Privacy Policy — Orchesia SP (sole proprietorship)

Effective as of October 6, 2025. This English version is provided for convenience only. In case of discrepancy, the French version shall prevail.

Publisher: Sole proprietorship Pierre ABOUCAYA (trade name: Orchesia)

SIREN: 942 838 244 — SIRET (head office): 942 838 244 00013

Head office: 8 rue du Pont de l’Abbaye, 59520 Marquette-lez-Lille (France)

Contact: contact@orchesia.com

Covered services: https://www.orchesia.com (website) and https://app.orchesia.com/app (application)

SECTION 1 — GENERAL PROVISIONS

Article 1.1 — Preamble

We may update this policy at any time. Changes are published here and, if necessary, notified by email or in-app depending on their importance.

Article 1.2 — Purpose and scope

This privacy policy sets out our commitment to protecting your privacy when using https://www.orchesia.com (website) and https://app.orchesia.com/app (application), operated by SP Pierre ABOUCAYA (Orchesia).

In operating the website https://www.orchesia.com and the application https://app.orchesia.com/app, we collect and process your personal data in compliance with the GDPR (EU) 2016/679 of 27 April 2016.

This policy explains what data we process, why, on which legal bases, for how long, with whom we share it, and your rights. It applies to the website, the application, support and billing. It complements our Terms of Use/Sale.

We process your data in accordance with the GDPR; applicable legal bases are detailed in Section 3.

Article 1.3 — Controller

Controller: SP Pierre ABOUCAYA (Orchesia) — registered with the RNE SIREN: 942 838 244 — SIRET (head office): 942 838 244 00013 Head office: 8 rue du Pont de l’Abbaye, 59520 Marquette-lez-Lille (France) Privacy contact: contact@orchesia.com

Article 1.4 — Data Protection Officer (DPO)

Orchesia has not appointed a DPO under Article 37 GDPR. For any privacy question or to exercise your rights, write to contact@orchesia.com.

SECTION 2 — DATA PROCESSED AND COLLECTION METHODS

Article 2.1 — Categories of data

Account & identity: name, surname, email, password (hashed/salted, never in clear text).
Subscription & billing: billing address, country, company, VAT number, order history, amounts excl./VAT/incl., payment status (via Stripe).
Customer Content in the app: projects, tasks, attachments, comments (encrypted at rest; see Section 7).
Technical data: logs, device identifiers, IP addresses, usage events (security, performance, non-profiling internal statistics).
Support & customer relations: emails, tickets, responses to optional surveys.
Cookies/trackers: see Section 5.

We do not collect special categories of data (“sensitive data”) within the meaning of the GDPR.

Article 2.2 — When and from which sources

Directly from you: site forms (contact/booking), sign-up, and use of the application (projects, tasks, attachments, comments).
Automatically: when using the site/app (cookies/trackers and technical data).
From providers: e.g., payment status via Stripe.

Required fields are indicated; without them we may be unable to create the account, provide the service, or invoice.

SECTION 3 — PURPOSES, LEGAL BASES & AUTOMATED DECISIONS

Article 3.1 — Purposes and legal bases

Contract performance (Art. 6(1)(b)): account creation/management, app delivery, seat management, billing, support.
Legitimate interests (Art. 6(1)(f)): security, fraud prevention/detection and ToS/T&Cs breach prevention, service improvement, non-profiling internal statistics, proof of contract, defense of rights.
Legal obligation (Art. 6(1)(c)): retention of accounting documents/invoices, responses to competent authorities.
Consent (Art. 6(1)(a)): optional marketing communications and non-essential cookies (withdrawable at any time).

Article 3.2 — Automated decisions

No automated decision produces legal effects concerning you.

Article 3.3 — Consent

We seek your consent only for processing activities that require it (e.g., marketing, non-essential cookies).

Marketing opt-in at sign-up or from your preferences.
Acceptance of non-essential cookies via the cookie banner (“Accept all” or custom choices).
Occasional explicit consent for targeted technical access to your Customer Content for support (see Article 7.6).

Processing necessary for account creation/management, service delivery, first-level support and billing relies on contract performance (Art. 6(1)(b)) or legitimate interests (Art. 6(1)(f)).

SECTION 4 — RETENTION PERIODS

Article 4.1 — Main periods

Account: for the duration of use, then 30 days after termination (reversibility), then deletion.
Billing: 10 years (French legal obligation).
Security technical logs: up to 12 months.
Support: 3 years after ticket closure.
Marketing (consent): until consent is withdrawn or 3 years after last contact.
Administrator access logs (see Article 7.7): 12 months.
Attachments / backups: follow the app rules (see T&Cs, Art. 4.5). For cookies/trackers, see Section 5.

SECTION 5 — COOKIES & TRACKERS

Article 5.1 — Principles

Necessary cookies: authentication, security, anti-fraud, preferences. Basis: legitimate interests/necessity for the service.
Audience measurement cookies: only with consent.
No advertising cookies without prior consent.

A banner allows “Accept all”, “Reject all”, “Customize”. You can change your choices anytime via “Cookie settings”. The list and lifetime of cookies are detailed in the Cookie Charter (Annex).

