Autoya modifie-t-il le véhicule ?

Non. Architecture de compositing : les pixels du véhicule ne sont jamais modifiés. Seul l'arrière-plan est remplacé. Plaques, logos et carrosserie sont préservés à l'identique.

Quelle différence avec CarCutter ou d'autres outils IA ?

Les concurrents régénèrent l'image entière : risque de plaques déformées, logos altérés. Autoya utilise le compositing : le véhicule est protégé pixel par pixel, seul le décor est généré.

Autoya s'intègre-t-il avec mon DMS ?

Oui. Intégrations actives : OpenFlex, PlanetVO2. En cours : DCS Net, Fabrik à ID. API REST disponible pour tout DMS.

Combien de temps prend le traitement ?

Moins de 2 minutes par véhicule via l'API. Résultats prêts à publier immédiatement.

À qui s'adresse Autoya ?

Concessionnaires automobiles, groupes automobiles, spécialistes VO et plateformes de remarketing automobile en France et en Europe.

Products

Solutions

Pricing

Integrations

App

Request a demo

Products

Solutions

Pricing

Solutions

Integrations

App

Request a demo

Products

Solutions

Pricing

Integrations

App

Demo

Your privacy is our priority.

We attach great importance to the confidentiality of your data. This privacy policy explains how we collect, use, and protect your personal information when you visit our website or purchase our products.

Last updated: May 11, 2026

1. Introduction

This Privacy Policy aims to inform users of the site and the product Autoya, operated by The Next Stories SAS, in a clear and transparent manner, about how their personal data is collected, used, stored, and protected.

Autoya is a B2B SaaS generative artificial intelligence platform specializing in the creation of photo and video visuals for used vehicles. As such, certain data processing activities are necessary for the proper functioning of the service, user account management, security, and the continuous improvement of the platform.

Use of the site or services implies acceptance of this Policy.

2. Data Controller

The data controller is:

The Next Stories SAS
Simplified joint-stock company
Registered office: 40 rue de la Tour d’Auvergne – 44200 Nantes (France)
RCS Nantes: 931 621 114
Contact email: hello@thenextstories.com

Autoya is a registered trademark and a commercial product published by The Next Stories SAS.

The roles of The Next Stories under the GDPR are as follows:

for processing related to the website, commercial relations, billing, security, and the improvement of the service, The Next Stories acts as the data controller;
with respect to client dealerships:
- The Next Stories acts as a processor within the meaning of Article 28 of the GDPR for data provided by the dealer or its users (for example: user account data, vehicle-related data, uploaded photos/videos, text content, metadata provided in the application) ;
- The Next Stories acts as the data controller for the raw data generated by the platform, including logging data (logs), technical metadata, security data and usage statistics data, used to ensure the proper functioning, security, billing, improvement and management of the service.

When The Next Stories acts as a processor, the data controller remains the professional client (for example, the dealership or used-vehicle dealer), which determines the purposes and the main means of the processing; The Next Stories then acts on the basis of processor agreements compliant with Article 28 of the GDPR.

3. Persons concerned

This Policy applies to:

visitors to the Autoya website
prospects and professional customers
users with an Autoya account
any person interacting with the services offered

The services are exclusively intended for adults with the required legal capacity.

The Autoya services are strictly B2B and intended for professionals. The end consumer (vehicle purchaser) is only exposed to the content generated on dealers’ channels; The Next Stories has no direct relationship with them. Data relating to them may nevertheless appear in the generated content (for example when a vehicle is identifiable), under the sole responsibility of the professional customer (dealer, vehicle seller).

4. Personal data collected

Depending on the use of the services, The Next Stories may collect the following categories of data:

identity data (last name, first name)
contact data (email, phone)
account technical identifiers (unique user identifier generated by AWS Cognito, known as "Cognito sub", authentication tokens)
professional data (company, position)
billing and payment data
vehicle-related data: technical characteristics, internal references, descriptive information, price, vehicle location, listing data, as well as, where applicable, identifying elements visible in photos or videos (for example license plates, logos, badges, defects, immediate surroundings) ;
uploaded photos and visual content by the user as part of using Autoya image generation features (cutouts, background generation, custom studios, video generation, etc.). These images are processed to produce the requested result and then stored securely on Autoya's infrastructure, in the user's private space, until manual deletion or account closure, subject to the backups and technical logs necessary for the proper operation and security of the platform ;
content generated by the platform: retouched photos, "studio" visuals, videos, ad texts, scripts, voice-overs where applicable ;
connection and usage data (logs, history, credit consumption)
technical data (IP address, browser, system, cookies)

No sensitive data within the meaning of the GDPR is intentionally collected. If such data were nevertheless uploaded or made visible by a user in content (for example via a photo), it would be processed exclusively to provide the requested technical service, without specific use or profiling on that basis.

