Privacy Policy
Effective as of April 9, 2026
VDD Content publish — TikTok data handling
The "VDD Content publish" application (operated by Veya Studio for Vins de Dagne) accesses the following data from TikTok when a user authorizes the app:
- Basic profile info (user id, avatar, display name) — scope user.info.basic
- Extended profile info (bio, links, verification status) — scope user.info.profile
- Account statistics (follower count, like count, following count, video count) — scope user.info.stats
- Public video list and metadata for the connected account — scope video.list
- Video upload and publishing permissions — scopes video.upload and video.publish
Data is used solely to:
- Display performance analytics inside our internal dashboard
- Publish scheduled content authored by Vins de Dagne staff to the connected TikTok account
Data storage:
- OAuth access and refresh tokens are stored encrypted in Supabase (EU region) and used only for API calls to TikTok
- No TikTok data is shared with or sold to third parties
- Users can revoke access at any time via TikTok account settings; upon revocation we delete all stored tokens and associated data within 30 days
Article 1 — Data controller
The data controller is:
Veya Studio
Micro-enterprise registered under SIRET 832 503 395 00044
Owner: Alaa Mourad
Headquarters: Paris, France
Data controller email: [email protected]
Data protection email: [email protected]
1.1. Data Protection Officer (DPO)
In accordance with Article 37 of the GDPR, the appointment of a Data Protection Officer is not mandatory for Veya Studio given the nature, scope, and volume of its processing activities. Nevertheless, Veya Studio has designated a dedicated point of contact for any data protection inquiries, reachable at [email protected]. Veya Studio reserves the right to appoint an external DPO if business developments require it.
Article 2 — Data collected and purposes
In the course of our activities, we collect and process the following categories of personal data, for the purposes and on the legal bases indicated:
| Category | Data | Purpose | Legal basis (GDPR) | Retention period |
|---|---|---|---|---|
| Identity and contact | Last name, first name, email, phone, company name, job title | Account creation, business relationship management, billing, Service-related communication | Contract performance (Art. 6.1.b) | Duration of contract + 3 years after last interaction |
| WhatsApp contact | Phone number, conversation metadata, content of messages exchanged with the AI Brain | AI Brain service delivery, personalized response generation, service quality improvement | Contract performance (Art. 6.1.b) | Duration of subscription + deletion within 30 days of termination |
| Payment | Billing data (name, address, registration number). Banking data (card number, CVC) is never stored by Veya Studio — it is processed exclusively by Stripe (PCI-DSS Level 1 certified). | Payment processing, billing, accounting | Contract performance (Art. 6.1.b) + legal obligation (Art. 6.1.c) | 10 years (accounting obligations) |
| AI training content | Documents, FAQs, methodologies, business knowledge, publications provided by the Client for AI Brain training | Customization and training of the Client's specific AI Brain; storage as vector embeddings | Contract performance (Art. 6.1.b) | Duration of contract + deletion within 30 days of termination (vector and source data) |
| Browsing | IP address (anonymized), browser type, operating system, pages visited, visit duration, traffic source | Audience measurement, site improvement, security anomaly detection | Legitimate interest (Art. 6.1.f) or consent (Art. 6.1.a) depending on cookie type | 13 months maximum |
| Marketing communications | Email, communication preferences | Newsletters, information about new services, event invitations | Consent (Art. 6.1.a) | Until withdrawal of consent + 3 years (B2B commercial prospecting: legitimate interest) |
| Technical support | Email exchanges, support tickets, screenshots | Technical problem resolution, Service improvement | Contract performance (Art. 6.1.b) | Duration of contract + 1 year |
Article 3 — Sensitive data
Veya Studio does not intentionally collect sensitive data within the meaning of Article 9 of the GDPR (health data, political opinions, religious beliefs, biometric data, sexual orientation, trade union membership, genetic data, racial or ethnic origin).
If the Client transmits sensitive data to the Provider as part of AI Brain training, they must inform the Provider in writing beforehand so that enhanced protection measures can be implemented. The processing of sensitive data requires a specific additional agreement between the parties.
Article 4 — Data processing by artificial intelligence
4.1. AI processing mechanism
When the Client provides documents and knowledge for AI Brain training, this data is processed as follows:
- Ingestion and vectorization: Documents are split into segments, transformed into numerical vectors (embeddings) by an artificial intelligence model (OpenAI or Anthropic), and stored in a vector database (Pinecone). The vectors do not contain the original plain text but a numerical representation of its semantic content.
- Response generation: When an End User asks a question via WhatsApp, the question is vectorized, the most relevant segments are retrieved from Pinecone, then transmitted to a language model (OpenAI or Anthropic) with specific instructions (system prompt) to generate a contextualized response.
