Privacy Policy

Last updated: 15 May 2026

This Privacy Policy explains how TJM TECH ("Cicadas", "we", "us") collects, uses, and protects your personal data when you visit our website or use our Service.

We comply with the EU General Data Protection Regulation (GDPR), the French Data Protection Act (Loi Informatique et Libertés), and other applicable privacy laws.

1. Data controller

The data controller responsible for the processing described in this Policy is:

TJM TECH

Registered office: 369 avenue Marcel Castié, 83000 Toulon, France
RCS: Toulon 952 741 700
Contact for privacy matters: privacy@cicadas.fm

We are not required to appoint a Data Protection Officer (DPO) under Article 37 GDPR, but you can reach our privacy contact at the address above for any data-related question.

2. What data we collect

2.1 Data you provide directly

Account data: name, email address, password (hashed), preferred language, billing address.
Payment data: processed by our payment processor (we do not store full payment card numbers — see Section 5).
Content you upload: audio files, video files, RSS feed URLs, transcripts, text inputs, and related media metadata.
Communications: any message you send to us via email, support email, or our in-product chat widget. This includes the content of the messages, any files you share, and contact details you provide in the chat.

2.2 Data collected automatically

Usage data: features used, episodes processed, processing times, error logs.
Device and connection data: IP address, browser type, operating system, language settings, referrer URL, timestamps.
Cookies and similar technologies: see our Cookie Policy.

2.3 Data in your uploaded content

Uploaded media may contain personal data of third parties, such as voices, images, faces, likenesses, names, or other identifying information of podcast guests, callers, or people appearing in video. You are the data controller for that data; we act as your data processor under Article 28 GDPR. See Section 8.

3. Why we process your data and on what legal basis

Purpose	Legal basis (GDPR Art. 6)
Provide and operate the Service (account creation, processing uploads, media processing, transcription, generating outputs and clips where available)	Performance of a contract — Art. 6(1)(b)
Bill you and manage payments	Performance of a contract — Art. 6(1)(b)
Send transactional emails (account, billing, processing notifications)	Performance of a contract — Art. 6(1)(b)
Provide customer support	Performance of a contract — Art. 6(1)(b)
Improve the Service, debug, monitor performance and security	Legitimate interest — Art. 6(1)(f)
Prevent abuse and fraud (rate limiting, signup verification, IP tracking)	Legitimate interest — Art. 6(1)(f)
Send marketing emails (newsletters, product announcements, promotional content)	Consent — Art. 6(1)(a) — opt-in collected at signup or via an in-product preference, opt-out available in every email and from account settings
Comply with legal obligations (accounting, tax, responding to authorities)	Legal obligation — Art. 6(1)(c)

We do not process special categories of personal data (Article 9 GDPR) intentionally. If your uploaded media contains such data (e.g., health information disclosed by a guest), you remain responsible for the lawful basis to process it.

We do not intentionally perform facial recognition, biometric identification, or special-category inference from uploaded media unless a future feature and legal notice expressly say otherwise.

We do not engage in automated decision-making producing legal or similarly significant effects on you (Article 22 GDPR).

We do not sell personal data. We share data only with:

4.1 Service providers (sub-processors)

We rely on the following categories of sub-processors to operate the Service:

Category	Purpose	Location of processing	Safeguard
Cloud infrastructure and database	Hosting the website and application, database, authentication, file storage	EU (France) and EU/USA depending on the service	Intra-EU processing for primary hosting; SCCs and supplementary measures where any processing occurs outside the EU
Payment processing	Subscription billing, payment method storage, fraud prevention	EU and USA	The payment processor acts as an independent data controller for payment data; SCCs apply
AI processing	Speech-to-text transcription, media processing, large language model content generation, audio enhancement, and video clip generation where available	EU (France, Austria) and USA (with EU data residency where available)	SCCs and supplementary measures; API data not used to train third-party AI models per contractual commitments
Email and communications	Email inbox hosting, transactional email delivery, marketing email delivery, in-product customer support chat	Switzerland (adequacy decision) and EU (France)	Intra-EU processing or transfers under the European Commission's Switzerland adequacy decision
Analytics and monitoring	Privacy-respecting website analytics, error tracking, application performance monitoring	EU	Intra-EU processing

4.2 Legal authorities

We may disclose data when legally required (court order, subpoena, regulatory request) or to protect our rights, your safety, or that of third parties.

