Elyx.AI Privacy Policy
(Effective as of 2 May 2025 – updated)
1. Introduction
This privacy policy explains how TCD Apps ("we", "our" or "the Company") collects, uses, stores and protects the personal data of users of its Elyx.AI Excel add‑in (hereinafter the "Application").
It applies exclusively to the Application as distributed on Microsoft AppSource / Store and does not cover our website or other online services.
2. Data Controller
TCD Apps
88 Rue Sadi Carnot, 59280 Armentières, France
Email: [email protected]
3. Scope of this Policy
This policy covers all processing operations carried out when using Elyx.AI: installation, runtime in Excel (taskpane), API calls to our Supabase backend, updates and customer support.
4. Categories of Personal Data Processed
| Category | Example data | Collected automatically | Provided by the user |
|---|---|---|---|
| Elyx.AI account identifiers | Email address and password, Supabase user ID | No | Yes |
| Usage metadata | Launch timestamp, Excel version, functions called | Yes | No |
| AI request content | Prompt written in Elyx.AI, text pasted from a workbook | No | Yes |
| Error / support logs | Log messages, exception trace | Yes | No |
Important: Elyx.AI never accesses cell content or the complete Excel file without explicit user action (copy/paste or manual selection in the prompt).
5. Purposes and Legal Bases
| Purpose | Legal basis (GDPR) | Details |
|---|---|---|
| Provision of features (AI, formula generation, etc.) | Contract performance (Art. 6‑1‑b) | Supabase authentication, execution of AI calls |
| Continuous improvement and statistics | Legitimate interest (Art. 6‑1‑f) | Aggregated and pseudonymised usage analyses |
| Customer support | Contract performance | Ticket handling and incident resolution |
| Legal compliance | Legal obligation (Art. 6‑1‑c) | Security log retention |
6. Data Sharing and Recipients
| Recipient | Role | Location | Safeguards |
|---|---|---|---|
| Supabase Inc. | Database hosting, authentication and Edge Functions | European Union (eu‑central) | Standard Contractual Clauses + technical measures |
| OpenAI LLC | Processing AI requests (prompts). Receives only user‑provided content. | United States | Standard Contractual Clauses + TLS encryption |
Microsoft is not a recipient of your personal data.
The add‑in runs locally within the secure Office JS sandbox; only requests to our Supabase APIs leave your Office environment.
7. International Transfers
Data are mainly hosted in the Supabase region you choose (typically "eu‑central" for the EU).
If processing involves a transfer outside the EEA (e.g., to the United States for OpenAI), we rely on Standard Contractual Clauses and encryption at rest and in transit.
8. Retention Periods
- Usage logs: 12 months
- Support tickets: 36 months after closure
- Elyx.AI account: deletion upon erasure request or after 24 months of inactivity
After these periods, data are deleted or anonymised.
9. Data Security
We apply technical and organisational measures in line with the state of the art: TLS 1.3 encryption, AES‑256 encryption at rest in Supabase, RBAC access control, annual penetration tests and an incident response plan.
10. Users' Rights
Under the GDPR you have the rights of access, rectification, erasure, restriction, objection, portability and the right to lodge a complaint with the CNIL (French data protection authority).
To exercise your rights, send an email to [email protected] specifying your request.
11. Updates to this Policy
We may amend this policy to reflect changes to Elyx.AI or legislation. Updated versions will be published at the URL below and will take effect on the date of publication.
We will notify any material change via the add‑in.
12. Contact Us
[email protected] | +33 (0)1 87 66 21 34