Privacy Policy
Version 1.1 — effective June 12, 2026 (replaces v1.0 of May 12, 2026)
This policy describes how Torool collects, uses, and protects your personal data. It applies to the Torool mobile app and to the guest webapp accessible via the link your organizer sent you.
0. Who is the data controller
The data controller is DBEK, with registered office at 75 rue de Lourmel, 75015 Paris, France, registered with the Paris Trade and Companies Register under number 932 689 037.
Contact: contact@dbek.fr
Publication director: Mathieu Baldek
DBEK is not required to appoint a Data Protection Officer (DPO) under Article 37 of the GDPR. For any data-related question, contact the address above.
1. Data we collect
1.1. Organizer account
- Credentials: email address, password (hashed, never readable).
- Displayed identity: display name, profile picture (avatar, optional — stored in a public Supabase bucket).
- Preferences: language (fr / en), theme (light / night / neon / follow system), selected app icon, email visibility to guests.
- Account state: creation date, premium status (boolean), number of events created.
1.2. Third-party sign-in
If you choose "Continue with Google" or "Continue with Apple", we receive from these providers: your email, your name, and your profile picture if available. Apple may offer to hide your real email via "Hide My Email" — in that case we receive an alias only you can link to your real email.
1.3. Events and guests
- Events: title, date, location, description, table and seating plan configurations you create.
- Guests: first name, last name, email (optional), phone (optional), RSVP status, 6-character access code, funnel responses (diet, transport, +1, dress code, arrival time, etc., depending on the chosen format).
- Guest access code: random 6-character code letting a guest access their invitation without creating an account.
- Event add-ons (when enabled by the organizer): carpooling (driver contact details — phone and/or email —, departure point, schedule, seat count, shared with the passengers of that ride), accommodation, potluck, cost sharing (declared amounts and Lydia / Revolut / PayPal payment handles entered voluntarily, visible to the participants concerned).
- Shared content: photos uploaded to the event album and guestbook messages — visible to the other participants of the event.
- Address search: when you type a place (event location, carpool departure point, accommodation), the typed text is sent to the Google Places API for autocompletion. Your device location is never read.
As the organizer, you are responsible for ensuring your guests consent to having their name and contact details appear in the app. For this collection, you act as a joint controller with us.
1.4. Clubs and memberships
- Clubs: name, description, cover image, and the club's member list (name, email, membership status and expiry date).
- Paid memberships: if a club enables paid membership fees, the payment is processed by Stripe. We keep the payment status and the receipt; we never see or store your card number.
- Club organizers: membership fee collection goes through Stripe Connect. Identity verification (KYC) is performed and stored by Stripe; we only store the Stripe account ID and its status.
1.5. Subscription and payments
- Torool Premium is a monthly subscription purchased via the App Store (Apple), Google Play, or by card on the web via Stripe.
- Apple, Google, or Stripe transaction ID.
- Your Premium subscription status (active / expired).
- RevenueCat subscription event history linked to your account (purchase, renewal, cancellation, restoration).
- For web payments: Stripe processes your card data directly; it never transits through our servers.
1.6. Diagnostics
- Technical error logs (stack trace, app version, device type) sent to Sentry.
- Torool user ID attached to the log (never your email, never your name).
1.7. Data we do not collect
Torool does not read your device location, contacts, photo library, or messages. The only photos we receive are the ones you voluntarily choose to upload (your avatar, or a photo added to an event album). No advertising SDK or behavioral tracking tool is integrated.
2. Purposes and legal bases
| Purpose | Legal basis (GDPR) |
|---|---|
| Create and manage your account, authenticate you | Contract performance (Art. 6.1.b) |
| Allow you to create events and invite participants | Contract performance (Art. 6.1.b) |
| Allow your guests to access their invitation and reply | Contract performance (Art. 6.1.b) on your side · Legitimate interest on guest side (Art. 6.1.f) |
| Send event-related emails (invitations, reminders, RSVP confirmations, carpool or guestbook notifications) | Contract performance (Art. 6.1.b) on your side · Legitimate interest on guest side (Art. 6.1.f) |
| Manage your Premium subscription, validate payments (in-app and web) | Contract performance (Art. 6.1.b) |
| Manage clubs, memberships, and membership fee collection | Contract performance (Art. 6.1.b) |
| Retain accounting records for purchases | Legal obligation (Art. 6.1.c) — French Commercial Code Art. L. 123-22 |
| Secure the service, detect abuse, audit | Legitimate interest (Art. 6.1.f) |
| Anonymized error logs (Sentry) | Legitimate interest (Art. 6.1.f) |
| Contact you for critical bugs, security, or major updates | Legitimate interest (Art. 6.1.f) |
No data is used for direct marketing or behavioral analytics in this version of the service. If we add such processing in the future, it will be strictly based on your prior consent (Art. 6.1.a) and you will be notified.
