Privacy & Cookies Policy
Privacy & Cookies Policy
Last update: May 16, 2025
Last updated: 16 May 2025
Preamble
The Chatbot Factory, a French simplified joint-stock company (SAS) registered with the Paris Trade and Companies Register under No. 789 487 121, having its registered office at 16 Villa des Nymphéas, 75020 Paris, France (hereinafter “Scuuba,” “we,” or “us”) operates the SaaS platform Scuuba (the “Platform”) available at app.scuuba.ai.
The Platform converts customer verbatims (chat messages, tickets, call transcripts, reviews, etc.) into actionable insights using proprietary and third-party artificial-intelligence models.
We are committed to protecting your personal data in compliance with the EU General Data Protection Regulation 2016/679 (“GDPR”) and the amended French Data-Protection Act (Loi Informatique & Libertés).
1. Definitions
The terms personal data, processing, controller, processor, cookie, and data subject have the meanings set out in Article 4 GDPR.
2. Scope
This Policy covers all processing activities relating to:
browsing our public website;
using the Platform (app.scuuba.ai);
B2B marketing communications;
customer-success and support;
recruitment.
3. Categories of Data Collected
CategoryExamplesSourceIdentity & contactfirst name, last name, work email, phoneforms, onboardingAccountuser ID, role, login logs, preferencesPlatformClient contentverbatims (messages, tickets, surveys, attachments) that may contain third-party dataclient import or APIUsagejourneys, clicks, session duration, generated reportsautomatic collectionTechnicalIP address, browser type, OS, errorsautomatic collectionMarketingopt-in preferences, email opensCRM
We do not intentionally request special-category data. Any sensitive content contained in verbatims is the client’s responsibility (see our Data Processing Agreement).
4. Purposes & Legal Bases
PurposeLegal basis (Art. 6 GDPR)Provision and management of accountsContract (b)Generation of insights & recommendations (AI)Legitimate interest (f) – functional necessity⁺AI model improvement (re-training with anonymised data)Legitimate interest (f)Support & billingContract (b)B2B prospecting (newsletters, demos)Consent (a) or Legitimate interest with soft opt-in (f)Compliance, security, anti-fraudLegal obligation (c) and Legitimate interest (f)
⁺ Aligned with AI best practices: documented purpose, impact assessment, and human oversight.
5. Automated Processing & AI
No profiling with legal or similarly significant effects is performed without human intervention.
Reports are decision-support tools; final responsibility remains with the user.
Scuuba conducts an annual DPIA and maintains a processing register available to the Supervisory Authority.
From 2 February 2025 onwards, Scuuba will comply with the applicable obligations of the EU AI Act (transparency of GPAI systems, bias management).
6. Recipients & Sub-Processors
Personal data may be shared with:
Hosting: Microsoft Azure EU / France
Metrics: Google Analytics 4 EU
Support: Genii, tolk.ai EU
Billing: Stripe United States
Security: Cloudflare EU / United States
NLP enrichment Possible AI-API vendors (e.g., Microsoft France, n8n (self-hosted) EU
7. Cookies & Trackers
7.1 Consent Banner
Scuuba uses a GDPR- and ePrivacy-compliant CMP (e.g., Hubspot) to capture granular consent.
7.2 Cookie Categories
CategoryPurposeExampleMax durationStrictly necessarysession, load balancingsc_sessionsessionAnalyticsinternal statistics_pk_id13 monthsPersonalisationsave language, UIlocale6 monthsMarketingLinkedIn Ads campaigns_gcl_au3 months
The exact list is generated automatically by the CMP and updated dynamically.
You can change your preferences at any time via the “Manage Cookies” link in the footer.
8. Retention Periods
Account & contracts subscription term + 3 years (statute of limitations)
Imported verbatims 24h (default)
Logs & security12 monthsAccounting records10 years (legal obligation)
Upon expiry, data are either deleted or irreversibly anonymised.
9. Security
Measures include AES-256 encryption at rest, TLS 1.3 in transit, MFA, strict RBAC, annual penetration tests, encrypted backups, and a business-continuity plan.
10. Your Rights
You may exercise the rights of access, rectification, erasure, restriction, objection, portability, withdrawal of consent, and post-mortem instructions.
Complaints may be lodged with the CNIL (cnil.fr).
DPO contact: dpo@tolk.ai
11. DPIA & Register
Scuuba maintains a processing register and performs a DPIA for any new high-risk processing activity (large-scale NLP, dataset merging, etc.).
12. Updates
This Policy may evolve (new services, legal changes, upcoming Data Act effective 12 September 2025). The latest version will always be available on our website.
