Privacy Policy
Your privacy is our priority.
We attach great importance to the confidentiality of your data. This privacy policy explains how we collect, use, and protect your personal information when you visit our website or purchase our products.
Last updated: April 26, 2026
1. Introduction
This Privacy Policy aims to clearly and transparently inform users of the site and the product Autoya, operated by The Next Stories SAS, about how their personal data are collected, used, stored, and protected.
Autoya is a software solution for AI-assisted content generation. As such, certain data processing operations are necessary for the proper functioning of the service, the management of user accounts, and the continuous improvement of the platform.
Use of the site or services implies acceptance of this Policy.
2. Data controller
The data controller is:
The Next Stories SAS
Simplified joint-stock company
Registered office: 40 rue de la Tour d’Auvergne – 44200 Nantes (France)
Nantes Trade and Companies Register: 931 621 114
Contact email: hello@thenextstories.com
Autoya is a registered trademark and a commercial product published by The Next Stories SAS.
3. Persons concerned
This Policy applies to:
visitors to the Autoya website
prospective customers and business customers
users with an Autoya account
any person interacting with the services offered
The services are intended exclusively for adults with the required legal capacity.
4. Personal data collected
Depending on the use of the services, The Next Stories may collect the following categories of data:
identity data (last name, first name)
contact data (email, phone)
account technical identifiers (unique user identifier generated by AWS Cognito, known as “Cognito sub”, authentication tokens)
professional data (company, position)
billing and payment data
data relating to in-app purchases made through the Apple App Store or Google Play: transaction identifiers, type of subscription or credit pack purchased, subscription status, purchase date. No bank card data is collected by The Next Stories; payment is handled entirely by Apple or Google.
photos and visual content uploaded by the user as part of using Autoya image-generation features (cutouts, background generation, custom studios, video). These images are processed to produce the requested result, then securely stored on Autoya's infrastructure in the user's private space until manual deletion or account closure.
login and usage data (logs, history, credit consumption)
technical data (IP address, browser, system, cookies)
No sensitive data within the meaning of the GDPR is intentionally collected.
5. Purposes of Processing
The data are collected and processed for the following purposes:
creation and management of user accounts
provision and operation of Autoya services
billing, subscription management, and payments
customer support and operational communication
improvement of performance and features
security, prevention of fraud and abuse
compliance with legal and regulatory obligations
marketing communication (with consent)
6. Legal basis for processing
The processing is based on:
performance of the contract binding the user to The Next Stories
The legitimate interest of The Next Stories in improving its services
the user's explicit consent when required
compliance with applicable legal obligations
7. Artificial intelligence services
Autoya provides access to artificial intelligence services via third-party provider APIs (e.g. OpenAI, Anthropic, Google, Runway, ElevenLabs, etc.).
In this context:
The Next Stories acts as a technical intermediary
some data may be transmitted to AI providers for processing
each provider applies its own terms and privacy policies
the data is used only to provide the requested service
The Next Stories is committed to selecting providers that comply with the GDPR and the European AI Act (AI Act).
8. Hosting and Security
Autoya’s data is hosted primarily within the European Union, with the following providers:
Amazon Web Services EMEA SARL — eu-west-1 region (Ireland): application hosting, storage of photos and generated content (Amazon S3), databases, and user authentication via AWS Cognito. In this capacity, Cognito processes the email address, password (encrypted), unique user identifier (“sub”), session tokens, and login metadata (date, IP address).
OVH SAS (France): complementary infrastructure services.
Vercel Inc.: application infrastructure and website delivery.
Each of these service providers acts as a processor within the meaning of the GDPR. The Next Stories has entered into the required Data Processing Agreements with them.
When transfers outside the EU are necessary, they are governed by the standard contractual clauses approved by the European Commission (see §13).
