Privacy Policy

Data controller

The data controller for the purposes of the General Data Protection Regulation (GDPR) is:

Entreprise Individuelle (EI) – DA SILVA AVELAR William
Trade name: to.it.com
SIRET: 831 461 363 00028
Address: 10 rue de Penthièvre, 75008 Paris, France
Email: contact@to.it.com

Personal data is hosted on infrastructure provided by Scaleway (France/EU).

Scope

This Privacy Policy applies to personal data we process when you:

• Visit or browse our website
• Create or manage profile pages, links, widgets, and campaign destinations
• Create and use an account or dashboard
• Purchase or manage paid subscriptions via checkout (Stripe)
• Create short links, publish pages, and review analytics within your account
• Contact support or correspond with us

It does not govern third-party sites or sources cited in reports; their privacy practices are described on those sites.

Data we collect

Account & identity

• Email address
• Name (if you provide it)
• Credentials and session data needed to secure your account

Pages, links, and account configuration

• Email address
• Profile/page names, widget and theme settings, public paths (such as @username and campaign slugs), plan configuration, and publishing status
• Locale or language where you provide it

Content, redirects, and analytics data

• Links, redirects, widgets, media embeds, profile content, short-link destinations, and metadata you add to your pages or campaigns
• Page views, click events, QR interactions, anti-abuse checks, and support or moderation communications related to your account

Subscriptions & billing

Subscription payments are processed by Stripe. We receive limited billing data (such as payment status, amount, currency, subscription tier, and identifiers needed to fulfil your order). We do not store full card numbers on our servers.

Usage & technical data

• IP address and approximate location derived from it
• Browser type, device type, and similar technical data
• Pages viewed, actions taken on the site, and timestamps
• Server and application logs for security and reliability

Public pages and private account data

Profile pages and links you choose to publish are publicly accessible by design. Account settings, billing information, internal logs, and unpublished edits remain private to your account unless you explicitly share them.

How we use data

We use personal data to:

• Operate and improve the platform, including page publishing, link routing, and redirect performance
• Authenticate accounts and secure the Service
• Render profile pages, resolve short links, generate QR outputs, and produce usage analytics
• Send service-related email you have requested or that is necessary to operate the Service
• Manage paid subscriptions, feature limits, and billing
• Provide support and respond to requests
• Analyse usage in aggregate to improve the product
• Detect abuse, fraud, and security incidents
• Comply with legal obligations

Email communications

We use email in connection with the Service. The main types sent through our delivery providers are described below; other correspondence may occur outside those systems.

• Transactional emails, such as account verification, login, password reset, billing or subscription updates, project status notifications, and support replies.
• Optional marketing emails, only if we offer them and you have opted in.

We do not purchase, rent, scrape, or use third-party email lists for marketing.

Where we offer marketing email, opt-in is collected through to.it.com-owned flows. We record subscription status and related metadata where required to evidence consent and protect against abuse.

Transactional email frequency depends on your use of the Service (for example account or billing events).

Marketing emails, if offered, include an unsubscribe link. You may unsubscribe at any time using the link in the email or by contacting contact@to.it.com. Transactional or service-critical emails may still be sent where necessary to operate the Service, secure your account, respond to your requests, or fulfil a transaction.

We use email delivery providers, including Amazon SES, to send and manage transactional email. These providers may process email addresses, message metadata, delivery events, bounces, complaints, and suppression data on our behalf.

We maintain suppression records where needed to respect unsubscribe requests, complaints, and delivery failures.

Legal bases

We process personal data on the following legal bases under GDPR, as applicable:

• Contract: providing the Service you request (accounts, projects, subscriptions)
• Legitimate interests: securing the platform, improving the product, analytics that do not require consent, and limited marketing to existing users where permitted
• Consent: marketing emails where required, and non-essential cookies as described in our Cookie Policy
• Legal obligation: where the law requires processing

Data sharing

We share personal data with service providers who process it on our instructions (“processors”), including:

• Hosting and infrastructure providers
• Payment processing: Stripe
• Email delivery: Amazon SES (transactional email)
• Security: Cloudflare (including Turnstile where used)
• Error monitoring (e.g. Sentry) where enabled
• Support or chat tools (e.g. Crisp) where enabled
• Analytics or ads measurement (e.g. Google) only where you consent
• AI and language-model providers (e.g. OpenAI) for optional writing assistance, moderation support, and internal quality workflows where enabled

We do not sell your personal data.

