Privacy Policy
Last updated: 2026-05-03
Introduction
This Privacy Policy details how the operator of the Tuulus-branded services (“Tuulus”, “us”, “our”, “we”) processes personal information collected through our website at https://www.tuulus.com and our AI-powered application building platform (the “Website” and “Platform” respectively).
Contact: admin@tuulus.com
Tuulus is currently operated by an individual developer; no corporate entity has been formed at the time of this draft. We may update this Privacy Policy from time to time by posting the new version on this page and updating the “Last updated” date.
What Information We Collect
Account information you provide
When you sign up and use the Platform, we collect:
- Email address — required to create and manage your account.
- Password — stored as a salted hash (never in plaintext) by our authentication provider, Supabase.
- Display name + profile picture — when you sign in via Google or GitHub OAuth, the provider shares your name, email, and profile photo (per the scopes you authorize).
Content you create
When you use the Platform to build apps, we collect:
- Prompts and inputs you submit to the AI build models.
- Generated code, files, and applications produced by the Platform on your behalf.
- Story Mode narration audio generated by text-to-speech for your physics simulations.
- Project metadata — titles, descriptions, ratings you give to templates, etc.
Usage and connection details
We collect technical information automatically when you use the Platform:
- IP address (used for rate limiting, abuse prevention, and approximate geolocation).
- Browser type, device type, and operating system.
- Pages visited, features used, and time spent on the Platform.
- Build events and credit usage — recorded in our `usage_events` table for accounting and rate-limiting purposes.
- Error logs — including stack traces and request details when something fails.
Cookies and authentication
We use first-party cookies set by our authentication provider (Supabase) to keep you signed in. These cookies are essential — disabling them will prevent you from signing in to the Platform. We do not use third-party advertising or marketing cookies at this time.
How We Use Your Information
We use the information we collect for the following purposes:
- To provide you with Platform access and support;
- To process your prompts through AI models (Anthropic Claude, OpenAI, Groq) and return generated output;
- To rate-limit usage and enforce credit limits;
- To send you transactional emails (signup confirmation, password reset, magic links);
- To investigate violations and enforce our policies;
- To detect and prevent fraudulent or abusive activity;
- To respond to inquiries you send us;
- To generate anonymized and aggregated analytics that help us improve the Platform;
- To comply with legal obligations or respond to lawful requests from authorities;
- To establish or exercise our legal rights and to defend against legal claims.
Third-Party Service Providers (Subprocessors)
We rely on the following third-party service providers to operate the Platform. Each has its own privacy policy that governs how they handle data shared with them:
| Service | Purpose | Privacy Policy |
|---|---|---|
| Supabase | Authentication, database, file storage | supabase.com/privacy |
| Anthropic | AI build engine (Claude models) | anthropic.com/legal/privacy |
| OpenAI | Text-to-speech for Story Mode and voice chat | openai.com/policies/privacy-policy |
| Groq | Free chat / polish AI calls | groq.com/privacy-policy |
| Cloudflare R2 | Hosted file storage for built apps | cloudflare.com/privacypolicy |
| Resend | Transactional and authentication email delivery | resend.com/legal/privacy-policy |
| Railway | Application hosting | railway.com/legal/privacy |
| Upstash | Redis-based rate limiting | upstash.com/privacy |
| Google / GitHub | OAuth sign-in (only when you choose to use it) | Google · GitHub |
We do not rent or sell your personal information. We only share information with the providers above to operate the Platform, and with auditors, advisers, or potential acquirers of the Platform’s business.
How We Protect Your Information
We implement commercially reasonable technical, administrative, and organizational measures designed to protect your information from loss, misuse, and unauthorized access, disclosure, alteration, or destruction. These measures include encryption in transit (TLS), encryption at rest (via Supabase and Cloudflare R2), authentication via salted-hash passwords or OAuth, row-level security policies on the database, rate limiting, and isolated build sandboxes for AI-generated code.
However, no method of transmission over the Internet or electronic storage is 100% secure or error-free. You should take care in deciding what information you provide to the Platform. Sensitive information protected under special legislation (such as protected health information or payment-card data) should not be shared with the Platform.
International Data Transfers
Because we operate globally, it may be necessary for us (or our subprocessors) to transfer information to countries other than the country in which the information was collected. Our primary infrastructure regions are us-west-1 (Cloudflare R2 + Supabase) and us-west-2 (Anthropic, OpenAI, Groq, Railway). By using the Platform, you acknowledge that your information may be transferred to and processed in the United States and other countries where our subprocessors operate.
Data Retention
We retain the information we collect from you for as long as it is necessary based on the purpose it was collected for, taking into account compliance with legal obligations, dispute resolution, and enforcement of our rights. Account data is retained for the duration of your active account; after deletion, residual copies may persist in backups for up to 30 days before being purged.
Anonymized usage and analytics data may be retained indefinitely. We may rectify, replenish, or remove incomplete or inaccurate information at any time at our discretion.
Your Privacy Rights
Certain jurisdictions provide you with statutory rights regarding your personal information. Subject to applicable exemptions and identity verification, you may have the right to:
- Access the personal information we hold about you;
- Correct personal information that is inaccurate or incomplete;
- Delete your personal information (subject to other legal obligations that may require us to retain it);
- Object to certain processing activities where our lawful basis is legitimate interest;
- Restrict our processing of your personal information;
- Export your personal information in a portable format.
To exercise any of these rights, contact us at admin@tuulus.com. We may ask for additional information to confirm your identity. Note that these rights are not absolute and may be subject to legitimate interests and regulatory requirements.
If you wish to raise a complaint about how we have handled your personal information, please contact us directly. If you are not satisfied with our response, you may file a complaint with the applicable data-protection authority in your jurisdiction.
Children
The Platform is not directed at children under 13 years of age (or under 16 in the European Union). We do not knowingly collect personal information from children below these ages. If you believe a child has provided us with personal information, please contact us at admin@tuulus.com and we will delete it.
Changes to This Privacy Policy
We may update this Privacy Policy from time to time. The most current version will always be posted at /privacy, and the “Last updated” date will reflect when changes took effect. We encourage you to review this page periodically.
Contact
For questions about this Privacy Policy or our privacy practices, contact us at admin@tuulus.com.