Privacy Policy
Last updated: February 22, 2026
1. Data controller
BH EURL (TrustAkt brand)
SIRET: 807 554 589 00034
Address: 7, rue Guersant 75017 Paris, France
Email: [email protected]
Data Protection Officer (DPO): [email protected]
2. Data collected
We collect the following categories of data:
| Category | Data | Purpose |
|---|---|---|
| Identity | Last name, first name, email | Account management |
| Connection | IP address, user-agent, timestamp | Security, logs |
| Usage | Platform actions, preferences | Service improvement |
| Billing | Payment information (processed by Paddle) | Subscription management |
| Content | User-generated data (projects, documents, etc.) | Service delivery |
3. Legal basis for processing
In accordance with the GDPR (EU Regulation 2016/679), our processing is based on:
- Performance of a contract (Art. 6.1.b): service delivery, account management.
- Legitimate interest (Art. 6.1.f): security, service improvement, fraud prevention.
- Legal obligation (Art. 6.1.c): retention of accounting data.
- Consent (Art. 6.1.a): analytical and marketing cookies.
4. Data retention periods
| Data | Retention period | Legal basis |
|---|---|---|
| Account data | Duration of subscription + 30 days | Performance of contract |
| Accounting records | 10 years | Legal obligation (French Commercial Code, Art. L123-22) |
| Audit logs | 5 years | Legitimate interest |
| Cookies / analytics | 13 months | CNIL recommendation |
5. Sub-processors
We use the following sub-processors to deliver our services:
| Sub-processor | Purpose | Location |
|---|---|---|
| Vercel Inc. | Hosting & CDN | EU (Frankfurt, eu-central-1 region) |
| Supabase Inc. | Database & authentication | EU (Frankfurt) |
| Paddle.com Market Ltd | Payments & billing (Merchant of Record) | United Kingdom / EU |
| Sentry (Functional Software Inc.) | Error monitoring | EU |
All our sub-processors are contractually bound to comply with the GDPR and to process data exclusively for the purposes described above.
6. Transfers outside the EU
Our data is hosted within the European Union. In the event of a transfer to a third country (notably the United States for certain sub-processors), we ensure that adequate safeguards are in place (European Commission standard contractual clauses, an adequacy decision, or the EU-US Data Privacy Framework).
7. Your rights
In accordance with the GDPR, you have the following rights:
| Right | GDPR Article | How to exercise |
|---|---|---|
| Access | Art. 15 | Email to [email protected] |
| Rectification | Art. 16 | From your personal space or by email |
| Erasure | Art. 17 | Account deletion or email to DPO |
| Restriction | Art. 18 | Email to DPO |
| Portability | Art. 20 | Export from the platform (CSV, JSON formats) |
| Objection | Art. 21 | Email to DPO |
| Withdrawal of consent | Art. 7.3 | Cookie settings or email to DPO |
We commit to responding to any request within 30 days.
8. Data security
We implement appropriate technical and organizational measures to protect personal data, including:
- Data encryption in transit (TLS 1.3) and at rest
- Secure authentication (bcrypt hashing, MFA available)
- Access logging and regular audits
- Environment separation (production / development)
- Encrypted automatic backups
9. Data breach
In the event of a personal data breach presenting a risk to your rights and freedoms, we commit to notifying the CNIL within 72 hours and to informing you as soon as possible, in accordance with Articles 33 and 34 of the GDPR.
10. Supervisory authority
If you believe that the processing of your data constitutes a violation of the GDPR, you have the right to lodge a complaint with the CNIL (Commission Nationale de l’Informatique et des Libertés):
CNIL
3 Place de Fontenoy, TSA 80715
75334 Paris Cedex 07
www.cnil.fr/fr/plaintes
11. Contact
For any questions relating to this policy, contact our DPO: [email protected]