Introduction
COMPASSUP SAS ("Company," "we," "us," or "our") is committed to protecting your privacy and personal data. This Privacy Policy explains how we collect, use, store, share, and protect information when you use the Accessible document transformation and remediation platform (the "Service").
This Privacy Policy applies to all users of the Service and should be read in conjunction with our Terms of Use, available at ada-uni.com.
By using the Service, you acknowledge that you have read, understood, and agree to this Privacy Policy. If you do not agree, please do not use the Service.
Table of Contents
- Controller Information and Contact Details
- Scope and Applicability
- Information We Collect
- How We Use Your Information
- Legal Basis for Processing (GDPR)
- AI and Machine Learning: Use of Your Documents
- Information Sharing and Disclosure
- International Data Transfers
- Data Retention and Deletion
- Your Privacy Rights
- Children's Privacy
- Data Security
- Cookies and Tracking Technologies
- Third-Party Services and Links
- Changes to This Privacy Policy
- How to Contact Us
1. Controller Information and Contact Details
Data Controller:
COMPASSUP SAS
Legal Form: Société par Actions Simplifiée (SAS)
Registration Number: 933 416 265 00017
Registered Office: 58 RUE DE MONCEAU, 75008 PARIS, France
Email: briac@compassup.fr
Website: ada-uni.com
Data Protection Officer (if applicable):
Email: briac@compassup.fr
Address: 58 RUE DE MONCEAU, 75008 PARIS, France
For privacy-related questions, data subject access requests, or to exercise your rights under applicable data protection laws (including GDPR and CCPA), please contact us using the information above.
2. Scope and Applicability
2.1 Geographic Scope
This Privacy Policy applies to all users of the Service, regardless of location. We are committed to complying with:
- The European Union General Data Protection Regulation (GDPR) (Regulation EU 2016/679) for users in the European Economic Area (EEA), United Kingdom, and Switzerland;
- The California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA) for California residents;
- Other applicable national, state, and international data protection and privacy laws.
2.2 Service Coverage
This Privacy Policy covers:
- Our website (ada-uni.com);
- The Accessible cloud-based platform and all associated features;
- All communications with you (email, support, notifications);
- Any other services we provide under the Accessible brand.
2.3 Third-Party Services
This Privacy Policy does not apply to third-party websites, applications, or services that may be linked to or integrated with our Service. We recommend reviewing the privacy policies of any third-party services you use.
3. Information We Collect
We collect different types of information to provide, improve, and secure the Service.
3.1 Information You Provide Directly
(A) Account Registration Information
When you create an account, we collect:
- Full name
- Email address
- Password (stored in encrypted/hashed form)
- Institutional affiliation
- Country/region
(B) Billing and Payment Information
When you purchase access to the Service, we collect:
- Billing name and address
- Payment method details (credit/debit card information, PayPal account)
- Transaction history
Note: Payment card details are processed by our third-party payment processors (Stripe). We do not store complete credit card numbers on our servers.
(C) Profile Information
You may optionally provide:
- Job title
- Department
- Phone number
(D) Communications and Support
When you contact us for support or communicate with us, we collect:
- The contents of your messages
- Support ticket information
- Feedback, survey responses, or testimonials you provide
3.2 Documents and Content You Upload
(A) User Content
We collect and process documents and files you upload to the Service ("Your Content"), including:
- Document files (PDF, Word, PowerPoint, images, etc.)
- Document metadata (file names, creation dates, file sizes, format types)
- Text content within documents
- Images, tables, charts, and other embedded elements
- Structural information and formatting
(B) Output Documents
We store the transformed and remediated documents generated by the Service based on Your Content.
IMPORTANT: Your documents may contain Personal Data. If you upload documents containing Personal Data, you are responsible for ensuring you have a lawful basis to process that data and to share it with us. See Section 5 for details on the legal basis for our processing.
