Legal · Privacy

Privacy Policy

Effective date: 14 April 2026 · REGO360 Company Limited (RC 7265838) · legal@tunaa.app

1. Introduction

REGO360 Company Limited (RC 7265838) ("tunaa", "we", "us", or "our") operates the tunaa platform — an AI-powered commerce and customer support service delivered through Telegram, WhatsApp, and Instagram. This Privacy Policy explains how we collect, use, store, and protect your personal information when you interact with tunaa-powered bots or use our vendor dashboard.

By using tunaa, you agree to the practices described in this policy. If you do not agree, please stop using the service.

2. Who This Policy Applies To

This policy applies to:

Customers — individuals who interact with a tunaa-powered bot to browse products, place orders, or ask questions.
Vendors — businesses that register on tunaa to sell products or services through the platform.
Visitors — anyone who visits tunaa.app or any subdomain.

3. Information We Collect

3.1 Information You Provide Directly

Name — provided during checkout or vendor registration.
Phone number — used for order confirmation, delivery, and channel identification on WhatsApp and Telegram.
Email address — used for vendor accounts, receipts, and support. Not required for customers using Telegram.
Delivery address — provided during checkout for fulfilment purposes.
Payment and bank account details — vendors only, collected during Paystack subaccount setup. We do not store card details. All payment processing is handled by Paystack.

3.2 Conversation Data

When you interact with a tunaa-powered bot, your messages are processed by our AI systems. Please do not share sensitive personal information (such as passwords, ID numbers, or financial credentials) in chat.

All messages sent to tunaa bots — including text, product enquiries, and responses.
Intent signals inferred by our AI (e.g. browsing intent, purchase interest, language preference).
Conversation history retained to support follow-up reminders, order tracking, and customer support.
Cart contents and checkout state.

3.3 Transaction Data

Orders placed, including items, quantities, and amounts.
Payment status (paid, pending, failed) — not card numbers, which are handled entirely by Paystack.
Purchase history and fulfilment records.
Delivery tracking information where courier integration is enabled (ShipBubble).

3.4 Technical and Device Data

IP address and approximate location.
Device type and operating system (for mobile app interactions).
Server logs for security monitoring and debugging.
Usage analytics (page views, feature usage) collected via PostHog.

3.5 Vendor-Provided Data

Business name, category, and operational information.
Product catalogues, pricing, images, and inventory data.
ShipBubble API credentials (stored encrypted; used solely to create delivery shipments on the vendor's behalf).

4. How We Use Your Information

We process personal data only for the purposes listed below, in accordance with the Nigeria Data Protection Act 2023 (NDPA) and applicable regulations.

4.1 Core Service Delivery

To process and fulfil orders placed through tunaa bots.
To enable real-time conversations between customers and vendor bots.
To generate and send payment links via Paystack.
To arrange delivery via ShipBubble where the vendor has enabled this.
To send order confirmations, receipts, and delivery updates.

4.2 AI and Personalisation

To classify customer intent and route enquiries to the correct bot response.
To personalise product recommendations and upsell suggestions.
To improve the accuracy of our AI models over time using anonymised interaction data.
To detect language preference and respond accordingly.

4.3 Business Operations

To prevent fraud and detect abuse.
To provide customer support and resolve disputes.
To generate analytics and reports for vendors (aggregated, not individual profiles).
To comply with legal and regulatory obligations.

4.4 Marketing Communications

To send reminders about abandoned carts or deferred purchase intent — only where the customer has engaged with a vendor bot and not opted out.
To notify vendors of platform updates and new features.

We do not send unsolicited marketing messages to customers. Bot messages are only sent in response to prior customer interaction or explicit follow-up consent.

5. AI and Automated Processing

tunaa operates primarily through AI-powered bots. You may not always be speaking with a human. This section explains how automated processing works.

When you interact with a tunaa bot:

Your message is processed by our AI classification system to determine intent (e.g. browse, add to cart, checkout, ask a question).
Responses may be generated automatically by AI language models, including models provided by Anthropic (Claude).
Your conversation may be used to improve AI accuracy, subject to anonymisation and aggregation.
You can request to speak with a human agent at any time by typing 'agent' in any bot conversation.

Automated decisions that affect you materially (such as fraud flagging) are subject to human review upon request. Contact us at legal@tunaa.app to request a review.

6. Data Sharing

6.1 Vendors

When you place an order or interact with a bot, the vendor operating that bot can see:

Messages relevant to their store — including your enquiries, order details, name, phone number, and delivery address.
Order history and fulfilment status for their business.

Vendors cannot see data from other vendors, platform-wide customer data, or your interactions with other vendor bots.