- No training on your data: Your data is never used to train the underlying language models (OpenAI, Anthropic). The APIs used are configured with the no-training option enabled (zero data retention or opt-out). Your data is used exclusively to feed your AI Brain's context via vector search.
4.2. Data isolation
Each Client's data is strictly isolated from that of other Clients through a secure multi-tenant architecture:
- Each Client has a dedicated namespace in Pinecone, preventing any cross-access to vector data.
- Relational data (Supabase) is isolated through Row Level Security (RLS) policies and per-tenant encryption keys.
- WhatsApp conversations are associated with a unique client identifier and are never mixed.
4.3. Automated decision-making
The Service does not perform any automated decision-making having legal or significant effects on data subjects within the meaning of Article 22 of the GDPR. Responses generated by the AI Brain are provided for informational purposes and produce no automatic legal effect.
Article 5 — Sub-processors and data recipients
5.1. Sub-processors
Personal data may be communicated to the following sub-processors, acting on documented instructions from Veya Studio and bound by data protection clauses in compliance with Article 28 of the GDPR:
| Sub-processor | Function | Data location | Transfer safeguards |
|---|---|---|---|
| Stripe, Inc. | Payment processing (PCI-DSS Level 1 certified) | USA + EU | EU-US Data Privacy Framework + SCCs |
| Supabase, Inc. | Relational database, authentication, storage | USA / EU (configurable) | SCCs + EU hosting available |
| Pinecone Systems, Inc. | Vector database (embedding storage) | USA | SCCs |
| OpenAI, LLC | Language model (text and embedding generation) | USA | EU-US DPF + SCCs + API DPA (zero data retention) |
| Anthropic, PBC | Language model (text generation) | USA | SCCs + API DPA |
| WhatsApp LLC (Meta Platforms) | Messaging channel — Business API | USA / EU | EU-US DPF + SCCs + end-to-end encryption |
| TikTok (ByteDance Ltd.) | Social media content publishing — Content Posting API ("VDD Content publish" application) | Singapore / USA / EU | SCCs + TikTok for Developers DPA |
| n8n GmbH | Workflow orchestration (self-hosted or cloud) | Germany / EU | EU hosting — no transfer outside EEA |
| Vercel Inc. | Website hosting (global Edge Network) | USA (global Edge Network) | EU-US DPF + SCCs |
5.2. Other recipients
Personal data is not communicated to any third party other than the sub-processors listed above, except in the following cases:
- Legal, regulatory, or judicial obligation (judicial requisition, request from an administrative authority).
- Express consent of the data subject.
- Protection of the rights, property, or security of Veya Studio, its clients, or the public.
Veya Studio never sells, rents, or communicates personal data to third parties for commercial or advertising purposes.
Article 6 — International transfers
Some of the sub-processors listed in Article 5 are located outside the European Economic Area (EEA), particularly in the United States. In accordance with Chapter V of the GDPR (Articles 44 to 49), these transfers are governed by the following appropriate safeguards:
- Adequacy decisions of the European Commission, where applicable.
- Standard Contractual Clauses (SCCs) adopted by the European Commission (Implementing Decision (EU) 2021/914 of June 4, 2021), "controller to processor" and/or "processor to processor" modules.
- EU-US Data Privacy Framework for certified US sub-processors (Stripe, OpenAI, Meta/WhatsApp).
Veya Studio conducts a Transfer Impact Assessment for each sub-processor located outside the EEA, in accordance with the recommendations of the EDPB (European Data Protection Board) adopted on June 18, 2021. Assessment documents are available upon request at [email protected].
Article 7 — Data security
In accordance with Article 32 of the GDPR, Veya Studio implements appropriate technical and organizational measures to ensure a level of security appropriate to the risk, including:
7.1. Technical measures
- Encryption in transit: TLS 1.2 minimum on all communications (website, API, data transfers).
- Encryption at rest: AES-256 for stored data (Supabase, backups).
- Enhanced authentication: Multi-factor authentication (MFA) mandatory for access to production systems and client data.
- Data isolation: Multi-tenant architecture with dedicated Pinecone namespaces and Row Level Security (RLS) on Supabase.
- Backups: Automatic daily backups with 30-day retention, stored in a separate geographic zone.
- Logging: Data access logs with timestamps, user identifiers, and operation type, retained for 12 months.
- Monitoring: Continuous system monitoring with automatic alerts in case of security anomalies.
- Secure APIs: Encrypted API keys, regular rotation, rate limiting, and IP address whitelisting for sensitive access.
7.2. Organizational measures
- Principle of least privilege: data access limited to what is strictly necessary.
- Confidentiality commitment from any person with access to data.
- Regular review of access rights.
- Documented security incident management procedure.
- Regular data protection awareness training.