3.3 Automatically Collected Information
(A) Usage Data
When you use the Service, we automatically collect:
- Pages and features accessed
- Actions performed (uploads, downloads, transformations)
- Time spent on different features
- Frequency of use
- Error logs and diagnostic information
- Performance data
(B) Device and Technical Information
We collect:
- IP address
- Browser type and version
- Operating system
- Device type (desktop, mobile, tablet)
- Screen resolution
- Referring/exit pages
- Date and time stamps
(C) Cookies and Similar Technologies
We use cookies, web beacons, and similar tracking technologies to collect information about your browsing behavior. See Section 13 for details.
3.4 Information from Third Parties
(A) Payment Processors
We receive transaction confirmation and payment status information from our payment processors (Stripe).
(B) Authentication Services (if applicable)
If you sign in using a third-party authentication service (e.g., Google, Microsoft), we receive:
- Your name
- Email address
- Profile picture
- Unique identifier
We only receive information you authorize the third-party service to share with us.
3.5 Information We Do NOT Collect
We do not knowingly collect:
- Sensitive Personal Data, including health information, financial account numbers, government identifiers (e.g., Social Security numbers, passport numbers), racial or ethnic origin, political opinions, religious beliefs, genetic or biometric data, or information about sexual orientation, unless inadvertently included in Your Content;
- Information from children under the age of 18 (see Section 11).
If you upload documents containing Sensitive Personal Data, you do so at your own risk and in violation of our Terms of Use. We are not responsible for such data, and you agree to indemnify us for any liability arising from such uploads.
4. How We Use Your Information
We use the information we collect for the following purposes:
4.1 To Provide and Operate the Service
- Creating, maintaining, and securing your account
- Processing your documents through our transformation and remediation algorithms
- Analyzing documents for accessibility and compliance issues
- Generating Output Documents that meet accessibility standards
- Providing format conversion, OCR, metadata extraction, and document merging capabilities
- Storing Your Content and Output Documents securely
- Providing customer support and responding to your inquiries
- Sending transactional communications (account confirmations, receipts, service notifications)
4.2 To Process Payments and Prevent Fraud
- Processing payments and billing
- Verifying payment information
- Detecting and preventing fraudulent transactions
- Complying with financial regulations and tax obligations
4.3 To Improve and Develop the Service
- Training, testing, and improving our artificial intelligence and machine learning models (see Section 6 for detailed information)
- Analyzing usage patterns to understand how users interact with the Service
- Identifying and fixing bugs, errors, and technical issues
- Developing new features and capabilities
- Conducting research and development
- Performing statistical analysis and data analytics
4.4 To Communicate with You
- Responding to your questions, requests, and feedback
- Sending important updates about the Service, Terms of Use, or Privacy Policy
- Notifying you of maintenance, downtime, or security issues
- Sending promotional communications, offers, or product updates (with your consent, where required)
4.5 To Ensure Security and Compliance
- Monitoring for security threats, fraud, and abusive behavior
- Detecting and preventing unauthorized access
- Enforcing our Terms of Use and policies
- Complying with legal obligations, court orders, and regulatory requirements
- Investigating and responding to security incidents or data breaches
- Protecting the rights, property, and safety of COMPASSUP SAS, our users, and the public
4.6 For Legal and Business Purposes
- Complying with applicable laws and regulations (GDPR, CCPA, tax laws, etc.)
- Responding to legal process (subpoenas, court orders, government requests)
- Exercising or defending legal claims
- Facilitating corporate transactions (mergers, acquisitions, asset sales)
- Conducting audits and maintaining business records
5. Legal Basis for Processing (GDPR)
If you are located in the European Economic Area (EEA), United Kingdom, or Switzerland, we process your Personal Data based on the following legal grounds under the GDPR:
5.1 Contract Performance (Article 6(1)(b) GDPR)
Processing is necessary to perform our contract with you (the Terms of Use), including:
- Creating and managing your account
- Providing the Service
- Processing your documents
- Delivering Output Documents
- Processing payments
5.2 Legitimate Interests (Article 6(1)(f) GDPR)
Processing is necessary for our legitimate interests or those of a third party, including:
- Improving and developing the Service, including through AI/ML model training
- Ensuring the security and integrity of the Service
- Preventing fraud, abuse, and unauthorized access
- Analyzing usage patterns and Service performance
- Conducting research and development
- Marketing and promoting the Service (where not based on consent)
- Operating our business efficiently
We have conducted balancing tests to ensure that our legitimate interests do not override your fundamental rights and freedoms.
