ElyxAI Privacy Policy
(Effective as of 11 February 2026 – updated)
1. Introduction
This privacy policy explains how TCD Apps ("we", "our" or "the Company") collects, uses, stores and protects the personal data of users of the ElyxAI platform, which includes the ElyxAI website (getelyxai.com) and the ElyxAI Excel add‑in (hereinafter collectively "the Service").
2. Data Controller
Thomas Cogé – TCD Apps
88 Rue Sadi Carnot, 59280 Armentières, France
Email: [email protected]
3. Data Protection Officer (DPO)
Thomas Cogé
Email: [email protected]
4. Scope
This policy covers all processing operations carried out when using ElyxAI, including:
- The ElyxAI website (getelyxai.com)
- The ElyxAI Excel add‑in distributed on Microsoft AppSource / Store
- API calls to our backend services
- Customer support interactions
5. Categories of Personal Data Processed
| Category | Example data | Collected automatically | Provided by the user |
|---|---|---|---|
| Account identifiers | Email address, password, Supabase user ID | No | Yes |
| Authentication data | OAuth tokens (Google, Microsoft), JWT sessions | Partially | Yes |
| Usage metadata | Launch timestamp, Excel version, functions called | Yes | No |
| AI request content | Prompts, text pasted from workbooks | No | Yes |
| AI call metadata | Model used, provider, tokens consumed, estimated costs, response time | Yes | No |
| Payment & billing data | Billing history, credit consumption, quota, subscription plan | Yes | Yes |
| Workbook snapshots | Encrypted Excel checkpoints stored in Supabase Storage | No | Yes |
| Uploaded files | Excel, CSV, images, PDF (temporarily processed, deleted within 5 minutes) | No | Yes |
| Custom AI rules | User‑defined instructions sent to AI providers | No | Yes |
| WebSocket session data | Session identifiers, real‑time server connections | Yes | No |
| Language preferences | Auto‑detected and stored language setting | Yes | No |
| Error / support logs | Log messages, exception traces | Yes | No |
Important: ElyxAI never accesses cell content or the complete Excel file without explicit user action (copy/paste or manual selection in the prompt).
Uploaded files (Excel, CSV, images, PDF) are not permanently stored. They are processed for the requested operation and automatically deleted within 5 minutes.
6. Purposes and Legal Bases
| Purpose | Legal basis (GDPR) | Details |
|---|---|---|
| Service delivery | Contract performance (Art. 6‑1‑b) | Authentication, session management, feature activation |
| AI processing | Contract performance (Art. 6‑1‑b) | Execution of AI calls, formula generation, data analysis, Vision/OCR |
| Payment processing | Contract performance (Art. 6‑1‑b) | Subscription management, billing, credit tracking via Stripe |
| Communication | Contract performance (Art. 6‑1‑b) | Transactional emails, incident notifications, service alerts via Resend |
| Customer support | Contract performance (Art. 6‑1‑b) | Addressing requests and resolving issues |
| Security & fraud detection | Legitimate interest (Art. 6‑1‑f) | Real‑time threat monitoring, anomaly logging, API call monitoring, rate limiting |
| Business continuity | Legitimate interest (Art. 6‑1‑f) | Backups, disaster recovery, encrypted workbook snapshots |
| Analytics & improvement | Consent (Art. 6‑1‑a) | Google Analytics and DataFast – aggregated usage statistics |
| Legal compliance | Legal obligation (Art. 6‑1‑c) | Security log retention, regulatory requirements |
7. Cookies and Tracking Technologies
We use the following cookies and tracking technologies on the ElyxAI website:
| Service | Purpose | Legal basis |
|---|---|---|
| Google Analytics | Website usage analytics and traffic measurement | Consent (Art. 6‑1‑a) |
| DataFast | Website analytics and performance monitoring | Consent (Art. 6‑1‑a) |
You can manage your cookie preferences at any time via the cookie banner displayed on our website.
8. Local Storage (Add‑in)
The ElyxAI Excel add‑in uses the following client‑side storage mechanisms:
| Storage type | Data stored | Purpose |
|---|---|---|
| OfficeRuntime.storage | JWT token, application settings | Authentication and configuration |
| localStorage | Conversation cache, user preferences | Performance and user experience |
| sessionStorage | Temporary session data | Current session management |
This data is stored locally on your device and is not transmitted to our servers except as described in this policy.
9. Data Sharing and Recipients
| Recipient | Role | Location | Safeguards |
|---|---|---|---|
| Supabase Inc. | Database hosting, authentication, Edge Functions, file storage | European Union (eu‑central) | SOC2 + Standard Contractual Clauses |
| Vercel Inc. | Website hosting and deployment | European Union | SOC2 + Standard Contractual Clauses |
| OpenAI LLC | AI model processing (prompts, Vision/OCR) | European Union | SOC2 + Standard Contractual Clauses + TLS |
| Anthropic PBC | AI model processing (prompts, extended thinking) via AWS Bedrock | European Union | SOC2 + Standard Contractual Clauses + TLS |
| Tavily Inc. | Real‑time web search for AI queries | United States | Standard Contractual Clauses + TLS |
| Resend Inc. | Transactional email delivery (confirmations, invitations, credit alerts) | United States | Standard Contractual Clauses + TLS |
| Stripe Inc. | Payment processing and billing management | United States (with EU processing) | PCI DSS Level 1 + Standard Contractual Clauses |
| Google LLC | Website analytics (Google Analytics) | United States | Standard Contractual Clauses |
| DataFast | Website analytics and performance monitoring | European Union | Data processing agreement |
All service providers are SOC2 certified or equivalent.
