Last updated: 8 May 2026
The controller of your personal data is:
Yanis Aimeur — Sole Trader (Entrepreneur Individuel)
SIRET (FR business ID): 952 509 131 00019
Address: 54000 Nancy, France
Email: contact@vervox.app
No Data Protection Officer (DPO) appointed.Vervox’s core activities do not meet the criteria requiring the mandatory appointment of a DPO under GDPR article 37(1) (no public authority task, no large-scale regular and systematic monitoring, no large-scale processing of special categories). For any data protection question, please contact the email address above.
| Data | Collected at |
|---|---|
| Email address | Registration |
| Password (hashed via bcrypt) | Registration |
| First name / last name | Registration |
| TikTok handle | Onboarding / Settings |
| Profiling information | Onboarding |
| Content you enter (prompts, scripts) | Service usage |
| Data | Purpose |
|---|---|
| IP address | Security, statistics |
| Browser and device type | Technical compatibility |
| Pages visited and actions | Service improvement |
| Date and time of login | Security |
| Attribution parameters (source, campaign, referrer) | Measuring acquisition channel effectiveness |
| Email engagement (open, click, bounce) | Communications improvement |
| Server-side product events (registration, onboarding, payment) | Service improvement |
Banking data (card number, CVV, expiry date) is collected and processed exclusively by Stripe. We never have access to your full banking data. We retain billing records (invoices, Stripe customer identifiers, transaction history) for ten (10) years as required by French tax and accounting law (Code de commerce art. L123-22 and CGI art. L102 B).
As part of the Vervox subscription model, we also process the following data:
These data are processed on the basis of contract performance (art. 6.1.b GDPR) for billing and Service delivery, and legitimate interest(art. 6.1.f GDPR) for the detection of abusive or fraudulent use (abnormal Credit consumption, unauthorised multi-accounts, credential sharing). Credit consumption traces also serve as evidence in the event of a payment dispute, in accordance with article 7.13 of the T&Cs. Retention follows the billing data retention period (10 years).
If you choose to connect your YouTube channel to Vervox, we access the following data via YouTube API Services:
| Data collected | Purpose |
|---|---|
| Channel name, ID, avatar | Display your connected channel in the interface |
| Publishing videos to your channel | Cross-post your TikTok videos as YouTube Shorts |
| Posting comments | Add a first comment on your published videos |
Sharing and transfer: your YouTube data is shared with no third party. It is used exclusively to operate the Service (interface display, publishing videos to your own channel). It is neither sold, rented nor transferred to third parties for advertising, profiling or any other purpose not described above.
Storage: YouTube access and refresh tokens are encrypted (AES-256-GCM) before storage in our database. Only the Service accesses these tokens to perform the actions you request.
Revocation: you can disconnect your YouTube channel at any time from the Privacy section of your account settings. Disconnection immediately removes stored tokens. You can also revoke Vervox’s access from your Google permissions management page.
Compliance: Vervox’s use of data received via Google APIs complies with the Google API Services User Data Policy, including Limited Use Requirements.
If you choose to connect your TikTok account to Vervox, we access the following data via the TikTok API:
| Data collected | Purpose |
|---|---|
| Username, avatar, bio | Display your connected account and personalise analyses |
| Profile statistics (followers, likes, number of videos) | Account analysis and progress tracking |
| List of your videos and their statistics (views, likes, comments, shares) | Performance analysis, personalised idea generation and benchmark |
| Publishing videos to your account | Cross-post your videos to other platforms or publish scheduled content |
Sharing and transfer: your TikTok data is shared with no third party. It is used exclusively to operate the Service. It is neither sold, rented nor transferred to third parties for advertising or any other purpose not described above.
Storage: TikTok access and refresh tokens are encrypted (AES-256-GCM) before storage. Your video statistics are stored in our database to enable progress tracking over time.
Revocation:you can disconnect your TikTok account at any time from the Privacy section of your account settings. Disconnection revokes the tokens and removes Vervox’s access to your TikTok data.
Switching TikTok account: when you replace the TikTok account linked to your Vervox profile with a different account, your previous data (videos, statistics, progression snapshots) is retained in archived form — it is no longer displayed in your dashboard, but remains stored in our database for two purposes: (i) automatic restoration if you reconnect that same TikTok account later; (ii) aggregated and anonymized analysis to improve our recommendation and virality-prediction models. This retention relies on the legitimate-interest legal basis (GDPR art. 6(1)(f)). You can request permanent deletion of this archived data at any time via the “Erase my data” button in your account settings (Privacy section) or by writing to contact@vervox.app.