4.3 Business transfers

If we are involved in a merger, acquisition, or asset sale, your data may be transferred. We will notify you and give you the option to delete your account before the transfer takes effect, where required.

5. International transfers

Some of our sub-processors are located outside the European Economic Area (notably in the United States). For such transfers, we rely on:

The EU-US Data Privacy Framework, where the recipient is certified;
Standard Contractual Clauses (SCCs) adopted by the European Commission, supplemented by technical and organizational measures where appropriate.

You can request a copy of the safeguards in place by contacting privacy@cicadas.fm.

Transfers to Switzerland (for email infrastructure) rely on the European Commission's adequacy decision for Switzerland, which recognizes Swiss data protection law as equivalent to GDPR.

6. How long we keep your data

Data	Retention period
Account data	Duration of account + 3 years after account closure (statute of limitations for civil action under French law)
Uploaded media files	Until you delete them, or 30 days after account closure
Generated outputs (transcripts, notes, etc.)	Until you delete them, or 30 days after account closure
Billing and invoice records	10 years (French Commercial Code, Art. L.123-22)
Server logs (IP, technical)	12 months maximum
Marketing consent and email	3 years from last interaction

After these periods, data is deleted or anonymized.

7. Your rights

Under the GDPR, you have the right to:

Access your personal data (Art. 15);
Rectify inaccurate data (Art. 16);
Erase your data ("right to be forgotten") (Art. 17);
Restrict processing in certain cases (Art. 18);
Data portability — receive your data in a structured, machine-readable format (Art. 20);
Object to processing based on legitimate interest (Art. 21);
Withdraw consent at any time, where processing is based on consent (Art. 7);
Define directives regarding your data after your death, under French law.

To exercise these rights, email us at privacy@cicadas.fm. We will respond within one (1) month (extendable to three months for complex requests). We may request proof of identity before acting.

You also have the right to lodge a complaint with the French data protection authority:

CNIL (Commission Nationale de l'Informatique et des Libertés)

3 Place de Fontenoy, TSA 80715, 75334 Paris Cedex 07
Website: https://www.cnil.fr
Phone: +33 (0)1 53 73 22 22

If you reside in another EU/EEA country, you may also contact your local supervisory authority.

8. When you are the data controller (your uploaded content)

When you upload media files or text containing personal data of third parties (e.g., podcast guests, callers, or people appearing in video), you are the data controller for that data, and Cicadas acts as your data processor under Article 28 GDPR.

In that capacity, we:

Process such data solely on your documented instructions (your use of the Service);
Ensure persons processing the data are bound by confidentiality;
Implement appropriate technical and organizational security measures (see Section 9);
Engage sub-processors only with your general authorization (categories of sub-processors described in Section 4.1);
Assist you, taking into account the nature of the processing, with data subject requests and your obligations under Articles 32 to 36 GDPR;
Delete or return data at the end of the Service, subject to applicable retention requirements.

A standalone Data Processing Agreement (DPA) is available on request at privacy@cicadas.fm for customers who need one for their own compliance.

You are responsible for: obtaining the necessary consent from guests or other data subjects whose personal data appears in your content; informing them of the processing; and providing a lawful basis for it.

9. Security

We implement industry-standard technical and organizational measures to protect your data, including:

Encryption in transit (TLS) and at rest;
Hashed passwords (bcrypt or equivalent);
Access controls and audit logging;
Regular dependency updates and security monitoring;
Sub-processors selected for their security posture.

No system is 100% secure. We will notify you and the CNIL of any personal data breach in accordance with Articles 33 and 34 GDPR.

10. Children

The Service is not directed to children under 15 years old. We do not knowingly collect data from children. If you believe a child has provided us with personal data, contact us at privacy@cicadas.fm and we will delete it.

11. Changes to this Policy

We may update this Policy. Material changes will be notified by email and/or in-product at least thirty (30) days before they take effect. The "Last updated" date at the top of this page indicates the latest revision.

12. Contact

For any privacy-related questions or to exercise your data protection rights, please contact us at privacy@cicadas.fm