Privacy Policy - Orchesia EI
Version 1.0.1 effective as of 6 October 2025
Legal Notice
Publisher: Sole proprietorship Pierre ABOUCAYA (trade name: Orchesia)
SIREN: 942 838 244 - SIRET (head office): 942 838 244 00013
Head office: 8 rue du Pont de l'Abbaye, 59520 Marquette-lez-Lille (France)
Contact: contact@orchesia.com
Covered services: https://www.orchesia.com (website) and https://app.orchesia.com/app (application)
SECTION 1 - GENERAL PROVISIONS
Article 1.1 - Preamble
We may update this policy at any time. Changes are published here and, where appropriate, communicated by email or via the application based on their significance.
Article 1.2 - Purpose and scope
This privacy policy confirms our commitment to protecting your privacy when using the websites https://www.orchesia.com (website) and https://app.orchesia.com/app (application), operated by EI Pierre ABOUCAYA (Orchesia).
In connection with operating the websites https://www.orchesia.com (website) and https://app.orchesia.com/app (application), we collect and process your personal data in compliance with GDPR 2016/679 of 27 April 2016.
This policy explains which data we process, why, on which legal bases, for how long, with whom we share it, and your rights. It applies to the website, the application, support, and billing. It supplements the Terms of Use / Terms and Conditions.
We process your data in accordance with the GDPR; the applicable legal bases are detailed in Section 3.
Article 1.3 - Data controller
Controller: EI Pierre ABOUCAYA (Orchesia) - sole trader registered with the RNE SIREN: 942 838 244 - SIRET (head office): 942 838 244 00013 Head office: 8 rue du Pont de l'Abbaye, 59520 Marquette-lez-Lille (France) Privacy contact: contact@orchesia.com
Article 1.4 - Data Protection Officer (DPO)
Orchesia has not appointed a DPO at this time. For any data protection question or to exercise your rights, please write to contact@orchesia.com. Orchesia is not required to appoint a DPO under Article 37 GDPR.
SECTION 2 - DATA PROCESSED AND COLLECTION METHODS
Article 2.1 - Data categories
- Account & identity: last name, first name, phone number, email, password (hashed/salted, never plaintext).
- Subscription & billing: billing address, country, company, VAT number, order history, amounts excl. VAT/VAT incl. VAT, payment status (via Stripe).
- Client Content in the app: projects, tasks, attachments, comments (encrypted at rest; see Section 7).
- Technical data: logs, device identifiers, IP addresses, usage events (security, performance, non-profiling internal analytics).
- Support & customer relationship: emails, tickets, responses to optional surveys.
- Cookies/trackers: see Section 5.
We do not collect special categories of data ("sensitive" data) within the meaning of the GDPR.
Article 2.2 - Collection moments and sources
- Directly from you: website forms (contact/book a call), sign-up, and use of the application (creating projects, tasks, attachments, comments).
- Automatically: when using the website/application (cookies/trackers and technical data).
- From service providers: e.g. payment statuses via Stripe.
Mandatory fields are identified; if not provided, account creation, service provision, or billing may be prevented.
SECTION 3 - PURPOSES, LEGAL BASES & AUTOMATED DECISIONS
Article 3.1 - Purposes and legal bases
- Performance of a contract (Art. 6(1)(b) GDPR): account creation/management, provision of the application, seat management, billing, support.
- Legitimate interest (Art. 6(1)(f) GDPR): security, prevention/detection of fraud and breaches of the Terms of Use/Terms and Conditions, service improvement, non-profiling internal analytics, proof of contract, legal defense.
- Legal obligation (Art. 6(1)(c) GDPR): retention of accounting records/invoices, response to requests from competent authorities.
- Consent (Art. 6(1)(a) GDPR): optional marketing communications and non-essential cookies (withdrawable at any time).
Article 3.2 - Automated decisions
No automated decision-making produces legal effects concerning you.
Article 3.3 - Consent
We request your consent only for processing activities that require it (e.g., marketing, non-essential cookies). This consent is freely given, specific, informed, and unambiguous, and may be withdrawn at any time.
- Marketing opt-in (checkbox) at sign-up or from your preferences.
