1. Who we are
This Privacy Policy applies to the website tootela.net and the Tootela application. The data controller is Tootela SAS, registered office TODO_STREET_ADDRESS, TODO_POSTCODE Bordeaux, France, registered in France under TODO_RCS_NUMBER.
If you have any questions about how we handle your data, contact privacy@tootela.net. For data protection requests specifically, you can reach our DPO at dpo@tootela.net.
2. What we collect
We only collect what's needed to operate the service. There are five categories:
Account data
- Name, email address, password (stored as a salted hash, never in clear)
- Company name, role, country (used to localise the product)
- Profile picture if you upload one
Customer content
The data you create or upload while using Tootela: messages, documents, files, contacts, deals, tickets, projects, calendar events, etc. You own this content. We process it on your behalf to make the product work. We do not access it for any other purpose.
Usage data
Information about how you use the product: pages visited, features used, errors encountered, approximate location derived from your IP address, browser and OS type. We use this to improve the product and to debug issues.
Billing data
If you subscribe to a paid plan, we collect billing details: company name, billing address, VAT number. Card numbers are handled directly by our payment processor (Stripe) and never touch our servers.
Support data
When you contact us, we keep a record of the conversation so we can help you and improve the product over time.
3. How we use it
- Provide the service: create your account, sync your data, deliver messages, generate invoices, etc.
- Operate and improve: understand which features are used, fix bugs, monitor performance.
- Communicate: respond to support requests, send transactional emails (account confirmation, password reset, billing receipts, security alerts), send service announcements.
- Marketing: if you opted in, send a low-volume product newsletter. You can unsubscribe with one click.
- Legal and security: prevent fraud and abuse, comply with legal obligations, enforce our terms, protect our rights and the rights of others.
We do not use your customer content to train AI models. We do not sell your data. We do not share your data with advertisers.
4. Legal bases (GDPR)
Under the GDPR we need a legal basis for each processing activity. Here's how it maps:
| Activity | Legal basis |
|---|---|
| Running your account, processing your customer content | Performance of contract (Art. 6(1)(b)) |
| Billing and tax records | Legal obligation (Art. 6(1)(c)) |
| Product analytics, improving the service, security | Legitimate interest (Art. 6(1)(f)) |
| Marketing emails, non-essential cookies | Consent (Art. 6(1)(a)) |
| AI features that send content to a third-party model | Consent (Art. 6(1)(a)) |
5. Who we share data with
We use a small number of vetted subprocessors, each under a written data processing agreement with appropriate GDPR safeguards:
| Subprocessor | Purpose | Region |
|---|---|---|
| Supabase Inc. | Database, authentication, storage | EU (Paris) |
| Vercel Inc. | Application hosting, CDN, edge compute | Global edge |
| Stripe Inc. | Payment processing | Ireland (EU) + USA |
| Resend Inc. | Transactional email delivery | USA (with EU SCCs) |
| Google LLC | Generative AI (Gemini API) for the AI assistant (opt-in only) | USA (with EU SCCs) |
| Anthropic PBC | Generative AI fallback (opt-in only) | USA (with EU SCCs) |
We update this list when it changes. If you have a Tootela DPA in place, we notify you 30 days before adding a new subprocessor so you can object.
Beyond that, we share data only:
- With your explicit instruction (e.g. when you connect a third-party integration)
- If required by law, court order, or to protect against fraud or imminent harm
- In the context of a business transfer (merger, acquisition), with continuity of these privacy commitments
6. International transfers
Tootela is a French company and our database lives in the EU (eu-west-3, Paris, France). Some of our subprocessors operate from outside the EU (notably the United States). When that happens, the transfer is covered by Standard Contractual Clauses (SCCs) approved by the European Commission, plus the supplementary technical and organisational measures recommended by the EDPB.
For AI features, content is sent to the chosen model provider (e.g. Google, Anthropic) only when you use the feature, and only the strict minimum needed to answer the prompt. AI providers in our subprocessor list contractually do not train on inputs from paid API tiers.
7. How long we keep data
| Data | Retention |
|---|---|
| Account and customer content (active subscription) | For the lifetime of the account |
| Account and customer content (after deletion) | Permanently deleted within 30 days of deletion request, except for content covered by legal hold |
| Backups | Up to 35 days, then overwritten |
| Billing records | 10 years (French tax law) |
| Server access logs | 12 months |
| Marketing data | Until you unsubscribe, then 6 months for proof of consent |
8. Security
We follow security best practices: encryption in transit (TLS 1.2+) and at rest (AES-256), least-privilege access for employees, separate environments, audit logs, automated vulnerability scanning, and a documented incident response process. The full picture lives on our Security page.
Despite our best efforts, no system is unbreakable. If a breach occurs that is likely to result in a risk to your rights, we'll notify the CNIL within 72 hours and inform affected users without undue delay.
9. Your rights
Under the GDPR you have the right to:
- Access: ask for a copy of the personal data we hold about you
- Rectification: correct inaccurate data
- Erasure: ask us to delete your data ("right to be forgotten")
- Restriction: ask us to stop processing your data temporarily
- Portability: receive your data in a structured, machine-readable format
- Objection: object to processing based on legitimate interest, including profiling
- Withdraw consent: for any processing based on consent, at any time
- Lodge a complaint: with the French data protection authority, the CNIL (cnil.fr)
To exercise any of these rights, email privacy@tootela.net. We respond within 30 days. Most rights are also one-click in the app: Settings → Privacy → Export, or Settings → Privacy → Delete account.
10. Cookies
We use a minimal set of cookies. The full list and how to manage them are on our Cookie Policy.
11. Children
Tootela is a B2B product. The service is not directed to children under 16, and we don't knowingly collect personal data from them. If you believe a child has created an account, contact us and we'll delete it.
12. Changes to this policy
If we make material changes, we'll notify you by email and via an in-product banner at least 30 days before they take effect. The "last updated" date at the top of the page always reflects the current version.
13. Contact
Questions, concerns, requests: privacy@tootela.net, or dpo@tootela.net for data protection specifically. Postal mail: Tootela SAS, TODO_STREET_ADDRESS, TODO_POSTCODE Bordeaux, France.