Privacy Policy
This policy describes how Titlo.io ("we") collects, uses, retains and protects the personal data of users ("you") in accordance with the General Data Protection Regulation (GDPR, EU 2016/679) and applicable national privacy laws.
1. Data controller
The data controller is ANANAS SAS (RCS Évry 892 208 026), whose details are on the Legal notice page. Contact: support@titlo.io.
2. Data collected
- Account: e-mail address, password (bcrypt-hashed), creation date, subscription plan, payment status, last login.
- Compositions: title, layer content (text, shapes, animations), uploaded fonts — created by you within the Service.
- Exports: rendered MOV/PNG files, stored on Cloudflare R2 (EU) with automatic purge after 30 days.
- Technical logs: IP address, browser user-agent, timestamps, approximate city (GeoIP lookup, no street-level precision), used for security and abuse prevention.
- Teams: if you are invited to a team, your e-mail address is visible to the team owner and members.
3. Purposes & legal bases
- Operating the Service (editing, exporting, storage) — performance of the contract (Art. 6.1.b GDPR).
- Billing and VAT compliance — performance of the contract and legal obligation (Art. 6.1.b and 6.1.c).
- Security and abuse prevention (rate-limits, intrusion detection) — legitimate interest (Art. 6.1.f).
- Transactional communications (e-mail verification, password reset, receipts, quota alerts) — performance of the contract.
- Marketing communications (product announcements, newsletter) — only with your explicit consent collected at sign-up or later.
4. Retention periods
- Active account: kept as long as you use it.
- Inactive account: automatically deleted after 24 months without login, following e-mail notification.
- Invoices: 10 years (accounting obligation).
- Security logs: 12 months maximum.
- Exported files: 30 days on R2, then automatic purge.
5. Sub-processors & transfers
We use the following sub-processors, all bound by GDPR-compliant Data Processing Agreements:
- Supabase Inc. (Singapore, EU infrastructure) — authentication and database.
- Cloudflare, Inc. (USA, data stored in EU via R2 EU jurisdiction) — exported file storage. EU Standard Contractual Clauses in place.
- Hostinger International Ltd. (Cyprus, servers in Paris) — web hosting and transactional e-mail (account confirmation and support messages sent from support@titlo.io via Hostinger SMTP).
Card payments are not yet enabled; when self-serve billing goes live, a payment processor (such as Stripe) will be added to this list and this policy updated accordingly.
No transfer outside the EU occurs without appropriate safeguards (Standard Contractual Clauses adopted by the European Commission).
6. Your rights
Under the GDPR, you have the following rights:
- Access: obtain a copy of your data.
- Rectification: correct inaccurate data (editable directly from your account area).
- Erasure: delete your account and all your data, except accounting obligations (invoices kept 10 years).
- Restriction and objection to processing.
- Portability: export your compositions in JSON format.
- Consent withdrawal for marketing communications at any time.
To exercise these rights, write to support@titlo.io. We respond within 30 days. In case of dispute, you may file a complaint with the CNIL (French data protection authority) or your local supervisory authority.
7. Security
Passwords are stored hashed (bcrypt via Supabase Auth). Communications travel over HTTPS (TLS 1.3) with Let's Encrypt certificates. Database access is restricted to the backend by Postgres Row Level Security. Backups are encrypted.
8. Cookies
For details about cookies and trackers, see our Cookies Policy.
9. Changes
This policy may evolve. Substantial changes will be notified by e-mail at least 30 days before they take effect.