- Acceptance of non-essential cookies via the banner ("Accept all" or custom choice).
- Specific explicit agreement for targeted technical access to your Client Content for support purposes (see Article 7.6).
Processing necessary for account creation/management, service provision, first-level support, and billing relies on contract performance (Art. 6(1)(b)) or legitimate interest (Art. 6(1)(f)), without requiring global consent.
SECTION 4 - RETENTION PERIODS
Article 4.1 - Main periods
- Account: during use, then 30 days after end of contract (reversibility), then deletion.
- Billing: 10 years (French legal obligation).
- Technical security logs: up to 12 months.
- Support: 3 years after ticket closure.
- Marketing (consent): until consent withdrawal or 3 years after last contact.
- Administrator access logs (see Article 7.7): 12 months.
- Attachments / backups: according to application rules (see Terms and Conditions, Art. 4.5). For cookies/trackers, see Section 5.
SECTION 5 - COOKIES & TRACKERS
Article 5.1 - Principles
- Necessary cookies: authentication, security, anti-fraud, preferences. Basis: legitimate interest/service necessity.
- Audience measurement cookies: only with consent.
- No advertising cookie without prior consent.
A banner allows "Accept all," "Reject all," and "Customize." Your choices can be changed at any time via Cookie Settings. The list and lifespan of cookies are detailed in the Cookie Charter (Annex).
Proof of cookie consent: we retain records of your choices (consent/refusal) for the time needed to evidence and manage them.
SECTION 6 - RECIPIENTS, TRANSFERS & GDPR ROLES
Article 6.1 - Recipients and service providers
Access is strictly limited to authorised Orchesia personnel and our partners (categories listed below). The detailed list of main providers, their roles, and links is set out in Article 6.4.
Article 6.2 - Transfers outside the EU/EEA
No transfer outside the EU/EEA is carried out without appropriate safeguards under Article 46 GDPR. Some providers may process data outside the EU/EEA (e.g., United States). We apply appropriate safeguards (SCCs, transfer assessments, encryption, minimisation) and transfer only what is necessary.
Article 6.3 - Allocation of roles (Controller/Processor)
- Data controller: Orchesia, for account data, billing, customer relationship, security, and website.
- Independent controllers: Stripe for certain payment data; Google Analytics if you have consented.
- Processor for your content: for hosted Client Content (projects, tasks, files), Orchesia acts as processor vis-a-vis the Client (controller). A DPA (Data Processing Agreement) is available on request and forms an integral part of the contract.
Article 6.4 - Partners (details, roles & links)
- Stripe - Independent controller for payment data.
Purpose: payment, 3-D Secure, anti-fraud.
Data: identity/billing data, email, country, amount, payment metadata, IP.
Policy: https://stripe.com/fr/privacy - Vercel - Processor (frontend hosting and logs).
Purpose: web app delivery, performance, security.
Data: IP addresses, user-agent, access logs, errors.
Policy: https://vercel.com/legal/privacy-policy - Render - Processor (backend/API hosting).
Purpose: API execution, security, monitoring.
Data: IP, requests, technical logs. Policy: https://render.com/privacy - MongoDB Atlas - Processor (database).
Purpose: hosting application data.
Data: account data, application data (depending on your models).
Policy: https://www.mongodb.com/legal/privacy/privacy-policy - AWS S3 - Processor (file storage and backups).
Purpose: attachments, encrypted backups at rest.
Data: files/attachments, backups, metadata.
Policy: https://aws.amazon.com/fr/legal/ - Google Analytics (GA4) - Independent controller for audience measurement (subject to consent).
Purpose: traffic statistics (if consent is given).
Data: online identifiers, IP (shortened when configured), navigation events.
Policy: https://policies.google.com/privacy
Article 6.5 - Data sharing with third parties
We do not sell or rent your personal data. We share it only where strictly necessary:
- Processors acting on our instructions to operate the service (hosting, database, storage, payment, audience measurement subject to consent, support).
- Independent controllers for certain operations (e.g., Stripe; Google Analytics if you have consented).
- Marketing partners only if you have consented (opt-in), with withdrawal possible at any time.
