What is the GDPR?
The General Data Protection Regulation (Regulation (EU) 2016/679) is the EU's framework for personal data protection. It applies whenever an organisation processes personal data of people in the EU, regardless of where the organisation is based.
How Tootela complies
1. Lawful basis for processing
For each processing activity, we identify a legal basis under Article 6 of the GDPR: contract, legitimate interest, consent, or legal obligation. The mapping is in our Privacy Policy.
2. Transparency
Our Privacy Policy describes, in plain language, what data we collect, why, who we share it with, and how long we keep it. No dark patterns, no buried clauses.
3. Data subject rights
Every right granted by the GDPR is supported: access, rectification, erasure, restriction, portability, objection, and the right to withdraw consent. Most of them are one click in the app (Settings → Privacy). For the rest, email privacy@tootela.net and we respond within 30 days. You can also lodge a complaint with the CNIL (cnil.fr).
4. Data minimisation
We collect only what we need to run the product. We don't ask for date of birth, social security numbers, or other sensitive identifiers unless the feature genuinely requires them (e.g. payslips in the HR module).
5. Storage limitation
We have explicit retention periods for every category of data. See the retention table.
6. Security
Encryption in transit and at rest, MFA, SSO on Enterprise, audit logs, row-level tenant isolation, vendor reviews, incident response. Full picture on the Security page.
7. Data Processing Agreement (Article 28)
Every paying customer has a GDPR-compliant DPA in place by default: the online DPA is incorporated into our Terms of Service. A counter-signed PDF is available on request.
8. International transfers
Default storage is in the EU (eu-west-3, Paris, France). When we use non-EEA subprocessors, we rely on EU Standard Contractual Clauses (SCCs) plus supplementary measures (encryption, pseudonymisation, access controls).
9. No training on customer data
We do not use customer content to train AI models. Our AI subprocessors (Google, Anthropic) operate on paid API tiers that contractually do not train on inputs. AI is opt-in per workspace.
10. Breach notification
If a personal data breach affects you, we notify you within 48 hours of discovery, and the CNIL within 72 hours, as required by Articles 33 and 34.
11. Privacy by design and default
New features go through a privacy review. Defaults err on the side of less sharing, less collection, more user control.
12. Data Protection Officer
Our DPO can be reached at dpo@tootela.net for any data protection concern.
Documents you can request
- Counter-signed DPA (PDF)
- List of subprocessors (live version on this page)
- Security questionnaire response (SIG, CAIQ, custom)
- Standard Contractual Clauses (Module 3, processor-to-processor)
- Subprocessor SCCs and adequacy attestations
- Penetration test summary (under NDA, when available)
Send requests to privacy@tootela.net.
Questions about your specific use case?
If you're processing sensitive data (health, financial, biometrics, children) or operating in a regulated industry (healthcare, banking, public sector), we're happy to talk through the specifics. Email privacy@tootela.net.