Proof of cookie consent: we keep a record of your choices (consent/refusal) for as long as needed for management and proof.

SECTION 6 — RECIPIENTS, TRANSFERS & GDPR ROLES

Article 6.1 — Recipients and processors

Access is strictly limited to authorized Orchesia personnel and our partners (categories listed below). The detailed list of main providers, their roles and links is in Article 6.4.

Article 6.2 — Transfers outside the EU/EEA

No transfer outside the EU/EEA is made without appropriate safeguards under Article 46 GDPR. Some providers may process data outside the EU/EEA (e.g., United States). We apply appropriate safeguards (SCCs, transfer assessments, encryption, minimization) and transfer only what is necessary.

Article 6.3 — Roles (Controller/Processor)

Controller: Orchesia, for account, billing, customer relations, security and website data.
Independent controllers: Stripe for certain payment data; Google Analytics if you consented.
Processor for your content: for hosted Customer Content (projects, tasks, files), Orchesia acts as processor to the Client (controller). A DPA is available on request and forms part of the contract.

Article 6.4 — Partners (details, roles & links)

Stripe — Independent controller for payment data.
Purpose: payment, 3-D Secure, anti-fraud.
Data: identity/billing, email, country, amount, payment metadata, IP.
Policy: https://stripe.com/privacy
Vercel — Processor (frontend hosting & logs).
Purpose: web app delivery, performance, security.
Data: IP addresses, user-agent, access/error logs.
Policy: https://vercel.com/legal/privacy-policy
Render — Processor (backend/API hosting).
Purpose: API execution, security, monitoring.
Data: IP, requests, technical logs.
Policy: https://render.com/privacy
MongoDB Atlas — Processor (database).
Purpose: application data hosting.
Data: account data, application data (per your models).
Policy: https://www.mongodb.com/legal/privacy/privacy-policy
AWS S3 — Processor (file storage & backups).
Purpose: attachments, encrypted backups at rest.
Data: files/attachments, backups, metadata.
Policy: https://aws.amazon.com/legal/
Google Analytics (GA4) — Independent controller (audience measurement, subject to consent).
Purpose: traffic statistics (if consented).
Data: online identifiers, IP (shortened if configured), navigation events.
Policy: https://policies.google.com/privacy

Article 6.5 — Data sharing with third parties

We do not sell or rent your personal data. We share it only where strictly necessary:

Processors acting on our instructions to operate the service (hosting, database, storage, payment, consented audience measurement, support).
Independent controllers for certain operations (e.g., Stripe; Google Analytics if consented).
Marketing partners only if you have opted in, with the ability to withdraw at any time.
Competent authorities where required by law or to defend our rights. We may also share aggregated or anonymized data that does not identify you.

Article 6.6 — Disclosure to authorities

We may retain or disclose data to comply with a legal obligation or a valid, necessary and proportionate request from an administrative or judicial authority. Legal basis: legal obligation (Art. 6(1)(c) GDPR) or legitimate interests (defense in legal proceedings, Art. 6(1)(f)).

SECTION 7 — SECURITY, ENCRYPTION & ADMIN ACCESS

Article 7.1 — Passwords

We never receive your passwords in clear text. They are hashed and salted. If forgotten, a reset via temporary token is offered; the existing password cannot be recovered.

Article 7.2 — Encryption

Data is encrypted in transit (HTTPS/TLS) and at rest (database, attachments, backups). The service is not end-to-end encrypted (E2EE): keys are managed by our servers to operate the app (processing, search, backups).

Exceptional access to data may occur in the cases provided in Articles 7.3 to 7.6 (support with consent, legal requisitions, anti-fraud), under authorization, with minimization and access logging (Article 7.7).

Article 7.3 — Exceptional admin access & minimization

Exceptionally and duly justified, we may access certain data (including Customer Content) via an admin panel in order to:

resolve an incident or provide support (see Article 7.6);
respond to a legal request (see Article 7.5);
prevent, detect or investigate fraud or breaches of the ToS/T&Cs (see Article 7.4).

All access is permissioned, minimized and logged (who, when, why, consulted scope).

Article 7.4 — Anti-fraud & ToS/T&Cs compliance

We may analyze usage indicators (e.g., number of projects, tasks, storage volumes, technical signals) and, in case of serious suspicion, perform targeted checks including the bare minimum of Customer Content. Legal basis: legitimate interests. Right to object for legitimate reasons, unless compelling grounds.

Article 7.5 — Requests from authorities

We may retain or disclose certain data in order to comply with a legal obligation or to respond to a request from a competent authority (such as the police or judicial authorities). We only respond to valid, necessary, and proportionate requests, after appropriate verification.

Article 7.6 — Support & technical assistance (prior consent)

If needed, we may request your explicit consent for temporary and limited access to your data for diagnostics/resolution. Without consent, we restrict ourselves to technical logs and metadata. Granted access is temporary, tracked and limited.

Article 7.7 — Logging of sensitive access

All sensitive access (notably admin access to Customer Content) is logged (who, when, why, scope) and retained for 12 months.

