Privacy Policy
Last updated: 11 May 2026
Chut.App BV, a private limited company under Belgian law, BCE/VAT BE 1035.742.145, with registered office at Ballingstraat 116, 8560 Wevelgem, Belgium ("Chut", "we"), operates the Chut platform (chut.app). This Privacy Policy describes how we collect, use and protect your personal data under the EU General Data Protection Regulation (GDPR) and the Belgian Act of 30 July 2018 on the protection of natural persons with regard to the processing of personal data.
1. Roles and responsibilities
For your use of the Chut platform, your company is the Data Controller under the GDPR. Chut.App BV acts as the Data Processor for the data you submit.
A Data Processing Agreement (DPA) is available at /dpa.
2. Data we collect
We process the following categories of data based on their respective legal grounds:
| Category | Data | Legal basis (Art. 6 GDPR) |
|---|---|---|
| Identity data | Email address, name, user identifier | Art. 6(1)(b) — contract performance |
| Company identifiers | BCE number, VAT number, legal name | Art. 6(1)(b) — contract performance |
| Financial documents | Invoices, receipts, bank statements | Art. 6(1)(b) — contract performance |
| Accounting data | Bookkeeping entries, chart of accounts | Art. 6(1)(b) — contract performance |
| Contact data | Email, phone, address of suppliers/customers | Art. 6(1)(f) — legitimate interest |
| Legal documents | Contracts, incorporation documents (Legal module only) | Art. 6(1)(a) — consent |
| AI conversations | Legal Q&A, analysis results (Legal module only) | Art. 6(1)(a) — consent |
3. Where your data is stored
All storage and compute infrastructure is located in the European Union. Some AI processing may require transfers governed by the European Commission's Standard Contractual Clauses (SCCs) — see below.
| Data type | Location |
|---|---|
| Application data (accounts, documents, entries, contracts) | France — Scaleway S.A.S., fr-par region (Paris) |
| Identity verification (KYC) | Lithuania — UAB iDenfy |
| AI prompts and responses | Ireland — OpenAI Ireland Limited, with onward transfers to OpenAI, L.L.C. (United States) covered by SCCs |
| Marketing site analytics (chut.app) | Ireland — Google Ireland Limited (Google Tag Manager + Google Analytics 4), with onward transfers to Google LLC (United States) covered by SCCs |
4. Retention
| Category | Period | Basis |
|---|---|---|
| Active account data | Term of contract + 30 days (soft delete) | Contractual |
| Accounting documents | 7 years | Belgian Economic Law Code, Art. III.86 |
| AI conversations | 1 year after last activity | Legitimate interest |
| Audit logs | 2 years (anonymised thereafter) | Legitimate interest |
| Backups | 30 days rolling | Business continuity |
5. Sub-processors
We rely on the following sub-processors to handle your data. The full, up-to-date list is at /sub-processors.
| Sub-processor | Purpose | Location |
|---|---|---|
| Scaleway S.A.S. | Compute, storage, network, database | EU — France (Paris / fr-par) |
| OpenAI Ireland Limited | AI processing | EU — Ireland (with SCCs for onward transfers) |
| Google Ireland Limited | Marketing-site analytics (Google Tag Manager + Google Analytics 4) | EU — Ireland (with SCCs for onward transfers) |
| UAB iDenfy | Identity verification (KYC) | EU — Lithuania |
6. AI processing
Chut uses OpenAI Ireland Limited for AI processing (tool orchestration, response generation, document analysis). For the Legal module, this processing is subject to your explicit consent (Art. 6(1)(a) GDPR).
Your data is not used to train AI models (we have the "zero data retention" option enabled on the OpenAI API). Any onward transfers to OpenAI, L.L.C. (United States) are governed by the European Commission's Standard Contractual Clauses.
7. Cookies
We use two categories of cookies:
| Category | Purpose | Legal basis | Consent required |
|---|---|---|---|
| Essential cookies | Authentication (session cookie __chut_session on the app.chut.app application), language preferences, remembering your cookie choice. | Art. 6(1)(f) GDPR — legitimate interest; ePrivacy art. 5(3) — strictly necessary | No |
| Audience-measurement cookies | On the marketing site chut.app only: Google Analytics 4 via Google Tag Manager, to understand site usage (pages visited, traffic sources, performance). | Art. 6(1)(a) GDPR — consent | Yes |
Audience-measurement cookies are only set and activated after your explicit consent via the cookie banner. Until then, Google's Consent Mode v2 stays on denied for all four signals (analytics_storage, ad_storage, ad_user_data, ad_personalization) and no identifier is transmitted. You can withdraw consent at any time via the "Manage cookies" link in the footer.
We do not display advertising on the site and we do not run remarketing campaigns. However, when you accept cookies we enable Google's ad-measurement signals (ad_storage, ad_user_data, ad_personalization) so that, if we later run Google Ads campaigns to drive traffic to the site, Google can correctly attribute conversions to those campaigns. Your data is never sold to advertisers.
7.1 Detailed cookie inventory
| Name | Domain | Type | Duration | Purpose | Category |
|---|---|---|---|---|---|
__chut_session | app.chut.app | HTTP (httpOnly, Secure, SameSite=Lax) | Session (until logout or ~30 days) | Encrypted authentication (AES-256-GCM) issued by the gateway after login. | Essential |
chut.cookies.v1 | www.chut.app | localStorage (browser side) | Persistent (until manually cleared) | Stores your cookie-banner choice ("granted" or "denied"). | Essential |
_ga | .chut.app | HTTP (1st-party) | 2 years | Anonymous user identifier for Google Analytics 4. Set only after consent. | Audience measurement |
_ga_TVHD33QP | .chut.app | HTTP (1st-party) | 2 years | GA4 session state for container GTM-TVHD33QP. Set only after consent. | Audience measurement |
If the Google Tag Manager container (GTM-TVHD33QP) is extended with additional tags in the future, this list will be updated before activation and you will be asked to confirm your consent again.
8. Your rights (GDPR)
Under the GDPR, you have the following rights over your personal data:
| Right | GDPR article | How to exercise |
|---|---|---|
| Access | Art. 15 | Request a full export of your data via the interface or by email to the DPO |
| Rectification | Art. 16 | Edit your information in account settings |
| Erasure | Art. 17 | Request account deletion via the interface or by email to the DPO |
| Portability | Art. 20 | Export your data as JSON via the interface |
| Restriction of processing | Art. 18 | Contact the DPO at dpo@chut.app |
| Objection | Art. 21 | Disable AI processing in settings |
| Withdraw consent | Art. 7(3) | Manage your consents in account settings |
9. Contact
For any question about the protection of your data, you can contact our Data Protection Officer (DPO):
- Email: dpo@chut.app
You also have the right to lodge a complaint with the Belgian Data Protection Authority (APD / GBA):
- Rue de la Presse 35, 1000 Brussels
- Website: www.dataprotectionauthority.be
- Phone: +32 (0)2 274 48 00
- Email: contact@apd-gba.be
10. Change log
| Date | Change |
|---|---|
| 11 May 2026 | Detailed cookie inventory added (section 7.1). All four Consent Mode v2 signals (analytics, ad storage, ad user data, ad personalization) now flip together on Accept/Reject. EN translation published. |
| 9 May 2026 | Google Ireland Limited added to sub-processors for marketing-site analytics. Cookie section rewritten to describe two-tier model with consent banner. |
| 23 April 2026 | Initial publication post-migration to Scaleway: OpenAI Ireland Limited (AI) and UAB iDenfy (KYC) listed as sub-processors. |