Legal

Privacy Notice

Your data is the whole point of the loom — so protecting it is the whole point of this notice. Here's exactly what we collect, why, and the rights you have under the GDPR.

Last woven: 1 June 2026 · Effective: 1 June 2026

1 · Who we are

Tapestrly ("we", "us") provides an AI data-analytics service. For personal data about your account and our website, Tapestrly is the data controller. For the data you connect as threads and process through the Service, you are the controller and Tapestrly acts as your processor, under our Data Processing Addendum. Our studio is at 23 Avenue des Tuileries, 91350 Grigny, Île-de-France, France.

2 · What we collect

  • Account data — name, work email, organisation, role, and authentication details when you sign up or are invited.
  • Usage data — how you interact with the Service (features used, weaves run, device and log data) to keep it secure and improve it.
  • Thread content — the data from sources you connect, processed on your instructions to produce your tapestries. We treat this as confidential and do not browse it.
  • Communications — messages you send us, and form submissions such as a demo request.
  • Cookies & similar — see section 10.

3 · How we use it

  • To provide, secure and maintain the Service and weave your tapestries;
  • to authenticate users, prevent abuse and protect against fraud and security threats;
  • to support you, respond to enquiries, and send essential service messages;
  • to improve the Service in aggregate — never by selling your data, and never by training shared models on your private content;
  • to comply with legal obligations.

4 · Legal bases (GDPR)

We rely on: performance of a contract (to deliver the Service you signed up for); legitimate interests (to secure and improve the Service, balanced against your rights); consent (for non-essential cookies and marketing, which you can withdraw at any time); and legal obligation (where the law requires it).

5 · Sharing & subprocessors

We don't sell personal data. We share it only with vetted subprocessors who help us run the Service — cloud hosting, infrastructure, email and analytics — under contracts that require GDPR-grade protection. A current list of subprocessors is available on request, and paid customers can subscribe to change notifications. We may disclose data where legally required, and we'll challenge requests that overreach.

6 · International transfers

Thread content is hosted in the European Union by default. Where any processing involves a transfer outside the EEA, we rely on appropriate safeguards such as the European Commission's Standard Contractual Clauses, plus additional technical measures like encryption.

7 · Security

Security is the selvage that keeps the fabric from fraying — we build it in, not on. Our measures include:

  • encryption in transit (TLS) and at rest;
  • row- and column-level access controls, SSO and SCIM provisioning, and least-privilege internal access;
  • full lineage and an immutable audit of every weave;
  • SOC 2 Type II practices, regular penetration testing, and a responsible-disclosure programme;
  • EU data residency and optional VPC or on-prem deployment for Atelier customers.

Found something? Email security@tapestrly.com.

8 · Retention

We keep personal data only as long as needed for the purposes above or as the law requires. Account data is kept while your account is active; after closure, you can export tapestries for 30 days, then we delete or anonymise content in line with our schedule. History retention by plan is described on the pricing page.

9 · Your rights

Under the GDPR you can: access your data; correct it; erase it; restrict or object to processing; and receive it in a portable format. To exercise these, email privacy@tapestrly.com — we respond within one month. You also have the right to lodge a complaint with your local supervisory authority; in France this is the CNIL (cnil.fr). Where you're a Tapestrly customer, requests about your own end-users' data are routed to you as controller.

10 · Cookies

We use a small number of cookies: essential ones that make the Service work (sign-in, security, preferences) and, with your consent, analytics ones that help us understand and improve usage. You can manage non-essential cookies through our banner or your browser settings at any time. We don't use cross-site advertising cookies.

11 · Children

The Service isn't directed to children. We don't knowingly collect personal data from anyone under 16 (or the age of digital consent where you live). If you believe a child has provided us data, contact us and we'll delete it.

12 · Changes

We may update this notice as the Service and the law evolve. For material changes we'll give reasonable notice in-product or by email. The "last woven" date above always reflects the current version.

13 · Contact

For any privacy question or to reach our data-protection contact:

Tapestrly Studio — Privacy
23 Avenue des Tuileries, 91350 Grigny
Île-de-France, France
privacy@tapestrly.com · +33 1 59 94 06 60