This privacy policy describes how Toplio collects, uses and protects its users' personal data, in accordance with the General Data Protection Regulation (GDPR — EU Regulation 2016/679) and the French "Informatique et Libertés" law.
The controller of the data collected on Toplio is:
Viky Gillard — Sole proprietorship
10 Rue de la Paix, 75002 Paris, France
SIRET: 89260479400016
Email: contact@toplio.app
Toplio collects only the data strictly necessary to operate the Service:
• Account data: email address, password (hashed), pseudo, creation date.
• Listing data: title, description, images, category, contact details (email, phone, address, external link) that the user chooses to publish.
• Usage data: viewed listings, votes, boosts, point purchases, reports.
• Technical data: IP address (hashed), browser type, device type, language, time zone.
• Payment data: no card data is stored by Toplio. Payments are handled by Stripe (see "Subprocessors").
Toplio does not knowingly collect any sensitive data (health, political opinions, religion, sexual orientation, etc.).
Your data is processed for the following purposes:
• Provide the Service (account creation, listing publishing, ranking, point purchases) — legal basis: performance of the contract (Terms).
• Manage billing and accounting obligations — legal basis: legal obligation.
• Fight fraud, spam and abuse — legal basis: legitimate interest.
• Improve the Service (internal statistics, debugging) — legal basis: legitimate interest.
• Send you transactional notifications (account security, purchases, moderation) — legal basis: performance of the contract.
• Send you optional notifications (push, marketing emails) — legal basis: your consent, revocable at any time.
User accounts are strictly private: no listing publicly reveals the identity of the account that published it. Pseudos can be hidden on listings from the account settings. Toplio does not offer public profiles.
• Account data: kept while the account is active, then deleted within 30 days after account deletion.
• Deleted listings: archived for 90 days for moderation and audit purposes, then permanently deleted.
• Billing data: kept for 10 years to comply with French accounting obligations.
• Technical and security logs: kept for up to 12 months.
Under the GDPR you have the following rights regarding your data:
• Right of access: obtain a copy of your data.
• Right of rectification: correct inaccurate data.
• Right to erasure ("right to be forgotten"): request the deletion of your data.
• Right to restriction of processing.
• Right to data portability.
• Right to object to processing.
• Right to withdraw consent at any time for processing based on consent.
• Right to set directives regarding the fate of your data after death.
To exercise these rights, contact us at contact@toplio.app. We will reply within one month at the latest. You also have the right to lodge a complaint with the CNIL (French data protection authority) — www.cnil.fr.
To deliver the Service, Toplio relies on technical subprocessors within the meaning of the GDPR:
• Lovable AB (Norrlandsgatan 18, 111 43 Stockholm, Sweden — EU): hosting platform and application orchestration.
• Supabase, Inc. (970 Toa Payoh North #07-04, Singapore 318992): database, authentication and file storage. Toplio user data is hosted in data centers located in the European Union.
• Cloudflare, Inc. (101 Townsend Street, San Francisco, CA 94107, USA): edge delivery (CDN), DDoS / WAF protection. Cloudflare does not durably store business data; transfers are governed by the European Commission's Standard Contractual Clauses.
• Stripe Payments Europe, Ltd. (1 Grand Canal Street Lower, Dublin, Ireland): card payment processing. Stripe acts as a controller for strictly payment-related data.
• Resend (or equivalent provider): sending transactional emails (confirmation, security, notifications).
Any transfer outside the EU is framed by appropriate safeguards (Standard Contractual Clauses, adequacy decisions).
Toplio only uses cookies and local storage strictly necessary to operate the Service:
• Authentication cookie / token (Supabase Auth): required to keep you signed in.
• Local storage of preferences (language, theme, display settings).
• Service Worker: used only if you explicitly enable push notifications.
Toplio uses NO advertising cookies and NO third-party behavioral tracking tools (Google Analytics, Meta Pixel, etc.). In line with the CNIL's position, cookies strictly necessary to operate the Service do not require prior consent and do not require a consent banner.
Toplio implements appropriate technical and organizational measures to protect your data:
• Encryption in transit (HTTPS / TLS) and at rest.
• Hashed passwords (bcrypt), never stored in clear.
• Strict access policies (Row-Level Security at the database level).
• Regular backups.
• Security monitoring and logging of sensitive accesses.
In case of a data breach likely to result in a risk to your rights and freedoms, you will be informed without undue delay in accordance with article 34 of the GDPR.
The Service is not intended for individuals under 15. Toplio does not knowingly collect data concerning minors under 15 without verifiable consent from holders of parental authority. If you believe a minor has provided us with data, contact us at contact@toplio.app for immediate deletion.
This policy may be amended to reflect changes in the Service or in regulations. Substantial changes will be notified to you. The date of last update is shown at the bottom of this page.