Aller au contenu principal
AIFORYA

Privacy Policy

1. Introduction and commitment

AIFORYA is committed to protecting the privacy of its users and customers. This Privacy Policy (hereinafter "the Policy") describes how AIFORYA collects, uses, protects, retains, and shares your personal data. The approach is minimalist and adheres to the principles of "Privacy by Design".

This Policy complies with the requirements of the General Data Protection Regulation (GDPR, EU Regulation 2016/679), the UK General Data Protection Regulation (UK GDPR), the California Consumer Privacy Act (CCPA), and the Lei Geral de Proteção de Dados (LGPD) in Brazil.

2. Data Controller and DPO

  • Data Controller: AIFORYA (sole proprietorship), 1 rue de Stockholm, 75008 Paris, France. SIREN 498 592 104.
  • DPO: A Data Protection Officer has been appointed. Contact: dpo@aiforya.fr.

3. Personal data collected — a minimalist approach

AIFORYA only collects data that is strictly necessary for the purposes defined below.

| Purpose | Data categories | Legal basis | Retention period | | :--- | :--- | :--- | :--- | | Account and subscription management | Email, name, hashed password, subscription type, transaction history | Contract performance | Duration of the subscription + 3 years | | Billing and accounting | Postal address, country, intra-community VAT number (if applicable) | Legal obligation | 10 years | | Customer support | Content of exchanges, customer ID, issue history | Contract performance / Legitimate interest | 5 years after the last interaction | | Security and maintenance | Connection logs (IP, User-Agent, date, key actions) | Legitimate interest | 12 months | | Audience measurement (anonymized) | Anonymized browsing data | Consent | 13 months | | Newsletter | Email address | Consent | Until unsubscription |

4. What is NEVER collected (Privacy by Design)

  • Third-party service API keys (BYOK): The API keys that the customer uses for AI providers (Anthropic, OpenAI, Google, etc.) are stored encrypted on their WordPress installation and never pass through AIFORYA's servers. AIFORYA has no access to them.
  • Content generated via the extensions: The prompts sent to the AI models and the responses are exchanged directly between the customer's server and the AI provider. AIFORYA never intercepts, reads, stores, or analyzes this content.
  • Full payment data: Credit card information is processed directly by Stripe. AIFORYA never stores card numbers or CVVs.
  • CMS site content: AIFORYA never accesses, reads, or stores the editorial content (articles, pages, user data) of customer sites.

5. Recipients and international transfers

Data is shared only with essential data processors:

| Data Processor | Country | Role | Transfer guarantee | | :--- | :--- | :--- | :--- | | Stripe Inc. | USA / Ireland | Payments and subscription management | EU-US Data Privacy Framework (DPF) / SCCs | | Vercel Inc. | USA | Frontend hosting, audience measurement after consent | EU-US DPF / SCCs | | Railway Corp | USA | Backend hosting | Standard Contractual Clauses (SCCs) | | Supabase Inc. | USA | Database | EU-US DPF / SCCs | | Axeptio (Sirdata) | France (EU) | Consent Management Platform (CMP) | GDPR — no transfer outside the EU | | Resend, Inc. | USA | Sending of transactional emails (contact confirmation, newsletter) | EU-US DPF / SCCs |

AIFORYA ensures that any transfer outside the European Economic Area is carried out in accordance with legal requirements (European Commission's SCCs or the EU-US DPF framework).

6. Data security

  • Encryption: TLS for all communications, encryption of sensitive data at rest.
  • Access controls: Principle of least privilege policy.
  • Hashing: Passwords are hashed with robust, non-reversible algorithms.
  • Audits: Regular penetration tests and security audits.
  • Backups: Backup and restoration procedures.

7. GDPR / UK GDPR Rights

  • Right of access (Art. 15): obtain a copy of the data held.
  • Right to rectification (Art. 16): correct inaccurate data.
  • Right to erasure (Art. 17): delete data.
  • Right to restriction of processing (Art. 18).
  • Right to data portability (Art. 20).
  • Right to object (Art. 21).

To exercise these rights: dpo@aiforya.fr. A response will be provided within 1 month (extendable by 2 months in case of complexity). Proof of identity may be requested.

You have the right to lodge a complaint with the CNIL: www.cnil.fr.

8. Specific rights (CCPA, LGPD)

  • California (CCPA): Rights of access, deletion, and non-discrimination. AIFORYA does not sell personal data and respects "Do Not Track" signals.
  • Brazil (LGPD): Rights similar to the GDPR.

Contact: dpo@aiforya.fr.

9. Clauses specific to generative AI and the BYOK model

AIFORYA operates on a Bring Your Own Key (BYOK) model. Calls to generative AI services are made directly by the extension from the customer's server to the AI provider, using the customer's API key.