When you run a competitor analysis on a TikTok account that is not yours, Vervox processes only publicly available datafrom that account (public profile, public video metrics). We do not collect private or non-public data. The third-party creator’s data is processed on the legal basis of our legitimate interest in providing competitive benchmarking (GDPR art. 6(1)(f)), is not retained beyond the analysis, and is not used for direct marketing or profiling of those third parties.
When you write to contact@vervox.app (before or after registration), we collect and store:
AI processing — Alice: every received email is analysed by our internal support tool (“Alice”). The subject and body of the message are transmitted to Anthropic (Claude Haiku) to (1) classify it automatically (category, sentiment, urgency, language, topics, short summary), and (2) on demand from the support team, draft a reply suggestion written in your language. If you write in a language other than French, the content may also be transmitted to Claude Sonnet solely to translate between your language and French, so that the (French-speaking) support team can review the suggestion before sending. Anthropic is bound by a DPA (GDPR art. 28(3)) and does not use your data to train its models.
Telegram conversational agent (founder-internal): to handle support on the go, the founder interacts with Alice via a private Telegram bot. During these conversations, the content of your email may be transmitted to Anthropic (Claude Haiku) so that Alice can reason and draft reply suggestions. Alice has manual curation tools (full-text email search by keyword, updating a thread's category / urgency / kind, archiving) which remain within the internal support scope — all these operations are audited in inbound_email_events. If the founder records their instructions by voice, the audio is transmitted to OpenAI (Whisper)for transcription before processing by Anthropic. The transcription contains the founder's instructions only (never your email content). No data about you is shared publicly; Telegram FZ-LLC only receives operational notifications already pseudonymised (sender hash, truncated subject, AI summary) — see section 5. The Telegram conversation is never read or used for marketing purposes.
Legal basis:performance of a contract (art. 6.1.b) when you are a registered User, otherwise legitimate interest in providing quality customer support (art. 6.1.f). You may object to Alice’s processing at any time by writing to the same address — your request will then be handled manually.
No automated decision-making in the sense of GDPR art. 22: Alice’s classification routes your message into our support queues; it produces no legal decision or similarly significant effect. The reply is always sent by a human (in this case the founder).
Retention: 24 months from receipt, then full erasure 6 months later (i.e. 30 months maximum). See section 6.
Pseudonymisation on account deletion: if you delete your Vervox account, your support emails are pseudonymised (your email address + name replaced by a hashed identifier, content replaced by an erasure marker) rather than hard-deleted. This preserves the coherence of conversation threads in which you may have participated with other users while retaining no information identifying you.
The data marked as mandatory at registration (email, password or Google login) is necessary to perform the contract. Without it, you cannot create an account or access the Service.
Profiling data (niche, TikTok handle, preferences) is optional but improves the relevance of generated content. Analytics cookies are optional and subject to your consent.
| Purpose | Legal basis (GDPR) |
|---|---|
| Creating and managing your account | Performance of a contract (art. 6.1.b) |
| Providing the Vervox service | Performance of a contract (art. 6.1.b) |
| Personalising generated scripts | Performance of a contract (art. 6.1.b) |
| Billing, VAT records, invoice retention | Legal obligation (art. 6.1.c) |
| Service improvement and statistics | Legitimate interest (art. 6.1.f) |
| Service-related communications (feedback emails, product updates) | Legitimate interest (art. 6.1.f) |
| Server-side product event tracking | Legitimate interest (art. 6.1.f) |
| Analytics cookies and session recording | Consent (art. 6.1.a) |
For Brazilian residents, legal bases under LGPD art. 7 follow the same mapping (contract performance, legitimate interest, consent, and compliance with legal obligation).