You have the right to object to processing based on legitimate interests. See Section 10 for details.
5.3 Consent (Article 6(1)(a) GDPR)
Where required by law, we process your Personal Data based on your explicit consent, including:
- Marketing communications (where consent is required)
- Optional cookies and tracking technologies
- Specific data processing activities where consent is legally required
You have the right to withdraw consent at any time. Withdrawal does not affect the lawfulness of processing based on consent before withdrawal.
5.4 Legal Obligation (Article 6(1)(c) GDPR)
Processing is necessary to comply with our legal obligations, including:
- Tax and accounting requirements
- Responding to legal process (court orders, subpoenas)
- Compliance with data protection laws (e.g., responding to data subject requests)
- Anti-money laundering and fraud prevention obligations
5.5 Vital Interests (Article 6(1)(d) GDPR)
In rare cases, processing may be necessary to protect someone's vital interests, such as in emergencies involving life-threatening situations.
6. AI and Machine Learning: Use of Your Documents
IMPORTANT: PLEASE READ THIS SECTION CAREFULLY.
6.1 Overview
The Service uses advanced artificial intelligence (AI) and machine learning (ML) technologies to analyze, transform, and remediate documents. To improve the accuracy, efficiency, and capabilities of our AI/ML models, we use Your Content (the documents you upload) to train, test, and refine our algorithms.
By using the Service, you expressly acknowledge and consent to the use of Your Content for AI/ML training purposes as described in this Section 6.
6.2 How We Use Your Documents for AI Training
(A) Training Data
Your Content is used as training data to:
- Teach our AI models to recognize document structures, formatting, and accessibility issues
- Improve the accuracy of our document analysis algorithms
- Enhance our remediation and transformation capabilities
- Develop new features and improve existing ones
- Test and validate model performance
(B) What This Means
- Documents you upload may be analyzed by our AI systems to identify patterns, structures, and characteristics
- Information extracted from Your Content may be incorporated into our training datasets
- Your documents help our AI learn how to better identify and fix accessibility and compliance issues in future documents
(C) Technical Process
Our AI training process may involve:
- Extracting text, images, tables, and structural elements from Your Content
- Annotating documents to identify accessibility issues and compliance gaps
- Using documents as examples to train supervised learning models
- Generating synthetic variations or augmentations of Your Content for training purposes
- Evaluating model performance on real-world documents
6.3 Privacy Protections for AI Training
We implement the following measures to protect your privacy during AI training:
(A) No Public Distribution
We do not publish, sell, or publicly distribute Your Content to third parties for their own AI training or commercial purposes.
(B) Confidentiality
Your documents are treated as confidential business information and are protected by technical and organizational security measures (see Section 12).
(C) Aggregation and Anonymization
Where technically feasible, we aggregate and anonymize training data to reduce identifiability. However, we cannot guarantee that all Personal Data in Your Content will be fully anonymized or removed during the AI training process due to technical limitations of current AI technologies.
(D) Access Controls
Access to training data is restricted to authorized personnel (data scientists, machine learning engineers) who are bound by confidentiality obligations.
(E) Secure Infrastructure
Training data is stored on secure servers in the EU and/or US, operated by trusted service providers (AWS) under strict contractual agreements.
6.4 Your Consent and Control
(A) Consent Requirement
Use of the Service constitutes your consent to the use of Your Content for AI training. If you do not consent, you must not use the Service.
(B) No Opt-Out Available
AI training is integral to the Service's functionality and continuous improvement. We do not currently offer an opt-out option for AI training while still using the Service.
If this is unacceptable to you, we recommend not using the Service or using it only with documents that do not contain Personal Data or confidential information.