To view these providers’ privacy policies:
Technical and organizational measures in line with industry standards are implemented to protect data, including:
encryption of data in transit (TLS) and at rest
access controls and enhanced authentication
regular backups
security monitoring and audits
user space isolation
Despite these measures, no system is entirely free from risk. The Next Stories undertakes to notify the affected users and the CNIL without delay in the event of a data breach posing a risk to their rights and freedoms.
9. Retention period
Data are retained only for as long as necessary for the purposes pursued:
account data: duration of the registration
billing data: 10 years (legal obligation)
usage data: 3 years after the last activity
technical data and cookies: 13 months maximum
Longer periods may apply in the event of a legal obligation or a dispute.
10. Recipients of the data
The data may be transferred to the following recipients:
authorized internal teams of The Next Stories
technical and hosting providers
AI service providers
payment service providers
administrative or judicial authorities if required by law
No data is sold to third parties.
11. Cookies
We may use cookies, tracking pixels (also called clear GIFs and web beacons), third-party software development kits (SDKs), and other technologies to maintain, provide, and improve our website, applications, and services.
We use cookies for various reasons:
Strictly necessary cookies: These cookies are necessary for the proper functioning of our website and cannot be disabled in our systems. They are usually set only in response to actions you take that amount to a request for services, such as setting your privacy preferences, logging in, or filling out forms. You can configure your browser to block these cookies or alert you to their presence, but some parts of the website will not work.
Functional cookies: These cookies allow the website to provide enhanced functionality and personalization (for example: remembering your preferences so you do not have to reset them on each visit). They may be set by us or by third-party providers whose services have been added to our pages. If you do not allow these cookies, some or all of these services may not function properly.
Performance and analytics cookies: These cookies allow us to count visits and traffic sources so that we can measure and improve the performance of our website. They help us know which pages are the most and least popular and observe how visitors move around the website. If you do not allow these cookies, we will not know when you have visited our website and will not be able to monitor its performance.
Marketing and targeting cookies: These cookies allow us to know whether you have seen an advertisement or a type of advertisement, how you interacted with that advertisement, and how much time has elapsed since you last saw it. We also use cookies to help us manage targeted advertising. We may partner with advertising networks and other advertising service providers that serve ads on our behalf and for third parties on unaffiliated platforms.
12. User rights
In accordance with the GDPR, users have the following rights:
right of access
right to rectification
right to erasure
right to restriction of processing
right to data portability
right to object
right to withdraw consent
right to contest an automated decision
Requests can be sent to: hello@thenextstories.com
A maximum period of one month is guaranteed for any response.
13. Deleting your Autoya account
You can request the permanent deletion of your Autoya account and all associated personal data at any time.
Procedure from the mobile app
Open the Autoya app (iOS or Android)
Go to Profile → Account
Select “Delete my account”
Confirm your choice
Procedure by email If you cannot access the app, send a request to hello@thenextstories.com from the email address associated with your account, with the subject “Account deletion.” You may be asked to verify your identity.
What is deleted
your user profile (name, email, Cognito identifier)
your photos and generated content stored on our servers
your usage history and credit consumption history
your preferences and settings
What may be retained
In accordance with our legal obligations, some data may be retained beyond account deletion:
invoices and accounting data: 10 years (Article L.123-22 of the French Commercial Code)
anonymized security logs: up to 12 months
data necessary to defend legal rights in court, where applicable
Active subscriptions purchased via the App Store or Google Play must be canceled separately from your Apple or Google account before deleting the Autoya account, otherwise billing will continue on the store side.
Deletion takes effect within 30 days maximum. A confirmation email will be sent to you once the procedure is completed.
14. Transfers outside the European Union
When data are transferred outside the EU, The Next Stories implements appropriate safeguards, including standard contractual clauses approved by the European Commission.
15. Changes to the Policy
This Policy may be modified at any time. Changes take effect 30 days after publication, unless otherwise required by law.
16. Contact
For any questions regarding data protection:
📧 hello@thenextstories.com
📍 The Next Stories SAS – 40 rue de la Tour d’Auvergne – 44200 Nantes (France)