Privacy Policy
Version 2.4
En vigueur depuis le May 15, 2026
Dernière modification le June 17, 2026
Introduction
This Privacy Policy concerns the processing of personal data carried out by Utelys in its capacity as data controller, namely:
- Visitors to the
trigger-flow.comwebsite, - Users of the
app.trigger-flow.comapplication (internal users of hotel clients, demonstration leads), - Utelys prospects and clients.
For personal data processed by Utelys in its capacity as processor on behalf of its hotel clients (guest, prospect and traveler data), the terms are defined in the Data Processing Agreement (DPA) concluded with each client, available on request at privacy@trigger-flow.com.
1. Identification of the data controller
- Corporate name: Utelys (SAS with share capital of €24,000)
- Trade and Companies Register (RCS): Toulouse 842 608 671
- Registered office: 13 rue Saint-Ursule, 31000 Toulouse, France
- Legal representative: Mr. Mounir LAKHFIF, President
- Privacy contact: privacy@trigger-flow.com
- Data protection officer: dpo@trigger-flow.com
2. Personal data collected
2.1 Data collected on the website and at subscription
- Identification: last name, first name, job title
- Professional contact details: email address, phone number, company name
- Billing information (bank details are never stored on our servers; they are processed directly by Stripe and GoCardless)
2.2 Usage and browsing data
- Technical session identifiers, IP address, browser type, pages viewed, visit duration
- Anonymized audience measurement via Google Analytics
3. Purposes of the processing
Data is processed in order to:
- Manage the business relationship (account creation, demonstration, billing, support)
- Enable use of the Trigger Flow Solution
- Ensure security and fraud prevention
- Analyze website audience to improve its content and features
- Send, subject to consent, commercial communications (newsletter)
- Comply with legal and regulatory obligations (accounting, anti-money laundering, requests from authorities)
4. Legal basis for processing
| Purpose | Legal basis (GDPR art. 6) |
|---|---|
| Account and subscription management | Performance of the contract |
| Billing | Legal obligation |
| Audience measurement | Legitimate interest |
| Newsletter and commercial communications | Consent |
| Security and fraud prevention | Legitimate interest |
5. Data recipients
5.1 Technical processors
Utelys uses the following processors for the purposes of the service. All are bound by contract and subject to confidentiality and security obligations compliant with the GDPR:
| Category | Provider | Location |
|---|---|---|
| Infrastructure hosting | DigitalOcean | European Union |
| Email sending | Mailgun | European Union |
| SMS sending | Twilio, Gateway API | European Union / international |
| Card payment | Stripe | European Union (Ireland) |
| SEPA direct debit | GoCardless | European Union / United Kingdom |
| Audience measurement | Google Analytics | United States |
| Artificial intelligence assistance | Anthropic | United States |
5.2 Transfers outside the EU
Where a transfer of data to a country outside the European Union that does not offer an equivalent level of protection is necessary, Utelys implements the appropriate safeguards provided for by the GDPR: Standard Contractual Clauses of the European Commission, adequacy decisions, and supplementary measures (encryption, access controls).
6. Retention period
| Data | Period |
|---|---|
| Account data (active user) | As long as the account is active |
| Account data (inactive user) | 3 years after last activity, then archived or deleted |
| Billing data | 10 years (accounting and tax obligation) |
| Connection and security logs | 1 year |
| Commercial prospecting data | 3 years from the last contact |
| Analytics cookies | 13 months maximum |
7. Rights of data subjects
In accordance with the GDPR (articles 15 to 22) and the French Data Protection Act, every data subject has the following rights:
- Right of access to the data concerning them
- Right to rectification of inaccurate data
- Right to erasure ("right to be forgotten")
- Right to restriction of processing
- Right to object to processing
- Right to data portability
- Right to withdraw consent at any time, without retroactive effect
How to exercise your rights
- Email: privacy@trigger-flow.com
- Mail: Utelys SAS, 13 rue Saint-Ursule, 31000 Toulouse, France
Proof of identity may be requested in case of doubt.
Response time: one (1) month, extendable by two (2) additional months in the case of a complex request, in accordance with article 12.3 of the GDPR.
Remedies: in the event of difficulty or disagreement, you have the right to lodge a complaint with the French Data Protection Authority (CNIL, www.cnil.fr).
8. Data security
Utelys implements appropriate technical and organizational measures:
- Encryption of communications (TLS 1.2 minimum)
- Strengthened authentication of administrator access
- Segregation of environments (production, pre-production)
- Logging of access and sensitive operations
- Regular backups and restoration tests
- Confidentiality commitments from staff
- Notification of data breaches in accordance with article 33 of the GDPR
In a logic of accountability, Utelys maintains a record of processing activities in accordance with article 30 of the GDPR, in its capacity both as data controller and as processor. This record is kept available to the supervisory authority and, for processing carried out on behalf of a client, may be provided to that client on request within the framework of the Data Processing Agreement.
9. Cookies and trackers
The trigger-flow.com website uses cookies for:
| Type | Purpose | Subject to consent |
|---|---|---|
| Strictly necessary cookies | Website operation, security, language preferences | No (exempt) |
| Audience measurement cookies | Google Analytics, anonymized statistics | Yes |
A consent banner is displayed on your first visit. You can change your preferences at any time by clicking the "Manage my cookies" link available in the footer.
Consent is stored for 6 months, after which the banner is displayed again.
10. Services intended for professionals
Trigger Flow is intended exclusively for professional clients (hoteliers, accommodation providers, restaurateurs). No targeting of minors is carried out.
11. Use of artificial intelligence
Some features of the Solution rely on artificial intelligence models: assistance with drafting messages, summarizing and analyzing conversations, automatic translation. These features are enabled on request by the client establishment (opt-in) and are in no way automatic by default.
- Data transmitted to the model: we apply a principle of minimization. Data is, as far as possible, anonymized or pseudonymized before processing. Certain personal data (notably the content of messages) may nevertheless be transmitted to the model for the time needed to produce the requested result.
- Provider: the processing is operated via Anthropic, with processing in the United States governed by the Standard Contractual Clauses of the European Commission and encryption of communications.
- No training: the data transmitted is not used to train the models.
- No automated decision-making: no decision producing legal effects or significantly affecting you is made solely on the basis of automated processing, within the meaning of article 22 of the GDPR.
12. SMS Communications
As part of the Solution, SMS messages may be sent to the guests of hotel establishments (reservation confirmations, arrival and departure information, payment of the tourist tax, and stay-related notifications).
- No sharing of numbers: mobile phone numbers and SMS opt-in data are not sold, rented, or shared with third parties or affiliates for marketing or promotional purposes.
- Message frequency: varies depending on the reservation and stay.
- Charges: Message and data rates may apply.
- Opt-out: you can unsubscribe at any time by replying STOP. Reply HELP for help, or contact privacy@trigger-flow.com.
Consent to receive these SMS messages is collected when booking with the establishment and is not a condition of purchase.
13. Updates to the Policy
This policy may change over time. The date of the last update appears at the top of the document. In the event of a substantial change, users will be informed by email or through the Solution.
14. Contact
- Privacy email: privacy@trigger-flow.com
- Data protection officer: dpo@trigger-flow.com
- Postal address: Utelys SAS, 13 rue Saint-Ursule, 31000 Toulouse, France