Privacy Policy
Last updated: 07/06/2026
1. Data Controller
Controller: ThumbUp (contact: contact@byevti.com).
2. Data We Collect
- Account data: email, hashed password, role, time zone, verification status.
- Business data: clients, orders, deliverables, revision comments, and related history.
- Security data: login logs, session tokens, CSRF protections, technical logs.
- Communication data: verification emails, password reset messages, contact form requests.
- Payment data: PayPal/Stripe transaction identifiers, status, amount, currency, timestamp.
3. Purposes and Legal Bases
- Contract performance: account creation, order management, billing, support.
- Legitimate interest: service security, fraud prevention, operational monitoring.
- Legal obligation: accounting and tax retention for payment operations.
- Consent: processing requests submitted through the contact form.
4. Login and Security
- Passwords are stored in hashed form (never plaintext).
- Login forms are protected by CSRF tokens.
- Role-based access control and mandatory email verification are enforced.
- Sessions and technical traces are used to detect abusive activity.
- Data is encrypted in transit using HTTPS/TLS.
- Sensitive data is protected by technical and organizational security measures (access control, least privilege, monitoring, and incident response procedures).
5. Payments (PayPal and Stripe)
- Transactions are processed by PCI DSS-certified providers (PayPal and/or Stripe).
- Full card details do not transit through ThumbUp servers.
- Only technical payment references and statuses are retained for tracking purposes.
6. Data Recipients
- Strictly authorized internal team members.
- Technical providers: hosting, SMTP email delivery, payment providers (PayPal/Stripe).
- Public authorities when legally required.
7. Google User Data (OAuth)
- Google user data is only used to provide and improve the requested app functionality.
- We do not sell Google user data.
- We do not share, transfer, or disclose Google user data with third parties, except: (a) with service providers strictly necessary to operate the service under confidentiality and security obligations, (b) when required by applicable law, or (c) with your explicit consent.
- Access to Google user data is restricted to authorized personnel and protected by security controls, including encryption in transit and access logging.
8. Retention Periods
- User account data: for the duration of the contractual relationship, then limited archival retention.
- Security and login logs: up to 12 months, unless an incident requires extended retention.
- Payment/accounting data: up to 10 years (legal obligations).
- Contact requests: up to 3 years from the last exchange.
9. Your Rights
Under the GDPR and applicable French data protection laws, you have rights of access, rectification, erasure, restriction, objection, portability, and withdrawal of consent.
To exercise your rights: contact@byevti.com. You may also lodge a complaint with the CNIL.
10. Cookies and Tracking Technologies
ThumbUp mainly uses strictly necessary cookies for authentication, user session, and security. No third-party advertising cookies are placed without an appropriate legal basis.
11. Policy Updates
This policy may be updated to reflect service changes, legal obligations, or provider updates.