5. Purposes of processing

Data are collected and processed for the following purposes:

creation and management of user accounts
provision and operation of Autoya services
billing, subscription management, and payments
customer support and operational communication
improvement of platform performance and features: statistical analysis of usage, user feedback, testing and optimization of user journeys, improvement of model and feature quality, in compliance with the minimization principle. Photos, videos, and visual content provided by customers are not reused to train generic AI models beyond what is strictly necessary to provide the service, except with specific contrary agreement;
security, fraud prevention, and abuse prevention
compliance with legal and regulatory obligations
marketing communication (with consent)

6. Legal basis for processing

The processing is based on:

performance of the contract binding the user to The Next Stories
The Next Stories' legitimate interest in improving its services
the user's explicit consent where required
compliance with applicable legal obligations

When The Next Stories acts as a processor on behalf of its professional clients, the legal basis for the processing is determined by those clients in their capacity as data controllers. The Next Stories then processes the data only on the basis of their documented instructions.

7. Artificial intelligence services

Autoya provides access to artificial intelligence services via third-party provider APIs (including Anthropic, OpenAI / OpenRouter, Google Gemini, fal.ai, remove.bg, xAI Grok, and other partners specializing in imaging, video, and where applicable, audio).

In this context:

The Next Stories acts as a technical intermediary
some data may be transmitted to AI providers for processing
each provider applies its own terms and privacy policies
the data is used only to provide the requested service

The Next Stories undertakes to select providers that comply with the GDPR and the European AI Regulation (AI Act).

AI providers generally act as processors of The Next Stories, under data processing agreements (Data Processing Agreements) including, where applicable, standard contractual clauses and/or reliance on the EU–US Data Privacy Framework to govern transfers outside the EU.

The proprietary compositing algorithm used to generate studio visuals is not trained on client data.

Where providers allow it, The Next Stories systematically enables the “no training” / opt-out options so that clients’ data and content are not reused to train generic AI models.

Each provider applies its own terms of use and privacy policies, which we invite you to review.

8. Hosting and security

Autoya's data are hosted mainly within the European Union, with the following providers:

Amazon Web Services EMEA SARL — eu-west-1 region (Ireland): application hosting, storage of photos and generated content (Amazon S3), databases, and user authentication via AWS Cognito. Cognito processes in this capacity the email address, password (encrypted), unique user identifier ("sub"), session tokens, and connection metadata (date, IP address).
OVH SAS (France): complementary infrastructure services.
Vercel Inc.: application infrastructure and website delivery.

The Next Stories also uses:

- Stripe: online payment provider;

- generative AI service providers (Anthropic, OpenAI / OpenRouter, fal.ai, remove.bg, Google Gemini, xAI Grok, etc.) ;

- Google Workspace: internal collaborative tools (messaging, document storage) ;

- GitHub: source code hosting and version management ;

- partner DMS systems (Open Flex, Planet VO, Open Live, etc.) for the exchange of vehicle data at the request of customer dealerships.

Each of these providers acts as a processor within the meaning of the GDPR or, for some DMS, as a separate data controller acting on the dealership's instructions. The Next Stories has entered into data processing agreements with its processors including, where applicable, standard contractual clauses and/or use of the EU–US Data Privacy Framework to govern transfers outside the EU.

To consult the privacy policies of these providers:

AWS : https://aws.amazon.com/privacy/
OVH : https://www.ovh.com/fr/protection-donnees-personnelles/
Vercel : https://vercel.com/legal/privacy-policy

Technical and organizational measures compliant with industry standards are implemented to protect data, including:

encryption of data in transit (TLS) and at rest
access control and strong authentication
regular backups
security monitoring and audits
user space isolation

Despite these measures, no system is completely risk-free. The Next Stories undertakes to notify affected users and the CNIL without delay in the event of a data breach presenting a risk to their rights and freedoms.

9. Retention period

Data are retained only for the time necessary for the purposes pursued:

account data: duration of the registration
billing data: 10 years (legal obligation)
usage data: for the duration of the contractual relationship, then for a maximum of 3 years after the last significant activity, unless there is a dispute or contrary legal obligation
data from cookies: 13 months maximum
technical data, logs and security logs: retained for periods configured by log type, with a goal of harmonization and a maximum period of 12 months in pseudonymized or anonymized form, unless otherwise required by law or necessary for the defense of legal rights.

Longer periods may apply in the event of a legal obligation or a dispute.

