Some links on this page are affiliate links. If you buy, we may earn a commission — at no extra cost to you.
Home / Legal / GDPR

GDPR — your rights and how to use them.

Specific to readers in the EU and EEA. Lists the lawful basis behind every data category we process, names every sub-processor, and gives you a one-form way to file an Art. 15–22 request. 30-day response window — usually faster.

tuto.digital · Editorial Effective April 22, 2026 ~8 min read 0 open DSRs · last 30d
Regulation · EU 2016/679

General Data Protection Regulation

This page is the operational record we keep to comply with the GDPR — written for you to read, not for an auditor. Every claim links back to the Article number that backs it up.

Compliant · audited Apr 2026 Controller · TR & EU rep · DE DPO: Selin Aydın Last review: April 22, 2026

If you live in the EU, EEA, UK or Switzerland, the rules below are the floor — not the ceiling. We extend the same controls to every reader globally because operating two policies is harder than just running on GDPR for everyone.

01 — ScopeWho this applies to

GDPR applies whenever a "data subject" (you) is in the EU/EEA at the time of processing, regardless of where the data controller (us) is based. We are based in Türkiye, with a designated representative in the EU as required by Art. 27:

  • Data controller — tuto.digital, Istanbul, TR. Determines the purposes and means of processing.
  • EU representative — DataRep, Berlin, Germany. Acts as a point of contact for EU supervisory authorities and data subjects.
  • Data Protection Officer — Selin Aydın (not legally required at our scale, appointed voluntarily).

If you live outside the EU/EEA, you still have all the rights below — we apply them globally — but your local law (e.g. CCPA in California, KVKK in Türkiye, UK GDPR) governs the legal interpretation.

02 — RightsYour eight rights, with one-click actions

The GDPR grants every EU data subject these specific rights. Each card below shows the relevant Article and how to exercise it on tuto.digital — usually in under a minute.

Article 13–14 · Right to be informed Know what we collect.

We must tell you, in plain language, what data we collect, why, and on what lawful basis. That's what this page (and our Privacy Policy) is for.

ActionRead the policy →
Article 15 · Right of access Request a copy.

Ask for a full export of the personal data we hold about you, in a structured machine-readable format. Delivered as JSON + CSV, within 30 days.

SLA · 30 daysFile a request →
Article 16 · Right to rectification Fix what's wrong.

If we hold inaccurate data about you — wrong email, misspelled name on a newsletter — tell us and we correct it without delay.

SLA · 7 daysFile a request →
Article 17 · Right to erasure Delete everything.

"The right to be forgotten." We delete all personal data and confirm in writing — except where retention is legally required (e.g. tax records for affiliate payouts).

SLA · 30 daysFile a request →
Article 18 · Right to restrict processing Pause processing.

Keep the data on file but stop processing it while a dispute or correction is resolved. Common after a rectification request that we're still reviewing.

SLA · 7 daysFile a request →
Article 20 · Right to data portability Take it elsewhere.

Receive your data in a structured, commonly-used, machine-readable format (JSON) and transmit it to another controller. Useful if migrating from our newsletter to another.

SLA · 30 daysFile a request →
Article 21 · Right to object Object to processing.

Object to processing based on legitimate interest (e.g. affiliate attribution, analytics). We stop unless we can demonstrate compelling grounds that override your interests.

SLA · immediateFile a request →
Article 22 · Automated decisions No profiling.

You have the right not to be subject to a decision based solely on automated processing. We don't run profiling or automated decisions, so this is structurally guaranteed — confirmed in writing on request.