Your data may be transmitted to the following sub-processors, each bound by a Data Processing Agreement (DPA) signed in accordance with GDPR art. 28(3):
| Sub-processor | Role | Location | Transfer mechanism |
|---|---|---|---|
| Supabase | Database | EU (AWS eu-west-1) | EU — no cross-border transfer |
| Vercel | Hosting | United States | DPF + SCCs |
| Anthropic | AI provider (Claude — content generation, support email triage and reply suggestion, multilingual translation; see section 2.7) | United States | DPF + SCCs |
| Stripe | Secure payment | Ireland / United States | DPF + SCCs |
| OAuth authentication | United States | DPF + SCCs | |
| Google (YouTube API Services) | Video publishing, channel info (see section 2.4) | United States | DPF + SCCs |
| OpenAI | AI provider (GPT) | United States | DPF + SCCs |
| Google (Gemini) | AI provider (Gemini) | United States | DPF + SCCs |
| Google (Cloud Vision) | Optical character recognition (OCR) on public images for TikTok carousel detection | United States | DPF + SCCs |
| PostHog | Product analytics | EU | EU — no cross-border transfer |
| Vercel Analytics | Audience measurement (anonymised) | United States | DPF + SCCs (anonymised — no personal data) |
| Sentry | Error monitoring | United States (EU region available) | DPF + SCCs |
| Resend | Transactional emails, service communications, and outbound support replies sent via Alice | United States | SCCs |
| IONOS | Support mailbox hosting (IMAP/SMTP receipt of emails sent to contact@vervox.app) | Germany (EU) | EU — no cross-border transfer |
| Telegram (Telegram FZ-LLC) | Founder-internal operational notifications (urgent inbound alert, daily digest) + Alice conversational agent channel (Phase 3, see section 2.7). Only receives pseudonymised data: sender hash, truncated subject (80 chars max), AI summary, and category labels. No raw email addresses or message bodies are transmitted. Messages exchanged between the founder and Alice are never read by Telegram. | United Arab Emirates (Dubai) | SCCs (Module 4 — controller-to-processor outside EEA) |
| OpenAI (Whisper) | Transcription of the founder's voice instructions when interacting with the Alice agent on Telegram (Phase 3). The audio received contains only the founder's words — never your email content. OpenAI is bound by a DPA and does not reuse data to train its models. | United States | DPF + SCCs |
| Upstash | Cache and rate limiting (Redis) | EU (AWS eu-west-1) | EU — no cross-border transfer |
| Cloudflare (R2) | Object storage (uploaded photos in Collections, carousel blobs, video exports) | EU / Global | DPF + SCCs |
| TikTok API | Account connection, profile and video reading, content publishing (see section 2.5) | Singapore / United States | SCCs (TikTok Ireland) |
| Pinterest API | Pinterest account connection, board and pin reading (Collections feature) | United States | SCCs |
| Supadata | Audio/video transcription (videos uploaded in Studio, analysed TikTok and YouTube videos) | United States | SCCs |
| Social media trends analysis provider | Synchronisation of your public TikTok data and content benchmarks | United States | SCCs |
| Pexels | Royalty-free image bank (carousels) | United States | No personal data transferred |
| Serper | Web image search for carousels | United States | SCCs (search queries only, no personal data) |
Transfers to the United States are governed by the EU-US Data Privacy Framework (European Commission adequacy decision of 10 July 2023) for DPF-certified sub-processors, and by the European Commission’s Standard Contractual Clauses (SCCs) (implementing decision 2021/914) as a layered safeguard in all cases.
For UK residents, transfers are governed by the UK International Data Transfer Agreement (IDTA) or the UK Addendum to the EU SCCs.
You can obtain a copy of the applicable safeguards (SCCs, DPAs) by writing to contact@vervox.app.
| Data | Duration |
|---|---|
| User account and profile (active) | Until account deletion by the User |
| Generated content (scripts, ideas, analyses) | Until account deletion |
| Billing and invoice records | 10 years (French tax law — Code de commerce art. L123-22, CGI art. L102 B) |
| Analytics data (PostHog) | 24 months |
| Error logs (Sentry) | 90 days |
| Cache data (Redis) | 30 days maximum |
| User-uploaded photos in Collections (R2) | Until photo, parent collection, or account deletion |
| Temporary carousel blobs (R2) | 2 days (auto-delete lifecycle) |
| History of emails sent | 24 months |
Inbound support emails received at contact@vervox.app (Alice mailbox) | 24 months (soft-delete) then 6 additional months (hard-delete), i.e. 30 months maximum |
| Audit trail of actions on support emails (inbound_email_events) | Until the parent thread is purged. The trail stores hashes (not content) of subjects and bodies, in line with the data minimisation principle |
Upon account deletion, all your personal data and generated content are removed from our database, except for billing records which we are required to retain for 10 years under French tax and accounting law. Data held by our sub-processors is deleted according to their own retention policies.
Special case for support emails: emails you sent to contact@vervox.app are pseudonymised on account deletion (your address + name replaced by a hashed identifier, content replaced by an erasure marker) rather than hard-deleted, in order to preserve the coherence of any conversation threads you may have participated in with other users. No information directly identifying you remains after pseudonymisation. Definitive erasure occurs at the latest at the end of the retention period above (30 months from message receipt).
In the event of a personal data breach likely to result in a risk to your rights and freedoms, Vervox will notify the competent supervisory authority (CNIL for France) within 72 hours of becoming aware of the breach, as required by GDPR art. 33.
If the breach is likely to result in a high risk to your rights and freedoms, we will also notify you directly without undue delay, in accordance with GDPR art. 34 (and equivalent provisions of UK GDPR, CCPA §1798.82 and LGPD art. 48).
