1. Data controller
The data controller is Tutobox, currently being registered in France. Data protection officer: privacy@tutobox.eu.
2. Data collected
Tutobox collects only the data necessary for the operation of the service. No data is resold or shared for advertising purposes.
| Category | Data | Origin |
|---|---|---|
| Account | Last name, first name, work email, organization. | User input |
| Authentication | Hashed password, session tokens, login log. | System-generated |
| Billing | Legal name, address, VAT, subscription history. | User input |
| Content | Screen captures, imported videos, generated tutorials. | User production |
| Usage | Pages viewed, key actions (anonymized aggregate). | Audience measurement |
3. Purposes and legal basis
- Service provision (capture, generation, export) — performance of the contract.
- Billing and accounting — legal obligation.
- Support and transactional communication — legitimate interest.
- Anonymized audience measurement — consent (cookie banner).
- Security and fraud prevention — legitimate interest.
4. Retention period
5. Your rights
In accordance with the GDPR, you have the following rights: access, rectification, erasure, restriction, objection, portability, withdrawal of consent and complaint to the competent supervisory authority (CNIL in France).
To exercise your rights, write to privacy@tutobox.eu. A reply will be provided within 30 days. You may also lodge a complaint with the CNIL — cnil.fr.
6. Subprocessors and transfers
Application hosting and content storage rely on a cloud infrastructure, primarily located in the European Union. Certain processing relies on subprocessors that may operate outside the EU:
- Amazon Web Services (AWS) — hosting and storage of files (videos, generated documents).
- Google (Gemini API) — AI-assisted generation of procedures from screen recordings.
- Stripe — payment processing.
When a transfer outside the EU takes place, it is governed by the safeguards provided by the GDPR: standard contractual clauses of the European Commission and, where applicable, adherence to the EU-US Data Privacy Framework. The list of subprocessors may change; any update is published on this page.
7. Security measures
- TLS encryption for all network communications.
- Encryption at rest of user content (cloud storage).
- Password hashing.
- Encrypted backups.
- Owner-based access control: each file is accessible only to the account that produced it.
- Data breach notification within the timeframes set by the GDPR (72 h).