Privacy Policy
Last updated: 27 June 2026
Chut.App BV, a private limited company under Belgian law, BCE/VAT BE 1035.742.145, with registered office at Ballingstraat 116, 8560 Wevelgem, Belgium ("Chut", "we"), operates the Chut platform (chut.app). This Privacy Policy describes how we collect, use and protect your personal data under the EU General Data Protection Regulation (GDPR) and the Belgian Act of 30 July 2018 on the protection of natural persons with regard to the processing of personal data.
1. Roles and responsibilities
For your use of the Chut platform, your company is the Data Controller under the GDPR. Chut.App BV acts as the Data Processor for the data you submit.
A Data Processing Agreement (DPA) is available at /dpa.
2. Data we collect
We process the following categories of data based on their respective legal grounds:
| Category | Data | Legal basis (Art. 6 GDPR) |
|---|---|---|
| Identity data | Email address, name, user identifier | Art. 6(1)(b) — contract performance |
| Company identifiers | BCE number, VAT number, legal name | Art. 6(1)(b) — contract performance |
| Financial documents | Invoices, receipts, bank statements | Art. 6(1)(b) — contract performance |
| Accounting data | Bookkeeping entries, chart of accounts | Art. 6(1)(b) — contract performance |
| Contact data | Email, phone, address of suppliers/customers | Art. 6(1)(f) — legitimate interest |
| Legal documents | Contracts, incorporation documents (Legal module only) | Art. 6(1)(a) — consent |
| AI conversations | Legal Q&A, analysis results (Legal module only) | Art. 6(1)(a) — consent |
3. Where your data is stored
All storage and compute infrastructure is located in the European Union.
| Data type | Location |
|---|---|
| Application data (accounts, documents, entries, contracts) | France — Scaleway S.A.S., fr-par region (Paris) |
| Identity verification (KYC) | To be confirmed — TrustMe |
| AI processing | Prompts are anonymised before any AI processing — no personal data is sent to AI providers. |
| Waitlist / lead capture (chut.app) | France — Brevo (Sendinblue SAS) |
| Marketing site analytics (chut.app) | Ireland — Google Ireland Limited (Google Tag Manager + Google Analytics 4), with onward transfers to Google LLC (United States) covered by SCCs |
4. Retention
| Category | Period | Basis |
|---|---|---|
| Active account data | Term of contract + 30 days (soft delete) | Contractual |
| Accounting documents | 7 years | Belgian Economic Law Code, Art. III.86 |
| AI conversations | 1 year after last activity | Legitimate interest |
| Audit logs | 2 years (anonymised thereafter) | Legitimate interest |
| Backups | 30 days rolling | Business continuity |
5. Sub-processors
We rely on the following sub-processors to handle your data. The full, up-to-date list is at /sub-processors.
| Sub-processor | Purpose | Location |
|---|---|---|
| Scaleway S.A.S. | Compute, storage, network, database | EU — France (Paris / fr-par) |
| Google Ireland Limited | Marketing-site analytics (Google Tag Manager + Google Analytics 4) | EU — Ireland (with SCCs for onward transfers) |
| TrustMe | Identity verification (KYC) | To be confirmed |
| Brevo (Sendinblue SAS) | Waitlist / lead capture (chut.app) | EU — France |
6. AI processing
Chut uses AI models for tool orchestration, response generation and document analysis. For the Legal module, this processing is subject to your explicit consent (Art. 6(1)(a) GDPR).
Personal data is anonymised before any AI processing. Because anonymised data is no longer personal data within the meaning of the GDPR, AI model providers do not act as sub-processors and no personal data is transferred to them.