See our Subprocessors page for the current list of subprocessors, purposes, and transfer safeguards.

We only engage processors that provide sufficient guarantees. Each processor listed above processes personal data on our instructions under a data processing agreement meeting GDPR Article 28 requirements.

Automated processing & abuse prevention

to.it.com uses automated processing to publish pages, route short links, aggregate analytics, and detect suspicious or abusive activity (for example phishing, spam, or malicious redirects). These controls support safety and reliability and do not by themselves produce legal effects concerning you.

Where AI-assisted features are enabled, we may use language-model providers (such as OpenAI) for limited tasks such as draft copy assistance, moderation triage, or internal quality workflows. We may log prompts and responses where needed for security, abuse prevention, and debugging. If we introduce new automated or AI-assisted features that materially affect personal data processing, we will update this Policy as needed.

Data retention

We retain personal data only as long as necessary for the purposes described in this Policy. Specific periods or criteria include:

• Account data: deleted or anonymised within 30 days after account closure, except where a legal hold, unresolved dispute, or security investigation requires longer retention.
• Billing and tax records: 10 years from the end of the financial year, as required by the French Commercial Code (Code de commerce).
• Marketing email data, if offered: until you unsubscribe; inactive subscribers may be purged after 3 years without engagement.
• Security and application logs: up to 6 months, unless needed longer for incident investigation or legal obligations.
• Pages, links, analytics summaries, and related records: for as long as your account is active and a reasonable period thereafter to operate the Service, handle disputes, and maintain an audit trail; you may delete content through the Service where available.

Security

We implement appropriate technical and organisational measures to protect personal data, including access controls, encryption in transit where standard, and monitoring.

No system is completely secure; we cannot guarantee absolute security.

Your rights

Under GDPR, you may have the right to:

• Access your personal data
• Rectify inaccurate data
• Request erasure in certain cases
• Restrict or object to certain processing
• Data portability where applicable
• Withdraw consent where processing is based on consent
• Lodge a complaint with a supervisory authority

To exercise these rights, contact contact@to.it.com. Where processing is based on consent (marketing email, non-essential cookies), you may withdraw consent at any time without affecting the lawfulness of processing before withdrawal; see our Cookie Policy and the Withdrawal & refunds section of our Terms for purchase-related withdrawal rights.

Cookies

We use essential cookies to run the site and optional cookies for analytics, ads measurement, or support where you consent. See our Cookie Policy and the “Cookie settings” link in the footer to update preferences.

International transfers

Some processors may process data outside the European Economic Area. Where required, we use appropriate safeguards, including Standard Contractual Clauses (SCCs) approved by the European Commission and, where applicable, the EU-U.S. Data Privacy Framework.

• Stripe (payments): may process data in the EU and United States, using SCCs and/or the EU-U.S. Data Privacy Framework as applicable.
• Amazon SES (email): United States, using SCCs.
• Google (Analytics/Ads, consent-gated): United States, using SCCs and/or the EU-U.S. Data Privacy Framework as applicable.
• Cloudflare (security, CDN, Turnstile): global edge network, using SCCs.
• Sentry (error monitoring) and Crisp (support chat): United States, using SCCs; loaded only with your consent where required.
• AI and language-model providers (e.g. OpenAI): may process data in the United States and other regions, using SCCs and/or the EU-U.S. Data Privacy Framework as applicable.

Changes

We may update this Privacy Policy from time to time. Material changes will be communicated via the Service or email where appropriate.

Contact

For privacy questions or requests, contact contact@to.it.com.