(C) Enterprise Options
For large organizations with specific data processing requirements, please contact us at briac@compassup.fr to discuss custom enterprise agreements that may include different data processing terms.
6.5 Legal Basis
For users in the EEA/UK/Switzerland, our legal basis for using Your Content for AI training is:
- Legitimate Interests (GDPR Article 6(1)(f)): Improving and developing the Service is a legitimate interest that benefits all users by providing better accuracy and capabilities. We have assessed that this interest is not overridden by your rights and freedoms, particularly given the transparency of this disclosure and the security measures in place.
- Consent (GDPR Article 6(1)(a)): By using the Service after reading this Privacy Policy, you provide consent to this processing.
You have the right to object to processing based on legitimate interests (see Section 10.8).
6.6 Transparency and Accountability
We are committed to transparency about our AI practices. If you have questions or concerns about how Your Content is used for AI training, please contact our Data Protection Officer at briac@compassup.fr.
6.7 CCPA Notice (California Residents)
California residents are hereby notified that:
- Categories of Personal Information Used for AI Training: Documents you upload, which may contain personal identifiers, professional information, educational information, and other categories of personal information.
- Business Purpose: Training and improving AI/ML models to enhance Service functionality.
- Right to Opt-Out of Sale/Sharing: We do not "sell" or "share" (for cross-context behavioral advertising) your Personal Information as defined by the CCPA. However, use of Your Content for AI training may constitute "sale" or "sharing" under some interpretations. California residents may have the right to opt out. See Section 10.11 for details.
8. International Data Transfers
8.1 Data Processing Locations
COMPASSUP SAS is based in France. However, the Service operates globally, and your information may be transferred to, stored, and processed in:
- The European Union
- The United States
- Other countries where our service providers operate
These countries may have data protection laws that differ from those in your country of residence.
8.2 Safeguards for International Transfers
When we transfer Personal Data outside the European Economic Area (EEA), United Kingdom, or Switzerland, we implement appropriate safeguards, including:
(A) Standard Contractual Clauses (SCCs)
We use Standard Contractual Clauses approved by the European Commission (Decision 2021/914) for transfers to countries that do not have an adequacy decision.
(B) Adequacy Decisions
We may transfer data to countries that the European Commission has determined provide an adequate level of data protection.
(C) Binding Corporate Rules (if applicable)
For intra-group transfers, we may rely on Binding Corporate Rules approved by data protection authorities.
(D) Derogations for Specific Situations
In limited cases, we may transfer data based on GDPR Article 49 derogations, such as:
- Transfers necessary to perform our contract with you
- Transfers to which you have explicitly consented
- Transfers necessary to establish, exercise, or defend legal claims
8.3 US Service Providers
Some of our service providers (AWS, Vercel, Stripe) are based in the United States. We have entered into Standard Contractual Clauses with these providers and require them to implement appropriate technical and organizational measures to protect your data.
EU-US Data Privacy Framework (if applicable): Some US service providers may be certified under the EU-US Data Privacy Framework, which provides safeguards for transfers from the EU to the US.
8.4 Your Rights
You have the right to obtain information about the safeguards we have in place for international transfers. You may also request a copy of the Standard Contractual Clauses by contacting us at briac@compassup.fr.
9. Data Retention and Deletion
9.1 Retention Principles
We retain your information for as long as necessary to:
- Provide the Service to you
- Comply with legal obligations
- Resolve disputes
- Enforce our agreements
- Fulfill the purposes described in this Privacy Policy
9.2 Retention Periods
(A) Account Information
We retain your account information (name, email, profile data) for as long as your account is active.
(B) Your Content and Output Documents
- Active Accounts: We retain Your Content and Output Documents for as long as your account is active and as necessary to provide the Service.
- After Account Termination: We retain Your Content for 30 days following account termination or closure to allow you to retrieve your data.
- After 30 Days: Your Content is permanently deleted from our active servers.