Article 8 — Data breach notification
In accordance with Articles 33 and 34 of the GDPR, in the event of a personal data breach (unauthorized access, loss, alteration, disclosure), Veya Studio commits to:
- Notifying the competent supervisory authority (CNIL) within seventy-two (72) hours of becoming aware of the breach, if it is likely to result in a risk to the rights and freedoms of data subjects.
- Informing the affected Client within forty-eight (48) hours of becoming aware of the breach, providing the nature of the breach, the categories and approximate number of data subjects concerned, the likely consequences, and the measures taken or proposed to remedy it.
- Informing the data subjects concerned without undue delay if the breach is likely to result in a high risk to their rights and freedoms.
- Documenting any breach in a register in accordance with Article 33(5) of the GDPR.
Article 9 — Rights of data subjects
In accordance with Articles 15 to 22 of the GDPR, you have the following rights regarding your personal data:
| Right | Description | Legal basis |
|---|---|---|
| Access | Obtain confirmation that your data is being processed and receive a complete copy, along with the information provided for in Article 15 of the GDPR. | Art. 15 GDPR |
| Rectification | Obtain the correction of inaccurate data or the completion of incomplete data. | Art. 16 GDPR |
| Erasure | Obtain the deletion of your data when one of the grounds of Article 17 applies (withdrawal of consent, data no longer necessary, etc.). | Art. 17 GDPR |
| Restriction | Obtain the suspension of processing in the cases provided for in Article 18 (dispute of accuracy, unlawful processing, etc.). | Art. 18 GDPR |
| Portability | Receive your data in a structured, commonly used, and machine-readable format (JSON, CSV), and transmit it to another controller. | Art. 20 GDPR |
| Objection | Object to the processing of your data based on legitimate interest, including profiling. For direct marketing, objection is unconditional. | Art. 21 GDPR |
| Withdrawal of consent | Withdraw your consent at any time, without affecting the lawfulness of processing based on consent before its withdrawal. | Art. 7(3) GDPR |
9.1. Exercising your rights
To exercise your rights, you may contact us:
- By email: [email protected]
- By mail: Veya Studio — Data Protection — Paris, France
We commit to responding to your request within one (1) month of receipt, in accordance with Article 12(3) of the GDPR. This period may be extended by two additional months in case of complexity or a high number of requests, in which case you will be informed within one month of receiving your request.
We may ask you to prove your identity (copy of an identity document) to prevent any unauthorized disclosure of personal data.
9.2. Complaint to the supervisory authority
If you believe that the processing of your personal data constitutes a violation of the GDPR, you have the right to lodge a complaint with the Commission Nationale de l'Informatique et des Libertés (CNIL):
- Online: www.cnil.fr/fr/plaintes
- By mail: CNIL — 3 Place de Fontenoy — TSA 80715 — 75334 Paris Cedex 07
Article 10 — Cookies and trackers
10.1. Legal framework
The placement and reading of cookies and other trackers on the Site are governed by Article 82 of French Law No. 78-17 of January 6, 1978, as amended, transposing Article 5(3) of Directive 2002/58/EC (the "ePrivacy" Directive).
10.2. Cookie categories
| Category | Purpose | Consent required | Duration |
|---|---|---|---|
| Strictly necessary cookies | Site functionality, security, session management | No (exempt) | Session |
| Audience measurement cookies | Anonymized traffic statistics | Yes (unless CNIL-exempt solution) | 13 months max |
| Marketing / third-party cookies | Targeted advertising, social networks | Yes | 13 months max |
10.3. Preference management
You can accept or refuse non-essential cookies via the consent banner displayed during your first visit. You can change your preferences at any time by clicking the "Manage cookies" link in the footer. You can also configure your browser to block cookies. Refusing non-essential cookies does not prevent browsing the site.
Article 11 — Processing register
In accordance with Article 30 of the GDPR, Veya Studio maintains a register of processing activities describing each personal data processing operation implemented. This register is available to the CNIL and can be consulted upon justified request addressed to [email protected].
Article 12 — Data Protection Impact Assessment (DPIA)
In accordance with Article 35 of the GDPR, when processing is likely to result in a high risk to the rights and freedoms of natural persons, Veya Studio conducts a Data Protection Impact Assessment (DPIA). Given the nature of the activity (data processing by artificial intelligence, large-scale textual data use), a DPIA has been carried out for the AI Brain service. The conclusions of this assessment are available upon request.
Article 13 — Policy modifications
This Privacy Policy may be updated at any time to reflect changes in our practices, our business, or applicable regulations. In the event of a substantial modification affecting the rights of data subjects, we will inform you by email at least thirty (30) days before it takes effect. The date of last update is indicated at the top of this page. We recommend that you regularly consult this page.
Article 14 — Contact
For any questions regarding this Privacy Policy or the exercise of your rights, you may contact us:
- General email: [email protected]
- Data protection email: [email protected]
- Mail: Veya Studio — Paris, France
© 2026 Veya Studio — All rights reserved.