⚠ Draft — to be reviewed by counsel before publication

Privacy policy

This page explains how CyberTool collects, uses and protects your personal data, in compliance with the General Data Protection Regulation (GDPR).

Last updated: 2026-04-28

1. Who is the data controller?

The data controller is CyberTool SAS, a company registered with the French companies' register under number [TO COMPLETE: SIREN], with its registered office at [TO COMPLETE: full address]. For any question regarding the protection of your data, you may write to privacy@cybertool.fr.

2. What data do we collect?

We only collect data strictly necessary to operate the service:

  • Account: email, full name (optional), hashed password, audience (agency or SMB), language preferences.
  • Company: trade name, SIRET (optional), team size.
  • Monitored sites: declared domain name, requested scan frequency, verification token.
  • Technical results: scores, findings, scan logs (SSL, DNS, headers, blacklists, WordPress CVEs) — technical data publicly exposed by the scanned servers.
  • Billing: subscription history and AI consumption (never the credit card number — handled exclusively by Stripe).
  • Application logs: IP address, user-agent, request timestamps — automatically purged after 30 days.

3. Why this data?

  • Performance of the contract (art. 6.1.b GDPR): providing the monitoring service and the cyber cockpit.
  • Legitimate interest (art. 6.1.f GDPR): securing the platform, preventing fraud, improving the service.
  • Legal obligation (art. 6.1.c GDPR): retaining invoices for 10 years (French Commercial Code), responding to lawful requests from authorities.
  • Consent (art. 6.1.a GDPR): marketing emails (explicit opt-in), non-essential cookies.

4. How long do we keep your data?

  • Active account: as long as you use the service.
  • Inactive account > 24 months: automatic deletion after notification.
  • Scans and findings: 90 days of detailed history, anonymised archiving beyond that.
  • Anonymous landing-page audits: 7 days maximum (automatic purge).
  • Technical logs: 30 days.
  • Invoices: 10 years (accounting obligation).

5. Who do we share your data with?

We work with a limited number of subprocessors. Each has signed a Data Processing Agreement (DPA) compliant with GDPR:

  • Supabase (Ireland, EU) — database + auth.
  • Vercel (United States) — web application hosting, under Standard Contractual Clauses (SCCs) + an up-to-date transfer impact assessment.
  • Cloudflare (United States) — scan workers, anti-DDoS, under SCCs.
  • Stripe (Ireland, EU) — payments and billing.
  • Resend (United States) — transactional email delivery, under SCCs.
  • Anthropic (United States) — Claude artificial-intelligence model. Prompts are not used for model training.

6. Your rights

Pursuant to GDPR, you have the following rights:

  • Access: obtain a copy of all the data we hold about you.
  • Rectification: correct inaccurate data.
  • Erasure: request deletion (save for legal retention obligations).
  • Restriction: temporarily block a processing operation.
  • Portability: retrieve your data in a structured, machine-readable format (JSON).
  • Objection: to processing based on legitimate interest.

To exercise your rights, write to privacy@cybertool.fr. We respond within one month at most (art. 12.3 GDPR), and typically within 72 hours.

7. Complaint to the CNIL

If you believe your rights are not being respected, you may lodge a complaint with the French Data Protection Authority (Commission Nationale de l'Informatique et des Libertés / CNIL): cnil.fr.

8. Cookies and trackers

See our dedicated cookie policy. In summary: a session cookie to keep you signed in, a preferences cookie for the language. No advertising cookie or third-party tracker before consent.

9. Security

All data is encrypted in transit (TLS 1.2 or higher) and at rest (disk-level encryption on Supabase). Passwords are never stored in clear: they are hashed with bcrypt, which applies a unique salt per password. Administrative access to servers requires multi-factor authentication (MFA). We publish a vulnerability disclosure policy at /.well-known/security.txt (RFC 9116 format).

10. Changes to this policy

This policy may evolve. In case of material changes, you will be notified by email with 30 days' notice.