Data may also be shared:
- With enterprise business partners under contractual obligation
- With legal authorities when required by law
- In the context of mergers & acquisitions as a legitimate business transaction
- With explicit user consent
Note regarding Microsoft: The add‑in runs locally within the secure Office JS sandbox; only requests to our APIs leave your Office environment.
10. AI Processing Details
ElyxAI uses multiple AI providers to deliver its features. The following applies to AI processing:
- Prompt caching: Anthropic prompt caching may be used to improve performance. Cached data follows the same retention and security policies.
- Extended thinking: AI models may generate reasoning tokens during processing to improve response quality.
- Web search: User queries may be sent to Tavily to obtain real‑time web search results.
- Vision / OCR: Files and images may be sent to AI models for text extraction and analysis.
- Provider retention: AI model API calls may be retained by providers for up to 30 days for security and abuse prevention purposes.
11. International Transfers
Data are primarily hosted in the European Union (Supabase eu‑central region, Vercel EU).
Where processing involves a transfer outside the EEA (e.g., to the United States for Tavily, Resend, or Stripe), we rely on Standard Contractual Clauses and encryption at rest and in transit.
Clients will be notified in advance of any changes to data hosting locations.
12. Retention Periods
| Data type | Retention period |
|---|---|
| Conversations | Archived after 90 days, deleted after 365 days |
| Detailed API logs | 90 days |
| Execution logs | 90 days |
| Analytics data | 2 years |
| Workbook snapshots (checkpoints) | 7 days |
| Uploaded files (Excel, CSV, images, PDF) | 5 minutes (auto‑deleted) |
| Support tickets | 36 months after closure |
| Credit consumption records | Duration of the account |
| Inactive ElyxAI account | Anonymised after 24 months of inactivity |
| AI provider logs | Up to 30 days (provider‑managed) |
After these periods, data are deleted or anonymised.
13. Data Security
We apply technical and organisational measures in line with the state of the art:
- TLS 1.3 encryption for data in transit
- AES‑256 encryption at rest in Supabase
- Email/password authentication with bcrypt hashing
- OAuth 2.0 authentication (Google, Microsoft) via Supabase Auth
- CSRF protection
- Rate limiting and API call monitoring
- Encrypted session management
- RBAC access control
- Incident response plan
14. Automated Decision‑Making
ElyxAI uses artificial intelligence models to process user requests (formula generation, data analysis, text extraction, etc.). These AI‑powered features:
- Only process data explicitly provided by the user
- Do not make decisions with legal or similarly significant effects on users
- Can be reviewed, modified, or rejected by the user at any time
Under Article 22 of the GDPR, you have the right not to be subject to a decision based solely on automated processing that produces legal effects or similarly significant effects. The AI features in ElyxAI are assistive tools and do not constitute automated decision‑making within the meaning of Article 22.
15. Users' Rights
Under the GDPR (Articles 15 to 22), you have the following rights:
- Right of access (Art. 15): obtain a copy of your personal data
- Right to rectification (Art. 16): correct inaccurate data
- Right to erasure (Art. 17): request deletion of your data
- Right to restriction (Art. 18): limit processing of your data
- Right to data portability (Art. 20): receive your data in a structured format
- Right to object (Art. 21): object to processing based on legitimate interest
- Right to withdraw consent at any time for consent‑based processing
To exercise your rights, send an email to [email protected] specifying your request. We will respond within 30 days.
You also have the right to lodge a complaint with the Commission Nationale de l'Informatique et des Libertés (CNIL), the French data protection authority:
- Website: www.cnil.fr
- Address: 3 Place de Fontenoy, TSA 80715, 75334 Paris Cedex 07, France
16. Data Breach Notification
In the event of a personal data breach likely to result in a risk to your rights and freedoms, we will:
- Notify the CNIL within 72 hours as required by Article 33 of the GDPR
- Notify affected users within 15 days of becoming aware of the breach, in accordance with Article 34 of the GDPR
17. Minors
ElyxAI is not intended for use by individuals under the age of 16. We do not knowingly collect personal data from minors. If we become aware that we have collected data from a user under 16, we will take steps to delete it promptly.
18. Updates to this Policy
We may amend this policy to reflect changes to ElyxAI or applicable legislation. Updated versions will be published on our website and will take effect on the date of publication. We will notify any material change via the add‑in and/or by email.
19. Contact Us
Thomas Cogé – Data Protection Officer
Email: [email protected]