Privacy Policy — Eliott
Last updated: 11/23/2025
Company: “Eliott” represented by the microenterprise “Marc-Antoine ALLAIN”
SIREN number: 914147970
Website: https://askeliott.com
Email: marco99103@gmail.com
Registered Address: 2bis allée des favrières, 44240 La Chapelle sur Erdre, France
1. Introduction
This Privacy Policy explains how Eliott (“we”, “our”, “the App”) collects, uses, processes, and protects your personal data when you use our AI-powered marketing analytics application.
Eliott is designed to help users analyze marketing, CRM, and advertising performance by connecting their third-party marketing tools via OAuth. We follow the principles of data minimization, security by design, and privacy by default as required under the General Data Protection Regulation (GDPR).
By using Eliott, you acknowledge that you have read and understood this Privacy Policy.

2. Data Controller
For users located in the EU or EEA, the Data Controller is:
Marc-Antoine ALLAIN (Auto-Entreprise “Eliott”)
2bis allée des favrières, 44240 La Chapelle sur Erdre
France
Email: marco99103@gmail.com
We do not have a Data Protection Officer (DPO). All privacy inquiries should be directed to the email above.

3. Data We Collect
We follow a strict data minimization approach. We do not store any marketing, CRM, or advertising data retrieved from your connected platforms. We only store what is strictly necessary to operate the App.

3.1. Information You Provide
First name
Last name
Email address
Account identifiers for connected marketing platforms (e.g., account ID, account name)

3.2. OAuth Information
When you connect external services (Google Analytics, Google Ads, Google Sheets, Meta Ads, HubSpot, Salesforce, etc.), we store:
OAuth access tokens (encrypted; see section 8.1)
OAuth refresh tokens (encrypted)
Provider identifiers
The minimal scopes required to perform read-only API requests
We never store raw data retrieved from those platforms.

3.3. Technical and Usage Data
Automatically collected:
IP address
Device information
Logs of API calls
Authentication events
Cookies and trackers (see section 11)

3.4. Data We Do NOT Collect
We do not store:
❌ CRM records (leads, deals, contacts)
❌ Advertising data (spend, impressions, conversions, etc.)
❌ Google Analytics reports
❌ Any raw marketing data retrieved from your platforms
All such data is processed in memory only, strictly for answering the user’s request.

4. Purpose of Processing
We process your data solely to:

4.1. Provide and operate the App
Connect to your marketing tools via OAuth
Execute read-only API queries
Provide insights, analysis, and responses to your questions

4.2. Authenticate and manage your account
Create and maintain your account
Secure login and access control

4.3. Improve the App
Monitor performance
Debug issues
Understand usage behavior (via Posthog, GA4, GTM)

4.4. Security
Detect suspicious activity
Prevent abuse or unauthorized access
Maintain audit logs
We do not sell or monetize your data.

5. Legal Basis for Processing (GDPR)
We process personal data on the following legal bases:

5.1. Contract Performance (Art. 6(1)(b))
To provide the Eliott service.

5.2. Legitimate Interest (Art. 6(1)(f))
For:
analytics and service optimization
fraud prevention
app security

5.3. Consent (Art. 6(1)(a))
For cookies and tracking technologies on the website. You may withdraw your consent at any time.

6. No Human Access to Your Connected Data
We implement strict controls to ensure that:
OAuth tokens are stored encrypted and can be decrypted only by secure backend processes
No employee, including the founder, can manually access customer tokens or connected data
All decryption operations are performed exclusively by automated systems
All API calls are logged and auditable
No raw marketing data is ever stored in our database
This is aligned with GDPR’s privacy-by-design and least-privilege principles.7. Data RetentionWe store:Data TypeRetentionEncrypted OAuth tokensUp to 365 days or until manually revokedAccount metadataUp to 365 daysLogsUp to 365 daysAggregated analytics (non-personal)Up to 365 daysRaw marketing dataNot storedYou may request data deletion at any time.8. Data SecurityWe use multiple layers of security:8.1. EncryptionOAuth tokens encrypted with strong algorithms (AES-256 or equivalent)
Secrets stored in secure key management systems (KMS)

8.2. Access Control
No direct database access for humans
Role-based access control
Server-to-server authenticated communication

8.3. Infrastructure Security
Supabase hosted in the EU
Railway servers located in Amsterdam (EU)
OVH hosting in France
n8n self-hosted
HTTPS enforced everywhere

8.4. Isolation
Multi-tenant isolation
Row Level Security (RLS) policies
No cross-access between users

9. Sub-Processors
We use the following service providers, all GDPR compliant:
Supabase – Authentication & Database (EU)
Railway – AI backend hosting (EU — Amsterdam)
OVH – Main application hosting (France)
OpenAI – AI model provider
n8n – Self-hosted automation server
GA4 & Google Tag Manager – Website analytics
Posthog – Product analytics
Each sub-processor operates under a data processing agreement.

10. International Data Transfers
Some partners (e.g., OpenAI, Google Analytics) may transfer data outside the EU. We ensure compliance using:
Standard Contractual Clauses (SCCs)
Adequacy decisions where applicable
Additional technical safeguards (pseudonymization, limited data sent)
We do not send any identifiable CRM, marketing, or advertising data to third-country services.

11. Cookies and Tracking
We use:
Google Analytics (GA4)
Google Tag Manager
Posthog
Cookies are used for:
User experience optimization
Performance monitoring
Basic analytics
You can manage cookies via your browser or through our cookie banner.

12. User Rights (GDPR)
You have the right to:
Access your personal data
Rectify inaccurate data
Delete your data (“right to be forgotten”)
Withdraw consent
Restrict or object to processing
Request data portability
Lodge a complaint with CNIL (France)
To exercise your rights, email: marco99103@gmail.com

13. Data Deletion and Revocation
You can delete your account or revoke any connected platform at any time by:
Disconnecting the integration inside Eliott, or
Removing Eliott’s access directly from the connected platform (Google, Meta, HubSpot, Salesforce, etc.)
Revocation immediately disables all API access to that platform.

14. Changes to This Privacy Policy
We may update this Privacy Policy to reflect new features or regulatory updates. We will notify users of significant changes.

15. Contact
For any questions regarding this Privacy Policy or your data, contact:
Marc-Antoine ALLAIN
Email: marco99103@gmail.com
Address: 2bis allée des favrières, 44240 La Chapelle sur Erdre, France