6.2 Third-Party Service Providers

We share data with the following service providers under data processing agreements where required:

Provider	Purpose	Data Shared
Paystack	Payment processing	Order amount, customer name, email, phone. No card data stored by tunaa.
Anthropic (Claude)	AI response generation	Conversation messages, anonymised context. No additional personally identifying data.
Telegram / Meta (WhatsApp, Instagram)	Message delivery	Message content, customer ID, channel metadata. Governed by their respective privacy policies.
ShipBubble	Delivery fulfilment	Customer name, phone, delivery address, order details. Only where vendor has enabled delivery integration.
Hetzner / Coolify	Infrastructure	Encrypted data at rest. No direct access to application data.
PostHog	Analytics	Anonymised usage events. No personally identifiable data.

6.3 Legal Disclosure

We may disclose personal data where required by law, court order, or lawful request from Nigerian regulatory authorities including NITDA and the Nigeria Data Protection Commission (NDPC).

We do not sell your personal data. We do not share personal data with advertisers or data brokers.

7. Vendor Access to Customer Data

Vendors using the tunaa platform are independent businesses. They are responsible for how they use customer data shared with them through their bot. Vendors must have a lawful basis to process customer data and must comply with applicable NDPA obligations.

As the tunaa platform operator, REGO360 acts as a data processor in relation to customer data flowing through vendor bots. Each vendor acts as a data controller for their customers.

Vendors may access: customer name, phone number, delivery address, order history, and bot conversation content related to their store.
Vendors may not: access data from other vendors, export bulk customer data without restriction, or use customer data for purposes unrelated to fulfilling orders placed on their bot.
Vendors agree to tunaa's Vendor Agreement, which includes data handling obligations, when they register on the platform.

8. Data Security

All data is transmitted over encrypted HTTPS connections.
Data at rest is stored on Hetzner servers with disk encryption.
Access to production systems is restricted to authorised personnel only, using key-based authentication.
API keys (including ShipBubble and Paystack credentials) are stored encrypted in the database.
We conduct periodic security reviews and monitor for unusual access patterns.

Despite these measures, no system is completely secure. In the event of a data breach that poses significant risk to individuals, we will notify affected users and the NDPC within 72 hours as required by the NDPA.

9. Data Retention

Data Type	Retention Period
Conversation history	12 months from last interaction, unless an active order is associated
Order records	7 years (legal and tax compliance requirement)
Payment records	7 years (financial records requirement)
Vendor account data	Duration of account plus 2 years after closure
Security logs	90 days
Analytics data	Anonymised after 30 days; aggregates retained indefinitely

10. Your Rights Under the NDPA

As a data subject under the Nigeria Data Protection Act 2023, you have the following rights:

Right of access — Request a copy of the personal data we hold about you.
Right to rectification — Request correction of inaccurate or incomplete data.
Right to erasure — Request deletion of your data where it is no longer necessary for the purpose collected, subject to legal retention obligations.
Right to data portability — Request your data in a structured, machine-readable format.
Right to object — Object to processing based on legitimate interests or direct marketing.
Right to restrict processing — Request that we limit processing of your data in certain circumstances.
Right to withdraw consent — Where processing is based on consent, withdraw it at any time without affecting prior processing.

To exercise any of these rights, contact us at legal@tunaa.app. We will respond within 30 days. We may need to verify your identity before processing requests.

If you are not satisfied with our response, you have the right to lodge a complaint with the Nigeria Data Protection Commission (NDPC) at ndpc.gov.ng.

11. Cross-Border Data Transfers

tunaa uses third-party services (including Anthropic, Telegram, and Meta) whose servers are located outside Nigeria. Where personal data is transferred internationally, we ensure appropriate safeguards are in place, including contractual clauses with service providers requiring equivalent data protection standards.

By using tunaa, you consent to data being processed in jurisdictions outside Nigeria where necessary to deliver the service.

12. Children's Privacy

tunaa is not intended for use by persons under the age of 18. We do not knowingly collect personal data from minors. If you believe a minor has used the service and provided personal information, contact us at legal@tunaa.app and we will delete the data promptly.

13. Marketing and Communications

We may send the following types of messages through bot channels:

Order confirmations and delivery updates — transactional, cannot be opted out of while an order is active.
Cart abandonment reminders — sent once, only if enabled by the vendor.
Follow-up reminders — only where you explicitly asked the bot to remind you.

You can stop receiving non-transactional messages at any time by sending "stop" to the relevant bot or contacting the vendor directly.

14. Updates to This Policy

We may update this Privacy Policy from time to time. Material changes will be notified via a notice on tunaa.app and a message to registered vendor accounts. Continued use of the platform after the effective date of a revised policy constitutes acceptance. The current version is always available at tunaa.app/privacy.

15. Contact Us

For privacy-related enquiries, data subject requests, or complaints:

CompanyREGO360 Company Limited (RC 7265838)

Emaillegal@tunaa.app

Websitehttps://tunaa.app

AddressLagos, Nigeria