(C) Backup Copies
Backup copies of Your Content may be retained for an additional period (typically up to 90 days) as part of our routine backup and disaster recovery procedures. These copies are not accessible to you and will be automatically deleted according to our backup retention schedule.
(D) AI Training Data
Data that has been incorporated into our AI/ML models in aggregated, anonymized, or derivative form may be retained indefinitely to preserve model integrity and performance. Once integrated into models, individual data points are generally not identifiable or retrievable.
(E) Transaction and Billing Records
We retain transaction records, invoices, and billing information for 7 years to comply with tax, accounting, and financial regulations.
(F) Support Communications
We retain support tickets, emails, and communications for 3 years for customer service, quality assurance, and dispute resolution purposes.
(G) Usage and Log Data
We retain usage data, IP logs, and access logs for 12 months for security, analytics, and operational purposes.
(H) Marketing Data
If you have consented to receive marketing communications, we retain your marketing preferences until you withdraw consent or until 3 years of inactivity have passed, whichever comes first.
9.3 Deletion Upon Request
You may request deletion of your account and Personal Data at any time (see Section 10.6). Upon receiving a verified deletion request, we will delete your Personal Data within 30 days, except where retention is required by law or for legitimate business purposes (e.g., fraud prevention, dispute resolution).
9.4 Legal Holds
In some cases, we may be required to retain data beyond the standard retention periods due to:
- Ongoing litigation or investigations
- Government or regulatory requests
- Audits or legal obligations
We will resume normal deletion practices once the legal hold is lifted.
10. Your Privacy Rights
Depending on your location, you may have certain rights regarding your Personal Data.
10.1 Rights Under GDPR (EEA, UK, Switzerland Residents)
If you are located in the EEA, UK, or Switzerland, you have the following rights under the GDPR:
(A) Right of Access (Article 15)
You have the right to obtain:
- Confirmation of whether we process your Personal Data
- A copy of your Personal Data
- Information about how we process your data (purposes, categories, recipients, retention periods)
(B) Right to Rectification (Article 16)
You have the right to correct inaccurate or incomplete Personal Data.
(C) Right to Erasure / "Right to be Forgotten" (Article 17)
You have the right to request deletion of your Personal Data in certain circumstances, including:
- The data is no longer necessary for the purposes for which it was collected
- You withdraw consent (where processing is based on consent)
- You object to processing based on legitimate interests, and there are no overriding legitimate grounds
- The data was unlawfully processed
- Erasure is required to comply with a legal obligation
Note: This right is not absolute. We may refuse erasure if retention is necessary for compliance with legal obligations, establishment or defense of legal claims, or other lawful grounds.
(D) Right to Restriction of Processing (Article 18)
You have the right to restrict processing of your Personal Data in certain circumstances, including:
- You contest the accuracy of the data (restriction until accuracy is verified)
- Processing is unlawful, but you prefer restriction rather than erasure
- We no longer need the data, but you need it for legal claims
- You have objected to processing, pending verification of our legitimate grounds
(E) Right to Data Portability (Article 20)
You have the right to receive your Personal Data in a structured, commonly used, machine-readable format and to transmit it to another controller, where:
- Processing is based on consent or contract
- Processing is carried out by automated means
(F) Right to Object (Article 21)
You have the right to object to processing based on:
- Legitimate interests (Article 6(1)(f)): You may object at any time. We will cease processing unless we demonstrate compelling legitimate grounds that override your interests, rights, and freedoms, or for legal claims.
- Direct marketing: You may object at any time to processing for direct marketing purposes. We will cease such processing immediately.
(G) Right to Withdraw Consent (Article 7(3))
Where processing is based on consent, you have the right to withdraw consent at any time. Withdrawal does not affect the lawfulness of processing before withdrawal.
