1. Data controller
AP FRANCE — SASU, SIREN 802 005 108, 49 bd du Lycée, 92170 Vanves, France.
DPO contact: contact@assistantprive.io
2. Data collected
We only collect the data necessary for the purposes described below:
- Account & authentication: email address (encrypted at rest with AWS KMS), WebAuthn passkeys. Legal basis: contract performance.
- Billing: first name, last name, postal address, country, and where applicable VAT number and SIREN. Legal basis: contract performance & legal obligation (retained 10 years — Art. L123-22 French Commercial Code).
- Documents submitted: identity documents and supporting evidence you upload or entrust to us for handling your administrative processes (residence permit, visa, civil status, etc.). Legal basis: contract performance. These documents are used only for the processes you have entrusted to us.
- Case tracking: projects, tasks, deadlines, and exchanges related to your processes. Legal basis: contract performance.
- Consents: date and version of accepted terms of sale, withdrawal-right waiver, IP address. Legal basis: legal obligation.
- Technical data: request logs (IP, user agent, timestamp). Legal basis: legitimate interest (security, debugging). Retention: 90 days.
3. Data recipients
Your data may be shared with the following processors, strictly limited to the purposes described:
- Neon Inc. (PostgreSQL database) — EU hosting available.
- Vercel Inc. (application hosting) — SOC 2 certified.
- AWS KMS (encryption of sensitive data) — eu-west-1 region.
- Cloudflare Inc. (document storage — R2) — data hosted in the European Union.
- Stripe Payments Europe Ltd. (card payments) — licensed payment institution; we do not store any banking data.
- Resend Inc. (transactional email delivery).
- Upstash Inc. (Redis cache) — EU region available.
- PostHog Inc. (audience measurement, product analytics, and technical error tracking) — data hosted in the EU region (eu.i.posthog.com). Error tracking only collects technical data (error message, stack trace), no personal data. Used solely to improve and maintain service reliability; no sharing with third parties for advertising purposes.
Your documents and data may also be shared with the relevant French administrations (prefecture, OFII, URSSAF, CAF, etc.), solely within the scope of the processes you have expressly entrusted to us.
No data is sold to third parties. No data is used for advertising or commercial profiling purposes.
4. Retention periods
- Active account data: duration of the contractual relationship.
- Documents submitted: duration of the contractual relationship; deletable on request at any time.
- Deleted account data: immediate anonymization, except billing data retained for 10 years.
- Technical logs: 90 days.
- Terms-of-sale consents: 5 years from the date of acceptance.
5. Your rights (GDPR Art. 15–22)
You have the right to access, rectify, erase, and port your data, as well as the right to object to and restrict its processing.
To exercise these rights, contact us at contact@assistantprive.io. We will respond within 30 days. If you disagree with our response, you may lodge a complaint with the CNIL.
6. Cookies
See our Cookie Policy for details on the trackers used.
7. Security
Sensitive data (email address) is encrypted at rest via AWS KMS. Authentication relies on WebAuthn passkeys — no password is stored. Access to your documents is strictly partitioned per account. Communications are encrypted in transit (TLS 1.3).
8. Transfers outside the EU
Some processors (Vercel, Resend, Upstash) are based in the United States. These transfers are governed by the European Commission's Standard Contractual Clauses (SCCs) or the EU-US Data Privacy Framework.