TUNABEAR INC. — DATA PRIVACY POLICY

Effective Date: March 23, 2026
Last Updated: March 23, 2026
Approved by: Benjamin Dai (CEO) — 2026-03-23


1. Overview

Tunabear Inc. (“Tunabear,” “we,” “us,” or “our”) is committed to protecting the privacy and security of personal data entrusted to us by our clients and their end users. This policy describes how we collect, use, store, share, and protect information in connection with the technology solutions and consulting services we provide.


2. Scope

This policy applies to all software solutions, platforms, and consulting services delivered by Tunabear Inc. to institutional clients, including cloud-hosted applications, AI-powered tools, and integration services.


3. Data We Collect

Depending on the solution deployed, Tunabear may process the following categories of data on behalf of our clients:

a) Identity & Directory Data
Name, email address, role/title, and institutional affiliation — typically received via SSO (SAML 2.0 / OIDC) from the client’s identity provider.

b) Usage & Interaction Data
User queries, chat session content, page interactions, feature usage, and session metadata (timestamp, browser type, IP address) for the purpose of service delivery, quality assurance, and analytics.

c) Administrative Data
Account configuration settings, access logs, and audit trail data generated by administrative users of the platform.

Tunabear does NOT collect, process, or store:

  • Social Security Numbers or government-issued IDs
  • Financial account or payment card information
  • Protected Health Information (PHI) under HIPAA
  • Biometric data

4. How We Use Data

Data collected is used exclusively for the following purposes:

  • Delivering contracted services to the client institution
  • Authenticating and personalizing the user experience
  • Providing technical support and troubleshooting
  • Monitoring system performance and security
  • Fulfilling legal and compliance obligations
  • Improving service quality (aggregate/anonymized only)

Tunabear does NOT sell, rent, or trade personal data to any third party. Data is never used for advertising or marketing purposes without explicit client consent.


5. Data Sharing and Third Parties

Tunabear shares data only with sub-processors necessary to deliver contracted services. All sub-processors are bound by data processing agreements (DPAs) that prohibit unauthorized use of institutional data.

Current sub-processors for cloud-hosted solutions:

  • Amazon Web Services (AWS) — Cloud infrastructure hosting (US regions only). SOC 2 Type II certified. AWS Data Processing Addendum governs all data handling.
  • AI/LLM Service Provider — Natural language processing for AI-powered features. Only the minimum necessary query data is transmitted; no persistent personal data storage by the LLM provider. Governed by provider DPA.
  • TeamDynamix (where applicable) — Read-only knowledge base content retrieval. No personal data is written to or stored in TeamDynamix by Tunabear systems.

A current list of sub-processors is available to clients upon request.


6. Data Location and Transfer

All institutional data is stored and processed exclusively within the United States on AWS infrastructure (us-east-1 and/or us-west-2 regions). Tunabear does not transfer institutional data outside the United States.


7. Data Retention

Data is retained only for as long as necessary to deliver contracted services and meet applicable legal obligations. Upon contract termination:

  • A full data export will be provided to the client within 30 days of request.
  • All institutional data will be deleted from Tunabear systems and sub-processor environments within 30 days of confirmed export.
  • Deletion is performed in accordance with NIST SP 800-88 standards.
  • Written confirmation of deletion is provided upon request.

8. Security

Tunabear implements industry-standard technical and organizational measures to protect personal data, including:

  • Encryption in transit: TLS 1.2 / 1.3
  • Encryption at rest: AES-256
  • Access control: Role-based access (RBAC), MFA for administrative accounts
  • Audit logging: All access and administrative actions are logged and retained for 12 months
  • Vulnerability management: Severity-based patch SLAs
  • Annual security awareness training for all staff

9. Breach Notification

In the event of a confirmed data breach involving personal or institutional data, Tunabear will:

  • Notify affected clients within 72 hours of discovery
  • Provide details of the incident, data affected, and remediation actions taken
  • Comply with all applicable breach notification laws, including FERPA and Texas Business and Commerce Code § 521

10. Individual Rights

Where applicable under law, individuals may have the right to access, correct, or request deletion of their personal data. Requests should be directed to the client institution’s privacy officer in the first instance. Tunabear will cooperate with client institutions to honor valid data subject requests within 30 days.


11. FERPA Compliance

For solutions deployed at educational institutions, Tunabear acts as a “school official” under FERPA (20 U.S.C. § 1232g) with a legitimate educational interest in accessing education records solely to perform services for the institution. Tunabear does not disclose education records to any third party except as directed by the institution or as required by law.


12. Changes to This Policy

Tunabear reserves the right to update this policy to reflect changes in our services or legal obligations. Clients will be notified of material changes at least 30 days prior to the effective date.


13. Contact

For privacy-related inquiries, data requests, or to report a concern:

Tunabear Inc.
Privacy Officer: Benjamin Dai, CEO
Email: privacy@tunabear.com
Phone: 888-882-7988
Address: 11711 Hillcrest Rd., Dallas, TX 75230