10. Data recipients

The data may be disclosed to the following recipients:

authorized internal teams of The Next Stories
technical and hosting service providers
AI service providers
payment service providers
administrative or judicial authorities if required by law

No data is sold to third parties. Processors are not authorized to use the data for their own marketing purposes without your consent or that of our professional clients.

11. Cookies

We may use cookies, tracking pixels (also called clear GIFs and web beacons), third-party software development kits (SDKs), and other technologies to maintain, provide, and improve our website, applications, and services.

We use cookies for various reasons:

Strictly necessary cookies: These cookies are necessary for the proper functioning of our website and cannot be disabled in our systems. They are usually set only in response to actions you take that amount to a request for services, such as setting your privacy preferences, logging in, or filling out forms. You can configure your browser to block these cookies or alert you to their presence, but some parts of the website will not work.

Functional cookies: These cookies enable the website to provide enhanced functionality and personalization (for example: remembering your preferences so you do not have to reset them each time you visit). They may be set by us or by third-party providers whose services have been added to our pages. If you do not allow these cookies, some or all of these services may not function properly.

Performance and analytics cookies: These cookies allow us to count visits and traffic sources so that we can measure and improve the performance of our website. They help us know which pages are the most and least popular and observe how visitors move around the website. If you do not allow these cookies, we will not know when you visited our website and will not be able to monitor its performance.

Marketing and targeting cookies: These cookies allow us to know whether you have seen an advertisement or a type of advertisement, how you interacted with that advertisement, and how long it has been since you last saw it. We also use cookies to help us manage targeted advertising. We may partner with advertising networks and other advertising service providers that display advertisements on our behalf and on behalf of third parties on unaffiliated platforms.

During your first visit to our site, an information banner allows you to set your choices regarding cookies and other trackers. Non-strictly necessary cookies (functional, audience measurement, marketing, and targeting) are activated only with your consent, which you can withdraw at any time via this banner or your browser settings, in accordance with CNIL guidelines.

12. User Rights

In accordance with the GDPR, users have the following rights:

right of access
right to rectification
right to erasure
right to restriction of processing
right to data portability
right to object
right to withdraw consent
right to contest an automated decision

Requests may be sent to: hello@thenextstories.com
A maximum period of one month is guaranteed for any response.

When The Next Stories acts as a processor on behalf of its professional clients (for example, a dealership), we invite the data subjects to address their requests primarily to the relevant data controller (their employer or the dealership). The Next Stories will assist the data controller in handling these requests within the time limits and conditions provided for by the GDPR.

Users also have the right to lodge a complaint with the CNIL.

13. Deletion of your Autoya account

You can request the permanent deletion of your Autoya account and all associated personal data at any time.

Procedure in the mobile app

Open the Autoya app (iOS or Android)
Go to Profile → Account
Select “Delete my account”
Confirm your choice

Procedure by email If you cannot access the app, send a request to hello@thenextstories.com from the email address associated with your account, with the subject “Account deletion”. You may be asked to verify your identity.

What is deleted

your user profile (name, email, Cognito identifier)
your photos and generated content stored on our servers
your usage history and credit consumption history
your preferences and settings

What may be retained

In accordance with our legal obligations, certain data may be retained beyond account deletion:

invoices and accounting data: 10 years (Article L.123-22 of the French Commercial Code)
anonymized security logs: up to 12 months
data necessary to defend legal rights, where applicable

Active subscriptions purchased via the App Store or Google Play must be canceled separately from your Apple or Google account before deleting the Autoya account, otherwise billing will continue on the store side.

Deletion takes effect within 30 days at the latest. A confirmation email will be sent once the procedure is complete.

Security logs and pseudonymized or anonymized technical logs may be retained for up to 12 months, unless otherwise required by law or necessary for the defense of legal rights.

14. Transfers outside the European Union

When data is transferred outside the EU, notably to some of our technical service providers or AI vendors located in the United States (for example Vercel, certain AI model providers, Stripe, GitHub, Google, etc.), The Next Stories implements appropriate safeguards, including:

- the signing of standard contractual clauses adopted by the European Commission;

- reliance, where possible, on the EU–US Data Privacy Framework;

- additional technical and organizational measures (encryption, access restrictions, data minimization).**

You can obtain additional information about these safeguards and, where applicable, a copy of the standard contractual clauses by contacting us at hello@thenextstories.com.

15. Changes to the Policy

This Policy may be modified at any time. Changes take effect 30 days after their publication, unless otherwise required by law.

We invite you to check this page regularly to stay informed of any updates.

16. Contact

For any questions regarding data protection:

📧 hello@thenextstories.com
📍 The Next Stories SAS – 40 rue de la Tour d’Auvergne – 44200 Nantes (France)