Privacy Policy & Data Processing Agreement
Effective Date: December 2, 2025
This Privacy Policy describes how Eliott (hereinafter "the Application", "we", "us", "our") collects, uses, stores, and protects the personal data of its users (hereinafter "you", "user", "data subject") in connection with our SaaS marketing data analytics service. This document also includes a Data Processing Agreement (DPA) for users who act as data controllers under applicable data protection laws.
1. Data Controller Information
Company Name: Eliott
Address: 2bis allée des favrières, 44240 La Chapelle-sur-Erdre
Contact Email: marco99103@gmail.com
As of this date, Eliott has not appointed a Data Protection Officer (DPO). All inquiries regarding data protection may be directed to the contact information above.
2. Categories of Personal Data Collected
2.1 Account Information
Full name (first name, last name)
Email address
Profile avatar URL (optional)
2.2 OAuth Tokens and Integration Data
When you connect third-party services, we store encrypted OAuth tokens to access your data on your behalf:
Google Analytics: Read-only access token, refresh token, property ID, property name, website URL, Google account email
Google Ads: Access token, refresh token, customer ID, login customer ID, account name, Google account email
Google Sheets: Access token, refresh token, selected sheet ID, sheet name, sheet URL, Google account email
Meta Ads (Facebook/Instagram): Access token, ad account ID, Meta user ID, Meta user email, Meta user name
LinkedIn Ads: Access token, refresh token, account ID, LinkedIn user ID, LinkedIn account email
HubSpot: Access token, refresh token, hub ID, HubSpot account email
Salesforce: Access token, refresh token, instance URL, Salesforce account email
2.3 Usage Data
Queries submitted to the analytics engine
Dashboard items (charts, analyses) created and saved
Favorite queries
Reports generated
Subscription status and usage metrics (requests used per month)
2.4 Technical and Security Data
IP addresses (truncated for privacy)
User agent strings (browser and device information)
Security audit logs (authentication events, access attempts)
OAuth session states for secure authentication flows
Rate limiting data to prevent abuse
2.5 Payment Data
Stripe Customer ID
Stripe Subscription ID
Subscription type and billing interval
Current billing period dates
Note: We do not store credit card numbers, CVV codes, or full payment card details. All payment processing is handled securely by Stripe.
2.6 Data NOT Collected
We do not collect sensitive personal data as defined by Article 9 of the GDPR, including:
Racial or ethnic origin
Political opinions
Religious or philosophical beliefs
Trade union membership
Genetic or biometric data
Health data
Sexual orientation
3. Legal Bases for Processing
Purpose | Legal Basis | Details
Account creation and management | Performance of contract (Art. 6(1)(b) GDPR) | Necessary to provide access to the Application and process billing
Third-party integrations (Google Analytics, Meta Ads, etc.) | Explicit consent (Art. 6(1)(a) GDPR) | You explicitly authorize access via OAuth with specific scopes
Customer support and communication | Legitimate interest (Art. 6(1)(f) GDPR) | Responding to inquiries and improving service quality
Security, fraud prevention, and service integrity | Legitimate interest (Art. 6(1)(f) GDPR) | Security logging, abuse detection, rate limiting
Tax and accounting obligations | Legal obligation (Art. 6(1)(c) GDPR) | Retention of billing records as required by law
You may withdraw consent for third-party integrations at any time by disconnecting the integration from your account settings or by contacting us.
4. Data Recipients and Sharing
4.1 Internal Access
Your data is accessible only to authorized Eliott personnel who are bound by confidentiality obligations.
4.2 Sub-Processors
We use the following sub-processors who process data on our behalf according to our instructions:
Sub-Processor | Purpose | Location
Supabase Inc. | Database hosting, authentication, edge functions | EU / United States
OVHcloud | Infrastructure hosting | France (EU)
Railway | MCP server hosting | United States
n8n (self-hosted on OVH) | Workflow automation and orchestration | France (EU)
Stripe Inc. | Payment processing | United States
Google reCAPTCHA | Bot protection and abuse prevention | United States
4.3 OAuth Providers
When you connect integrations, data flows directly between your account and the respective OAuth provider:
Google LLC (Google Analytics, Google Ads, Google Sheets)
Meta Platforms Inc. (Meta Ads)
LinkedIn Corporation
HubSpot Inc.
