PRIVACY POLICY

Toucan Toco - AI-Native Embedded Analytics

Effective Date: May 2026

 

1. INTRODUCTION

This Privacy Policy explains how Toucan Toco SAS ("we", "us", "Toucan Toco"), located at 59 rue de Ponthieu, Bureau 562, 75008 Paris, France, collects, uses, and protects personal data.

 

Important distinction:

 

  • Your Data (databases, analytics) = You are responsible (see Terms of Service Section 5)
  • Personal Data about you (email, usage logs, etc.) = We are responsible and explain here

 

This Policy applies to:

 

  • Website visitors
  • Service users (both free trial and paid)
  • Authorized Users on your Account

 

2. PERSONAL DATA WE COLLECT

2.1 Data You Provide Directly

 

When you create an Account or use the Service:

 

  • Name & email address
  • Company name & industry
  • Phone number (optional)
  • Billing address & payment information
  • Communications (emails, chat logs, support tickets)
  • Profile information & preferences

2.2 Data Collected Automatically

 

When you access the Service:

 

  • Account activity logs: Login times, features used, queries run, data sources accessed
  • Usage analytics: Dashboards viewed, filters applied, exports created, time spent
  • Technical data: IP address, browser type, operating system, device info
  • Cookies & tracking: Session IDs, performance metrics (see Section 3)
  • Error reports: Crash logs, bug reports (if you opt-in)

2.3 Data from Authorized Users

 

When Authorized Users access the Service on your behalf:

 

  • Same data as Section 2.2 (usage logs, IP, browser info, etc.)
  • We may log their actions for audit and security purposes

 

2.4 Data from Third Parties

 

  • Your organization: If you're an Authorized User, your employer may provide employment status
  • Payment processors: Stripe, payment history, subscription status
  • Vendors: Integrations you authorize (e.g., Slack, Zapier)
  • Public sources: We may validate company info for enterprise accounts

 

3. COOKIES & TRACKING

3.1 What Cookies Do We Use?

 

| Cookie Type | Purpose | Duration |
|---|---|---|
| Session cookies | Keep you logged in | Until browser closes |
| Performance cookies | Measure Service speed/stability | 12 months |
| Analytics cookies | Understand how you use features | 12 months |
| Security cookies | Prevent fraud & unauthorized access | Until logout |

 

3.2 Your Cookie Choices

 

  • Essential cookies (security, session): Cannot be disabled
  • Optional cookies (analytics, performance): You can disable them in Account settings or browser settings

 

How to disable cookies:

 

  • Chrome: Settings → Privacy → Cookie settings
  • Firefox: Preferences → Privacy → Cookies
  • Safari: Preferences → Privacy → Cookies
  • Edge: Settings → Privacy → Cookies

3.3 Third-Party Analytics

 

We use Amplitude and Posthog to understand how users interact with the Service (anonymized, aggregated). You can opt-out in your Account settings.

 

4. HOW WE USE YOUR PERSONAL DATA

4.1 To Provide the Service

 

  • Creating and managing your Account
  • Processing payments and billing
  • Delivering features and support
  • Sending service notifications (updates, maintenance, security alerts)
  • Debugging and improving Service performance

 

4.2 Communication

 

  • Sending newsletters (if you opt-in)
  • Responding to support requests
  • Announcing new features or plan changes
  • Security notices (mandatory, no opt-out)

 

4.3 Compliance & Legal

 

  • Complying with laws and regulations (GDPR, tax laws, etc.)
  • Responding to government requests with proper legal authority
  • Enforcing our Terms of Service
  • Preventing fraud and abuse

 

4.4 Legitimate Business Interests

 

  • Understanding user behavior to improve the Service
  • Optimizing UX and feature prioritization
  • Detecting and preventing security threats
  • Conducting aggregated analytics (no individual identification)

 

4.5 What We Do NOT Do

 

We do NOT:

 

  • Sell your Personal Data to third parties
  • Use your Personal Data to train AI models on your behalf
  • Share your Account data with competitors or vendors (except essential service providers)
  • Combine your Service usage data with Your Data (analytics data remains separate)
  • Use behavioral data for discriminatory profiling

