Privacy Policy
Last updated: April 3, 2026
1. Data Controller
The data controller is GROUPE GARAN, a French SAS (simplified joint-stock company) with a share capital of 100 €, registered under SIREN 953 558 582 (RCS Paris), headquartered at 200 rue de la Croix Nivert, 75015 Paris, France.
Contact: contact@tonaily.com
2. Data We Collect
2.1 Account data
When you create a Tonaily account, we collect your name, email address, and authentication credentials (or third-party OAuth tokens when you sign in via Google).
2.2 Google Search Console data
If you connect your Google Search Console account, we access and store performance data related to your websites: search queries, click counts, impressions, average positions, and site URLs. This data is retrieved via the Google Search Console API under the permissions you explicitly grant through OAuth consent.
2.3 Payment data
Payments are processed by Stripe. We do not store your full credit card number. Stripe acts as an independent data controller for payment data. See Stripe's privacy policy.
2.4 Usage and analytics data
We collect anonymous usage data through:
- Matomo (self-hosted) — page views, device type, referrer. No data is shared with third parties.
- Google Analytics — aggregated traffic and behavior data, processed by Google. See Google's privacy policy.
3. Purpose and Legal Basis
| Purpose | Legal basis (GDPR) |
|---|---|
| Provide and operate the Tonaily platform | Performance of contract (Art. 6(1)(b)) |
| Process payments | Performance of contract (Art. 6(1)(b)) |
| Analyze usage to improve the product | Legitimate interest (Art. 6(1)(f)) |
| Send service-related emails | Legitimate interest (Art. 6(1)(f)) |
4. Data Sharing
We share personal data only with the following processors, strictly for the purposes described above:
- Amazon Web Services (AWS) — hosting infrastructure (EU region)
- Stripe — payment processing
- Google — OAuth authentication and analytics
We do not sell your data. We do not share it with advertisers.
5. Data Retention
We retain your account and Search Console data for as long as your account is active. If you delete your account, we delete all associated data within 30 days, except where retention is required by law (e.g., invoicing records kept for 10 years under French tax law).
6. Your Rights
Under the GDPR, you have the right to:
- Access your personal data
- Rectify inaccurate data
- Delete your data ("right to be forgotten")
- Export your data in a portable format
- Object to processing based on legitimate interest
- Withdraw consent at any time (e.g., disconnect Google Search Console)
To exercise any of these rights, email us at contact@tonaily.com. We will respond within 30 days. You may also file a complaint with the CNIL: www.cnil.fr.
7. Cookies
Tonaily uses the following cookies and trackers:
- Matomo (self-hosted): analytics cookies, no third-party sharing
- Google Analytics: analytics cookies, subject to Google's policies
- Session cookies: required for authentication
You can manage cookies through your browser settings. Disabling analytics cookies will not affect your ability to use Tonaily.
8. Security
We use industry-standard measures to protect your data: encrypted connections (TLS), secure cloud infrastructure on AWS, and restricted access to production systems. OAuth tokens are stored encrypted at rest.
9. Changes to This Policy
We may update this policy from time to time. Significant changes will be communicated via email or in-app notification. The "last updated" date at the top reflects the most recent revision.