Privacy policy
Compliant with Regulation (EU) 2016/679 (GDPR), the French Data Protection Act (Law no. 78-17 of January 6, 1978, as amended), and Regulation (EU) 2024/1689 on artificial intelligence (AI Act).
Last updated: May 2026
1. Data Controller
The controller of personal data collected on the epsiio.fr website and as part of Epsiio services is:
- Édouard Porcheron — Sole trader (Entrepreneur individuel — EI), doing business as Epsiio
- Registered with Bernay RCS under number 104 925 433
- SIRET: 104 925 433 00013
- Address: 340 Rue des Forges, 27210 Boulleville, France
- Email: edouard@epsiio.fr
- Phone: +33 7 49 06 47 00
Given the size of the structure (sole trader, limited processing volume, no large-scale processing of sensitive data), no Data Protection Officer (DPO) is appointed. Requests relating to personal data are handled directly by the data controller at the address above.
2. Data Collected
Only data strictly necessary for the purposes described below is collected (data minimisation principle, GDPR Article 5.1.c).
- Contact form — required fields: last name, first name, email, company, message content; optional field: phone number. The required fields must be completed for your request to be answered.
- Appointment booking (Cal.com): name, email address, time zone, selected date and time, optional context message.
- Professional exchanges: email correspondence, documents shared during an engagement (briefs, meeting notes, deliverables).
- Connection data: IP address, browser type, pages visited, server logs (kept for security and as legal evidence).
- Contractual and accounting data: billing details, history of services delivered (within a client relationship).
No sensitive data within the meaning of GDPR Article 9 (racial or ethnic origin, political opinions, religious beliefs, health, sexual orientation, etc.) is collected.
3. Purposes & Legal Bases
Each processing activity relies on one of the legal bases set out in GDPR Article 6:
- Responding to contact requests — pre-contractual measures at the request of the data subject (Article 6.1.b).
- Service performance and invoicing — contract performance (Article 6.1.b) and compliance with legal obligations (Article 6.1.c — notably accounting and tax obligations).
- Site security and abuse prevention (logs, anti-spam, bot protection) — legitimate interest (Article 6.1.f).
- Commercial communications — explicit consent (Article 6.1.a) for individuals and new prospects, or legitimate interest for B2B prospects within the limit of similar products or services, in accordance with Article L.34-5 of the French Postal and Electronic Communications Code.
4. Retention Periods
- Contact requests with no follow-up: 3 years from last contact.
- Client data (contractual relationship): duration of the contractual relationship, then 5 years after the end of the contract (general civil limitation period — Article 2224 of the French Civil Code).
- Accounting documents and invoices: 10 years (Article L.123-22 of the French Commercial Code).
- Connection logs: 12 months maximum (Article L.34-1 of the French Postal and Electronic Communications Code).
- Prospects (marketing consent): 3 years from collection or last active contact.
5. Recipients & Processors
Your data is never sold, rented or transferred to third parties. It is processed exclusively by the data controller. Some technical service providers may access the data within the strict scope of their mission, under contracts compliant with GDPR Article 28:
- Web hosting: Vercel Inc. (United States) — epsiio.fr site infrastructure.
- Anonymous audience measurement: Vercel Web Analytics (Vercel Inc.) — aggregated statistics with no cookie or persistent identifier, hashed IP addresses, no cross-site tracking.
- Online appointment booking: Cal.com, Inc. (United States) — booking widget embedded on the contact page, slot processing, email reminders, calendar synchronisation with the data controller.
- Transactional email delivery: Gmail / Google Workspace (Google Ireland Limited).
- Accounting and tax obligations: chartered accountant (under professional secrecy) and tax authorities, on legal request.
The list of processors may change. Contact me for the current list.
6. Transfers Outside the European Union
Some processors (Vercel, Google, Cal.com) may process data on servers located in the United States. These transfers are governed by:
- the European Commission's Standard Contractual Clauses (Implementing Decision 2021/914);
- and/or certification under the EU-U.S. Data Privacy Framework (adequacy decision of 10 July 2023).
