Compliance documents should say what they mean. This one does.
We help organisations turn regulations into clear, everyday work. We write our own documentation the same way: complete, accurate, and straightforward to read. This notice covers exactly what data we collect through this website and what we do with it. Our website data footprint is small. That is not a gap in this notice. It is an accurate reflection of how we operate.
1 Who we are
FynTun B.V. is the data controller responsible for personal data processed in connection with this website. We are a Dutch-incorporated RegTech company providing compliance platform software and expert support to regulated organisations across Europe and Southeast Asia.
Controller Details
FynTun operates across two jurisdictions. Our incorporated entity is FynTun B.V. in the Netherlands. We operate commercially in Thailand, where members of our founding team are based and where a Thai entity registration is in progress. This dual-jurisdiction structure means two data protection frameworks apply to our operations concurrently: the EU General Data Protection Regulation (GDPR) and the Thai Personal Data Protection Act B.E. 2562 (2019) (PDPA). PDPA applies not merely because Thai residents may visit this website, but because FynTun actively operates in Thailand as part of its ordinary business. Both frameworks are addressed throughout this notice.
We have not appointed a Data Protection Officer (DPO) at this time, as our current scale of processing does not trigger the mandatory DPO requirement under GDPR Article 37. The contact point for all privacy matters is .
2 What this notice covers
This notice applies to fyntun.com and to the limited personal data processing that occurs in connection with it. It does not cover data processed through the FynTun platform under a client agreement. Client-side processing is governed by a separate data processing agreement between FynTun and the relevant client, which defines all processing purposes, retention terms, and data subject rights mechanisms applicable to that relationship.
3 Browsing this website
No personal data is collected when you browse fyntun.com
Visiting this website does not result in FynTun collecting, receiving, or storing any personal data about you. There are no contact forms, login fields, sign-up flows, or any other mechanism through which personal data is submitted to FynTun by a website visitor. No server-side logging of IP addresses or user agents is performed by FynTun.
Because no personal data is collected from website visitors, GDPR Article 13 obligations do not arise for the act of browsing this site. This section is included for completeness and transparency, consistent with our own compliance standards.
5 Booking a call (Proton Calendar)
If you choose to book a discovery call or introductory meeting with us, we use Proton Calendar for scheduling. The following table sets out all processing associated with that booking in the format required by GDPR Article 13 and PDPA Section 23.
| Data collected | Name, email address, and preferred meeting time. Provided voluntarily by you when submitting a booking request. |
| How collected | Via a Proton Calendar booking link. Proton AG processes the booking form. FynTun receives the booking confirmation containing your name and email address. |
| Purpose | To confirm and conduct the scheduled call, and to follow up on the conversation where relevant. |
| Legal basis (GDPR) | Legitimate interest under Article 6(1)(f): responding to a meeting request you have initiated. Our interest is proportionate and not overridden by your privacy rights given the minimal data involved and the privacy-preserving infrastructure used. |
| Legal basis (PDPA) | Legitimate interest under Section 24(5) of the PDPA: the same proportionality assessment applies. |
| Legitimate interests | Enabling FynTun to conduct introductory conversations with prospective clients who have actively requested a meeting. No marketing use is made of booking data without a separate and explicit step. |
| Processor | Proton AG, Route de la Galaise 32, 1228 Plan-les-Ouates, Geneva, Switzerland. Proton processes booking data under its own privacy policy: proton.me/legal/privacy |
| International transfer | Proton AG is based in Switzerland. Switzerland holds a European Commission adequacy decision. No additional safeguard is required for this processing. |
| Retention | 12 months from the date of the booking. If no commercial engagement follows, the booking data is deleted at that point. See Section 8. |
| Voluntary or mandatory | Providing booking data is entirely voluntary. There is no statutory or contractual obligation to provide it. If you do not provide it, we cannot schedule a call, but there are no other consequences. |
| Marketing | FynTun does not add you to any mailing list, CRM system, or marketing programme solely on the basis of a booking. If a commercial relationship progresses and we intend to contact you for marketing purposes, we will inform you and provide the applicable basis at that stage. |
Proton is a Swiss privacy technology company. Its calendar product operates on end-to-end encryption and a zero-access architecture, meaning Proton itself cannot read the content of calendar events. We chose this infrastructure deliberately.