Salesforce Inc.
The Rocket Science Group LLC (Mailchimp)
4.4 Third-Party Disclosures
We may disclose your data to:
Law enforcement agencies when required by valid legal process
Professional advisors (lawyers, accountants) bound by professional secrecy
Potential acquirers in case of merger, acquisition, or asset sale (with prior notice)
5. International Data Transfers
Some of our sub-processors (Supabase, Railway, Stripe) may process your data in the United States. When data is transferred outside the European Economic Area (EEA), we ensure appropriate safeguards are in place:
Standard Contractual Clauses (SCCs): We use EU Commission-approved SCCs with our US-based sub-processors
Supplementary Measures: We implement additional technical and organizational measures as recommended by the EDPB
Data Processing Agreements: All sub-processors are bound by DPAs that ensure GDPR-equivalent protection
You may request a copy of the relevant transfer mechanisms by contacting us.
6. Data Retention Periods
Data Category | Retention Period | Justification
Account data (name, email) | Active account duration + 3 years after last interaction or deletion | Contract management and legal obligations
OAuth tokens | Until disconnection or account closure | Service functionality
Dashboard items and queries | Until user deletion or account closure | Service functionality
Security audit logs | 12 months | Security, debugging, legal compliance
Rate limiting data | 24 hours (automatic cleanup) | Abuse prevention
Email verification codes | 24 hours (automatic cleanup) | Security
Billing records | 10 years | Legal and tax obligations
Encrypted backups | 30 days | Business continuity
At the end of these periods, data is permanently deleted or irreversibly anonymized.
7. Data Security Measures
7.1 Technical Measures
Encryption in Transit: TLS 1.2+ for all communications
Encryption at Rest: AES-256 encryption for database storage
Password Security: Bcrypt hashing with salt; no plaintext password storage
Token Encryption: OAuth tokens are encrypted using PGP symmetric encryption before storage
Row Level Security (RLS): Database policies ensure users can only access their own data
PKCE: Proof Key for Code Exchange for OAuth flows
Input Sanitization: Protection against SQL injection and XSS attacks
Rate Limiting: Protection against brute force and denial-of-service attacks
Secure Headers: CORS policies, CSP, and other security headers
7.2 Organizational Measures
Principle of least privilege for all access controls
Segregation of environments (production, testing, development)
Continuous monitoring and logging
Regular security assessments
Incident response procedures
7.3 Bot Protection
We use Google reCAPTCHA Enterprise to protect against automated abuse, spam, and bot attacks. This service may collect hardware and software information, such as device and application data, and send it to Google for analysis.
8. Your Rights Under GDPR
Under Articles 15-22 of the GDPR, you have the following rights:
Right of Access (Art. 15): Request a copy of your personal data and information about how it is processed
Right to Rectification (Art. 16): Request correction of inaccurate or incomplete personal data
Right to Erasure (Art. 17): Request deletion of your personal data ("right to be forgotten")
Right to Restriction (Art. 18): Request limitation of processing in certain circumstances
Right to Data Portability (Art. 20): Receive your data in a structured, commonly used, machine-readable format
Right to Object (Art. 21): Object to processing based on legitimate interests or for direct marketing
Right to Withdraw Consent (Art. 7(3)): Withdraw consent at any time without affecting prior processing
How to Exercise Your Rights
To exercise any of these rights, contact us at: marco99103@gmail.com
We will respond within one month of receiving your request. This period may be extended by two additional months for complex requests, in which case we will inform you within the first month.
Right to Lodge a Complaint
If you believe your rights have not been respected, you may lodge a complaint with a supervisory authority. In France, this is the Commission Nationale de l'Informatique et des Libertés (CNIL): www.cnil.fr
9. Cookies and Local Storage
The Application uses only strictly necessary technical storage mechanisms:
Session Cookies: For authentication and maintaining your logged-in state
Local Storage: For OAuth state management and user preferences (language, theme)
We do not use any advertising, marketing, or third-party tracking cookies. Google reCAPTCHA may set cookies necessary for its bot protection functionality.
