🇪🇺 GDPR Compliant: This service is operated in full compliance with the General Data Protection Regulation (GDPR) and Belgian data protection laws. All data is processed and stored within the European Union.
1. Introduction
Welcome to Enterprise Directory ("we," "our," or "us"). We are committed to protecting your personal data and respecting your privacy rights. This Privacy Policy explains how we collect, use, store, and protect your personal information when you use our Enterprise Directory Management System (the "Service").
This policy is designed to help you understand:
- What information we collect and why
- How we use that information
- Your rights regarding your personal data
- How to exercise those rights
2. Data Controller
Data Controller Information:
Company Name: [YOUR COMPANY NAME]
Address: [YOUR COMPANY ADDRESS], Belgium
Email: privacy@[yourdomain].com
Phone: [YOUR PHONE NUMBER]
Company Registration Number: [YOUR BELGIAN COMPANY NUMBER]
3. Legal Basis for Processing
We process your personal data on the following legal bases under GDPR Article 6:
- Contract Performance: Processing necessary to provide our services to you
- Consent: Where you have given explicit consent for specific processing activities
- Legal Obligation: Where processing is required by law (e.g., audit logs, security)
- Legitimate Interests: For fraud prevention, security, and service improvement
4. Information We Collect
4.1 Account Information
When you create an account or are added to the system, we collect:
- Full name (nom, premier_nom, nom_de_famille)
- Email address
- Password (stored as a hash only)
- User role (Admin, Editor, Viewer)
- Account status (active/inactive)
4.2 Directory Entry Information
For directory management purposes, we may collect:
- Company/Organization name (entreprise)
- Access levels (niveaux d'accès 1-4)
- Establishment numbers (numéro d'établissement 1-2)
- Record group classification (groupe de registres)
- Sequential index number (auto-generated)
4.3 Usage and Technical Data
When you use the Service, we automatically collect:
- IP address
- Browser type and version (user agent)
- Login timestamps
- Actions performed (audit logs)
- API usage statistics (for API key users)
- Session information
4.4 Cookies and Similar Technologies
We use the following types of cookies:
- Essential Cookies: Required for authentication and session management (JWT tokens)
- Functional Cookies: To remember your preferences and settings
We do NOT use advertising, tracking, or analytics cookies.
5. How We Use Your Information
We use your personal data for the following purposes:
5.1 Service Provision
- To create and manage your account
- To authenticate and authorize access
- To manage directory entries and records
- To provide search and filtering functionality
- To enable data export (CSV)
5.2 Security and Compliance
- To maintain audit logs for accountability
- To detect and prevent fraud or unauthorized access
- To comply with legal obligations
- To enforce our terms of service
5.3 Service Improvement
- To understand how the Service is used
- To identify and fix technical issues
- To improve functionality and user experience
6. Data Sharing and Recipients
We do NOT sell your personal data to third parties. We only share your data with:
6.1 Service Providers (Data Processors)
- Supabase Inc.: Database hosting (Frankfurt, Germany - EU)
  - Purpose: Data storage and management
  - DPA: In place, GDPR-compliant
- Google Cloud Platform: Application hosting (Belgium - EU)
  - Purpose: Service infrastructure and hosting
  - DPA: Google Cloud Data Processing Addendum
6.2 Legal Requirements
We may disclose your information if required by law, court order, or government request.
7. Data Storage and Security
7.1 Data Location
All data is stored within the European Union:
- Database: Supabase (Frankfurt, Germany)
- Application: Google Cloud (Belgium)
- No data transfers outside the EU
7.2 Security Measures
We implement industry-standard security measures:
- Password hashing using bcrypt (10 rounds)
- JWT token-based authentication
- API key hashing (SHA-256)
- Transport Layer Security (HTTPS/TLS)
- Row-level security (RLS) policies
- Rate limiting and DDoS protection
- Regular security audits
8. Data Retention
We retain your personal data for the following periods:
- Active Account Data: As long as your account is active
- Soft-Deleted Records: 90 days, then permanently deleted
- Audit Logs: 2 years (legal requirement)
- API Usage Logs: 1 year
- Session Data: 7 days after expiration
- Closed Accounts: 90 days for legal purposes, then deleted
9. Your Rights Under GDPR
You have the following rights regarding your personal data:
9.1 Right to Access (Article 15)
You can request a copy of all personal data we hold about you.
How to exercise: Contact privacy@[yourdomain].com or use the "Export My Data" feature in your account settings.
9.2 Right to Rectification (Article 16)
You can request correction of inaccurate or incomplete data.
How to exercise: Update your information directly in the application or contact us.
9.3 Right to Erasure / "Right to be Forgotten" (Article 17)
You can request deletion of your personal data in certain circumstances.
How to exercise: Contact privacy@[yourdomain].com. We will delete your data within 30 days unless legal obligations require retention.
9.4 Right to Restriction of Processing (Article 18)
You can request that we limit how we use your data in certain situations.
9.5 Right to Data Portability (Article 20)
You can receive your data in a machine-readable format (JSON/CSV).
How to exercise: Use the "Export My Data" feature or contact us.
9.6 Right to Object (Article 21)
You can object to processing based on legitimate interests.
9.7 Right to Withdraw Consent
Where processing is based on consent, you can withdraw it at any time.
9.8 Right to Lodge a Complaint
You have the right to lodge a complaint with the Belgian Data Protection Authority:
10. International Data Transfers
No International Transfers: All data processing occurs within the European Union. We do not transfer your personal data outside the EU/EEA.
11. Children's Privacy
Our Service is not directed to individuals under 16 years of age. We do not knowingly collect personal data from children. If you believe we have collected data from a child, please contact us immediately.
12. Automated Decision-Making and Profiling
We do NOT use automated decision-making or profiling that produces legal effects or similarly significantly affects you.
13. Data Breach Notification
In the event of a data breach that is likely to result in a risk to your rights and freedoms, we will notify you and the Belgian Data Protection Authority within 72 hours of becoming aware of the breach, as required by GDPR Article 33.
14. Changes to This Privacy Policy
We may update this Privacy Policy from time to time to reflect changes in our practices or legal requirements. We will notify you of any material changes by:
- Posting the new policy on this page with an updated "Last Updated" date
- Sending an email notification (if you have an account)
- Displaying a prominent notice in the application
Your continued use of the Service after changes become effective constitutes acceptance of the revised policy.
15. Contact Us
If you have questions, concerns, or wish to exercise your rights regarding your personal data, please contact us:
Privacy Contact Information:
Email: privacy@[yourdomain].com
Phone: [YOUR PHONE NUMBER]
Address: [YOUR COMPANY ADDRESS], Belgium
Response Time: We aim to respond to all privacy requests within 30 days.
16. Consent
By using our Service, you consent to the collection and use of your information as described in this Privacy Policy. If you do not agree with this policy, please do not use our Service.
Version: 1.0
Last Updated: November 9, 2025
Effective Date: November 9, 2025
Jurisdiction: Belgium / European Union