ThumbLead← Back to site

Privacy Policy

FrançaisEnglishEspañolDeutschItalianoPortuguêsРусский
⚠︎ This is a courtesy translation. Only the French version is legally binding.Read the French version

Privacy Policy (GDPR)

Last updated: 2 July 2026

This privacy policy describes the manner in which personal data is collected, used, retained and protected in connection with the use of the online software (SaaS) ThumbLead, accessible at https://thumblead.com (hereinafter the "Service").

It is established in accordance with Regulation (EU) 2016/679 of 27 April 2016 (hereinafter the "GDPR") and with French Act No. 78-17 of 6 January 1978, as amended, on information technology, data files and civil liberties (loi Informatique et Libertés) (hereinafter the "French Data Protection Act").

Use of the Service implies acknowledgement and acceptance of this policy. We invite you to read it carefully.


Article 1 — Data Controller

The controller of the personal data collected in connection with the operation of the Service is the publisher:

  • Publisher: Enzo Violante
  • SIRET: 948 968 318 000 14
  • Address: 6 rue Émile Barthe, 34500 Béziers, France
  • Intra-Community VAT No.: TVA non applicable, article 293 B du CGI (VAT-exempt small-business scheme)
  • Contact (personal data): contact@thumblead.com
  • Publication director: Enzo Violante

Hereinafter referred to as "we", "the publisher" or "the data controller".

The publisher acts as data controller for the data it determines (account data, billing data, technical tokens, logs, etc.). A specific case applies to the prospect data imported by the user, for which the publisher acts as a data processor (see Article 9).


Article 2 — Personal Data Collected

We collect only the data strictly necessary for the purposes described in Article 3. The categories of data processed are as follows:

2.1 Account data

  • Last name and/or first name (or the chosen display name provided);
  • Email address;
  • Password, stored in hashed form (never in plain text — see Article 7);
  • Where applicable, the information resulting from sign-in via a Google account ("Google / OAuth"), such as the account identifier and the associated email address.

2.2 Billing data

  • Name / company name, billing address;
  • Where applicable, SIRET number and intra-Community VAT number;
  • History of subscriptions, quotes, invoices and credit notes;
  • Technical identifiers associated with the payment provider (see 2.5).

Payment card data (card number, security code) is never collected or stored by ThumbLead. It is processed directly by our payment provider Stripe (see Article 4). Conversely, if you enter your own bank details (IBAN/BIC) to have them appear on your invoices, these are retained and encrypted at rest (see Article 7).

2.3 Contact / CRM data entered by the user

Within the CRM and sales management features, the user may create and record contact records (clients, prospects) as well as orders. This data (name, email, contact details, notes, items relating to the prospected YouTube channels, order history) is entered and managed under the sole responsibility of the user. The regime applicable to this data is set out in Article 9.

2.4 Google OAuth access tokens

When the user connects their Google account for Google Calendar synchronisation (and, where applicable, other Google services), we retain OAuth access and refresh tokens, encrypted at rest (see Article 7) and used solely to carry out the requested actions.

To send their prospecting email sequences, the user connects their own mailbox (SMTP). We then retain their sending credentials (email address and application password), the latter being encrypted at rest (see Article 7) and used solely to send the emails they schedule, from their own address.

2.5 Stripe identifiers

For the management of subscriptions and payments, we retain the technical identifiers assigned by Stripe (for example customer identifier, subscription identifier, tokenised payment method identifier). These identifiers make it possible to link a subscription to an account, without ever giving access to full bank details.

2.6 Technical logs

For reasons of security, diagnostics and proper operation of the Service, we collect technical logs: IP address, date and time of connection, browser / device type, pages or features accessed, error and security events.


Article 3 — Purposes and Legal Bases of Processing

Each processing operation relies on a specific legal basis determined in accordance with Article 6 of the GDPR.

Purpose Data concerned Legal basis
Creation and management of the user account, provision of the Service Account data, Google OAuth tokens Performance of the contract (art. 6.1.b)
Management of subscriptions, payments, quotes, invoices and credit notes Billing data, Stripe identifiers Performance of the contract (art. 6.1.b) and legal obligation (art. 6.1.c — accounting and tax obligations)
CRM, calendar, email sequence and AI thumbnail analysis features Account data, data entered by the user, Google OAuth tokens Performance of the contract (art. 6.1.b)
Google Calendar synchronisation Google OAuth tokens Consent (art. 6.1.a — OAuth authorisation, revocable at any time)
Sending email sequences from the user's mailbox Sending mailbox credentials (address + application password, encrypted) Performance of the contract (art. 6.1.b)
Security of the Service, prevention of fraud and abuse, technical diagnostics Technical logs Legitimate interest (art. 6.1.f)
Improvement of the Service and internal usage statistics Technical logs (aggregated / minimised data) Legitimate interest (art. 6.1.f)
Audience measurement via a third-party tool (PostHog) Browsing and usage data Consent (art. 6.1.a — obtained via a banner, revocable at any time)
Response to contact and support requests Account data, content of exchanges Legitimate interest (art. 6.1.f) and/or performance of the contract
Sending of transactional emails (confirmation, invoice, service information) Email address Performance of the contract (art. 6.1.b)
Compliance with legal obligations and response to official requests Depending on the request Legal obligation (art. 6.1.c)

Where processing is based on consent, such consent may be withdrawn at any time, without such withdrawal calling into question the lawfulness of the processing carried out beforehand. The withdrawal of the Google OAuth authorisation may in particular be carried out from the security settings of the user's Google account and/or from within the Service.