13. Contact
Scuuba – Data Protection Officer
Email: dpo@tolk.ai
Address: 16 Villa des Nymphéas, 75020 Paris, France
Preamble
The Chatbot Factory, a French simplified joint-stock company (SAS) registered with the Paris Trade and Companies Register under No. 789 487 121, having its registered office at 16 Villa des Nymphéas, 75020 Paris, France (hereinafter “Scuuba,” “we,” or “us”) operates the SaaS platform Scuuba (the “Platform”) available at app.scuuba.ai.
The Platform converts customer verbatims (chat messages, tickets, call transcripts, reviews, etc.) into actionable insights using proprietary and third-party artificial-intelligence models.
We are committed to protecting your personal data in compliance with the EU General Data Protection Regulation 2016/679 (“GDPR”) and the amended French Data-Protection Act (Loi Informatique & Libertés).
1. Definitions
The terms personal data, processing, controller, processor, cookie, and data subject have the meanings set out in Article 4 GDPR
.
2. Scope
This Policy covers all processing activities relating to:
browsing our public website;
using the Platform (app.scuuba.ai);
B2B marketing communications;
customer-success and support;
recruitment.
3. Categories of Data Collected
CategoryExamplesSourceIdentity & contactfirst name, last name, work email, phoneforms, onboardingAccountuser ID, role, login logs, preferencesPlatformClient contentverbatims (messages, tickets, surveys, attachments) that may contain third-party dataclient import or APIUsagejourneys, clicks, session duration, generated reportsautomatic collectionTechnicalIP address, browser type, OS, errorsautomatic collectionMarketingopt-in preferences, email opensCRM
We do not intentionally request special-category data. Any sensitive content contained in verbatims is the client’s responsibility (see our Data Processing Agreement).
4. Purposes & Legal Bases
PurposeLegal basis (Art. 6 GDPR)Provision and management of accountsContract (b)Generation of insights & recommendations (AI)Legitimate interest (f) – functional necessity⁺AI model improvement (re-training with anonymised data)Legitimate interest (f)Support & billingContract (b)B2B prospecting (newsletters, demos)Consent (a) or Legitimate interest with soft opt-in (f)Compliance, security, anti-fraudLegal obligation (c) and Legitimate interest (f)
⁺ Aligned with AI best practices: documented purpose, impact assessment, and human oversight.
5. Automated Processing & AI
No profiling with legal or similarly significant effects is performed without human intervention.
Reports are decision-support tools; final responsibility remains with the user.
Scuuba conducts an annual DPIA and maintains a processing register available to the Supervisory Authority.
From 2 February 2025 onwards, Scuuba will comply with the applicable obligations of the EU AI Act (transparency of GPAI systems, bias management).
6. Recipients & Sub-Processors
Personal data may be shared with:
Role Provider Location Hosting Microsoft Azure EU / France
Metrics Google Analytics 4 EU
Support Genii, tolk.ai EU
Billing Stripe United States
Security Cloudflare EU / United States
NLP enrichment Possible AI-API vendors (e.g., Microsoft France, Rasa self-hosted) EU / United States*
* All transfers outside the EEA are governed by the 2021 Standard Contractual Clauses.
7. Cookies & Trackers
7.1 Consent Banner
Scuuba uses a GDPR- and ePrivacy-compliant CMP (e.g., Axeptio or Usercentrics) to capture granular consent.
7.2 Cookie Categories
CategoryPurposeExampleMax durationStrictly necessarysession, load balancingsc_sessionsessionAnalyticsinternal statistics_pk_id13 monthsPersonalisationsave language, UIlocale6 monthsMarketingLinkedIn Ads campaigns_gcl_au3 months
The exact list is generated automatically by the CMP and updated dynamically.
You can change your preferences at any time via the “Manage Cookies” link in the footer.
8. Retention Periods
Data type Retention Account & contracts subscription term + 3 years (statute of limitations)
Imported verbatims configurable (30 days default)
Logs & security12 months
Accounting records 10 years (legal obligation)
Upon expiry, data are either deleted or irreversibly anonymised.
9. Security
Measures include AES-256 encryption at rest, TLS 1.3 in transit, MFA, strict RBAC, annual penetration tests, encrypted backups, and a business-continuity plan.
10. Your Rights
You may exercise the rights of access, rectification, erasure, restriction, objection, portability, withdrawal of consent, and post-mortem instructions.
Complaints may be lodged with the CNIL (cnil.fr).
DPO contact: dpo@tolk.ai
11. DPIA & Register
Scuuba maintains a processing register and performs a DPIA for any new high-risk processing activity (large-scale NLP, dataset merging, etc.).
12. Updates
This Policy may evolve (new services, legal changes, upcoming Data Act effective 12 September 2025). The latest version will always be available on our website.
13. Contact
Scuuba – Data Protection Officer
Email: dpo@tolk.ai
Address: 16 Villa des Nymphéas, 75020 Paris, France
Solutions built for action, powered by real customer conversations.
Solutions built for action, powered by real customer conversations.
Solutions built for action, powered by real customer conversations.
Solutions built for action, powered by real customer conversations.