Privacy Policy

Effective date: June 20, 2026

This Privacy Policy explains how Itto, a service operated by Yassine Gayl ("Itto", "we", "us"), collects, uses, and protects information when you use Itto at ittohq.com and app.ittohq.com (the "Service"). For privacy questions or requests, contact yassine.gayl@gmail.com. For users in the EU/EEA/UK, the data controller is Yassine Gayl, reachable at that email.

1. Information we collect

• Account data: your email address and basic authentication metadata, used to sign you in and identify your workspace.
• Google account data you authorize (via a service-account grant today, or Google OAuth in future): read-only access to
  • Google Analytics (GA4): traffic, engagement, and conversion metrics for the property you connect.
  • Google Search Console: search performance (queries, impressions, clicks, positions) for the site you connect.
  We request read-only scopes only.
• Content you create: your business context, notes, and chat history with the Itto agent, stored in your account's vault and our database.
• Third-party SEO data: non-personal SEO data we retrieve about public web pages and search results on your behalf (e.g., rankings, keyword metrics, page crawls).

2. Google user data — Limited Use disclosure

Itto's access to, use, and transfer of information received from Google APIs adheres to the Google API Services User Data Policy, including the Limited Use requirements. Specifically:

• We use Google Analytics and Search Console data only to provide and improve the user-facing features of the Service (analysis, reporting, and recommendations you request).
• We do not sell this data, and we do not use it for advertising.
• We do not transfer this data to third parties except as needed to operate the Service (see Sub-processors) or as required by law.
• We do not allow humans to read this data, except: (a) with your explicit consent, (b) for security or to comply with law, or (c) where the data is aggregated/anonymized for operations.

3. How we use information

• To operate the Service: authenticate you, run analyses you request, and generate answers/recommendations.
• To maintain memory of your business so the Service improves across sessions.
• To secure, debug, and improve the Service.

Legal bases (GDPR): performance of our contract with you, and our legitimate interests in operating and securing the Service. Where required, we rely on your consent (which you may withdraw at any time).

4. Storage, location, and retention

• The Service and its data are self-hosted on our infrastructure at Hetzner (Germany, EU). Your vault is stored as a private git repository.
• We retain your data for the lifetime of your account and delete it on request (see §7).

5. Sub-processors

We use the following processors to operate the Service; each receives only the data needed for its function:

• Google — Analytics & Search Console (data source you connect)
• Anthropic — the LLM that powers the agent
• DataForSEO and Apify — SEO data and web crawling
• Resend — transactional email
• Hetzner — hosting / infrastructure (EU)

We do not send your connected Google Analytics/Search Console data to advertising networks.

6. Sharing

We do not sell your personal data. We share data only with the sub-processors above, when required by law, or in connection with a business transfer (with notice).

7. Your rights and data deletion

You can request access, correction, export, or deletion of your data at yassine.gayl@gmail.com. Your vault is git-based — you can export (clone) it at any time. You may revoke Itto's access to your Google data at any time via your Google Account permissions; we will stop accessing it and delete the associated extracts on request. EU/EEA/UK users also have the right to lodge a complaint with their local supervisory authority.

8. Security

We use access controls, per-tenant data isolation, and least-privilege credentials. No system is perfectly secure; we work to protect your data and will notify you of material breaches as required by law.

9. Children

The Service is not directed to children under 16, and we do not knowingly collect their data.

10. Changes

We may update this policy; we will post the new effective date here and, for material changes, notify you.

11. Contact

Itto — operated by Yassine Gayl — yassine.gayl@gmail.com