7. Cookies
We use two categories of cookies:
| Category | Purpose | Legal basis | Consent required |
|---|---|---|---|
| Essential cookies | Authentication (session cookie __chut_session on the app.chut.app application), language preferences, remembering your cookie choice. | Art. 6(1)(f) GDPR — legitimate interest; ePrivacy art. 5(3) — strictly necessary | No |
| Audience-measurement cookies | On the marketing site chut.app only: Google Analytics 4 via Google Tag Manager, to understand site usage (pages visited, traffic sources, performance). | Art. 6(1)(a) GDPR — consent | Yes |
Audience-measurement cookies are only set and activated after your explicit consent via the cookie banner. Until then, Google's Consent Mode v2 stays on denied for all four signals (analytics_storage, ad_storage, ad_user_data, ad_personalization) and no identifier is transmitted. You can withdraw consent at any time via the "Manage cookies" link in the footer.
We do not display advertising on the site and we do not run remarketing campaigns. However, when you accept cookies we enable Google's ad-measurement signals (ad_storage, ad_user_data, ad_personalization) so that, if we later run Google Ads campaigns to drive traffic to the site, Google can correctly attribute conversions to those campaigns. Your data is never sold to advertisers.
7.1 Detailed cookie inventory
| Name | Domain | Type | Duration | Purpose | Category |
|---|---|---|---|---|---|
__chut_session | app.chut.app | HTTP (httpOnly, Secure, SameSite=Lax) | Session (until logout or ~30 days) | Encrypted authentication (AES-256-GCM) issued by the gateway after login. | Essential |
chut.cookies.v1 | www.chut.app | localStorage (browser side) | Persistent (until manually cleared) | Stores your cookie-banner choice ("granted" or "denied"). | Essential |
_ga | .chut.app | HTTP (1st-party) | 2 years | Anonymous user identifier for Google Analytics 4. Set only after consent. | Audience measurement |
_ga_TVHD33QP | .chut.app | HTTP (1st-party) | 2 years | GA4 session state for container GTM-TVHD33QP. Set only after consent. | Audience measurement |
If the Google Tag Manager container (GTM-TVHD33QP) is extended with additional tags in the future, this list will be updated before activation and you will be asked to confirm your consent again.
8. Your rights (GDPR)
Under the GDPR, you have the following rights over your personal data:
| Right | GDPR article | How to exercise |
|---|---|---|
| Access | Art. 15 | Request a full export of your data via the interface or by email to the DPO |
| Rectification | Art. 16 | Edit your information in account settings |
| Erasure | Art. 17 | Request account deletion via the interface or by email to the DPO |
| Portability | Art. 20 | Export your data as JSON via the interface |
| Restriction of processing | Art. 18 | Contact the DPO at dpo@chut.app |
| Objection | Art. 21 | Disable AI processing in settings |
| Withdraw consent | Art. 7(3) | Manage your consents in account settings |
9. Contact
For any question about the protection of your data, you can contact our Data Protection Officer (DPO):
- Email: dpo@chut.app
You also have the right to lodge a complaint with the Belgian Data Protection Authority (APD / GBA):
- Rue de la Presse 35, 1000 Brussels
- Website: www.dataprotectionauthority.be
- Phone: +32 (0)2 274 48 00
- Email: contact@apd-gba.be
10. Change log
| Date | Change |
|---|---|
| 27 June 2026 | Removed OpenAI Ireland Limited, Anthropic, PBC and DeepSeek from sub-processors: personal data is anonymised before any AI processing, so AI providers no longer process personal data. Added Brevo (Sendinblue SAS) for waitlist / lead capture. All listed sub-processors are EU-established. Replaced the identity-verification (KYC) sub-processor: TrustMe in place of UAB iDenfy. |
| 11 May 2026 | Detailed cookie inventory added (section 7.1). All four Consent Mode v2 signals (analytics, ad storage, ad user data, ad personalization) now flip together on Accept/Reject. EN translation published. |
| 9 May 2026 | Google Ireland Limited added to sub-processors for marketing-site analytics. Cookie section rewritten to describe two-tier model with consent banner. |
| 23 April 2026 | Initial publication post-migration to Scaleway: OpenAI Ireland Limited (AI) and UAB iDenfy (KYC) listed as sub-processors. |