(H) Right to Lodge a Complaint
You have the right to lodge a complaint with a supervisory authority, particularly in your country of residence, place of work, or place of alleged infringement. In France, the supervisory authority is:
Commission Nationale de l'Informatique et des Libertés (CNIL)
Address: 3 Place de Fontenoy, TSA 80715, 75334 Paris Cedex 07, France
Website: https://www.cnil.fr/
Phone: +33 1 53 73 22 22
(I) Automated Decision-Making (Article 22)
You have the right not to be subject to decisions based solely on automated processing (including profiling) that produce legal effects or similarly significantly affect you, unless:
- The decision is necessary for entering into or performing a contract
- The decision is authorized by EU or Member State law
- The decision is based on your explicit consent
Note: The Service uses AI for document analysis and transformation, but these processes do not involve automated decision-making that produces legal effects or significantly affects you in the sense of Article 22.
10.2 How to Exercise Your GDPR Rights
To exercise any of the above rights, please contact us at:
Email: briac@compassup.fr
Subject Line: "GDPR Data Subject Request"
Please include:
- Your full name and email address associated with your account
- A clear description of the right you wish to exercise
- Any additional information necessary to verify your identity
We will respond to your request within one month of receipt. In complex cases, we may extend this period by two additional months, in which case we will inform you of the extension and the reasons for delay.
10.3 Rights Under CCPA/CPRA (California Residents)
If you are a California resident, you have the following rights under the California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA):
(A) Right to Know
You have the right to request that we disclose:
- The categories of Personal Information we collected about you
- The categories of sources from which we collected Personal Information
- The business or commercial purpose for collecting or selling Personal Information
- The categories of third parties with whom we share Personal Information
- The specific pieces of Personal Information we collected about you
(B) Right to Delete
You have the right to request deletion of Personal Information we collected from you, subject to certain exceptions (e.g., to complete a transaction, comply with legal obligations, detect security incidents, exercise free speech, or engage in research).
(C) Right to Correct
You have the right to request correction of inaccurate Personal Information.
(D) Right to Opt-Out of Sale/Sharing
You have the right to opt out of the "sale" or "sharing" of your Personal Information.
Important: We do not sell Personal Information for monetary compensation. However, use of Your Content for AI training may be considered a "sale" or "sharing" under CCPA. To opt out, you must discontinue use of the Service, as AI training is integral to its functionality.
(E) Right to Limit Use of Sensitive Personal Information
You have the right to limit the use of Sensitive Personal Information to purposes necessary to provide the Service. We prohibit the upload of Sensitive Personal Information in our Terms of Use and do not intentionally collect it.
(F) Right to Non-Discrimination
We will not discriminate against you for exercising your CCPA rights, including by:
- Denying goods or services
- Charging different prices or rates
- Providing a different level or quality of goods or services
10.4 How to Exercise Your CCPA Rights
To exercise your CCPA rights, please contact us at:
Email: briac@compassup.fr
Subject Line: "CCPA Consumer Request"
Please include:
- Your full name and email address
- California residency verification (e.g., California address)
- A description of the right you wish to exercise
We will acknowledge receipt of your request within 10 business days and respond substantively within 45 days. In some cases, we may extend this period by an additional 45 days, in which case we will notify you.
10.5 Authorized Agents (California)
You may designate an authorized agent to submit CCPA requests on your behalf. We will require:
- Written authorization signed by you granting the agent authority to act on your behalf
- Verification of your identity and California residency
- Direct confirmation from you that you provided the agent with permission
10.6 Account Deletion
To delete your account entirely, you may:
- Submit a deletion request via the methods described above
- Contact customer support at alan@compassup.fr
- Use the account deletion feature in the Service (if available)
Upon account deletion, we will delete or anonymize your Personal Data within 30 days, except where retention is required by law or for legitimate business purposes.
10.7 Marketing Opt-Out
You may opt out of marketing communications at any time by:
- Clicking the "unsubscribe" link in marketing emails
- Updating your preferences in your account settings
- Contacting us at briac@compassup.fr
Note: Even if you opt out of marketing, we will still send you transactional and Service-related communications (e.g., account notifications, receipts, security alerts).
10.8 Objection to AI Training (GDPR)
If you are in the EEA/UK/Switzerland and wish to object to the use of Your Content for AI training based on legitimate interests (GDPR Article 21), please contact us at briac@compassup.fr.
