Back to Pillow

Privacy Policy

Last updated:

This Privacy Policy explains how TAPE LABS ("we", "us", "our") processes personal data when you use the Pillow website (the "Site") or the Pillow service (the "Service").

Pillow is a B2B SaaS platform that enables businesses to deploy AI-powered conversational agents on web interfaces to conduct user research through automated conversations, which are then processed through LLM workflows for insights extraction.

1. Who we are

Controller (Site & operations): TAPE LABS is the data controller for the Site (sign-ups, waitlist, support).

Processor (Service campaigns): For end-user data collected through customer-deployed conversational agents, we act as data processor and our customer acts as data controller.

Company Details:
TAPE LABS – RCS Créteil 925 003 303
14 Avenue du Général de Gaulle, 94160 Saint-Mandé, France
Privacy contact: hi@trypillow.ai

2. Data we process

Site / Operations (as Controller)

  • Account registration details (email address, company name, contact information)
  • Support requests and communications
  • Technical data (IP address, browser type, device information, access logs)
  • Usage data and analytics (if applicable)

Service / Campaigns (as Processor)

  • End-user identifiers provided by customers (e.g., user ID, session ID)
  • Conversation content from web-based chat interactions
  • Metadata (timestamps, session duration, interaction patterns)
  • AI-generated outputs (summaries, insights, analysis, structured data)

3. Legal basis for processing

As Controller (Site/Operations)

  • Contract performance: Managing your account, providing support, delivering the Service
  • Legitimate interests: Ensuring platform security, preventing fraud, improving service reliability
  • Consent: Marketing communications (where applicable)
  • Legal obligation: Compliance with applicable laws

As Processor (Service)

We process end-user conversation data strictly according to our customers' documented instructions. Customers must establish their own lawful basis (typically consent or legitimate interest) for collecting end-user data.

4. Customer obligations and end-user consent

Customers using our Service warrant that they:

  • Have obtained valid, informed consent from end-users before initiating conversations
  • Clearly inform end-users at the start of each chat session that:
    • They are interacting with an AI agent
    • The conversation is being recorded and analyzed
    • Both the customer and Pillow (as processor) are involved in data processing
  • Will not use the Service to collect data from individuals under 18 years of age
  • Have implemented age verification mechanisms where appropriate
  • Will not deliberately collect special category data (health, religion, political views, etc.)
  • Comply with all applicable data protection laws

5. AI processing and automated decision-making

  • We use large language models (LLMs) for conversation facilitation and analysis
  • Currently, conversation data is used only for inference, not for training or fine-tuning models
  • Our agents are instructed to avoid collecting special category data
  • We do not engage in automated decision-making that produces legal or similarly significant effects on individuals
  • Customers are responsible for reviewing AI-generated outputs before taking any actions based on them

6. Data sharing and subprocessors

We use carefully selected subprocessors to operate the Service:

  • Hosting & Infrastructure: Google Cloud Platform (EU region)
  • AI Processing: OpenAI (United States - inference only, limited retention)
  • Email Delivery: Loops (transactional communications)

We will update this list as our service evolves. We require all subprocessors to maintain appropriate security and privacy standards through contractual agreements.

7. International transfers

  • Primary data hosting is in the EU
  • AI processing may involve transfers to the United States
  • Where transfers outside the EU/EEA occur, we rely on:
    • Standard Contractual Clauses (SCCs) where available
    • Technical safeguards including encryption and data minimization
    • Limited data retention by subprocessors

8. Data retention

  • Account data: Duration of contract plus 6 months
  • Conversation content: Deleted within 30 days after campaign completion
  • AI-generated outputs: Retained until customer deletion or contract termination
  • Technical logs: Maximum 6 months
  • Legal/financial records: As required by French law (typically 5-10 years)
  • Marketing data: Until consent withdrawal

9. Security measures

We implement appropriate technical and organizational measures including:

  • Encryption of data in transit and at rest
  • Access controls and authentication
  • Regular security assessments
  • Employee confidentiality agreements
  • Segregated customer environments

While we are an early-stage company without formal certifications (ISO 27001, SOC 2), we are committed to implementing industry-standard security practices.

10. Data breach procedures

In case of a personal data breach:

  • We will notify affected customers without undue delay
  • We will notify the CNIL within 72 hours where required under GDPR
  • We will assist customers in notifying affected end-users where necessary
  • We maintain records of all data breaches

11. Your rights

When we are Controller (Site users)

Under GDPR, you have the right to:

  • Access your personal data
  • Rectify inaccurate data
  • Erase your data ("right to be forgotten")
  • Restrict processing of your data
  • Data portability (receive your data in electronic format)
  • Object to processing based on legitimate interests
  • Withdraw consent where processing is based on consent
  • Lodge a complaint with the CNIL (French Data Protection Authority): www.cnil.fr

We will respond to rights requests within one month of receipt.

When we are Processor (End-users in campaigns)

End-users should direct rights requests to our customer (the Controller). We will assist our customers in fulfilling these requests.

12. Data Protection Officer

As an early-stage company, we have not yet appointed a formal DPO. For privacy concerns, please contact: hi@trypillow.ai

13. Data Protection Impact Assessment

Given our early stage, we have not yet conducted a formal DPIA. As we scale and our processing activities evolve, we will conduct DPIAs as required under GDPR.

14. Children's data

The Service is not directed at individuals under 18. Customers must ensure they do not collect data from minors through our platform. If we become aware of processing children's data, we will delete it promptly.

15. Cookies

We use only strictly necessary cookies for Service functionality. See our Cookie Policy for details.

16. Prohibited uses

The Service must not be used for:

  • Processing data from individuals under 18
  • Deliberately collecting special category/sensitive data
  • Unsolicited communications or spam
  • Harassment, discrimination, or abuse
  • Illegal activities or content
  • Any purpose violating applicable laws

17. Changes to this policy

We may update this Policy periodically. Material changes will be notified via email or Service announcement. The "Last updated" date reflects the current version.

18. Contact information

TAPE LABS
RCS Créteil 925 003 303
14 Avenue du Général de Gaulle
94160 Saint-Mandé, France
Privacy contact: hi@trypillow.ai

Supervisory Authority:
Commission Nationale de l'Informatique et des Libertés (CNIL)
3 Place de Fontenoy
75007 Paris, France
www.cnil.fr