The Service uses artificial intelligence to generate content suggestions (scripts, ideas, carousel text) based on your profiling inputs. These AI-generated suggestions are not automated decisions producing legal effects or similarly significantly affecting you within the meaning of GDPR art. 22. They are suggestions you may freely accept, modify or reject.
You may disable the AI profiling at any time via the “AI Profiling” toggle in the Privacy section of your account settings.
The Service is intended for Users aged 16 and over. We do not knowingly collect personal data from individuals under 16, regardless of whether local law permits lower ages (e.g., 13 in the United Kingdom, 14 in Spain or Italy, 15 in France, 16 in Germany).
For United States residents, we comply with the Children’s Online Privacy Protection Act (COPPA, 15 U.S.C. §§ 6501-6506): we do not knowingly collect personal information from children under 13, and our age threshold of 16 is stricter than COPPA’s.
If you are a parent or guardian and believe your child has provided personal data to Vervox, please contact contact@vervox.app for immediate deletion.
Under the EU GDPR and UK GDPR, you have the following rights:
If you have a Vervox account, most rights are directly accessible from the Privacy section of your account settings:
If you do not have a Vervox account but we process your data (e.g., your public content was analysed by a Vervox user), or for requests not self-serviceable (restriction of processing, data in a specific non-JSON format), email contact@vervox.app. We respond within 30 days as required by GDPR art. 12(3), extendable by two months for complex requests. We may verify your identity before responding.
You have the right to lodge a complaint with your local supervisory authority:
Acceptance of the Terms of Sale, the Terms of Service, and this Privacy Policy is materialised by the creation of your Vervox account. The exact date and time of your registration are automatically recorded in our systems at the moment of account creation and constitute formal proof of your acceptance pursuant to Article 6(1)(b) GDPR (legal basis: performance of a contract).
This information can be obtained on simple request to contact@vervox.app, as part of the right of access provided by Article 15 GDPR.
Vervox does not currently meet the statutory thresholds under California Civil Code §1798.140(d) to qualify as a “business” subject to the California Consumer Privacy Act (CCPA), as amended by the California Privacy Rights Act (CPRA). We voluntarily honour the following CCPA-style rights for California residents.
If you have a Vervox account, most rights are self-service via the Privacy section of your account settings (see section 10.1).
For requests not self-serviceable, or if you don’t have an account but we process your data as a California resident, email contact@vervox.app with the subject “California Privacy Request”. We respond within 45 days, extendable once by 45 additional days if necessary. We may verify your identity before responding. You may also contact the California Attorney General at oag.ca.gov/privacy/ccpa.
Under the Brazilian General Data Protection Law (Lei 13,709/2018, LGPD), and consistent with our GDPR practices, Brazilian residents have rights including access, correction, anonymisation/blocking/deletion, portability, information about sharing, and withdrawal of consent (LGPD art. 18).
If you have a Vervox account, these rights are self-service via the Privacy section of your account settings (see section 10.1). For requests not self-serviceable, email contact@vervox.app with the subject “LGPD Request”. We respond within 15 days as required by LGPD art. 19.
Encarregado (DPO) — exemption: Vervox qualifies as a small-scale processing agent under ANPD Resolution CD/ANPD 2/2022 and is exempt from the mandatory appointment of an Encarregado. For data protection questions, please use the contact email above.
You may also contact the Brazilian National Data Protection Authority (ANPD): www.gov.br/anpd.
We may update this Privacy Policy to reflect changes to our processing, our sub-processors, the applicable legal framework, or to clarify provisions.
Modifications are considered substantial when they have a direct and significant effect of:
Such modifications will be notified to you by email prior to their entry into force, within a reasonable timeframe adapted to the nature of the modification, and in any event at least fifteen (15) days. You may oppose them by exercising the rights provided in section 10.
Modifications not falling under section 13.1 (notably drafting corrections, clarifications, descriptive updates related to the evolution of the Service, operational or technical adjustments without impact on the processing of your data) may enter into force immediately and will be published on this page with an updated “Last updated” date.
Continued use of the Service beyond the effective date of a modification constitutes acceptance. Failing opposition expressed by email to contact@vervox.app before that date, you are deemed to have accepted the new conditions.
This Privacy Policy is governed by French law, without prejudice to the mandatory local protections that apply to you based on your country of residence (EU GDPR, UK GDPR, CCPA/CPRA, LGPD, and any other applicable law).
In case of discrepancy between the English and French versions, the French version (“Politique de Confidentialité”) prevails as the authoritative text.
For any question:
Email: contact@vervox.app
This English version is provided for international convenience. The French version (“Politique de Confidentialité”) is the authoritative text and prevails in case of any discrepancy.