PRIVACY POLICY

Vervox — Analytics and content creation service for creators

Last updated: 8 April 2026

1. DATA CONTROLLER

The controller of your personal data is:

Yanis Aimeur — Sole Trader (Entrepreneur Individuel)

SIRET (FR business ID): 952 509 131 00019

Address: 54000 Nancy, France

Email: contact@vervox.app

2. DATA COLLECTED

2.1 Data you provide to us

Data | Collected at
Email address | Registration
Password (hashed via bcrypt) | Registration
First name / last name | Registration
TikTok handle | Onboarding / Settings
Profiling information | Onboarding
Content you enter (prompts, scripts) | Service usage

2.2 Data collected automatically

Data | Purpose
IP address | Security, statistics
Browser and device type | Technical compatibility
Pages visited and actions | Service improvement
Date and time of login | Security
Attribution parameters (source, campaign, referrer) | Measuring acquisition channel effectiveness
Email engagement (open, click, bounce) | Communications improvement
Server-side product events (registration, onboarding, payment) | Service improvement

2.3 Payment data

Banking data is collected and processed exclusively by Stripe. We never have access to your full banking data.

2.4 YouTube / Google API Services data

If you choose to connect your YouTube channel to Vervox, we access the following data via YouTube API Services:

Data collected | Purpose
Channel name, ID, avatar | Display your connected channel in the interface
Publishing videos to your channel | Cross-post your TikTok videos as YouTube Shorts
Posting comments | Add a first comment on your published videos

Sharing and transfer: your YouTube data is shared with no third party. It is used exclusively to operate the Service (interface display, publishing videos to your own channel). It is neither sold, rented nor transferred to third parties for advertising, profiling or any other purpose not described above.

Storage: YouTube access and refresh tokens are encrypted (AES-256-GCM) before storage in our database. Only the Service accesses these tokens to perform the actions you request (publishing, reading statistics).

Revocation: you can disconnect your YouTube channel at any time from your account settings. Disconnection immediately removes stored tokens. You can also revoke Vervox’s access from your Google permissions management page.

Compliance: Vervox’s use of data received via Google APIs complies with the Google API Services User Data Policy, including Limited Use Requirements.

2.5 TikTok data

If you choose to connect your TikTok account to Vervox, we access the following data via the TikTok API:

Data collected | Purpose
Username, avatar, bio | Display your connected account and personalise analyses
Profile statistics (followers, likes, number of videos) | Account analysis and progress tracking
List of your videos and their statistics (views, likes, comments, shares) | Performance analysis, personalised idea generation and benchmark
Publishing videos to your account | Cross-post your videos to other platforms or publish scheduled content

Sharing and transfer: your TikTok data is shared with no third party. It is used exclusively to operate the Service. It is neither sold, rented nor transferred to third parties for advertising or any other purpose not described above.

Storage: TikTok access and refresh tokens are encrypted (AES-256-GCM) before storage. Your video statistics are stored in our database to enable progress tracking over time.

Revocation: you can disconnect your TikTok account at any time from your account settings. Disconnection revokes the tokens and removes Vervox’s access to your TikTok data.

2.6 Mandatory or optional nature

The data marked as mandatory at registration (email, password or Google login) is necessary to perform the contract. Without it, you cannot create an account or access the Service.

Profiling data (niche, TikTok handle, preferences) is optional but improves the relevance of generated content. Analytics cookies are optional and subject to your consent.

3. COOKIES AND TRACKERS

3.1 Strictly necessary cookies

The Service uses an authentication session cookie (authjs.session-token) essential to its operation, as well as an attribution cookie (__vx_utm, duration: 1 hour) allowing us to link your registration to its acquisition source. These cookies do not require your consent.

3.2 Analytics cookies

With your consent, we use PostHog to analyse Service usage (pages visited, clicks, user journey). PostHog may also record browsing sessions (with inputs masked) in order to improve user experience. When you are logged in, your analytics data may be associated with your account (email, name, plan) to personalise our product tracking.

3.3 Audience measurement (Vercel Analytics)

We use Vercel Analytics to measure Site performance and traffic. This service collects aggregated and anonymised data (pages visited, visit duration, country of origin) without using cookies and without collecting identifying personal data. In line with guidance from data protection authorities (notably the French CNIL), this tracker does not require prior consent.

3.4 Monitoring cookies

Sentry collects technical information in the event of an error (stack traces, browsing context) to maintain Service stability. In case of an error, a session recording may be captured to facilitate diagnosis.

3.5 Server-side product event tracking

Certain events related to Service operation (registration, email verification, onboarding, payment, cancellation) are logged server-side via PostHog on the legal basis of legitimate interest (GDPR art. 6.1.f). These events do not depend on cookies and serve exclusively to improve the user journey and ensure proper Service operation.

3.6 Managing your preferences

You can accept or refuse non-essential cookies via the consent banner shown on your first visit. You can change your preferences at any time from the Privacy section of your account settings. Your choice is kept for six (6) months, after which the banner will be presented to you again.

