Privacy Policy
Effective date: May 19, 2026 · Last updated: May 19, 2026
This Privacy Policy explains how Tumban collects, uses, shares, and protects information when you visit our website, contact us, book a demo, or use our services.
Tumban is operated by ShareData Inc., a Delaware C-corporation. References to "Tumban," "we," "our," and "us" mean ShareData Inc.
Tumban is a B2B service. We provide a payout compliance API to creator economy platforms. We handle two kinds of personal information in two different roles:
• As a controller, we handle information about our website visitors, demo bookers, and the personnel at platforms that subscribe to our service.
• As a processor, we handle creator profile information that our platform customers send us so we can evaluate it against payment processor policies. For that data, the platform is the controller. Creators should direct privacy requests about their data to the platform they use.
If something is unclear, email privacy@tumban.com and we'll explain.
1. Who we are
ShareData Inc. A Delaware C-corporation, USA. Doing business as Tumban.
Registered office: 131 Continental Drive, Suite 305, Newark, DE 19702, USA.
For privacy matters, reach us at privacy@tumban.com or hello@tumban.com.
2. Scope
This policy applies to:
• tumban.com and any subdomains we operate
• Demo bookings made through cal.com/tumban/demo
• Email correspondence with us
• The Tumban API and platform when used by our customers
• Creator profile data we process on behalf of our customers (limited disclosures below; the controlling platform's policy governs)
This policy does not apply to third-party sites we link to (Stripe, PayPal, processor documentation, our customers' platforms, etc.). Their privacy policies apply to them.
3. Information we collect
3.1 Information from website visitors
When you visit tumban.com or tumban.com/briefing, we automatically collect:
• IP address (truncated for analytics where supported)
• Browser type, device type, operating system
• Referring URL and pages viewed
• Date and time of visit
If you book a demo or contact us, we collect what you provide: name, work email, company name, role; platform type (creator patronage, marketplace, MoR, other) and current payment processors, when you provide them during booking; the contents of any message or attachment you send us.
3.2 Information from prospective and current customers
If your company evaluates or subscribes to Tumban, we collect: business contact details for your team (name, work email, role, phone where provided); account credentials, API keys, and authentication metadata; billing and tax information (company name, billing address, VAT/GST identifiers; payment is processed by our payment provider — we do not store full card numbers); communications with our sales, support, and engineering teams; integration metadata: endpoints configured, API call volumes, error logs, latency metrics.
3.3 Information processed on behalf of customers (creator profile data)
When a platform sends us a creator profile to evaluate, we process the data the platform chooses to send. Typically this includes: a creator identifier supplied by the platform (we do not require legal names); storefront, listing, and product content (descriptions, prices, categories); public off-platform signals the platform asks us to evaluate (for example, publicly accessible social media handles or links the creator has associated with their account); inbound and outbound link information the platform shares with us.
For this data, the platform is the controller and we are the processor. We process it only on the platform's documented instructions, as set out in our Data Processing Agreement (DPA) with that platform. We do not use this data to train models for other customers, and we do not share it across customers.
If you are a creator and have questions about how a platform uses Tumban, please contact that platform directly. They are responsible for telling you how creator data is handled and for honoring your rights under applicable law.
3.4 Information from cookies and similar technologies
We use Google Analytics to understand aggregate website traffic and improve the site. Google Analytics sets cookies that record information about how visitors use tumban.com — pages viewed, session duration, approximate location derived from IP, referring source. IP addresses are truncated where supported.
We do not use cookies for advertising, retargeting, cross-site tracking, or building profiles about you. We do not share Google Analytics data with third parties for their own purposes.
You can opt out of Google Analytics by installing Google's opt-out browser add-on (tools.google.com/dlpage/gaoptout) or by blocking analytics cookies through your browser settings. Blocking analytics cookies does not affect your ability to use the site.
If you book a demo, our scheduling provider (cal.com) operates on its own domain and sets its own cookies; cal.com's privacy policy governs that interaction.
4. How we use information
We use information for the following purposes:
• To run the website — serve pages, route forms, prevent abuse, debug errors
• To respond to inquiries — reply to your email, schedule and run demos, send technical briefings you request
• To provide the Tumban service — authenticate customers, evaluate creator profiles per our customers' instructions, return decisions and audit records, maintain service availability
• To improve the service — analyze aggregate, de-identified usage patterns to improve performance, detection quality, and product design
• To handle billing and accounting — invoice customers, collect payment, meet tax and accounting obligations
• To communicate about the service — send service notices, security alerts, material changes to this policy, and (with appropriate opt-out) occasional product updates
• To meet legal obligations — respond to lawful requests, defend legal claims, prevent fraud, and comply with applicable laws
• To enforce our agreements — investigate suspected misuse of the service
We do not sell personal information. We do not share personal information with third parties for their own marketing purposes.
If you are in the European Economic Area or the United Kingdom, we rely on the following legal bases under the GDPR and UK GDPR:
Responding to your inquiry, booking your demo
Performance of pre-contractual steps at your request; legitimate interest
Providing the service to a customer
Performance of a contract with the customer
Processing creator data on a customer's instructions
The platform's lawful basis under its DPA with us
Running and securing the website
Legitimate interest in operating our business
Marketing communications
Consent, or legitimate interest where permitted
Meeting tax, accounting, legal obligations
Legal obligation
You can withdraw consent at any time. Withdrawing consent does not affect processing carried out before the withdrawal.
