Privacy Policy
Last updated: 6 June 2026
1. Who We Are
[COMPANY NAME] (“Company”, “we”, “us”, “our”) is a French simplified joint-stock company (SAS) incorporated under French law, with registered office at [REGISTERED ADDRESS], registered with the Trade and Companies Registry under number [SIRET].
We operate the SaaS platform accessible at https://ranks.page (the “Service”).
Contact for privacy matters: [LEGAL EMAIL]
2. Scope of This Policy
This Privacy Policy applies to all personal data collected through the Service, our website, and any interactions with [COMPANY NAME]. It covers our obligations under:
- EU General Data Protection Regulation (GDPR) — Regulation 2016/679
- UK GDPR and Data Protection Act 2018
- California Consumer Privacy Act (CCPA) / CPRA, where applicable
- French loi Informatique et Libertés
The Service is directed exclusively at business professionals (B2B). We do not knowingly collect personal data from individuals under 18.
3. Data We Collect
3.1 Data you provide directly
- Account data: full name, professional email address, job title, company name
- Authentication credentials: email address and hashed password (plaintext passwords are never stored)
- Support data: messages, attachments, and metadata sent through Intercom
- Communications: emails and replies to onboarding sequences
3.2 Data collected automatically
- Usage data: features accessed, actions performed, session duration, navigation paths
- Technical data: IP address (anonymised — see Section 3.3), browser type and version, operating system, screen resolution, timezone
- Log data: server access logs, error logs, API call logs — retained for security and debugging purposes
3.3 Data collected by third-party processors on our behalf
The following sub-processors collect data as part of delivering the Service:
- PostHog (EU cloud or self-hosted): product analytics and session recording. IP addresses are anonymised before any processing. Data is stored exclusively within the European Union. No data is transferred to the United States. PostHog’s Privacy Policy: https://posthog.com/privacy
- Intercom (Intercom, Inc., USA): customer support and in-app messaging. Acts as a data processor under a signed Data Processing Addendum. Transfers to the USA are governed by Standard Contractual Clauses (SCCs). Intercom’s Privacy Policy: https://www.intercom.com/legal/privacy
3.4 Payment data — Creem.io (Merchant of Record)
Payment processing is handled exclusively by Creem (Armitage Labs OÜ, Estonia), which acts as the Merchant of Record for all transactions. Creem — not [COMPANY NAME] — is the legal seller of record and collects and processes all payment card data, billing information, and invoicing directly from buyers.
[COMPANY NAME] does not receive, store, or process your payment card details. Creem processes buyer payment data as an independent data controller under its own Privacy Policy and in compliance with GDPR: https://creem.io/privacy
[COMPANY NAME] receives from Creem only: subscription status, plan type, and a customer reference ID for account management purposes.
4. Legal Bases for Processing (GDPR / UK GDPR)
- Performance of contract (Art. 6(1)(b)): account creation, service delivery, subscription management, technical support.
- Legitimate interests (Art. 6(1)(f)): security monitoring, fraud prevention, server log analysis, and internal aggregate reporting — where no cookie or tracking technology is involved. We have conducted a Legitimate Interests Assessment (LIA) for each such purpose; contact us to request a copy.
- Consent (Art. 6(1)(a)): product analytics via PostHog (session recording, behavioural tracking), functional cookies, and marketing emails. Consent is freely given, specific, informed, and revocable at any time.
- Legal obligation (Art. 6(1)(c)): retention of contractual and accounting records as required by French law (Code de commerce, 10-year statutory period).
Note: We do not rely on legitimate interest as a legal basis for any cookie-based or tracking analytics. In line with the ePrivacy Directive (Art. 5(3)), consent is the only valid basis for setting non-essential cookies, regardless of any GDPR legal basis. PostHog analytics are therefore always consent-dependent.
5. Retention Periods
- Active account data: duration of the contractual relationship + 3 years after termination.
- Contractual records and invoicing data: 10 years (French statutory accounting obligation).
- Support conversations (Intercom): 3 years from last interaction.
- Server and security logs: 12 months.
- PostHog analytics data: [X] months (configurable in your PostHog instance — we recommend 12 months maximum).
- PostHog session recordings: [X] days (configurable — we recommend 90 days maximum).
- Marketing consent records: until consent is withdrawn, or 3 years of inactivity.
6. International Data Transfers
Our analytics stack (PostHog) is configured to store data exclusively within the EU. The following transfers outside the EEA do occur:
- Intercom Inc. (USA): Standard Contractual Clauses (SCCs) + signed Data Processing Addendum.
- Creem (Estonia, EU): no transfer outside the EEA. Creem processes data as an independent controller under GDPR.
For UK customers post-Brexit, transfers to EU entities (including Creem and PostHog EU cloud) are covered by the UK adequacy decision for the EU. Transfers to Intercom (USA) rely on the UK International Data Transfer Agreement (IDTA) or the UK Addendum to the EU SCCs.
7. Your Rights
Rights under GDPR / UK GDPR
- Right of access (Art. 15): obtain a copy of your personal data.
- Right to rectification (Art. 16): correct inaccurate data.
- Right to erasure (Art. 17): request deletion where no overriding legal basis applies.
- Right to restriction (Art. 18): temporarily pause processing.
- Right to data portability (Art. 20): receive your data in a machine-readable format.
- Right to object (Art. 21): object to processing based on legitimate interests or direct marketing.
- Right to withdraw consent: at any time, without affecting prior lawful processing.
Rights under CCPA (California residents)
- Right to know what personal information we collect, use, and disclose.
- Right to delete personal information we hold about you.
- Right to opt-out of the sale of personal information. We do not sell personal information.
- Right to non-discrimination for exercising your privacy rights.
To exercise any right: [LEGAL EMAIL]. We respond within 30 days (GDPR / UK GDPR) or 45 days (CCPA). You may also lodge a complaint with your supervisory authority: CNIL (France) cnil.fr | ICO (UK) ico.org.uk | your local EU DPA.
8. Security
We implement appropriate technical and organisational security measures including: TLS encryption in transit, encryption at rest, role-based access controls, access logging, regular backups, and staff security training. In the event of a personal data breach, we will notify the relevant supervisory authority within 72 hours and affected individuals without undue delay (GDPR Art. 33–34).
9. Sub-processors
Current sub-processors: PostHog (EU analytics), Intercom (support). A full and up-to-date list is available on request at [LEGAL EMAIL]. We will provide at least 30 days’ notice of any material changes to our sub-processor list.
10. Changes to This Policy
We may update this policy. For material changes, we will notify you by email or in-app notification with at least 30 days’ notice. The current version is always available at https://ranks.page/privacy.