- Competent authorities where required by law or for the defense of our rights. We may also share aggregated or anonymised non-identifying data.
Article 6.6 - Disclosure to authorities
We may retain or disclose data to comply with a legal obligation or with a valid, necessary, and proportionate request from an administrative or judicial authority (police/courts). Legal basis: legal obligation (Art. 6(1)(c) GDPR) or legitimate interest (legal defense, Art. 6(1)(f)).
SECTION 7 - SECURITY, ENCRYPTION & ADMINISTRATIVE ACCESS
Article 7.1 - Passwords
We never receive your passwords in plaintext. They are hashed and salted. If you forget your password, reset via temporary token is available; an existing password cannot be retrieved.
Article 7.2 - Encryption
Data is encrypted in transit (HTTPS/TLS) and encrypted at rest (database, attachments, backups). The service does not use end-to-end encryption (E2EE): keys are managed by our servers to ensure operation of the application (processing, searches, backups).
Exceptional access to data may occur in the cases set out in Articles 7.3 to 7.6 (support with consent, legal requests, anti-fraud), subject to authorisation, with minimisation, and access logging (Article 7.7).
Article 7.3 - Exceptional administrative access & minimisation
We may, exceptionally and with proper justification, access certain data (including Client Content) via an administration panel in order to:
- resolve an incident or provide support (see Article 7.6);
- respond to a legal request (see Article 7.5);
- prevent, detect, or investigate fraud or breaches of the Terms of Use/Terms and Conditions (see Article 7.4).
Any access is subject to authorisations, follows data minimisation, and is logged (who, when, why, scope consulted).
Article 7.4 - Fraud prevention & compliance with Terms of Use/Terms and Conditions
We may analyse usage indicators (e.g., number of projects, number of tasks, storage volumes, technical signals) and, where serious suspicion exists, perform targeted checks, including the strict minimum of Client Content required. Legal basis: legitimate interest. Right to object is possible on legitimate grounds, unless overriding grounds apply.
Article 7.5 - Requests from authorities
We may be required to retain or disclose certain data to comply with a legal obligation or a request from a competent authority (police/courts). We respond only to valid, necessary, and proportionate requests, after appropriate verification.
Article 7.6 - Support & technical assistance (prior agreement)
If technically needed, we may ask for your explicit agreement to temporarily access your data for diagnosis/resolution. Without this agreement, we limit ourselves to technical logs and metadata. Granted access is temporary, traceable, and limited to what is necessary.
Article 7.7 - Logging of sensitive access
Any sensitive access (including administrative access to Client Content) is logged (who, when, why, scope consulted) and retained for 12 months.
Article 7.8 - Technical and organisational measures
We implement technical and organisational measures appropriate and proportionate to the risk in order to ensure confidentiality, integrity, availability, and resilience of personal data, in line with the GDPR. These measures are reviewed periodically and adapted to changes in risk, the state of the art, and implementation costs.
Depending on the case, these measures may include appropriate encryption of data in transit and at rest, access controls and enhanced authentication, traceability of sensitive access, backups and restoration testing, security monitoring and vulnerability management, and contractual safeguards with our providers (including transfers outside the EU).
Article 7.9 - Data breach notification
In the event of a personal data breach, we apply our internal incident management procedure and will notify the competent supervisory authority (CNIL) without undue delay and, where feasible, no later than seventy-two (72) hours after becoming aware of it, in accordance with Article 33 GDPR.
Where the breach is likely to result in a high risk to the rights and freedoms of data subjects, we will inform them without undue delay, in clear and plain language, of recommended protective measures and contact details for further information, in accordance with Article 34 GDPR. Where legal conditions allow (for example, data rendered unintelligible by robust encryption), individual notification may not be required.
SECTION 8 - PROSPECTING & COMMUNICATIONS
Article 8.1 - Service and marketing emails
- Service emails (security, billing, technical notifications): necessary for contract performance.
- Information/marketing emails: based on consent (unsubscribe at any time). In B2B, sending may rely on legitimate interest for similar products/services (systematic opt-out).
