Draft pending legal review — not yet binding.

RepForm

Privacy Policy

RepForm respects your privacy and is committed to protecting your personal data in accordance with Regulation (EU) 2016/679 (GDPR) and French Law No. 78-17 of 6 January 1978 as amended (Data Protection Act). This policy describes the processing of personal data we perform as part of the RepForm service.

1. Data controller

The data controller is [RepForm — Legal form to be confirmed], whose registered office is at [full address to be confirmed], registered with the [city] Trade and Companies Registry under SIREN number [to be completed]. For any question regarding your personal data, you can contact us at privacy@repform.app.

2. Personal data collected

When you use the service, we collect the following data: (a) identification data — first name, last name, email address, professional phone number; (b) professional data — organisation, role (admin, technician, admintech), team; (c) user content you create — clients, sites, contacts, interventions, reports, photos, handwritten signatures captured on screen; (d) technical data — IP address, connection logs, usage events, browser type, session identifier; (e) billing metadata handled by Stripe — we do not store any payment card number, only subscription metadata (Stripe customer ID, plan, subscription status). Payment data is collected and processed directly by Stripe Payments Europe, Ltd. under its own privacy policy (stripe.com/privacy).

3. Purposes and legal bases

Your data is processed for the following purposes: (a) service delivery (account creation, feature access) — contract performance (Art. 6.1.b GDPR); (b) subscription and billing management — contract performance and legal accounting obligations (Art. 6.1.b and 6.1.c); (c) customer support — contract performance (Art. 6.1.b); (d) security, fraud prevention, access logging — legitimate interest in protecting the service and its users (Art. 6.1.f); (e) transactional communications (confirmations, alerts, team invites) — contract performance; (f) service improvement and aggregate statistical analysis — legitimate interest (Art. 6.1.f), with right to object at any time; (g) compliance with legal and accounting obligations — legal obligation (Art. 6.1.c).

4. Recipients and sub-processors

Your data is accessible to our internal team strictly within the scope of their duties, and to our technical sub-processors bound by a Data Processing Agreement (DPA) compliant with Article 28 GDPR: Vercel Inc. (application hosting, compute served from Paris datacenter "cdg1"; US company — Standard Contractual Clauses applicable for operational and support access); Supabase Inc. (database and file storage, Frankfurt datacenter, European Union); Stripe Payments Europe, Ltd. (payment processing, United States for the group — Standard Contractual Clauses); Resend, Inc. (transactional email sending, United States — Standard Contractual Clauses); Sentry (Functional Software, Inc.) (application error monitoring, Frankfurt datacenter, European Union); Upstash, Inc. (rate limiting, United Kingdom — European adequacy decision); Hostinger International Ltd. (encrypted database backups, Paris datacenter, France). We do not sell or rent your personal data to third parties. We never share your data for advertising purposes.

5. International transfers outside the European Union

Some of our sub-processors are established in the United States: Stripe Inc. (parent entity of the Stripe group for payment processing), Resend Inc. (transactional email sending), and Vercel Inc. (US company, although our compute is served from the Paris datacenter "cdg1"). Transfers are governed by the Standard Contractual Clauses (SCC) adopted by the European Commission (decision 2021/914), supplemented by additional technical measures: TLS 1.3 encryption in transit, AES-256 encryption at rest, access restricted to what is strictly necessary. The transfer to the United Kingdom (Upstash) is covered by the European Commission's adequacy decision of 28 June 2021. The primary data plane (PostgreSQL database, uploaded files, application compute) is processed entirely within the European Union (Supabase Frankfurt + Vercel Paris).

6. Retention period

Account data is retained throughout the contractual relationship, then archived for 3 years after account closure for evidentiary purposes (claims, disputes). Billing data is retained for 10 years in accordance with Article L.123-22 of the French Commercial Code. Technical logs (application logs, security events) are retained for a maximum of 12 months in accordance with CNIL guidance. Full encrypted backups are retained for 30 days in rolling rotation. User content (interventions, reports, photos, signatures) is permanently deleted within 30 days following account termination, unless you explicitly request otherwise before that deadline.

7. Your rights

In accordance with Articles 15 to 22 GDPR, you have the following rights: right of access (Art. 15); right to rectification (Art. 16); right to erasure, also known as "right to be forgotten" (Art. 17), under the conditions of the regulation; right to restriction of processing (Art. 18); right to data portability (Art. 20) — a complete JSON export is available from Settings → Data; right to object (Art. 21) to processing based on legitimate interest; right to issue post-mortem directives on your data (Article 85 of the French Data Protection Act). To exercise these rights, contact us at privacy@repform.app. We respond within the one-month period set by Article 12 GDPR, extendable by 2 months for complex requests.

8. Complaint to the CNIL

If you believe your rights are not respected, you can lodge a complaint with the French Data Protection Authority (CNIL), 3 place de Fontenoy — TSA 80715 — 75334 Paris Cedex 07 — www.cnil.fr — phone: +33 1 53 73 22 22. You may also contact the supervisory authority in your country of residence.

9. Security

We implement appropriate technical and organisational measures to protect your data in accordance with Article 32 GDPR: TLS 1.3 encryption in transit; AES-256 encryption at rest on databases and storage; strong authentication with bcrypt password hashing; role-based access control at the database level (PostgreSQL Row Level Security); access and security event logging; daily encrypted backups; regular review of our sub-processors; formalised incident management policy including CNIL notification within 72 hours and notification to data subjects within the legal deadlines in the event of a data breach presenting a high risk.

10. Cookies and trackers

The details of cookies used and how to manage your consent are described in our Cookie Policy, which complements this policy.

11. Technician and end-customer data

When you use RepForm as a professional to manage your own technicians, clients or contacts, you are the data controller for that data; RepForm acts as a data processor within the meaning of Article 28 GDPR. As such, you are in particular required to inform your technicians and clients of the processing of their data via RepForm, to obtain the required consent where applicable, and to allow them to exercise their rights. A template Data Processing Agreement (DPA) is available on request at privacy@repform.app, in English and French.

12. Automated decisions

RepForm does not perform any solely automated decision-making producing legal effects within the meaning of Article 22 GDPR. No marketing-related profiling is carried out.

13. Changes to the policy

This policy may be updated to reflect changes in our practices or regulations. The date of the last update is indicated at the top of this page. In the event of a substantial change (new major sub-processor, new purpose), we will notify you by email at least 30 days before it takes effect.

For any question regarding your personal data: privacy@repform.app