Privacy · GDPR

Privacy policy

Tutobox processes your personal data in compliance with the GDPR. Primary cloud hosting in the European Union, use of subprocessors governed by contractual safeguards, no resale, no targeted advertising. This page describes all processing and your associated rights.

Last updated · July 2026

1. Data controller

The data controller is Tutobox, currently being registered in France. Data protection officer: privacy@tutobox.eu.

2. Data collected

Tutobox collects only the data necessary for the operation of the service. No data is resold or shared for advertising purposes.

| Category | Data | Origin |
|---|---|---|
| Account | Last name, first name, work email, organization. | User input |
| Authentication | Hashed password, session tokens, login log. | System-generated |
| Billing | Legal name, address, VAT, subscription history. | User input |
| Content | Screen captures, imported videos, generated tutorials. | User production |
| Usage | Pages viewed, key actions (anonymized aggregate). | Audience measurement |

3. Purposes and legal basis

  • Service provision (capture, generation, export) — performance of the contract.
  • Billing and accounting — legal obligation.
  • Support and transactional communication — legitimate interest.
  • Anonymized audience measurement — consent (cookie banner).
  • Security and fraud prevention — legitimate interest.

4. Retention period

  • Active account: for the entire duration of the contractual relationship.
  • Inactive account: automatic deletion after 24 months of inactivity.
  • User content: kept while the account is active, deleted upon termination (except for a portability request).
  • Billing documents: 10 years (legal accounting obligation).
  • Login logs: 12 months (security).

5. Your rights

In accordance with the GDPR, you have the following rights: access, rectification, erasure, restriction, objection, portability, withdrawal of consent and complaint to the competent supervisory authority (CNIL in France).

To exercise your rights, write to privacy@tutobox.eu. A reply will be provided within 30 days. You may also lodge a complaint with the CNIL — cnil.fr.

6. Subprocessors and transfers

Application hosting and content storage rely on a cloud infrastructure, primarily located in the European Union. Certain processing relies on subprocessors that may operate outside the EU:

  • Amazon Web Services (AWS) — hosting and storage of files (videos, generated documents).
  • Google (Gemini API) — AI-assisted generation of procedures from screen recordings.
  • Stripe — payment processing.

When a transfer outside the EU takes place, it is governed by the safeguards provided by the GDPR: standard contractual clauses of the European Commission and, where applicable, adherence to the EU-US Data Privacy Framework. The list of subprocessors may change; any update is published on this page.

7. Security measures

  • TLS encryption for all network communications.
  • Encryption at rest of user content (cloud storage).
  • Password hashing.
  • Encrypted backups.
  • Owner-based access control: each file is accessible only to the account that produced it.
  • Data breach notification within the timeframes set by the GDPR (72 h).