Privacy Policy

The data controller is EI ChampagneDevOps, 6 avenue des Troubadours, 31750 Escalquens, France (SIRET: 943 294 517 100 026). For any privacy-related inquiry, contact us at contact@champagnedevops.fr.

We collect the following categories of personal data:

• Account data: name, email address, password (hashed), organisation name, role within the organisation.
• Billing data: processed by Stripe, Inc. We store your Stripe customer ID and subscription status. We do not store credit card numbers.
• Supply chain data: supplier names, contact details, parcel coordinates (GeoJSON), shipment records, due diligence statements — uploaded by you to fulfill EUDR obligations.
• Usage data: authentication logs, API request timestamps, IP addresses — collected automatically for security and service operation.

We process your data on the following grounds:

• Contract performance (Art. 6(1)(b) GDPR): to provide the Service you subscribed to, including EUDR due diligence management, supplier tracking, and DDS submission.
• Legal obligation (Art. 6(1)(c) GDPR): to comply with accounting, tax and anti-deforestation regulations (Regulation (EU) 2023/1115).
• Legitimate interest (Art. 6(1)(f) GDPR): to ensure service security, prevent fraud, and improve the platform.

We share personal data with the following third-party processors:

• Stripe, Inc. (San Francisco, USA) — payment processing. Stripe is certified under the EU-US Data Privacy Framework. See stripe.com/privacy.
• OVHcloud (Gravelines, France) — infrastructure hosting. All application data is stored in the EU.

We do not sell, rent, or share your personal data with any other third party for marketing purposes.

All application data is hosted on OVHcloud servers located in Gravelines, France. Payment data is processed by Stripe under the EU-US Data Privacy Framework and Standard Contractual Clauses (SCCs). No other international transfers occur.

We retain your data for the following periods:

• Account and supply chain data: for the duration of your subscription, then deleted within 30 days of account closure — unless longer retention is required by law.
• Billing records: 10 years after the transaction, as required by French commercial law (Code de commerce, Art. L123-22).
• Authentication and security logs: 12 months.
• EUDR due diligence statements: 5 years after submission, as required by Regulation (EU) 2023/1115, Art. 4(2).

Under the GDPR, you have the right to:

• Access your personal data (Art. 15).
• Rectify inaccurate data (Art. 16).
• Request erasure of your data (Art. 17), subject to legal retention obligations.
• Restrict processing (Art. 18).
• Data portability — receive your data in a structured, machine-readable format (Art. 20).
• Object to processing based on legitimate interest (Art. 21).
• Lodge a complaint with the CNIL (Commission Nationale de l'Informatique et des Libertés), 3 place de Fontenoy, 75007 Paris, France — www.cnil.fr.

To exercise any of these rights, email us at contact@champagnedevops.fr. We will respond within 30 days.

The Service uses strictly necessary cookies only:

• Authentication token (JWT): stored in browser local storage to maintain your session. No expiry beyond the token lifetime.

We do not use analytics cookies, advertising cookies, or any third-party tracking. No cookie consent banner is required under ePrivacy rules as only technically essential storage is used.

We implement appropriate technical and organisational measures to protect your data, including: encryption in transit (TLS 1.2+), hashed passwords (bcrypt), role-based access control, and infrastructure hardened with firewall rules and intrusion detection. Despite these measures, no system is 100% secure. If you discover a vulnerability, please report it to contact@champagnedevops.fr.

We may update this Privacy Policy from time to time. Material changes will be communicated via email or an in-app notification at least 15 days before taking effect. Continued use of the Service after the effective date constitutes acceptance of the updated policy.