Privacy Policy.

We collect only the data strictly needed to run the site and respond to your request:

• Contact form — first name, last name, email address, message content. Provided voluntarily when you contact us.
• Anti-spam protection — a technical token generated by Google reCAPTCHA, tied to your IP address, used to distinguish human submissions from bots.
• Server technical logs — IP address, timestamp, pages visited, user-agent. Retained for security and incident detection.
• Audience measurement — if you consent, Google Analytics collects navigation data (pages visited, duration, source, technical identifiers). Without consent, no audience measurement takes place.

In accordance with Article 6 of the GDPR, each processing activity relies on an explicit legal basis:

• Pre-contractual measures (Art. 6.1.b) — handling requests received via the contact form in view of a possible commercial relationship.
• Legitimate interest (Art. 6.1.f) — site security, anti-spam protection, technical log retention, service improvement.
• Consent (Art. 6.1.a) — audience measurement cookies and any cookie that is not strictly necessary.
• Legal obligation (Art. 6.1.c) — retention of accounting and tax records, once a contractual relationship is in place.

Your data is used exclusively to:

• Respond to contact, quote and project requests
• Deliver the agreed services and follow up on them
• Secure the site and prevent abuse (anti-spam, logs)
• Measure site audience in aggregated form, if you have consented
• Meet our legal and accounting obligations

We do not sell, rent or share your data for commercial purposes. No profiling or automated decision-making is performed.

We keep your data only for durations strictly proportionate to their purpose:

• Contact form messages — 3 years from the last exchange (B2B prospection, aligned with CNIL guidance).
• Project or contract data — duration of the relationship + 5 years (accounting obligations, Art. L.123-22 of the French Commercial Code).
• Server technical logs — 12 months maximum.
• Audience measurement cookies — 13 months maximum from deposit.

Beyond these periods, your data is deleted or securely archived.

Your data may be passed to the following providers, acting as sub-processors within the meaning of Article 28 of the GDPR:

• Scaleway SAS (France, EU) — site hosting and storage of technical logs.
• Mailjet (Sinch) (France, EU) — delivery of emails sent from the contact form.
• Google LLC / Google Ireland (United States / Ireland) — Google Analytics (audience measurement, with consent), Google reCAPTCHA (anti-spam protection), Google Fonts (typography).
• Calendly, LLC (United States) — online scheduling, when you click through to a Calendly page.

No other transfers to third parties take place. Each sub-processor is bound by a contract imposing safeguards equivalent to the GDPR.

Some sub-processors are established in the United States — notably Google (Analytics, reCAPTCHA, Fonts) and Calendly.

These transfers are framed by the mechanisms set out in Articles 44 et seq. of the GDPR:

• Certification to the EU–U.S. Data Privacy Framework (European Commission adequacy decision of 10 July 2023), where the provider is enrolled;
• Failing that, Standard Contractual Clauses (SCC) adopted by the European Commission.

You can obtain a copy of these safeguards on written request at the address listed at the bottom of the page.

The site uses three categories of cookies:

• Strictly necessary cookies — required for the site to function (session, language preference). They do not require consent, per Article 82 of the French Data Protection Act.
• Security cookies — set only on the contact page for anti-spam protection (Google reCAPTCHA). Based on our legitimate interest in protecting our forms from abuse (Art. 6.1.f GDPR), with an explicit notice displayed on the form itself.
• Audience measurement cookies — Google Analytics. Set only after explicit acceptance via our consent banner. You can withdraw consent at any time from the “Cookie preferences” link in the footer.

The maximum retention period for consent-based cookies is 13 months. Withdrawing consent is as simple as giving it.

In accordance with Articles 15 to 22 of the GDPR and the French Data Protection Act, you have the following rights:

• Right of access — obtain a copy of the data concerning you.
• Right to rectification — correct inaccurate or incomplete data.
• Right to erasure — have your data deleted, subject to our legal obligations.
• Right to object — object to processing, in particular for prospection purposes.
• Right to restriction — temporarily limit processing.
• Right to portability — receive your data in a structured, reusable format.
• Post-mortem directives — arrange what happens to your data after your death.

To exercise these rights, write to us at the address below. We respond within one month at the latest.

If you believe your rights are not being respected, you may lodge a complaint with the CNIL, the French supervisory authority (3 place de Fontenoy, TSA 80715, 75334 Paris Cedex 07 — www.cnil.fr).

We implement technical and organizational measures proportionate to the risk in order to protect your data against unauthorized access, alteration, disclosure or destruction: end-to-end TLS encryption, access control for secrets, environment segregation, regular backups.

In the event of a personal data breach likely to result in a risk to your rights and freedoms, we notify the CNIL within 72 hours (Art. 33 GDPR) and, where the risk is high, inform you directly without undue delay (Art. 34 GDPR).

This policy may be updated to reflect technical, regulatory or organizational changes. The date of the last update appears at the top of the page. In case of a substantial change, we will inform you by an appropriate means before it takes effect.