4. PURPOSES AND LEGAL BASES

Purpose | Legal basis (GDPR)
Creating and managing your account | Performance of a contract (art. 6.1.b)
Providing the Vervox service | Performance of a contract (art. 6.1.b)
Personalising generated scripts | Performance of a contract (art. 6.1.b)
Service improvement and statistics | Legitimate interest (art. 6.1.f)
Service-related communications (feedback emails, product updates) | Legitimate interest (art. 6.1.f)
Server-side product event tracking | Legitimate interest (art. 6.1.f)
Analytics cookies and session recording | Consent (art. 6.1.a)

5. SUB-PROCESSORS AND INTERNATIONAL TRANSFERS

Your data may be transmitted to the following sub-processors:

Sub-processor | Role | Location
Supabase | Database | EU (AWS eu-west-1)
Vercel | Hosting | United States
Anthropic | AI provider (Claude) | United States
Stripe | Secure payment | United States
Google | OAuth authentication | United States
Google (YouTube API Services) | Video publishing, channel info and analytics (see section 2.4) | United States
OpenAI | AI provider (GPT) | United States
Google (Gemini) | AI provider (Gemini) | United States
PostHog | Product analytics | EU
Vercel Analytics | Audience measurement (anonymised) | United States
Sentry | Error monitoring | United States
Resend | Transactional emails and service communications | United States
Upstash | Cache and rate limiting (Redis) | EU (AWS eu-west-1)
TikTok API | Account connection, profile and video reading, content publishing (see section 2.5) | Singapore / United States
Pexels | Royalty-free image bank (carousels) | United States
Serper | Web image search for carousels (search queries pass through Serper) | United States

Transfers to the United States are governed by the EU-US Data Privacy Framework (European Commission adequacy decision of 10 July 2023) for certified sub-processors, or by the European Commission’s Standard Contractual Clauses (SCCs) (implementing decision 2021/914) for others.

For UK residents, transfers are governed by the UK International Data Transfer Agreement (IDTA) or the UK Addendum to the EU SCCs.

You can obtain a copy of the applicable safeguards (SCCs, DPAs) by writing to contact@vervox.app.

6. RETENTION PERIODS

Data | Duration
User account and profile | Until account deletion by the User
Generated content (scripts, ideas, analyses) | Until account deletion
Analytics data (PostHog) | 24 months
Error logs (Sentry) | 90 days
Cache data (Redis) | 30 days maximum
History of emails sent | 24 months
Payment data (Stripe) | According to Stripe’s retention policy and legal obligations

Upon account deletion, all your personal data and generated content are deleted from our database. Data held by our sub-processors is deleted according to their own retention policies.

7. YOUR RIGHTS (EU GDPR / UK GDPR)

Under the EU GDPR and UK GDPR, you have the following rights:

  • Access: obtain a copy of your data
  • Rectification: correct inaccurate data
  • Erasure: request deletion of your data
  • Restriction: temporarily restrict processing
  • Portability: receive your data in a structured, machine-readable format
  • Objection: object to processing based on legitimate interest
  • Withdrawal of consent: withdraw your consent at any time for processing based on it (analytics cookies, profiling), without affecting the lawfulness of processing carried out before withdrawal
  • Unsubscribing from communications: you can unsubscribe from service emails (feedback, product updates) at any time via the unsubscribe link in each email or by writing to us

To exercise your rights: contact@vervox.app. We undertake to respond to your request within one (1) month, in accordance with GDPR article 12.3.

You may also lodge a complaint with your national data protection authority:

8. CALIFORNIA RESIDENTS (CCPA / CPRA)

If you are a California resident, you have additional rights under the California Consumer Privacy Act (CCPA), as amended by the California Privacy Rights Act (CPRA):

  • Right to know: request disclosure of the categories and specific pieces of personal information we have collected, used, disclosed or sold about you in the past 12 months
  • Right to access: request a copy of the personal information we hold about you
  • Right to delete: request deletion of your personal information
  • Right to correct: request correction of inaccurate personal information
  • Right to opt out of sale or sharing: Vervox does not sell your personal information and does not share it for cross-context behavioural advertising
  • Right to limit use of sensitive personal information: Vervox does not use sensitive personal information for purposes that trigger this right
  • Right to non-discrimination: we will not discriminate against you for exercising your CCPA rights (e.g. denying service, charging different prices)

To exercise your CCPA rights: contact@vervox.app. Please include “California Privacy Request” in the subject line. We will verify your identity before responding and will respond within 45 days (extendable once for 45 additional days if necessary).

You may also contact the California Attorney General: oag.ca.gov/privacy/ccpa

9. BRAZILIAN RESIDENTS (LGPD)

If you are a resident of Brazil, you have rights under the Lei Geral de Proteção de Dados (LGPD, Law 13,709/2018):

  • Confirmation of the existence of processing of your data
  • Access to your data
  • Correction of incomplete, inaccurate or outdated data
  • Anonymisation, blocking or deletion of unnecessary or excessive data, or data processed in breach of the LGPD
  • Portability of your data to another service provider
  • Deletion of personal data processed with your consent
  • Information about public or private entities with which we have shared your data
  • Information about the possibility of not giving consent and the consequences of refusing
  • Revocation of consent

To exercise your LGPD rights: contact@vervox.app. Please include “LGPD Request” in the subject line.

You may also contact the Brazilian National Data Protection Authority (ANPD): www.gov.br/anpd

10. SECURITY

  • Encryption of data in transit (HTTPS/TLS)
  • Password hashing (bcrypt)
  • OAuth token encryption (AES-256-GCM)
  • Restricted access to data

11. GOVERNING LAW AND LANGUAGE

This Privacy Policy is governed by French law, without prejudice to the mandatory local protections that apply to you based on your country of residence (EU GDPR, UK GDPR, CCPA/CPRA, LGPD, etc.).

In case of discrepancy between the English and French versions, the French version (“Politique de Confidentialité”) prevails as the authoritative text.

12. CONTACT

For any question:

Email: contact@vervox.app

This English version is provided for international convenience. The French version (“Politique de Confidentialité”) is the authoritative text and prevails in case of any discrepancy.