Privacy Policy
Version 0.3 - 1 May 2026
This draft explains how Euvyra intends to handle personal data for an adult-only social media platform with EU-region hosting by default, selected international subprocessors, no advertising, and no AI moderation decisions.
Draft status
This document is product copy for the Euvyra prototype and must be reviewed by a qualified lawyer before production use.
It should not be read as a final legal notice, certification, or guarantee of compliance.
Who this policy is for
Euvyra is designed for adults who use the service to create profiles, follow people, publish posts, comment, send messages, submit reports, and manage privacy requests.
The beta uses Supabase-backed accounts while Euvyra remains architected for a future EU-owned migration path. The current product direction is direct-to-consumer, which means Euvyra will usually act as controller for account, content, safety, and platform operations data.
Data we expect to process
- Account data: email address, login identifiers, account status, age-gate confirmation, settings, and deletion state.
- Profile data: display name, handle, avatar, bio, follower state, trust labels, and public profile counters.
- Content data: posts, comments, media previews, likes, replies, messages, reports, moderation records, and appeals.
- Privacy and consent data: cookie choices, consent logs, data export requests, deletion requests, and related audit events.
- Security data: session metadata, rate-limit events, abuse signals, admin audit trail entries, incident records, and backup or retention metadata.
What Euvyra does not plan to do
- No behavioural advertising or sale of personal data.
- No AI moderation decisions in the first production basis.
- No personalised ad tracking cookies.
- No knowingly permitted access by minors.
- No sovereignty claim for the beta infrastructure stack.
Why data is used
- To provide the social platform, user account, profile, feed, messages, and reporting features.
- To keep the service secure, prevent abuse, investigate incidents, and maintain audit trails.
- To handle privacy requests such as export, rectification, restriction, objection, and deletion.
- To support Digital Services Act notice-and-action, statements of reasons, transparency records, and appeals.
- To remember necessary product choices such as cookie preferences and local interface state.
Legal bases to review before production
The expected legal bases are contract for operating the account and platform, consent for optional analytics or product measurement, legitimate interests for safety and abuse prevention, and legal obligation for required moderation, incident, and compliance records.
The final legal basis mapping must be confirmed in a GDPR record of processing activities and, where needed, a DPIA.
EU-region hosting
Euvyra's beta position is EU-region hosting by default, with selected international subprocessors where they are needed for speed, cost, security, or product maturity.
Any future EU-owned migration path, such as Scaleway and Keycloak, remains a technical hardening option rather than a current legal claim.
No sovereignty claim
Euvyra presents the beta as EU-first and GDPR-first. It does not present the current beta vendor stack as a sovereign cloud implementation.
Public materials should stay clear that selected international technology partners may be used until a future EU-owned migration is funded and completed.
Selected international subprocessors
The beta may use providers such as Supabase for Auth and Postgres, Vercel for app hosting, Cloudflare for DNS/CDN/WAF, and Sentry-compatible or job-processing providers if enabled.
These providers must be documented in a subprocessor register before production launch, including purpose, hosting region, transfer mechanism, and whether the provider is active or optional.
Data Processing Agreements
Euvyra should have Data Processing Agreements in place with processors that handle personal data on its behalf.
The DPA review should confirm processor instructions, confidentiality, security measures, subprocessors, audit rights, deletion or return of data, and assistance with data subject requests.
SCCs and transfer safeguards
Where personal data may be accessed from outside the EEA or processed by a non-EEA provider, Euvyra should review Standard Contractual Clauses and any supplementary safeguards before production use.
The final transfer mechanism depends on the chosen vendors, their regions, subprocessors, and contractual terms.
Transfer risk assessment
Euvyra should maintain a transfer risk assessment for selected international subprocessors. This should cover what data is processed, where it is hosted, who may access it, applicable legal safeguards, and any residual risk accepted by the operator.
This draft page records the product requirement only; the final assessment must be completed and approved outside the codebase.
Netherlands-based operations and lawful requests
Euvyra is operated from the Netherlands. Euvyra may respond to valid legal requests from competent authorities, including Dutch courts, police, public prosecutors, EU or EEA regulators, and, where applicable, international law-enforcement requests received through recognised legal channels.
Euvyra reviews requests for legal validity, scope, necessity, and proportionality. Where required by law, Euvyra may preserve, restrict, remove, or disclose limited account or content data to comply with binding legal orders, investigate illegal content, or help prevent imminent harm.
Euvyra does not provide voluntary bulk access, informal user-data sharing, backdoors, or unrestricted access to user accounts. Where legally permitted and safe, Euvyra aims to notify affected users about requests concerning their account.
Retention
- Account profile data: queued for deletion after account deletion confirmation, with a target 30-day review window.
- User content: soft-deleted first, then purged after a target 30-day review window unless needed for safety, disputes, or legal duties.
- Moderation records: target 365-day retention for reports, statements of reasons, decisions, and appeals.
- Security events: target 180-day retention for operational resilience and incident review.
- Final retention periods must be confirmed by legal review and the production data model.
Your privacy controls
The Settings page provides the product surface for cookie choices, data export requests, account deletion requests, and retention visibility.
In production, users should also be able to request export, deletion, access, correction, objection, restriction, and portability where those rights apply.
Contact
Privacy requests should be routed to Euvyra@tuta.com until dedicated role mailboxes and company contact details are approved.
Users may also contact their local EU or EEA data protection authority where applicable.