However, please note:
- AI training is integral to the Service's functionality
- If we cannot use Your Content for AI training, we may not be able to provide the Service to you
- We will assess your objection on a case-by-case basis and inform you of our decision
10.9 Identity Verification
To protect your privacy and security, we may require verification of your identity before responding to data subject requests. Verification methods may include:
- Matching information you provide with information in our records
- Requesting government-issued identification (redacted as appropriate)
- Multi-factor authentication via your account
10.10 Fees
We do not charge fees for responding to data subject requests, except:
- If your request is manifestly unfounded or excessive (e.g., repetitive requests), we may charge a reasonable administrative fee or refuse to act on the request
- We will notify you before applying any fees
10.11 Third-Party Rights Platforms (if applicable)
You may also exercise your privacy rights through authorized third-party platforms or browser-based tools, such as Global Privacy Control (GPC) signals. We will honor GPC signals where required by law.
11. Children's Privacy
The Service is not intended for individuals under the age of 18. We do not knowingly collect Personal Data from children under 18.
If you are under 18, you may not use the Service.
If we become aware that we have inadvertently collected Personal Data from a child under 18, we will take steps to delete such information as soon as possible. If you believe we have collected information from a child under 18, please contact us immediately at briac@compassup.fr.
Note for Educational Institutions: If you are an educational institution seeking to use the Service with students under 18, please contact us at briac@compassup.fr to discuss custom terms and COPPA/FERPA compliance measures.
12. Data Security
12.1 Security Measures
We implement commercially reasonable technical and organizational measures to protect your information against unauthorized access, disclosure, alteration, and destruction, including:
(A) Technical Safeguards
- Encryption: Data in transit is protected using TLS/SSL encryption (TLS 1.2 or higher). Data at rest is encrypted using AES-256 or equivalent encryption standards.
- Access Controls: Role-based access controls (RBAC) restrict access to Personal Data to authorized personnel only.
- Authentication: Multi-factor authentication (MFA) for administrative access to systems.
- Network Security: Firewalls, intrusion detection systems (IDS), and intrusion prevention systems (IPS).
- Secure Development: Secure coding practices, regular code reviews, and vulnerability scanning.
(B) Organizational Safeguards
- Data Minimization: We collect and retain only the data necessary for the purposes described in this Privacy Policy.
- Employee Training: Regular security and privacy training for employees with access to Personal Data.
- Confidentiality Agreements: All employees and contractors with access to Personal Data are bound by confidentiality obligations.
- Vendor Management: Due diligence and contractual safeguards with third-party service providers.
- Incident Response Plan: Documented procedures for detecting, responding to, and reporting security incidents.
(C) Physical Security
Our service providers (AWS, Vercel) maintain physical security controls for data centers, including:
- 24/7 monitoring and surveillance
- Biometric access controls
- Environmental controls (fire suppression, temperature regulation)
12.2 Limitations of Security
No method of transmission over the internet or electronic storage is 100% secure. While we strive to protect your information, we cannot guarantee absolute security. You use the Service at your own risk.
12.3 Data Breach Notification
In the event of a data breach affecting your Personal Data, we will:
(A) For GDPR:
- Notify the relevant supervisory authority (CNIL in France) within 72 hours of becoming aware of the breach, where feasible
- Notify affected individuals without undue delay if the breach is likely to result in a high risk to their rights and freedoms
(B) For CCPA:
- Comply with California Civil Code § 1798.82 and notify affected California residents in accordance with applicable law
(C) Notification Content (notifications will include):
- Nature of the breach
- Categories and approximate number of individuals affected
- Categories and approximate number of records affected
- Likely consequences of the breach
- Measures taken or proposed to address the breach
- Contact information for further inquiries
12.4 Your Responsibilities
You are responsible for:
- Maintaining the confidentiality of your account credentials
- Using a strong, unique password
- Not sharing your account with others
- Notifying us immediately of any unauthorized access or security concerns
- Logging out of your account when using shared devices
14. Third-Party Services and Links
14.1 Third-Party Links
The Service may contain links to third-party websites, applications, or services. We are not responsible for the privacy practices or content of these third parties.