SECTION 9 - DATA SUBJECT RIGHTS
Article 9.1 - Exercising rights
As a user, you benefit from several rights guaranteed by the GDPR and French Data Protection Act, including:
- Right to information: clear, accessible, and understandable information.
- Right of access: consult data held about you.
- Right to rectification: correct inaccurate or incomplete data.
- Right to erasure: deletion of data, except where legal/legitimate retention grounds apply.
- Right to object: object to processing based on legitimate interest or for direct marketing.
- Right to restriction: temporary restriction of processing in certain situations.
- Right to portability: receive your data in a structured, readable format.
- Right to withdraw consent: withdraw at any time for consent-based processing.
- Post-mortem right: instructions regarding data after death.
- Right to lodge a complaint (CNIL): 3 Place de Fontenoy TSA 80715 75334 PARIS CEDEX 07, or online: https://www.cnil.fr/fr/plaintes.
Article 9.2 - Practical arrangements
We will respond without undue delay and no later than one (1) month from receipt of your request. This period may be extended by two (2) months depending on complexity and number of requests; in that case, you will be informed within one month of the reasons for the extension.
Where a request is manifestly unfounded or excessive (in particular due to its repetitive nature), we may refuse to act on it or charge a reasonable fee based on administrative costs; the burden of proof lies with us. We may request additional information to verify your identity where necessary and only in case of doubt as to the requestor's identity. Where the request is made electronically, information is provided electronically whenever possible, unless otherwise requested.
SECTION 10 - CHANGES & CONTACTS
Article 10.1 - Changes
The version date at the top is updated; in case of significant changes, dedicated information is sent (email/in-app).
Article 10.2 - Contacts
Any question relating to privacy or the exercise of your rights: contact@orchesia.com.
ANNEX - Cookie Charter - Orchesia
1) What we use
- Necessary (consent-exempt): an internal cookie to remember your choices.
- Subject to consent: GA4 (audience measurement), YouTube (video player).
2) Manage your choices
On your first visit, a panel offers Accept all / Reject all / Manage my preferences. You can change your choices at any time via Cookie Settings.
3) List of cookies & trackers
A. Necessary (without consent)
| Name | Provider | Purpose | Duration | Domain | Secure | HttpOnly | SameSite | Legal basis |
|---|---|---|---|---|---|---|---|---|
| orchesia_cookie_consent | Orchesia (1P) | Remember your choices (analytics, YouTube) + timestamp | 6-12 months (currently 180 days) | .orchesia.com | Yes | No | Lax | Necessary (consent management) |
Value (example): v=1|nec=1|ana=1|ytb=0|ts=2025-10-09T09:12:00Z.
B. Audience measurement (with consent)
| Tool | Provider | Purpose | Data processed | Legal basis |
|---|---|---|---|---|
| Google Analytics 4 (GA4) | Aggregated statistics (pages, events) | Identifiers, browser/IP information (anonymised IP), events | Consent (opt-in) |
Conditional loading: GA4 is loaded only if "Analytics" is accepted.
Settings: anonymised IP, no advertising retargeting via GA4.
C. Video player (with consent)
| Tool | Provider | Purpose | Data processed | Legal basis | Placement timing |
|---|---|---|---|---|---|
| YouTube (iframe) | Google/YouTube | Playback of embedded videos | Online identifiers, browser information | Consent ("YouTube" category) | On load or interaction; youtube-nocookie.com when possible |
D. Local storage (outside cookies)
| Type | Example | Purpose | Legal basis |
|---|---|---|---|
| localStorage / sessionStorage | Non-sensitive UI preferences | User convenience / easier navigation | Legitimate interest / service necessity |
4) Your choices, anytime
- Reject all: only necessary cookies remain active.
- Withdraw your consent: via Cookie Settings for Analytics and/or YouTube; immediate application.
- Proof: records of your choices are retained for the necessary period.
5) Legal framework (summary)
- Necessary cookies: legitimate interest / service necessity.
- Audience cookies & YouTube: only with consent (opt-in), withdrawable at any time.
6) Updates
This charter may be updated. Significant changes will be subject to dedicated notice.
7) Contact
Questions / rights: contact@orchesia.com
For full details, see the Privacy Policy.