This document provides an overview of Turtl’s approach to data security, privacy, and compliance with GDPR. It covers the platform’s data storage practices, encryption methods, privacy policies, and the use of AI, ensuring client information, including the personal information of their readers, is handled carefully and in line with best practices.

Turtl is an HTML5 technology and all functionality is delivered through the web browser.

All data is stored in secure, redundant, highly available databases on the Amazon Web Services in Dublin, Ireland (eu-west-1) and is encrypted using AES256.

All core application components reside within a single Amazon Web Services VPC, eliminating the possibility of packet sniffing through the use of Amazon’s internal network controls.

All data transferred between the client and server over the public internet is encrypted with 256-bit SSL / TLS v1.2 and above.

Turtl is a multi-tenant system with each customer’s information stored in separate databases. Controls are in place within the application to prevent any cross-contamination or leakage of data.

Turtl is ISO27001 certified and is registered as a Data Controller with the ICO with reference number ZA086894.

Turtl respects your privacy and is committed to protecting your personal data. Our Privacy Policy will inform you as to how we look after your personal data and tell you about your privacy rights and how the law protects you.

Turtl collects personal information (PII) data – names and email addresses – from the platform users to allow them to log into the app, create content, personalize Docs, view analytics, and more.

If Turtl isn't able to match your email address with any of the users on the platform, you will log in via SSO as a Guest. We do collect analytics events for Guests. This applies specifically to Docs with the access control policy set to "Anyone at my company" and tenants that have SSO enabled. For these Docs, we collect email addresses and analytics events of users. However, capturing readers' email addresses via SSO can be turned OFF on request.

If you submit your email address via a form in a Turtl Doc, we will register and count you as a sign-up, regardless of whether we are collecting your analytics events or not.

Turtl collects any personal information that customers choose to include in their Turtl Docs or input while using Personalization. Regardless of how Docs are personalized (via public personalization forms, in batch, via API, etc.), if PII information is used, it will be shown as part of the content. The data is stored in Turtl's MongoDB and is managed in accordance with the terms of our DPA.

The content studio allows you to type text directly into the editor (or paste from a text source), upload images in a JPG, PNG format or from the URL, upload videos from numerous online video hosting platforms (for more information please see this article here), and embed PDF files from trusted sources. For more information on the widgets, please refer to this section here.

There are a couple of ways to make a Doc private.

One of them is restricting access to email authentication by selecting Specific people only policy, providing a list of people (their emails) who can access your Doc. This is stored in Turtl’s MongoDB. As this requires personally identifiable information (PII) from individual readers, your company must have a privacy policy in place; otherwise, this option will not be available on your account.

Another way to restrict access to your Turtl Docs is with the setting "Anyone at my company", which will require readers to sign in via your company's SSO in order to access the Doc. Once the reader has logged into the SSO and navigates the Doc, they will be displayed in the Known Readers section of your Dashboard and have "Authentication" under the "Source" column. Guests in the customer’s SSO directory can visit Turtl Docs, and their emails are stored at Turtl; this (storing guest’s email addresses as known readers) can be turned OFF on request.

You can also control the access settings of your personalized Turtl Docs. Read more about this here.

When a reader accesses your personalized Turtl Doc via email authentication, their information will appear in two places: the "Known readers" section of the Turtl Doc analytics dashboard and the analytics dashboard for that specific personalization. In both locations, their email address will be displayed, indicating that they accessed the personalization using email authentication.

Regardless of how Docs are personalized (via public personalization forms, in batch, via API, etc.) if PII information is used, it will be shown as part of a content. Data is stored in Turtl’s Mongo DB.

The main reason why we collect IP addresses is to enhance the security and functionality of our services. IP addresses help us monitor and analyze website traffic, detect and prevent malicious activities, and troubleshoot technical issues. Additionally, we use IP addresses for aggregate analytical purposes, such as understanding user demographics and preferences to improve our website's user experience.
Turtl can block analytics data from specific IP addresses or CIDR IP groups. When an IP is blocked, any data associated with it will not be shown on the dashboard during the time it is blocked. Additionally, blocking an IP also removes any previously recorded analytics data from that IP. Turtl supports blocking up to 525,000 IP addresses by request.

Third-party forms are embedded in Turtl Doc using iFrames. This means Turtl is not involved in the data flow process because data collected via forms is sent directly to the third-party endpoint. These forms are hosted on third-party servers, so Turtl cannot control the form or its contents.
Turtl may apply JavaScript code to support embedding, including styling and detecting form submissions, upon which an anonymized IDs (such as submission ID, lead ID, or a cookie value) is stored in our database. This anonymized ID allows us to identify Known Readers (see below) if integration with the form provider (typically a CRM) and Turtl is set up.

There are several ways in which Turtl identifies known readers (and displays their name and email on the readers’ dashboards).

A lead capture URL is a link to your content that includes a unique identifier, usually a contact ID. This allows Turtl to match the reader’s ID (a pseudonymized string of letters and numbers) with a contact in your CRM. Lead capture URLs are designed for use with your existing CRM contacts.

This involves adding CRM and contact ID information to the Turtl Doc URL, for example:

When a visitor interacts with this URL, Turtl stores the ID (uniqueContactID) and displays it on the "Known Reader" dashboard. With an integration between Turtl and the CRM, name and email associated with that ID are displayed in the dashboard (we store this data for faster loading).

Turtl supports integrating third-party tracking tools like HubSpot’s tracking code, Marketo’s Munchkin Tracking Code, and others, to enhance your marketing strategies.

When these third-party scripts are embedded in Turtl Docs, we do not collect or store any data from them. The tracking codes work independently, with all data being processed by the third-party platforms. No data is transmitted to or stored by our systems.

The type of customer personal data that Turtl uses is non-sensitive, low risk and only used to the extent required to deliver the service. All internal and customer-facing policies/agreements are in line with GDPR standards.

To ensure compliance, it's important to obtain consent from individuals whose information you collect. Turtl allows you to add links to your policies: a cookie policy, a privacy policy, and terms of service.

By default, Turtl supplies a banner, which informs the visitor of the cookies we set, which can be found here. However, to provide more thorough coverage and tailor the consent experience to better fit your needs, we recommend integrating with your own cookie consent solution service. This also allows you to manage preferences more effectively, and ensure compliance to the specific legal requirements.

Turtl uses third-party AI tools only for converting PDFs into Turtl Docs. The only data processed by third-party AI tools is the content of the uploaded PDF. No customer configuration or information outside the PDF content is shared. For more details, refer to Turtl sub-processors.

Although AI is used, it is not a core feature. Turtl employs general AI, such as OpenAI, to enhance PDF conversion by adding interactive elements like quotes and polls. This AI feature is optional and can be turned off under the ‘AI content enrich’ setting before converting your PDF.

The AI tools are used solely for this add-on service and do not interact with customer data, ensuring that sensitive information remains unaffected.