In short
We don’t sell your data. Ever. Not to advertisers, and not to AI services. Your emails are protected when stored. We only process them to provide the service, and we do not train AI models on them.
We host your main data in France. Your attachments are stored in the European Union. It’s your content, it stays with you, under your control.
You are free to leave whenever you want. You can export your data and delete your account in a few clicks from your interface. Once the account is deleted, your data disappears immediately from our active servers and is permanently purged from our backups within 30 days maximum.
For any questions regarding your data, you can contact us via the form at /contact/ or write to us by post at ALK Innovations, 31 avenue des Korrigans, 44300 Nantes, France.
The detailed version is available below.
Detailed version
Table of contents
- Who is responsible for data
- Data we process
- Purposes and legal bases
- Retention periods
- Service providers and recipients
- Transfers outside the European Union
- Your rights
- Data security
- Cookies and trackers
- Data relating to minors
- Future developments (Artificial Intelligence)
- Changes to this policy
- Contact and complaints
1. Who is responsible for data
The company responsible for data is ALK Innovations, a SASU with a capital of €1,000, registered with the Nantes RCS under number 983 856 642, whose registered office is located at 31 avenue des Korrigans, 44300 Nantes, France (hereinafter “ALK Innovations” or “we”).
ALK Innovations publishes the Trupeo service (hereinafter “the Service”), a shared inbox intended for professionals.
The legal representative and publication director is Quentin Georget, President of ALK Innovations. He is also the point of contact for any questions relating to the protection of personal data.
2. Data we process
We collect and process the following categories of data:
- User account data: first name, last name, professional email address.
- Connected mailbox data: email address of the synced mailbox and protected technical information needed to connect that mailbox to Trupeo.
- Message content: subject, message body, senders, recipients, attachments, labels, and folders. This data is protected when stored.
- Billing data: name, billing address, VAT number, transaction history. Credit card data is processed directly by our provider Stripe; ALK Innovations does not store any payment data.
- Technical logs: IP address (for security and incident detection), connection timestamps.
3. Purposes and legal bases
| Purpose | Legal basis |
|---|---|
| Provision and management of the Trupeo Service | Performance of the contract |
| Management of billing and accounting | Legal obligation |
| Service security and fraud detection | Legitimate interest |
| Customer support and response to requests | Performance of the contract |
| Site audience measurement (Google Analytics 4, Microsoft Clarity) | Consent (Article 6-1-a GDPR + Article 82 French Data Protection Act) |
| Commercial prospection and marketing tools (no tool currently active) | Consent (Article 6-1-a GDPR + Article 82 French Data Protection Act) |
4. Retention periods
- Active account: data is kept for the entire duration of the contractual relationship.
- After account deletion: deletion is immediate on production servers. Full purge of backups occurs within 30 days maximum.
- Billing data: kept for 10 years under accounting obligations (French Commercial Code).
- Security logs: kept for the minimum duration required by law or necessary for incident management.
5. Service providers and recipients
| Service provider | Role | Country | Guarantees |
|---|---|---|---|
| Microsoft Azure (Microsoft France SAS) | Main service hosting | France | Local hosting |
| Cloudflare R2 | Secure attachment storage | European Union | Local storage (EU) |
| Cloudflare, Inc. | Anti-spam protection on public forms (Turnstile) | USA | Strictly necessary, no tracking cookie |
| Gandi | DNS and domain name | France | French provider |
| Google LLC | Secure Gmail connection | USA | GDPR-compliant transfer safeguards |
| Microsoft Corporation | Secure Outlook/365 connection | USA | GDPR-compliant transfer safeguards |
| Google LLC | Google Tag Manager and Google Analytics 4 (audience measurement) | USA | Consent required and GDPR safeguards |
| Microsoft Corporation | Microsoft Clarity (audience measurement and usability improvement) | USA | Consent required and GDPR safeguards |
| Stripe, Inc. | Payment processing | Ireland / USA | GDPR-compliant transfer safeguards |
| Resend, Inc. | Transactional emails | USA | GDPR-compliant transfer safeguards |
| GitHub, Inc. | Source code hosting and technical automation | USA | GDPR-compliant transfer safeguards |
6. Transfers outside the European Union
Transfers of personal data to our service providers based in the United States are carried out in accordance with the GDPR. We rely on safeguards recognized by European regulation and, where necessary, on contractual clauses adopted by the European Commission.
