This Privacy Policy aims to inform users of the TipsYou mobile application (hereinafter "the Application") about how their personal data is collected, used, shared, and protected. It complies with the provisions of the General Data Protection Regulation (GDPR - EU Regulation 2016/679) and applicable French laws, including the Data Protection Act of January 6, 1978, as amended.
2. Data Controller
The data controller responsible for your personal data is HumanX, a simplified joint-stock company (SAS) registered with the Bobigny Trade and Companies Register (RCS) under number 931 308 704, with its registered office at 48 Boulevard Jean Moulin, 93190 Livry-Gargan, France.
Contact: support@tipsyou.fr
3. Data We Collect
3.1. Identification data: last name, first name, email address, date of birth, country of residence.
3.2. Authentication data: password (stored in encrypted form), Google Sign-In or Apple Sign-In identifiers where applicable.
3.3. Financial data: tip amounts received, transaction history, bank transfer history, account balance. Bank details (IBAN) are collected and managed directly by our payment provider Stripe; HumanX does not have access to and does not store this information.
3.4. Profile photo: image uploaded by the user from their camera or gallery.
3.6. Notification data: Firebase Cloud Messaging (FCM) tokens used to send push notifications to your devices.
3.7. Team data: team membership, role (leader or member), distribution history, participation in distributions.
3.8. Support data: content of messages exchanged with our support team through the Application.
3.9. Identity verification data: identity documents and KYC (Know Your Customer) information are collected and processed directly by our payment provider Stripe. HumanX does not store these documents.
4. Legal Bases for Processing
4.1. Performance of a contract (Article 6.1.b GDPR): processing financial transactions, managing your account, operating teams.
4.2. Legitimate interest (Article 6.1.f GDPR): improving the Application, security and fraud prevention, service notifications.
4.3. Legal obligation (Article 6.1.c GDPR): retention of transaction data in accordance with accounting and tax obligations.
4.4. Consent (Article 6.1.a GDPR): sending push notifications, use of profile photo.
5. Purposes of Data Processing
5.1. To provide and manage the Application's services (receiving tips, distributions, bank transfers).
5.2. To process financial transactions and manage balances.
5.3. To enable the creation and management of teams.
5.4. To send notifications related to your account (tips received, distributions, balance updates).
5.5. To ensure service security and prevent fraud.
5.6. To provide customer support.
5.7. To comply with legal and regulatory obligations.
6. Sub-processors and Data Sharing
We use the following sub-processors for the operation of the Application:
6.1. Stripe (Stripe Inc., United States): payment processing, connected account management, identity verification (KYC), bank transfer execution. Stripe is PCI-DSS Level 1 certified. Transfers outside the EU are governed by the European Commission's Standard Contractual Clauses (SCCs).
6.2. Firebase / Google Cloud (Google LLC, United States): push notifications via Firebase Cloud Messaging (FCM), Google Sign-In verification. Transfers outside the EU are governed by SCCs.
6.3. Cloudinary (Cloudinary Ltd., United States): hosting and delivery of profile photos. Images are automatically optimized (resizing, format conversion). Transfers outside the EU are governed by SCCs.
6.4. MongoDB Atlas (MongoDB Inc., United States / Europe): database hosting. Data may be stored in European data centers. Transfers outside the EU are governed by SCCs.
6.5. OVH (OVH SAS, France): transactional email delivery (verification codes, password reset). Data hosted in France.
6.6. Apple (Apple Inc., United States): authentication via Apple Sign-In. Transfers outside the EU are governed by SCCs.
6.7. Vercel (Vercel Inc., United States): hosting of the showcase website. Transfers outside the EU are governed by SCCs.
6.8. Competent authorities: if required by law or in response to legal requests.
Your data is never sold to third parties. No data is shared for advertising purposes.
7. International Data Transfers
Some of our sub-processors are located in the United States. These transfers are governed by the Standard Contractual Clauses (SCCs) adopted by the European Commission, ensuring an adequate level of protection for your personal data.
As the Application is available in over 30 countries, data from users located outside the European Union is processed in accordance with applicable local data protection laws.
8. Data Retention
8.1. Account data (name, email, photo): retained for the duration of service use, then deleted within 30 days after account closure.
8.2. Financial transaction data: retained for 24 months from the date of the last transaction, in accordance with accounting obligations.
8.3. Identity verification data (KYC): retained by Stripe in accordance with its own retention policies and regulatory obligations.
8.4. Notification tokens (FCM): deleted upon device logout or account closure.
8.5. Connection logs: retained for 12 months for security purposes.
8.6. Support messages: retained for the duration of the account, then deleted upon closure.
9. Data Security
We implement appropriate technical and organizational security measures:
- Password encryption (bcrypt);
- JWT token authentication with automatic rotation (access token lifetime limited to 15 minutes);
- Secure on-device storage (FlutterSecureStorage) for sensitive data;
- Encrypted communications (HTTPS/TLS);
- Rate limiting to prevent abuse;
- HTTP security headers (Helmet);
- Payments processed by Stripe, PCI-DSS Level 1 certified.
10. Data Stored on Your Device
The Application stores the following data locally on your device:
- Your authentication tokens (in encrypted secure storage);
- Your email address and authentication method;
- Your application preferences (theme, language);
- An image cache (profile photos) to improve performance.
No local database is used. You can delete this data by uninstalling the Application.
11. Your Rights
Under the GDPR, you have the following rights:
11.1. Right of access (Article 15): obtain information about the data we hold about you.
11.2. Right to rectification (Article 16): request correction of inaccurate or incomplete data.
11.3. Right to erasure (Article 17): request deletion of your personal data, subject to legal retention obligations.
11.4. Right to restriction of processing (Article 18): request limitation of processing of your data.
11.5. Right to data portability (Article 20): receive your data in a structured, commonly used format.
11.6. Right to object (Article 21): object to the processing of your data based on legitimate interest.
To exercise these rights, contact us at: support@tipsyou.fr. We will respond within a maximum of 30 days.
You also have the right to lodge a complaint with the CNIL (French Data Protection Authority): www.cnil.fr.
12. Cookies and Trackers
The mobile Application does not use cookies.
The showcase website (thetipsyou.com) may use strictly necessary technical cookies for the operation of the site.
No advertising or tracking cookies are used. No third-party analytics or tracking SDK is integrated into the Application.
13. Minors
The Application is not intended for persons under 16 years of age. We do not knowingly collect personal data from minors. If you become aware that a minor has created an account, please contact us at support@tipsyou.fr.
14. Changes to the Privacy Policy
We reserve the right to modify this Privacy Policy at any time.
Any changes will be posted on this page with an updated effective date.
Significant changes will be notified via the Application.
We encourage you to review this page regularly to stay informed of any changes.
15. Contact Us
For any questions regarding this Privacy Policy or to exercise your rights, you can contact us:
- By email: support@tipsyou.fr
- By mail: HumanX SAS, 48 Boulevard Jean Moulin, 93190 Livry-Gargan, France