Article 4 — Recipients and Processors

The data is neither sold, rented, nor transferred to third parties for commercial purposes.

It may be disclosed to the following categories of recipients, strictly to the extent necessary for the purposes described above:

  • The publisher and, where applicable, the authorised persons acting under its authority;
  • The processors listed below, acting on our instructions and providing sufficient guarantees within the meaning of Article 28 of the GDPR;
  • The competent administrative or judicial authorities, upon lawful request.

Processors and providers

Provider Role / purpose Location Transfer outside the EU
Railway Corporation Hosting of the application and of the PostgreSQL database United States Yes (see Article 5)
Stripe Payments Europe, Ltd. Payment processing and subscription management Ireland (EU) No
Google Ireland Ltd. AI thumbnail analysis (Google Gemini), Google sign-in / OAuth, Google Calendar synchronisation Ireland (EU) See Article 5
PostHog Audience measurement and usage statistics of the Service (on the basis of the user's consent) European Union (EU hosting) No
Sentry (Functional Software, Inc.) Detection and diagnosis of technical errors (application monitoring) European Union (EU data region) No
Resend and/or Gmail SMTP Sending of transactional emails and invoices Google (sending via the Gmail API / Google Ireland Ltd., Ireland) Not applicable (provider located in the European Union)

The address of the hosting provider is: Railway Corporation, 548 Market Street, San Francisco, CA 94104, United States.

With regard to the data transmitted to Google (in particular the content of the thumbnails analysed via Gemini), its processing is also subject to Google's privacy policies. The Service uses these accesses only to carry out the actions expressly requested by the user.


Article 5 — Data Transfers Outside the European Union

The hosting of the application and of the PostgreSQL database is provided by Railway Corporation, a company established in the United States. As such, certain personal data is subject to a transfer outside the European Economic Area (EEA).

This transfer is governed by appropriate safeguards within the meaning of Chapter V of the GDPR, namely the conclusion of the standard contractual clauses (SCCs) adopted by the European Commission (Implementing Decision (EU) 2021/914 of 4 June 2021), supplemented where applicable by additional technical and organisational measures.

With regard to Google, where the contracting processor is Google Ireland Ltd. (EU), the data is processed within the European framework; any possible transfer to infrastructure located outside the EEA is governed by the standard contractual clauses and the safeguards implemented by Google.

A copy of the applicable safeguards may be obtained on request at the address indicated in Article 1.


Article 6 — Retention Periods

Data is retained only for the period strictly necessary for the purposes for which it is processed, then archived or deleted in accordance with the periods below:

Category of data Retention period
Account data For the entire duration of the contractual relationship, then deletion (or anonymisation) within a maximum period of 3 months after the closure of the account
Google OAuth tokens Until the authorisation is revoked by the user, the Google service is disconnected, or the account is closed
Billing data, invoices and accounting records 10 years from the closure of the accounting period, in accordance with Article L123-22 of the French Commercial Code
CRM contacts and orders entered by the user For the entire duration of the user's use of the Service; deleted upon closure of the account, subject to the user's own action (see Article 9)
Technical logs 12 months in accordance with security recommendations
Data relating to the handling of rights requests For the time necessary to process the request, then retained as evidence within the applicable limitation periods

Upon expiry of these periods, the data is deleted or irreversibly anonymised. Certain data may be retained in intermediate archiving, with restricted access, in order to comply with a legal obligation or to assert a right in legal proceedings.


Article 7 — Data Security

We implement appropriate technical and organisational measures in order to ensure a level of security appropriate to the risk, in accordance with Article 32 of the GDPR. These measures include in particular:

  • The hashing of passwords by means of the bcrypt algorithm (passwords are never stored or transmitted in plain text);
  • The encryption at rest of sensitive data (in particular IBAN-type bank details used for billing, Google access tokens and the application password of the sending mailbox) by means of AES-256 encryption;
  • The encryption of communications in transit via the HTTPS/TLS protocol;
  • Access control and the limitation of authorisations to what is strictly necessary;
  • The logging of security events;
  • The use of processors providing security guarantees compliant with Article 28 of the GDPR.