  • Data flow: AI prompts and responses never pass through AIFORYA's servers.
  • Responsibility: The customer is solely responsible for the data they submit to AI providers and for the generated content. The customer must ensure that their usage complies with the providers' policies and applicable laws.

10. Google Sign-In — Use of Google User Data

AIFORYA optionally allows users to sign in to its web application via Google Sign-In (OAuth 2.0 / OpenID Connect). This section comprehensively describes, in line with the Google API Services User Data Policy (including its Limited Use requirements), how AIFORYA accesses, uses, stores and shares Google user data.

10.1. Scopes requested

AIFORYA requests only the three standard non-sensitive OpenID Connect scopes:

  • openid — Google's stable user identifier (the sub claim)
  • email — the primary email address of the Google account
  • profile — full name, given name, family name, locale and profile picture URL

No sensitive or restricted scope is requested. AIFORYA does not access Gmail, Drive, Calendar, Contacts, YouTube, Photos, or any other Google product API containing user data.

10.2. Data effectively collected

When a user signs in, AIFORYA collects from Google strictly:

  • the Google subject identifier (sub),
  • the verified email address,
  • the display name and, when available, the public profile picture URL.

10.3. Purpose of use (Data Usage)

This data is used solely to:

  • Authenticate the user into the AIFORYA web application (identity verification at login);
  • Create or look up the AIFORYA account corresponding to that user;
  • Display their name and email address inside their dashboard and "My Account" page.

Google user data is never used for advertising purposes, profiling beyond authentication, contact-list scraping, credit assessment, or to train any generalized AI/ML model. It is not shared with marketing partners.

10.4. Retention and storage

Google user data is stored in a managed PostgreSQL database operated by Supabase (EU region — Frankfurt, eu-central-1), with encryption at rest and Row-Level Security. Retention runs for the lifetime of the user account. The user can at any time delete their account and all associated data via https://www.aiforya.fr/en/mon-compte; deletion is effective within 30 days.

10.5. Sharing and sub-processors

Google user data is never sold, rented, transferred or shared with third parties for advertising or any purpose unrelated to the use case described above. The only sub-processor with potential incidental access is our managed-database hosting provider (Supabase, EU), under a GDPR-compliant Data Processing Agreement.

10.6. Limited Use compliance

AIFORYA's use and transfer to any other app of information received from Google APIs strictly adheres to the Google API Services User Data Policy, including its Limited Use requirements.

10.7. User control

Users can, at any time:

  • Revoke the access granted to AIFORYA via their Google account permissions page: https://myaccount.google.com/permissions;
  • Delete all data stored by AIFORYA via the in-app "My Account" page;
  • Exercise GDPR rights (access, rectification, erasure, portability, objection) by contacting dpo@aiforya.fr (see section 7).

11. Cookies and trackers

The aiforya.fr website uses cookies and similar technologies (notably localStorage) for its proper functioning, audience measurement, and user experience improvement.

11.1. Consent Management Platform (CMP)

Consent management is handled by Axeptio, a certified French CMP. The banner is displayed on the first visit to the site and allows the user to accept, reject, or customize their choices by category. The "Reject all" button is as visible and accessible as the "Accept all" button (CNIL compliance). Choices are stored for 6 months and can be changed at any time via the "Manage my trackers" link in the footer.

Google Consent Mode v2 is implemented in "Basic" mode: all consent signals (analytics_storage, ad_storage, ad_user_data, ad_personalization, functionality_storage, personalization_storage) are set to denied by default, until the user expresses their choice.

11.2. Necessary trackers (strictly essential)

Exempt from consent (Article 82 of the 'Loi Informatique et Libertés' (French Data Protection Act)) as they are essential for the site to function: user session, language preferences, recording the consent choice itself, remembering the theme (light/dark), self-hosted web fonts (no IP address transfer to third-party CDNs).

11.3. Audience measurement (analytics)

Subject to explicit consent: Vercel Analytics (anonymized traffic measurement, without personal identifiers, maximum duration of 13 months). These trackers are only activated after explicit acceptance of the "Audience measurement" category in the Axeptio banner.

11.4. Marketing and advertising

No advertising or remarketing trackers are currently used on aiforya.fr. This category is reserved for possible future campaigns (Google Ads, LinkedIn Ads), which would also be subject to consent before any tracker is placed.

12. Policy changes

AIFORYA reserves the right to modify this Policy at any time. Any changes will be published on this page with a new update date. In the event of a substantial change, information will be sent by email or via a visible notification on the site.


### Document 2 : Politique de gestion des cookies et traceurs (cookies.mdx)
Politique de confidentialité | AIFORYA