Article 7.8 — Technical & organizational measures

We implement appropriate and proportionate technical and organizational measures to ensure the confidentiality, integrity, availability, and resilience of personal data, in accordance with the GDPR. These measures are reviewed periodically and adjusted in line with evolving risks, technological developments, and implementation costs.

Measures may include appropriate encryption in transit and at rest, access controls and strong authentication, sensitive access traceability, backups and restoration tests, security monitoring and vulnerability management, and contractual safeguards with our providers (including for transfers outside the EU).

Article 7.9 — Personal data breach notification

In case of a personal data breach, we follow our incident response procedure and will notify the competent supervisory authority without undue delay and, where feasible, within 72 hours after becoming aware of it, in accordance with Article 33 GDPR.

When a data breach is likely to result in a high risk to the rights and freedoms of individuals, we will inform the affected persons without undue delay, in clear and plain language, about the recommended protective measures and the contact details for further information, in accordance with Article 34 of the GDPR. Where the law allows (for example, when data has been rendered unintelligible through strong encryption), such individual notification may not be required.

SECTION 8 — PROSPECTING & COMMUNICATIONS

Article 8.1 — Service and marketing emails

Service emails (security, billing, technical notifications): necessary for contract performance.
Information/marketing emails: based on consent (unsubscribe at any time). In B2B, sending may rely on legitimate interests for similar products/services (systematic opt-out).

SECTION 9 — DATA SUBJECT RIGHTS

Article 9.1 — Exercising your rights

As a user, you are granted several rights under the GDPR and the French Data Protection Act, including:

Right to information: clear, accessible and understandable information.
Right of access: view the data we hold about you.
Right to rectification: correct inaccurate or incomplete data.
Right to erasure: request deletion, unless we have legal or legitimate grounds to retain.
Right to object: refuse processing based on legitimate interests or for direct marketing.
Right to restriction: temporarily limit processing in certain situations.
Right to portability: receive your data in a structured, machine-readable format.
Right to withdraw consent: at any time for consent-based processing.
Post-mortem right: instructions on data handling after death.
Right to lodge a complaint (CNIL): 3 Place de Fontenoy TSA 80715 75334 PARIS CEDEX 07, or online: https://www.cnil.fr/en/plaintes.

Article 9.2 — How we respond

We will respond without undue delay and at the latest within one (1) month of receiving your request. This period may be extended by two (2) months due to complexity or number of requests; in that case, you will be informed within one month of the reasons for the extension.

We may request additional information to verify your identity where necessary and only in case of doubt. When a request is made electronically, we will respond by electronic means where possible, unless you request otherwise.

Where a request is manifestly unfounded or excessive (notably repetitive), we may refuse to act on it or charge a reasonable fee based on administrative costs (with justification).

SECTION 10 — CHANGES & CONTACTS

Article 10.1 — Changes

The version date at the top is updated; for significant changes, a dedicated notice is sent (email/in-app).

Article 10.2 — Contacts

Any privacy questions or rights requests: contact@orchesia.com.

ANNEX — Cookie Charter — Orchesia

1) What we use

Necessary (consent-exempt): an internal cookie to store your choices.
Subject to consent: GA4 (audience measurement), YouTube (video player).

2) Manage your choices

On first visit, a panel offers Accept all / Reject all / Manage preferences. You can modify your choices at any time via “Cookie settings”.

3) List of cookies & trackers

A. Necessary (no consent)

Name	Provider	Purpose	Duration	Domain	Secure	HttpOnly	SameSite	Legal basis
orchesia_cookie_consent	Orchesia (1P)	Store your choices (analytics, YouTube) + timestamp	6–12 months (currently 180 days)	.orchesia.com	Yes	No	Lax	Necessary (consent management)

Example value: v=1|nec=1|ana=1|ytb=0|ts=2025-10-09T09:12:00Z.

B. Audience measurement (with consent)

Tool	Provider	Purpose	Data processed	Legal basis
Google Analytics 4 (GA4)	Google	Aggregated traffic statistics (pages, events)	Online identifiers, browser/IP info (IP anonymized), events	Consent (opt-in)

Conditional loading: GA4 only if “Analytics” accepted.

Settings: IP anonymized, no ad retargeting via GA4.

C. Video player (with consent)

Tool	Provider	Purpose	Data processed	Legal basis	When set
YouTube (iframe)	Google/YouTube	Embedded video playback	Online identifiers, browser info	Consent (category “YouTube”)	On load or interaction; youtube-nocookie.com when possible

D. Local storage (non-cookie)

Type	Example	Purpose	Legal basis
localStorage / sessionStorage	Non-sensitive UI preferences	Ease of use / navigation	Legitimate interests / necessary for the service

4) Your choices, anytime

Reject all: only necessary cookies remain active.
Withdraw consent: via “Cookie settings” for Analytics and/or YouTube; applied immediately.
Proof: record of your choices kept as needed.

5) Legal framework (summary)

Necessary cookies: legitimate interests / necessity for the service.
Audience & YouTube cookies: only with consent (opt-in), withdrawable at any time.

6) Updates

This charter may be updated. Significant changes will be specifically notified.

7) Contact

Questions / rights: contact@orchesia.com