3. Subprocessors
We use the following providers to operate the service. Each one has signed a GDPR-compliant Data Processing Agreement (DPA).
| Provider | Role | Location | DPA / Privacy |
|---|---|---|---|
| Supabase Inc. | Database hosting, authentication, avatar storage, edge functions | European Union (Ireland) | privacy · DPA |
| RevenueCat Inc. | In-app purchase validation and premium status sync | United States (EU-US DPF certified) | privacy |
| Apple Inc. | iOS IAP payment, App Store distribution, Sign in with Apple | United States (EU-US DPF certified) | privacy |
| Google LLC | Play Billing payment, Play Store distribution, Sign in with Google, address autocompletion (Places API) | United States (EU-US DPF certified) | privacy |
| Stripe Payments Europe, Ltd. / Stripe, Inc. | Card payments on the web (Premium subscription, club membership fees), payouts to clubs (Stripe Connect), club organizer identity verification (KYC) | European Union (Ireland); US transfers EU-US DPF certified | privacy · DPA |
| Resend, Inc. | Transactional email delivery (invitations, reminders, confirmations, receipts) | United States (Standard Contractual Clauses) | privacy · DPA |
| Vercel Inc. | Guest webapp hosting (the /join/:code page) and marketing site | US and EU regions (Frankfurt) | privacy · DPA |
| Functional Software, Inc. (Sentry) | Anonymized technical error reporting | United States (EU-US DPF certified) | privacy |
4. International transfers
When your data is transferred outside the European Union (to RevenueCat, Apple, Google, Stripe Inc., Resend, Sentry, or Vercel's US region), it is protected by:
- The EU-US Data Privacy Framework (DPF) certification under which these providers are registered;
- Or, by default, the European Commission's Standard Contractual Clauses (decision 2021/914).
The primary database and avatar storage are hosted within the European Union (Supabase, Ireland region). The main processing of your personal data therefore takes place in the EU.
5. Retention
| Category | Duration |
|---|---|
| Active account and associated data | As long as your account exists |
| On account deletion: effective erasure | Up to 30 days (including encrypted backups) |
| Event content (album photos, guestbook, guest responses) | Until the organizer deletes the event, or the account is deleted |
| Payment records (subscription, membership fees) | 10 years (French Commercial Code Art. L. 123-22) |
| Anonymized Sentry logs | 90 days then automatic deletion |
| Supabase security logs (auth, access) | 12 months |
6. Your rights
Under GDPR articles 15 to 22, you have the following rights:
- Access: obtain a copy of your data. You can export it directly from the app: Settings › Account › Export my data.
- Rectification: correct inaccurate data. Most fields are editable directly (profile, events). For others, write to us.
- Erasure: delete your account and all associated data via Settings › Account › Delete my account.
- Portability: receive your data in a structured, readable format (JSON), via the same export feature.
- Objection: object to processing based on legitimate interest (for example, refuse Sentry error log collection). Write to us.
- Restriction: ask us to freeze the processing of your data in case of dispute.
- Withdrawal of consent: for any consent-based processing, you can withdraw it at any time.
To exercise a right not directly available in the app, write to contact@dbek.fr. Reply within 30 days maximum (an additional month in case of complexity, with reasoned notification).
7. Security
- TLS 1.2+ encryption for all transfers.
- Passwords hashed with bcrypt by Supabase Auth (never stored in plaintext).
- Time-limited JWT access tokens + refresh token rotation.
- Postgres Row-Level Security policies: you only access your own events, never another organizer's.
- Regular dependency and key access audits.
- Informal penetration tests before each major release.
8. Automated decision-making and profiling
Torool performs no fully automated decision producing legal effects concerning you (GDPR Art. 22). No profiling for scoring, ad targeting, or price modulation is implemented.
9. Minors
Torool is intended for users aged 15 and over. Age is not actively verified but is stated at signup and in the terms of service. If you are a parent or guardian and notice that a child under 15 has signed up, contact contact@dbek.fr for immediate deletion (within 24 business hours).
10. Cookies and local storage
The mobile app does not use cookies. It stores locally (AsyncStorage) your session token and your preferences (language, theme, app icon). No third-party tracker.
The guest webapp (used by your guests from the link you share) uses:
- the browser's local storage (localStorage / sessionStorage) to manage the guest's anonymous session;
- a first-party functional cookie per event (
torool_invite_…, 90-day lifetime) that remembers your invitation code so you are recognized on your next visit without re-entering your email; - a random session identifier (sessionStorage, cleared when the tab closes) used solely to deduplicate the event page view counter shown to the organizer.
No advertising cookie, no third-party tracker, no pixel. No prior consent is required as these storages are strictly necessary for service operation (Article 82 exemption of the French Data Protection Act, ePrivacy Art. 5.3).
11. Notification in case of data breach
In the event of a personal data breach likely to result in a risk to your rights and freedoms, we commit to notify the CNIL within 72 hours of discovery, in accordance with GDPR Article 33. If the breach is likely to result in a high risk, you will be informed directly in the app and by email.
12. Supervisory authority
If you believe your rights are not respected, you can lodge a complaint with the Commission Nationale de l'Informatique et des Libertés (CNIL): cnil.fr/en/plaintes, 3 place de Fontenoy, 75007 Paris, France. EU residents outside France may also contact their national data protection authority.
13. Changes
We may update this policy. Any substantial change (new subprocessor, new purpose, new data category) will be notified in the app at least 30 days before it takes effect. Editorial changes (typo fixes, rephrasing with no substantive impact) are published without notice and tracked in the "Version" line at the top of the document.
14. Contact
For any question about this policy or your data: contact@dbek.fr.
Privacy Policy v1.1 — DBEK, Paris Trade Register 932 689 037. Compliant with GDPR (EU 2016/679) and the French Data Protection Act.