processor is outside the UK/EEA we rely on the Standard Contractual Clauses or the UK IDTA.

5. Retention

  • Active partner account: for as long as the relationship continues.
  • Signed contracts and signature audit (IP, UA, checksum): 10 years from termination.
  • Commission and payout records: 7 years for tax and accounting.
  • Marketing consent records: until withdrawn plus 3 years.
  • Server logs and Sentry events: 90 days.

6. Your rights

Subject to applicable law you have the right to access, rectify, erase, restrict and port your personal data, to object to processing based on legitimate interests, and to withdraw consent without affecting prior processing. You can exercise these rights by emailing privacy@tuttibear.pt. You also have the right to lodge a complaint with the UK ICO (ico.org.uk) or your local supervisory authority — in Portugal, the CNPD (cnpd.pt).

7. Security

We use TLS in transit, AES at rest, row-level security on every database table, JWT authentication, role-based admin access, HMAC-verified webhooks, and Cloudflare Turnstile to protect public forms from automated abuse. Access to production data is limited and audited.

8. Cookies

We use a minimal set of strictly necessary cookies for the session and a Turnstile challenge cookie. Any analytics or marketing cookie is loaded only after you give consent through the cookie banner — you can change your choices at any time from the banner footer link.

9. Changes

When we materially change this policy we will notify active partners by email and show the new effective date here at least 14 days in advance.