10. Children's Privacy
The Application is not intended for use by individuals under the age of 16. We do not knowingly collect personal data from children. If we become aware that we have inadvertently collected data from a child, we will take immediate steps to delete it.
11. Changes to This Policy
We may update this Privacy Policy to reflect changes in our practices or legal requirements. For material changes, we will notify you via email at least 30 days before the changes take effect. The "Effective Date" at the top of this document indicates when the current version became effective.
Data Processing Agreement (DPA)
This Data Processing Agreement forms part of the Privacy Policy and Terms of Service between you ("Controller") and Eliott ("Processor").
DPA 1. Definitions
"Controller" means the user who determines the purposes and means of processing personal data
"Processor" means Eliott, which processes personal data on behalf of the Controller
"Sub-processor" means any third party engaged by the Processor to process personal data
"Personal Data" has the meaning given in the GDPR
"Processing" has the meaning given in the GDPR
"Data Subject" means an identified or identifiable natural person
DPA 2. Scope and Purpose
This DPA applies when Eliott processes personal data on behalf of users who connect their third-party accounts (e.g., Google Analytics, Meta Ads). In this context:
The user is the Controller of the data from their connected accounts
Eliott is the Processor acting on the user's documented instructions
The purpose of processing is to provide the analytics and reporting services described in our Terms of Service.
DPA 3. Processor Obligations
As Processor, Eliott shall:
Process personal data only on documented instructions from the Controller
Ensure that persons authorized to process personal data are bound by confidentiality obligations
Implement appropriate technical and organizational security measures (as described in Section 7)
Not engage another processor without prior authorization from the Controller (current sub-processors are listed in Section 4.2)
Assist the Controller in responding to data subject requests
Assist the Controller in ensuring compliance with security, breach notification, and DPIA obligations
Delete or return all personal data upon termination of services, at the Controller's choice
Make available all information necessary to demonstrate compliance with GDPR obligations
DPA 4. Controller Obligations
As Controller, you shall:
Ensure you have a lawful basis to share personal data with Eliott
Ensure data subjects have been informed about the processing
Provide documented instructions for processing
Be responsible for the accuracy, quality, and legality of personal data shared
DPA 5. Data Breach Notification
In the event of a personal data breach, Eliott will:
Notify the Controller without undue delay and within 72 hours of becoming aware of the breach
Provide sufficient information for the Controller to meet its notification obligations
Cooperate with the Controller in investigating and mitigating the breach
Document the breach, its effects, and remedial actions taken
DPA 6. International Transfers
Where personal data is transferred outside the EEA, Eliott ensures appropriate safeguards through:
Standard Contractual Clauses (SCCs) approved by the European Commission
Binding Corporate Rules where applicable
Adequacy decisions where available
DPA 7. Audits
Eliott will make available to the Controller all information necessary to demonstrate compliance with this DPA and allow for audits and inspections by the Controller or an authorized auditor, subject to:
Reasonable advance notice
Confidentiality obligations
Not interfering with normal business operations
DPA 8. Records of Processing
Eliott maintains records of processing activities carried out on behalf of Controllers, including:
Name and contact details of the Processor and Controller
Categories of processing carried out
Transfers to third countries and safeguards
General description of technical and organizational security measures
DPA 9. Sub-Processor List
The current list of authorized sub-processors is provided in Section 4.2 of this Privacy Policy. The Controller consents to the use of these sub-processors. Eliott will notify the Controller of any intended changes to sub-processors, allowing the Controller to object.
DPA 10. Termination
Upon termination of the services agreement:
Eliott will delete or return all personal data processed on behalf of the Controller
Eliott will delete existing copies unless storage is required by law
Upon request, Eliott will certify deletion of data
Contact Us
For any questions about this Privacy Policy or to exercise your rights, please contact:
Email: marco99103@gmail.com
Address: Eliott, 2bis allée des favrières, 44240 La Chapelle-sur-Erdre
Last Updated: December 2, 2025