SLA · n/a · structuralConfirm →

03 — Art. 6Lawful basis matrix

Under Art. 6 GDPR, every act of processing must rest on one of six legal bases. Here's the full mapping — what we collect, why, and which Art. 6 paragraph authorizes it:

Data category & purpose Lawful basis Retention Opt-out?
Server logs · IP, UA, referrerSecurity, fraud prevention, debugging
Art. 6(1)(f)Legitimate interest
IP anonymized after 30d · full delete at 12m
No
Analytics · GA4Aggregate page views, session, country
Art. 6(1)(a)Consent
14 months · GA default
Yes
Affiliate click attributionAnonymized click ID, merchant, timestamp
Art. 6(1)(a)Consent
90 days post-conversion
Yes
Newsletter subscriptionEmail, opt-in timestamp, IP at signup
Art. 6(1)(a)Consent
Until unsubscribe
Yes
Contact form messagesEmail, optional name, message content
Art. 6(1)(b)Contract / pre-contract
24 months after last reply
No
Affiliate payout recordsTax-required transaction records
Art. 6(1)(c)Legal obligation
10 years · TR tax law
No

04 — Art. 28Sub-processors registry

A complete list of third parties that process personal data on our behalf, under a written Data Processing Agreement (DPA). We update this list 30 days before any addition.

Processor Purpose Location Transfer safeguard
HostingerWeb hosting
Site infrastructure, server logs
Lithuania · EU
EU-based
CloudflareCDN, DDoS, WAF
Traffic routing, security
United States
EU–US DPF
GoogleAnalytics 4
Aggregate site analytics
United States
EU–US DPF
MailchimpNewsletter ESP
Newsletter delivery (consent-only)
United States
EU–US DPF
Impact / ShareASale / CJAffiliate networks
Anonymized click attribution
United States
SCCs (2021)
DataRepArt. 27 EU representative
EU supervisory authority liaison
Berlin · Germany
EU-based

05 — Ch. VInternational transfers

Some of our processors operate outside the EU. Chapter V GDPR (Art. 44–49) requires us to apply specific safeguards. Here's how data physically flows:

EU
Data subject
You EU/EEA resident · browses tuto.digital
HTTPS
LT
Primary storage
Hostinger Kaunas, Lithuania · EU jurisdiction · no transfer
DPF / SCC
US
Processors
Google · Mailchimp Adequacy via EU–US Data Privacy Framework (Jul 2023)
Safeguards used: EU–US Data Privacy Framework (Commission Decision 2023/1795) for Google, Cloudflare, Mailchimp. Standard Contractual Clauses (2021/914 module 2) for affiliate networks not yet DPF-certified. No transfers to countries without an adequacy decision or supplementary safeguards.

06 — Art. 33 / 34If something goes wrong: breach policy

A "personal data breach" is any incident that leads to accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to personal data. Our internal runbook follows the GDPR timing precisely:

T+0h
Detection

Monitoring or human report triggers the runbook. On-call DPO is paged within 15 minutes.

T+0–24h
Containment & assessment

Affected systems isolated. Scope, categories of subjects, and likely impact are documented.

T+72h max
Authority notified

If risk to rights & freedoms is more than minimal, we file with the lead supervisory authority (Art. 33).

T+72h+
You are notified

If risk is high, every affected data subject is contacted directly, in plain language, with steps to take (Art. 34).

07 — ActionFile a Data Subject Request

This form goes to dpo@tuto.digital — a real human inbox monitored daily. We acknowledge within 48 hours and respond fully within the SLA for the request type. Free of charge unless requests are "manifestly unfounded or excessive" (we have never invoked this clause).

Data Subject Request

One form for all eight rights. We verify identity by replying to the address you provide — no ID upload required for basic requests.

Maximum response time
30 days
What happens next: you'll receive an acknowledgement within 48h with a ticket ID, then the response within the SLA above. All sent to the email you provide.

08 — Art. 77If you're not satisfied: complaints

If you believe we've mishandled your data or your request, you have the right to lodge a complaint with a supervisory authority — without going through us first. Under Art. 77, you can complain to:

  • Your home country's data protection authority — full list at edpb.europa.eu
  • The lead supervisory authority for our EU representative — Berlin Commissioner for Data Protection and Freedom of Information (Berliner Beauftragte für Datenschutz und Informationsfreiheit)
  • For UK readers — the Information Commissioner's Office, ico.org.uk

We always prefer to resolve issues directly — write to dpo@tuto.digital first if you can — but it is your unconditional right to go to the regulator without informing us.

Still have a question about your data?

For anything not covered above — including bulk requests, journalistic inquiries, or compliance questionnaires — write directly to our DPO. Real human inbox, responses within 48 hours on weekdays.

Email dpo@tuto.digital →