6 No automated decision-making
FynTun does not use automated decision-making or profiling of any kind in connection with this website or the booking process. No decision that produces legal or similarly significant effects for you is made automatically. This includes no AI-driven scoring, risk profiling, or behavioural analysis.
7 International transfers
EEA → Switzerland (Proton AG)
Proton AG is based in Switzerland. Switzerland holds a European Commission adequacy decision under GDPR, meaning transfers to Switzerland are lawful without any additional safeguard. For PDPA purposes, Switzerland's recognised adequacy at EU level is the relevant reference point pending formal Thai designation.
EEA → Thailand (FynTun team)
FynTun operates as a dual-jurisdiction team with members in the Netherlands and Thailand. Booking data received by FynTun is accessible to team members in Thailand as part of normal operations. Thailand does not hold an EU adequacy decision.
This transfer is covered by the GDPR Article 49(1)(b) derogation: the transfer is necessary to take the pre-contractual steps you requested when booking a call. The same necessity basis applies under PDPA Section 28(2). FynTun does not use this basis to transfer data beyond what is operationally necessary for that purpose. As FynTun's Thai entity registration is completed, intra-group transfer arrangements will be formalised accordingly.
FynTun does not transfer booking data to any other third country. If this changes, this notice will be updated before any such transfer occurs.
8 Retention
GDPR Article 13(2)(a) and PDPA Section 23 require us to state how long we keep personal data, or the criteria used to determine that period. For this website, only one category of personal data applies.
| Data | Period | Reason |
|---|---|---|
| Call booking data (name + email received via Proton Calendar) | 12 months from date of call | Sufficient to manage follow-up to a meeting request. Deleted if no commercial engagement arises within this period. |
When data reaches the end of its retention period it is deleted. If you have asked us not to contact you, we retain only a minimum suppression record of that preference to ensure it is respected.
9 Your rights
GDPR Art. 13(2)(b)-(e) | PDPA S. 23 and Chapter 5
The rights below apply to the personal data we hold about you in connection with this website (i.e. your booking data, if you have booked a call). To exercise any right, contact us at . We will respond within 30 days. We do not charge for rights requests unless a request is manifestly unfounded or excessive. We may ask you to verify your identity before processing a request.
Right of Access
Ask us to confirm whether we hold personal data about you and provide a copy, along with information about how we use it. Art. 15 GDPR | PDPA s. 30
Right to Rectification
Ask us to correct inaccurate data or complete data that is incomplete. Art. 16 GDPR | PDPA s. 35
Right to Erasure
Ask us to delete your data where we no longer have a lawful basis to keep it, or where you have successfully objected to processing. Art. 17 GDPR | PDPA s. 33
Restrict Processing
Ask us to pause processing while a dispute about accuracy or lawfulness is resolved. Art. 18 GDPR | PDPA s. 34
Data Portability
Where processing is based on legitimate interest and carried out by automated means, request your data in a structured, machine-readable format. Art. 20 GDPR | PDPA s. 31
Right to Object
Object to processing based on legitimate interest at any time. We will stop unless we can demonstrate compelling legitimate grounds that override your interests. Art. 21 GDPR | PDPA s. 32
Withdraw Consent
Booking data is processed on legitimate interest, not consent. No consent withdrawal applies to this processing. Art. 7(3) GDPR | PDPA s. 19
Right to Complain
Lodge a complaint with the Autoriteit Persoonsgegevens (NL) or the PDPC (TH) at any time, without prejudice to other remedies. Art. 77 GDPR | PDPA s. 73
If we cannot fulfil a rights request, we will explain why in writing. For PDPA purposes, Thai residents have the same rights as described above under the equivalent PDPA provisions cited in each card.
10 Changes to this notice
We update this notice when our website practices change, when applicable law or regulatory guidance changes, or when we add new functionality to this website that affects data processing. The effective date shown in the header reflects the current version.
Material changes will be indicated by an updated effective date. Previous versions are available on request by emailing .
11 Contact and complaints
For any question about this notice, to exercise a data subject right, or to raise a concern about how we handle personal data, contact us directly. Privacy questions at FynTun reach a founder.
Get in touch
Privacy questions reach a founder directly. We respond to all enquiries.