We encourage you to review the privacy policies of any third-party services you visit.
14.2 Third-Party Integrations
If you connect the Service with third-party applications (e.g., Google Drive, Dropbox, Microsoft OneDrive), those third parties may collect and process your information according to their own privacy policies.
We are not responsible for third-party data practices.
14.3 Social Media
Our website and communications may include social media features (e.g., Facebook, Twitter, LinkedIn buttons). These features may collect your IP address, page visited, and set cookies. Social media features are governed by the privacy policies of the respective social media companies.
15. Changes to This Privacy Policy
15.1 Updates
We may update this Privacy Policy from time to time to reflect:
- Changes in our data practices
- New features or services
- Changes in applicable laws
- Feedback from users or regulators
15.2 Notification of Changes
We will notify you of material changes to this Privacy Policy by:
- Posting a notice on our website at least 30 days before the changes take effect
- Sending an email to the address associated with your account
- Displaying a notification within the Service
15.3 Effective Date
The "Effective Date" at the top of this Privacy Policy indicates when it was last updated. Your continued use of the Service after the effective date constitutes your acceptance of the updated Privacy Policy.
15.4 Reviewing Changes
We encourage you to review this Privacy Policy periodically to stay informed about how we protect your information.
If you do not agree to the updated Privacy Policy, you must discontinue use of the Service and may request deletion of your account.
16. How to Contact Us
If you have questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us:
COMPASSUP SAS
General Privacy Inquiries:
Email: briac@compassup.fr
Address: 58 RUE DE MONCEAU, 75008 PARIS, France
Data Subject Access Requests (GDPR/CCPA):
Email: briac@compassup.fr
Subject Line: "Data Subject Request" or "CCPA Consumer Request"
Supervisory Authority (France)
If you are located in France and wish to contact the supervisory authority:
Commission Nationale de l'Informatique et des Libertés (CNIL)
Address: 3 Place de Fontenoy, TSA 80715, 75334 Paris Cedex 07, France
Website: https://www.cnil.fr/
Phone: +33 1 53 73 22 22
Response Time
We will respond to your inquiries within:
- 30 days for general inquiries
- One month (30 days) for GDPR data subject requests (extendable by two additional months in complex cases)
- 45 days for CCPA consumer requests (extendable by an additional 45 days with notice)
Important Notices for Specific Jurisdictions
For Users in the European Union:
This Privacy Policy complies with the GDPR (Regulation EU 2016/679). You have specific rights regarding your Personal Data, as described in Section 10.1. For questions or to exercise your rights, contact our Data Protection Officer at briac@compassup.fr.
For Users in California:
This Privacy Policy complies with the California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA). California residents have specific rights, as described in Section 10.3. For CCPA requests, contact us at briac@compassup.fr.
CCPA "Do Not Sell or Share My Personal Information" Notice:
We do not sell your Personal Information for monetary compensation. However, the use of Your Content for AI training may be considered a "sale" or "sharing" under CCPA. To opt out, you must discontinue use of the Service, as this processing is integral to the Service's functionality.
For Users in the United Kingdom:
Following Brexit, the UK has its own data protection regime (UK GDPR). This Privacy Policy complies with UK GDPR. UK users have the same rights as EEA users described in Section 10.1. The UK supervisory authority is the Information Commissioner's Office (ICO): https://ico.org.uk/
For Users in Switzerland:
This Privacy Policy complies with the Swiss Federal Act on Data Protection (FADP). Swiss users have rights similar to those under GDPR, as described in Section 10.1. The Swiss supervisory authority is the Federal Data Protection and Information Commissioner (FDPIC): https://www.edoeb.admin.ch/
BY USING THE SERVICE, YOU ACKNOWLEDGE THAT YOU HAVE READ, UNDERSTOOD, AND AGREE TO THIS PRIVACY POLICY.
Last Updated: January 27, 2026