Privacy Policy
Huxley — Tagstack SASU · Last updated: 17/03/2026 · Version 1.0
Courtesy translation — This English version is provided for convenience only. In the event of any discrepancy, the French version shall prevail.
1. Data controller
The data controller for personal data collected through huxley.to and the Huxley service is:
Tagstack SASU, share capital 100 €
Registered office: 17 rue Paul Bert, 94160, Saint-Mandé
SIREN: 100419340
Contact: privacy@huxley.to
2. Personal data collected
2.1 User account data
When you register and use the service, we collect:
| Data | Purpose | Legal basis |
|---|---|---|
| Name | Account management and commercial relationship | Performance of contract (Art. 6.1.b GDPR) |
| Email address | Authentication, communication, notifications | Performance of contract |
| Organisation name | Multi-user management, billing | Performance of contract |
| IP address | Security, fraud prevention, logging | Legitimate interest (Art. 6.1.f GDPR) |
| Browsing data (pages viewed, clicks) | Service improvement, usage analysis | Consent (Art. 6.1.a GDPR) |
| Payment data | Billing and payment collection | Performance of contract |
2.2 Data collected during website checks
When Huxley analyses a user's website, the following data is collected:
| Data | What IS stored | What is NOT stored |
|---|---|---|
| Detected cookies | Cookie name, domain, path, expiration, attributes (Secure, HttpOnly, SameSite) | Cookie value |
| Network requests | Domain name and request path | URL parameters, request body, transmitted cookies |
| Screenshots | Image of the page at the time of the check | N/A |
Huxley does not store any personal data of end users visiting its users' websites. Checks are performed by an automated browser (headless browser) without any real user session.
3. Cookies and trackers on huxley.to
The huxley.to website uses the following cookies and trackers:
| Name | Service | Purpose | Type | Duration | Legal basis |
|---|---|---|---|---|---|
| auth_session | huxley.to | Authentifcation and session management | Essential | 1 month | Delivery of service |
| g_state | Google 1 Tap Sign In | Authentification through user own Google Acccount | Essential | 180 days | Delivery of service |
| cf_clearance | Cloudflare | Bot detection | Essential | 365 days | Application security |
Essential cookies are placed without prior consent as they are strictly necessary for the service.
4. Sub-processors and data transfers
Personal data may be processed by the following sub-processors:
| Sub-processor | Service | Data | Location | Safeguards |
|---|---|---|---|---|
| Cloudflare, Inc. | Hosting (Pages), database (D1), CDN, Object storage for screenshots (R2), WAF (Application Firewall) | All service data | EU / US | SCCs, Cloudflare DPA |
| Stripe, Inc. | Payment processing | Billing and payment data | EU / US | PCI DSS certified, SCCs |
| Qonto | Banking services | Billing data | France / EU | ACPR regulated, EU hosting |
For transfers to the United States, we rely on Standard Contractual Clauses (SCCs) adopted by the European Commission and, where applicable, the EU-US Data Privacy Framework when the sub-processor is certified.
5. Data retention periods
| Data category | Retention period |
|---|---|
| Account data (name, email, organisation) | Duration of contract + 3 years (commercial limitation period) |
| Billing data | 10 years (accounting obligation, Art. L.123-22 French Commercial Code) |
| Check results (cookies, requests, screenshots) | According to the subscribed plan (7 days to 12 months), then deleted |
| Connection logs | 12 months (Article 6 of the LCEN) |
| Analytics data (GA4) | 14 months maximum |
Once these periods expire, data is deleted or irreversibly anonymised.
6. Your rights
Under the GDPR and the French Data Protection Act, you have the following rights over your personal data:
| Right | Description |
|---|---|
| Right of access (Art. 15 GDPR) | Obtain confirmation that your data is being processed and receive a copy |
| Right to rectification (Art. 16) | Have inaccurate or incomplete data corrected |
| Right to erasure (Art. 17) | Request deletion of your data within legal limits |
| Right to restriction (Art. 18) | Request the freezing of data processing |
| Right to portability (Art. 20) | Receive your data in a structured, machine-readable format |
| Right to object (Art. 21) | Object to processing based on legitimate interest |
| Right to withdraw consent | Withdraw consent at any time for consent-based processing |
| Right to lodge a complaint | File a complaint with the CNIL (www.cnil.fr) |
| Post-mortem directives | Define instructions regarding the fate of your data after death |
To exercise your rights, send your request by email to: privacy@huxley.to. We commit to responding within one month. This period may be extended by two months for complex requests, in which case you will be informed.
7. Data security
Tagstack implements the following technical and organisational measures to protect your data: encryption of data in transit (TLS/HTTPS), encryption at rest on Cloudflare D1, secure authentication with session management, role-based access control (RBAC) within organisations, hosting on Cloudflare infrastructure (ISO 27001, SOC 2 certified), and regular data backups.
8. Children's data
Huxley is a B2B service intended exclusively for professionals. We do not knowingly collect personal data from individuals under the age of 16. If we become aware that a minor has provided us with personal data, we will delete it promptly.
9. Changes to this privacy policy
This policy may be modified at any time. In the event of a substantial change, we will inform you by email or by notification in the service interface at least thirty (30) days before the changes take effect.
10. Contact
For any questions about this policy or the processing of your personal data:
Email: privacy@huxley.to
Tagstack SASU — 17 rue Paul Bert, 94160, Saint-Mandé
You may also lodge a complaint with the French Data Protection Authority (CNIL): www.cnil.fr