6. Sharing and disclosure
We share personal information only where necessary, and only with the following categories of recipients:
• Sub-processors and service providers that help us run the service (hosting, email, analytics, scheduling, customer support, billing). They are bound by contract to use the data only for the purposes we've authorized.
• Personnel, contractors, and service providers acting on our behalf, including team members who may be located outside the United States. They are bound by confidentiality and data protection obligations.
• Professional advisers (lawyers, accountants, auditors) under confidentiality obligations.
• Authorities when required by law, court order, or to protect our rights, the rights of our customers, or public safety.
• A successor in connection with a merger, acquisition, financing, or asset sale, subject to a confidentiality agreement.
For data we process on behalf of a customer, we share it only as the customer instructs us in writing.
7. Sub-processors
We use the following sub-processors to operate the Tumban service. We notify customers before adding or replacing a sub-processor that processes their data, in line with the DPA.
Microsoft Azure
Cloud hosting and infrastructure
United States
MongoDB
Database for application and customer data
United States
Google Workspace (Gmail)
Business email and internal communication
United States
Google Analytics
Aggregate website analytics for tumban.com
United States
cal.com
Demo booking and scheduling
United States
An up-to-date version of this list is available on request to privacy@tumban.com and is referenced in the DPA we sign with each customer.
8. International data transfers
Tumban is a US company. Personal information we collect is primarily processed in the United States. Some of our personnel and service providers are located outside the United States, which means data may be accessed from or transferred to those locations.
When we transfer personal information from the European Economic Area, the United Kingdom, or Switzerland to a country that has not received an adequacy decision, we rely on:
• Standard Contractual Clauses approved by the European Commission (and the UK International Data Transfer Addendum for UK transfers), and
• Supplementary technical and organizational measures where appropriate.
You can ask for a summary of the safeguards in place by emailing privacy@tumban.com.
9. Data retention
We keep personal information only as long as we need it for the purposes set out in this policy, and then we delete or de-identify it.
Website analytics (aggregated)
Up to 26 months
Demo booking records
Up to 24 months from last contact, unless you become a customer
Sales and prospect correspondence
Up to 36 months from last contact
Customer account data
Duration of the contract, plus up to 7 years where required for tax and accounting
API logs and audit trails
As specified in the customer contract; typically 12–24 months
Creator data processed for a customer
As specified in the customer's instructions and the DPA
Billing records
As required by US tax law — typically 7 years
When you ask us to delete your data and we are not required to keep it, we will delete it from active systems and remove it from backups in line with our backup rotation.
10. Security
We protect personal information using technical and organizational measures appropriate to its sensitivity. These include:
• Encryption in transit (TLS) and at rest for data we store
• Role-based access controls, audit logging, and least-privilege principles for internal access
• Multi-tenancy controls so customer data is isolated
• Regular review of our infrastructure, dependencies, and access patterns
• Background checks and confidentiality obligations for personnel with data access
No system is perfectly secure. If we become aware of a breach affecting your personal information, we will notify you and the relevant authorities as required by law.
11. Your rights
Depending on where you live, you may have rights regarding your personal information. We honor these rights regardless of where you are based, to the extent we can verify your identity and confirm the request is yours.
11.1 Rights under the GDPR and UK GDPR
If you are in the EEA or the UK, you have the right to:
• Access — get a copy of the personal information we hold about you
• Rectification — correct inaccurate information
• Erasure — delete information, subject to legal exceptions
• Restriction — limit how we process your information
• Objection — object to processing based on our legitimate interests
• Portability — receive your information in a structured, machine-readable format
• Withdraw consent — where processing is based on consent
• Complain — lodge a complaint with your local data protection authority
11.2 Rights under the California Consumer Privacy Act (CCPA / CPRA)
If you are a California resident, you have the right to:
• Know what personal information we collect about you, how it's used, and who we share it with
• Request deletion of your personal information
• Correct inaccurate personal information
• Opt out of any "sale" or "sharing" of personal information (we do not sell or share personal information as those terms are defined under the CCPA)
• Be free from discrimination for exercising these rights
We do not knowingly process the personal information of minors under 16 for sale or sharing.
11.3 How to exercise your rights
Email privacy@tumban.com with your request. We will respond within the timeframe required by the law that applies to you (typically 30 days under the GDPR; 45 days under the CCPA).
If you are a creator and your request relates to data a platform sent us about you, please contact the platform first. We will redirect your request to them and assist them in responding.
12. Children's privacy
Tumban is a B2B service. It is not directed to children, and we do not knowingly collect personal information from anyone under 16. If you believe a child has provided personal information to us, email privacy@tumban.com and we will delete it.
13. Changes to this policy
We may update this policy from time to time. When we make material changes, we will update the "Last updated" date at the top and, where appropriate, notify customers by email or service notice. Continued use of the website or service after a change means you accept the updated policy.
A history of material changes is available on request.
14. Contact us
For any privacy question, request, or concern:
Email: privacy@tumban.com
General: hello@tumban.com
ShareData Inc.
131 Continental Drive, Suite 305
Newark, DE 19702
USA
For EU-based individuals, you may also lodge a complaint with your local Data Protection Authority. For UK individuals, the ICO (ico.org.uk). For California residents, the California Privacy Protection Agency.