7. Your rights
In accordance with the GDPR, you have the following rights: access, rectification, erasure, portability, restriction of processing, objection, withdrawal of consent, and definition of directives after death.
You can exercise these rights via the contact form at /contact/ (by selecting “GDPR Request”). We will respond to your request within a maximum of 30 days. You also have the right to lodge a complaint with the CNIL (https://www.cnil.fr).
8. Data security
We implement rigorous technical and organizational measures:
- Connections to Trupeo are protected.
- Protection for message bodies and attachments when stored.
- Separation and protection of each customer account space.
- Main hosting in France.
- Daily protected backups.
- Notification of data breaches within 72 hours to the CNIL and affected users in case of high risk.
9. Cookies and trackers
In line with CNIL recommendations, no non-essential cookie is dropped until you explicitly give your consent via the banner shown on your first visit.
Strictly necessary cookies (no consent required)
We use your browser’s own storage to remember your language preference and the choice you make in the consent banner. This information stays on your device and is never transmitted to third-party servers.
On pages that contain a public form (contact form, access request), we use Cloudflare Turnstile (Cloudflare, Inc.) to limit automated abuse, such as spam. This service checks that the form is being used normally, without setting an advertising tracking cookie or building a user profile. It may set a short-lived technical cookie only to prevent repeated abuse.
Audience measurement cookies (consent required)
If you accept the “Audience measurement” category, we use:
- Google Analytics 4 (Google LLC) to measure anonymized site traffic: pages viewed, traffic source, and device type. Data is deleted automatically after a maximum of 14 months.
- Microsoft Clarity (Microsoft Corporation) to understand how visitors use the site and improve its usability. Sensitive fields, such as emails, passwords, and card numbers, are automatically masked.
These tools are used only with your consent, through the consent banner.
Until you give your consent:
- No audience-measurement cookie is set on your device.
- Microsoft Clarity is not loaded.
- Google Analytics may receive very limited cookie-free information to produce global statistics. This information does not contain a persistent personal identifier. If you require a strict block on any request to Google before consent, contact us.
When you accept the “Audience measurement” category, GA4 and Clarity switch to full mode: cookies dropped, detailed events transmitted, as described above.
Marketing cookies (consent required)
Today, Trupeo drops no marketing or advertising cookie. This category is provided for future tools; it is denied by default and never activates without your explicit action.
Managing and withdrawing your consent
You can modify or withdraw your consent at any time via the “Cookie preferences” link in the footer. Your choice is remembered for up to 13 months; beyond that, the banner will be shown again, in line with CNIL guidance.
10. Data relating to minors
Trupeo is a service for organizations. When Clients use the Service, including educational institutions, ALK Innovations processes data on behalf of the Client in accordance with Article 28 of the GDPR.
The Client warrants that it has the appropriate legal basis, including where applicable parental consent or a public-interest mission, for the personal data it imports or processes via the Service, including data concerning minors under fifteen (15) years of age. The Client undertakes to obtain and maintain, before any use of the Service, the authorization or consent required from the holders of parental authority for minors under 15, in accordance with Article 8 of the GDPR and current French legislation. Trupeo declines all responsibility for the validity of the legal basis chosen by the Client.
11. Future developments (Artificial Intelligence)
We plan to introduce artificial intelligence features, for example automatic email attribution. These features will always be optional and will be explained before use. We undertake not to train AI models on your data and not to share your content with AI providers without your explicit agreement.
12. Changes to this policy
We may update this policy. In the event of a substantial change, we will inform you 30 days in advance. Continued use of the Service after the changes take effect constitutes acceptance.
13. Contact and complaints
For any questions, use the form at /contact/ or write to us at: ALK Innovations, 31 avenue des Korrigans, 44300 Nantes, France.
This English version is provided for convenience. In case of any inconsistency, the French version prevails.