In the event of a personal data breach likely to result in a risk to the rights and freedoms of the data subjects, we undertake to notify the CNIL under the conditions and within the time limits provided for in Article 33 of the GDPR, and, where applicable, to inform the data subjects in accordance with Article 34 of the GDPR.

As no system offers absolute security, the user is invited to contribute to the protection of their data, in particular by choosing a strong password and keeping it confidential.


Article 8 — Rights of Data Subjects

In accordance with the GDPR and the French Data Protection Act, every data subject has the following rights over their personal data:

  • Right of access (art. 15 GDPR): to obtain confirmation that data concerning them is being processed and to receive a copy thereof;
  • Right to rectification (art. 16 GDPR): to have inaccurate or incomplete data corrected;
  • Right to erasure (art. 17 GDPR): to obtain the deletion of their data, subject to legal retention obligations (in particular accounting and tax obligations);
  • Right to portability (art. 20 GDPR): to receive the data provided in a structured, commonly used and machine-readable format, and to transmit it to another data controller;
  • Right to object (art. 21 GDPR): to object, for reasons relating to their particular situation, to processing based on legitimate interest;
  • Right to restriction of processing (art. 18 GDPR): to request the temporary freezing of the use of their data in certain cases;
  • Right to withdraw consent at any time, where the processing is based on it;
  • Right to define guidelines relating to the fate of their data after their death (Article 85 of the French Data Protection Act).

How to exercise your rights

These rights may be exercised by sending a request to the contact address indicated in Article 1: contact@thumblead.com, or by post to the publisher's postal address.

In order to process the request, proof of identity may be required. A response will be provided within one month of receipt of the request, extendable by two months in the event of complexity or a high number of requests, the data subject then being informed thereof.

Complaint to the CNIL

If, after having contacted the publisher, the data subject considers that their rights are not being respected, they may lodge a complaint with the French Data Protection Authority (Commission nationale de l'informatique et des libertés — CNIL):

  • CNIL — 3 Place de Fontenoy, TSA 80715, 75334 Paris Cedex 07
  • Website: https://www.cnil.fr

Article 9 — Specific Case: Prospect Data Imported by the User

The Service enables the user to import, create and manage data relating to prospects (YouTube channels and their managers, business contacts, contact details, notes, history of exchanges), in particular within the prospecting, CRM and email sequence features.

For this data, the allocation of roles is as follows:

  • The user is the data controller of their own prospects. They determine the purposes and means of the processing of this data, choose the persons prospected, and decide on the messages sent to them.
  • The publisher (ThumbLead) acts as a data processor within the meaning of Article 28 of the GDPR: it processes this data solely on the instructions of the user and on their behalf, for the sole purpose of providing the features of the Service.

Accordingly, it is the responsibility of the user, in their capacity as data controller of their prospects:

  • to have a valid legal basis for the prospecting (in particular compliance with the rules applicable to B2B and B2C prospecting, with the "ePrivacy" directive on privacy and electronic communications, with Article L34-5 of the French Postal and Electronic Communications Code, and with the CNIL's guidelines);
  • to inform the persons prospected and to respect their rights (access, objection, erasure, etc.);
  • to obtain, where required, the prior consent of the persons;
  • to ensure the lawfulness of the sources from which the imported data originates.

The publisher, as a processor, undertakes to process this data only in accordance with the user's documented instructions, to ensure its confidentiality and security, and to delete or return it at the end of the service, under the conditions provided for by the general terms and conditions of the Service and, where applicable, by a separate data processing agreement (DPA). Furthermore, the publisher has concluded data processing agreements (DPAs) with its own processors (Railway, Stripe, Google).


Article 10 — Cookies and Trackers

The Service essentially uses technical cookies, strictly necessary for its operation:

  • session and authentication cookies (allowing the user to remain logged in);
  • preference cookies (storage of interface choices).

As these cookies are strictly necessary for the provision of the Service expressly requested, they are exempt from the requirement to obtain consent in accordance with Article 82 of the French Data Protection Act and the CNIL's guidelines.

The Service does not use third-party advertising cookies or tracking for advertising targeting purposes.

For further details on the nature of the cookies used and their management, please refer to the Cookie Policy of the Service: https://thumblead.com/politique-cookies.


Article 11 — Minors

The Service is intended for professionals (freelancers, self-employed persons) and is not intended for minors. We do not knowingly collect data relating to persons under 15 years of age. Should we become aware of the collection of such data without the required consent, we would proceed to delete it as soon as possible. Any person who considers that a minor has provided us with data is invited to inform us at the address indicated in Article 1.


Article 12 — Amendments to This Policy

This privacy policy is liable to be amended at any time, in particular in order to take account of legal, regulatory, case-law or technical developments, or of developments in the Service.

The applicable version is the one in force on the date of access to the Service, the date of the last update appearing at the top of this document. In the event of a substantial amendment, users may be informed thereof by an appropriate means (for example email or notification within the Service). Continued use of the Service after the amendments come into force constitutes acknowledgement thereof.