Where the privacy policy lives — and why it's code-owned

Turtini's privacy policy lives at turtini.com/privacy. It's a static, code-owned page — not an editable CMS block — which means every change has a git commit attached to it, the diff is reviewable in the public-facing repo, and the deploy log is a permanent record of when the language actually went live.

Why we keep it code-owned:

• **Auditability** — a CMS-edited privacy policy can be silently rolled back. A code-owned one can't: the change shows in commit history, the deploy log shows the timestamp, and the prior version is one git checkout away. Your CO, auditor, or DPO can reconstruct exactly what the policy said on any date.
• **Single source of truth** — the same text renders on the web, in onboarding consent screens, and in the DPA template. No drift between "the policy you saw when you signed up" and "the policy on the website."
• **Versionable** — major changes carry a version stamp at the top of the page and a one-line "what changed" note. Minor wording fixes (typos, clarifications) don't bump the version.

What the policy covers:

• What data we collect and why
• How long we keep it
• What third parties we share it with (and for what purpose)
• How EU/UK/CA subjects exercise rights (access, correction, deletion, portability)
• The DPO contact
• How to request a Data Processing Addendum (DPA) signed by Turtini
• Cookie / tracking practices (the Cookie consent banner is the operative control)

Reading the version history:

The /privacy page footer carries the current version and effective date. For a complete history, the source file is part of the public-facing app at `src/pages/PrivacyPolicy.tsx` — a git log on that file is the record of every wording change going back to launch.

Where related rules live:

• **Cookie consent** — see "How cookies and tracking work on turtini.com." The consent banner is the binding control; the privacy policy describes the categories.
• **Acceptable Use Policy (AUP)** — separate document at /terms/aup; covers what you can and can't do on the platform.
• **Terms of Service** — /terms; the commercial agreement between you and Turtini.
• **DPA** — request through Settings → Compliance → "Request DPA"; the addendum cross-references the privacy policy by version.

Requesting changes:

For policy questions, email [email protected] (also listed on the page). For commercial customers who need a contractual amendment (industry-specific clauses, EU-only processing addenda), your account team works with legal on a per-org rider — the public policy itself stays the same.