7. Data Security
Appropriate technical and organisational measures are implemented in accordance with GDPR Article 32: TLS encryption of communications, system access control, regular backups, strong authentication on critical accounts, contractual confidentiality with processors. In the event of a data breach likely to result in a risk to your rights and freedoms, you will be informed in accordance with GDPR Article 34, and the CNIL (France's data protection authority) notified within 72 hours (GDPR Article 33).
8. Your Rights
In accordance with Articles 15 to 22 of the GDPR and Articles 38 to 43 of the French Data Protection Act, you have the following rights over your personal data:
- Right of access — obtain confirmation and a copy of the data processed.
- Right to rectification — have inaccurate or incomplete data corrected.
- Right to erasure ("right to be forgotten") — in the cases provided for in GDPR Article 17.
- Right to restriction of processing — GDPR Article 18.
- Right to portability — receive your data in a structured, machine-readable format and transmit it to another controller (Article 20).
- Right to object — object to processing based on legitimate interest or for direct marketing purposes.
- Right to withdraw consent at any time, without affecting the lawfulness of processing carried out beforehand.
- Right to set post-mortem directives — Article 40-1 of the French Data Protection Act.
To exercise your rights, send a request (accompanied by proof of identity where there is doubt about the requester's identity) to: edouard@epsiio.fr. A response will be sent within one month, in accordance with GDPR Article 12.
You also have the right to lodge a complaint with the French data protection authority (Commission Nationale de l'Informatique et des Libertés — CNIL), 3 place de Fontenoy, TSA 80715, 75334 Paris Cedex 07 — cnil.fr.
9. Cookies and Trackers
The epsiio.fr site does not set any HTTP cookies in your browser. A display preference (light/dark mode) is stored locally via localStorage so your interface choice is preserved between visits. This information remains on your device, is not transmitted to the server, and constitutes a strictly necessary tracker within the meaning of Article 82 of the French Data Protection Act (exempt from consent, in line with CNIL recommendations).
Audience measurement is provided by Vercel Web Analytics, a cookieless solution producing aggregated statistics (page views, traffic sources, device type). IP addresses are hashed and no persistent identifier is kept, allowing the consent exemption provided for by CNIL deliberation no. 2020-091 for strictly anonymous audience measurement.
The Contact page embeds a Cal.com booking widget (loaded in an iframe on the app.cal.com domain). This widget may set its own cookies on the Cal.com domain when you interact with the calendar; those cookies fall exclusively under Cal.com's privacy policy and are not accessible to epsiio.fr.
No advertising, social network or third-party tracking cookie is set without your prior consent.
10. Artificial Intelligence and Transparency (AI Act)
Epsiio designs and integrates artificial intelligence systems as part of client engagements. In accordance with Regulation (EU) 2024/1689 (AI Act) and transparency principles:
- Internal use: generative AI tools may be used for productivity (writing, analysis, code). No confidential client data is submitted to these tools without prior agreement.
- Client delivery: AI systems delivered as part of an engagement are accompanied by clear documentation — purposes, models used, known limits, security measures, logging, human oversight mechanisms.
- Training: no personal data collected via this site is used to train AI models.
- Automated decisions: no decision producing legal or similarly significant effects concerning you is taken solely on the basis of automated processing, without human intervention (GDPR Article 22).
For any question about the AI systems used or delivered, you may request an explanation at: edouard@epsiio.fr.
11. Minors
The Epsiio site and services are intended for an adult professional clientele. Data of minors is not knowingly collected. If you believe a minor's data has been transmitted, contact me for immediate deletion.
12. Policy Updates
This policy may be updated to reflect legal, technical or organisational changes. The date of last update appears at the top of the document. In the event of a substantial change, specific information will be provided.
13. Contact
For any question, request to exercise rights, or complaint: edouard@epsiio.fr.
See also the legal notice.