1. Who's responsible for your data
The data controller under GDPR is Aurélien Roche EI, a French sole proprietorship (auto-entrepreneur), registered office at 174 Rue du Temple, 75003 Paris, France, registered under SIRET 908 185 564 00014.
For any question about your data, reach out at privacy@smartanalyst.io.
2. What we collect
2.1 — Account data (you as a user)
- Email, full name, hashed password (bcrypt)
- Workspace name, your role in the workspace
- Preferences (language, display settings)
- Authentication logs (timestamp, IP, user-agent) for security
2.2 — Business data via OAuth connectors
When you connect a tool (GA4, Meta Ads, Shopify, etc.), we fetch and store:
- OAuth access tokens (encrypted via Supabase Vault, never logged in plaintext)
- Aggregated marketing metrics: sessions, conversions, revenue, ad spend, etc.
- Connected account/property identifiers (GA4 property ID, Meta account ID, Shopify domain)
We never collect personal data about your end customers (emails, addresses, card numbers, etc.) — only aggregates.
2.3 — Tracking events via the SmartTag
If you install our sa.js script on your site, we collect per visitor:
- Page URLs (path + query keys — values are stripped to avoid capturing emails or tokens in URLs)
- Referrer origin (host only, never the full path)
- CSS selectors of clicked elements (never the text content)
- A random session ID stored in sessionStorage (cleared when the tab closes — not a cookie)
- IP prefix (e.g. 185.42.x.x) for country-level geolocation only
Emails and phone numbers found in custom event properties are automatically stripped server-side as a safety net.
3. Why we collect it (purposes)
- Service delivery — render your dashboards, compute metrics, connect to your tools.
- Transactional communication — anomaly alerts, automated reports, security emails.
- Security — detect intrusion attempts, prevent abuse, meet legal obligations.
- Product improvement — aggregated, anonymized usage stats (which features are used, where things crash).
We never sell your data. We don't use it for third-party advertising, commercial profiling, or training third-party AI models.
4. Legal bases (GDPR article 6)
| Processing | Legal basis |
| Account creation, service delivery | Performance of a contract (art. 6.1.b) |
| Connecting an OAuth tool | Explicit consent (art. 6.1.a) |
| SmartTag tracking on your site | Legitimate interest, no cookies (art. 6.1.f) — see §9 |
| Security logs, fraud prevention | Legitimate interest (art. 6.1.f) + legal obligation (art. 6.1.c) |
| Product marketing emails | Explicit opt-in consent (art. 6.1.a) |
5. Sub-processors & recipients
We use the following sub-processors, all contractually bound to GDPR compliance:
| Sub-processor | Role | Location |
| Supabase Inc. | Database hosting and storage | Ireland (eu-west-1) |
| Hostinger | Application hosting (API, app, marketing site) | Lithuania / France |
| Anthropic, PBC | AI insight generation (Claude) | United States — covered by the EU Commission's Standard Contractual Clauses |
| Resend | Transactional email delivery | United States — SCCs |
| Stripe | Payments & subscriptions | Ireland / United States — SCCs |
No data is shared with advertisers, data brokers, or ad platforms.
6. Transfers outside the EU
Most data is hosted in Europe (Supabase Ireland, Hostinger EU). Some US-based sub-processors (Anthropic, Resend, Stripe) process data on our behalf. These transfers are covered by the Standard Contractual Clauses (SCCs) adopted by the EU Commission on June 4, 2021.
7. How long we keep your data
| Data | Retention |
| Active user account | As long as the account exists |
| Deleted account | Anonymization within 30 days, full purge within 90 days |
| Aggregated connector metrics | Subscription duration + 12 months |
| Raw SmartTag events | Free plan: not stored (real-time only). Paid plans: 30 to 365 days depending on plan |
| Security logs, invoices | 5 to 10 years (accounting / tax obligations) |
| Revoked OAuth tokens | Deleted immediately |
8. Your rights
Under GDPR, you have the following rights:
- Access — get a copy of all data we hold about you
- Rectification — correct inaccurate or incomplete data
- Erasure ("right to be forgotten") — request deletion of your account and data
- Portability — get your data in a machine-readable format (JSON)
- Restriction — temporarily limit processing
- Object to processing based on legitimate interest
- Withdraw consent at any time, without affecting prior processing
- Lodge a complaint with your local data protection authority — for EU residents that's typically your country's DPA (e.g. CNIL in France, ICO in the UK)
To exercise these rights, email privacy@smartanalyst.io. We respond within one month (extendable by two months for complex requests, with notice).
9. Cookies & trackers
Marketing site (smartanalyst.io): no tracking cookies, no third-party analytics. We only use technical session cookies for the contact form.
Application (app.smartanalyst.io): strictly necessary session cookies for authentication (HttpOnly, Secure, SameSite=Strict). These cookies are exempt from prior consent under GDPR / PECR / CNIL guidance.
Our SmartTag (the sa.js script installed by our customers): no cookies. Events are tied to a session ID stored in sessionStorage — which is not a cookie and is cleared when the tab closes. Per CNIL / EDPB guidance, this mechanism is exempt from consent for statistical analytics, provided it's not used for cross-site tracking or targeted advertising — which is our case.
10. Security
We implement appropriate technical and organizational measures: TLS 1.2+ encryption for all transfers, at-rest encryption via Supabase Vault for OAuth tokens, Postgres Row-Level Security for workspace isolation, bcrypt password hashing, audit logs for sensitive accesses, daily encrypted backups.
In case of a data breach likely to result in a risk to your rights, we notify the relevant DPA within 72 hours and inform you directly if the risk is high, per GDPR articles 33 and 34.
11. Changes
This policy may evolve. For material changes, we notify you by email at least 30 days before they take effect. The last-updated date is shown at the top of this page.
12. Contact
For any question, rights request, or complaint: privacy@smartanalyst.io
You may also lodge a complaint with your local data protection authority. For EU residents, that's the supervisory authority in your country of residence.