 

5. DATA SHARING & TRANSFERS

5.1 Who We Share Data With

 

| Party | Why | Data Shared |
|---|---|---|
| Payment processors (Stripe) | Process payments | Name, email, billing address |
| Hosting provider (Scaleway/OVH, France) | Infrastructure & uptime | Technical logs (encrypted) |
| Customer support (Zendesk) | Support ticketing | Support messages, email |
| Analytics vendors (Amplitude, Posthog) | Aggregate insights | Anonymized usage metrics |
| Legal & tax advisors | Compliance | Company info only if required |

 

We only share the minimum data necessary and require all vendors to maintain confidentiality.

 

5.2 Data Transfers Outside EU

 

Your data is hosted entirely in the EU (France). We do NOT transfer Personal Data outside the EU/EEA except:

 

  • To US vendors using Standard Contractual Clauses (SCCs) approved by the EU
  • With your explicit consent
  • Where legally required (e.g., court order with proper safeguards)

 

For any US vendor engagement, we execute an SCC addendum.

 

5.3 Subprocessors

 

For Personal Data included in Your Data (see Terms Section 5.3), subprocessors are listed in the Data Processing Agreement (Appendix A).

 

6. YOUR RIGHTS & CONTROLS

 

Under GDPR and French data protection law, you have the right to:

 

6.1 Right of Access

 

Get a copy of your Personal Data we hold. Request at: charles.miglietti@toucantoco.com

 

6.2 Right to Rectification

 

Correct or update inaccurate data. You can update your Account profile anytime.

 

6.3 Right to Erasure ("Right to be Forgotten")

 

Request deletion of your Personal Data (exceptions apply for legal obligations, fraud prevention, etc.). We'll delete within 30 days.

 

6.4 Right to Restrict Processing

 

Ask us to limit how we use your data (e.g., no marketing emails while evaluating). We'll comply within 14 days.

 

6.5 Right to Data Portability

 

Receive your Personal Data in a structured, portable format (JSON/CSV). Useful if switching services.

 

6.6 Right to Object

 

Opt-out of:

 

  • Marketing communications (anytime, one-click unsubscribe)
  • Analytics & performance cookies
  • Legitimate interest processing

 

6.7 Right to Lodge a Complaint

 

If you believe we've violated your privacy rights, you can lodge a complaint with your national data protection authority:

 

  • France: CNIL (Commission Nationale de l'Informatique et des Libertés)
  • Other EU countries: Contact your local DPA

 

7. DATA RETENTION

7.1 How Long We Keep Your Data

 

| Data Type | Retention Period | Reason |
|---|---|---|
| Account & profile | Until account deletion | Service operation |
| Usage logs & activity | 12 months | Analytics & security |
| Payment & billing | 7 years | Legal (tax, audit compliance) |
| Support tickets | 3 years | Legal/dispute resolution |
| Marketing emails | Until unsubscribe | Engagement (can opt-out anytime) |
| Your Data (in-memory) | During session | Service processing only |
| Your Data (if storage enabled) | Until you delete or contract ends | Your retention choice |

 

7.2 After Account Termination

 

  • Active Personal Data: Deleted within 30 days
  • Backups: Retained for 90 days (for recovery), then destroyed
  • Aggregated analytics: Retained indefinitely (cannot identify you)
  • Legal holds: If required by law, retained until obligation expires

 

8. SECURITY & DATA PROTECTION

8.1 How We Protect Your Data

 

  • Encryption: All data in transit uses TLS 1.2+ (HTTPS). At-rest encryption for sensitive data.
  • Access controls: Role-based access; employees access data only for necessary business purposes
  • Authentication: Strong password requirements, optional 2FA
  • Network security: Firewall, DDoS protection, intrusion detection
  • Physical security: Data centers in France with controlled access
  • Audit logs: All access to Personal Data is logged and monitored
  • Regular testing: Annual security audits and penetration testing
  • Incident response: Breach notification within 72 hours (per GDPR)

 

8.2 Your Responsibility

 

You must:

 

  • Keep your password confidential
  • Enable 2FA (recommended)
  • Not share Authorized User credentials
  • Monitor your Account for suspicious activity
  • Notify us immediately of security concerns

 

8.3 Data Breach Response

 

If we discover a breach affecting your Personal Data:

 

  • We notify you within 72 hours (by email)
  • We notify relevant authorities (CNIL, etc.)
  • We take immediate remedial action
  • We document the incident per GDPR requirements

 

9. CHILDREN & RESTRICTED AUDIENCES

 

The Service is intended for adults only (18+). We do NOT knowingly collect data from children under 13 (or 16 in some EU countries).

 

If we become aware of data from a child, we delete it immediately.

 

Parents/guardians who suspect data collection of a minor should contact: charles.miglietti@toucantoco.com

 

 

10. THIRD-PARTY LINKS & INTEGRATIONS

 

The Service may link to or integrate with third-party services (Slack, Zapier, data warehouses, etc.).

 

We are NOT responsible for their privacy practices. Before authorizing an integration, review their privacy policies.

 

When you authorize an integration:

 

  • You grant explicit consent for data sharing
  • That third party's terms apply to their use of your data
  • You can revoke access anytime in Account settings

 

 

11. INTERNATIONAL DATA TRANSFERS

11.1 EU/EEA Data

 

Personal Data from EU/EEA users is processed and stored in the EU (France). No transfers outside EU unless with SCCs.

 

11.2 Non-EU Users

 

Users outside EU/EEA: Your data may be transferred to the EU. By using the Service, you consent to this transfer.

 

 

12. LEGAL BASIS FOR PROCESSING

We process your Personal Data based on:

 

| Processing Purpose | Legal Basis |
|---|---|
| Providing the Service | Contract (Terms of Service) |
| Payment processing | Contract + Legal obligation |
| Security & fraud prevention | Legitimate interest |
| Compliance (tax, audit) | Legal obligation |
| Marketing (if consented) | Your consent |
| Service improvement | Legitimate interest |

 

We rely on "legitimate interest" only when it outweighs your privacy rights. You can object to legitimate interest processing.

 

 

13. AUTOMATED DECISION-MAKING & PROFILING

 

We do NOT use automated decision-making to:

 

  • Deny you service
  • Determine your pricing
  • Make significant decisions affecting you without human review

 

Our AI analytics recommendations are advisory only; you are never bound by them.

 

 

14. CALIFORNIA PRIVACY RIGHTS (CCPA)

If you are a California resident, you have the right to:

 

  • Know: What personal data we collect and how it's used
  • Delete: Request deletion (exceptions apply)
  • Opt-out: Opt-out of data sales (though we do NOT sell data)
  • Non-discrimination: No discriminatory treatment for exercising rights

 

Request at: charles.miglietti@toucantoco.com

 

We will verify your identity and respond within 45 days.

 

 

15. CONTACT US & DATA SUBJECT RIGHTS

 

Data Protection Officer / Privacy Contact: Charles Miglietti

Email: charles.miglietti@toucantoco.com

 

Mailing Address:
Toucan Toco SAS
59 rue de Ponthieu, Bureau 562
75008 Paris
France

 

Response Time: We aim to respond to all data subject requests within 14 days.

 

 

16. CHANGES TO THIS POLICY

 

We may update this Privacy Policy to reflect:

 

  • Changes in legal requirements
  • Service improvements
  • Security enhancements

 

Material changes (affecting your rights or data usage) will be announced with 30 days' notice via email. Continued use means acceptance.

 

Non-material changes (clarifications, formatting) are effective immediately.

 

 

17. YOUR DATA WHEN YOUR DATA INCLUDES PERSONAL DATA

 

Important: If your Service usage includes Personal Data (customer data, employee records, etc.), the Data Processing Agreement (DPA) also applies.

 

The DPA clarifies:

 

  • You are the "data controller"
  • We are the "data processor"
  • How we handle Personal Data in Your Data
  • Your compliance obligations

 

See Appendix A (DPA) for details.

 

 

Last Updated: May 2026

Version: 2.0

 

 

APPENDIX A: DATA PROCESSING AGREEMENT (DPA)

[See separate DPA document]