Privacy Policy - Orchesia EI

Version 1.0.1 effective as of 6 October 2025

Legal Notice

Publisher: Sole proprietorship Pierre ABOUCAYA (trade name: Orchesia)

SIREN: 942 838 244 - SIRET (head office): 942 838 244 00013

Head office: 8 rue du Pont de l'Abbaye, 59520 Marquette-lez-Lille (France)

Contact: contact@orchesia.com

Covered services: https://www.orchesia.com (website) and https://app.orchesia.com/app (application)

SECTION 1 - GENERAL PROVISIONS

Article 1.1 - Preamble

We may update this policy at any time. Changes are published here and, where appropriate, communicated by email or via the application based on their significance.

Article 1.2 - Purpose and scope

This privacy policy confirms our commitment to protecting your privacy when using the websites https://www.orchesia.com (website) and https://app.orchesia.com/app (application), operated by EI Pierre ABOUCAYA (Orchesia).

In connection with operating the website https://www.orchesia.com and the application https://app.orchesia.com/app, we collect and process your personal data in compliance with Regulation (EU) 2016/679 of 27 April 2016 (GDPR).

This policy explains which data we process, why, on which legal bases, for how long, with whom we share it, and your rights. It applies to the website, the application, support, and billing. It supplements the Terms of Use / Terms and Conditions.

We process your data in accordance with the GDPR; the applicable legal bases are detailed in Section 3.

Article 1.3 - Data controller

Controller: EI Pierre ABOUCAYA (Orchesia), sole trader registered with the RNE

SIREN: 942 838 244 - SIRET (head office): 942 838 244 00013

Head office: 8 rue du Pont de l'Abbaye, 59520 Marquette-lez-Lille (France)

Privacy contact: contact@orchesia.com

Article 1.4 - Data Protection Officer (DPO)

Orchesia has not appointed a DPO at this time. For any data protection question or to exercise your rights, please write to contact@orchesia.com. Orchesia is not required to appoint a DPO under Article 37 GDPR.

SECTION 2 - DATA PROCESSED AND COLLECTION METHODS

Article 2.1 - Data categories

We do not collect special categories of data ("sensitive" data) within the meaning of the GDPR.

Article 2.2 - Collection moments and sources

Mandatory fields are identified; if not provided, account creation, service provision, or billing may be prevented.

SECTION 3 - PURPOSES, LEGAL BASES & AUTOMATED DECISIONS

Article 3.1 - Purposes and legal bases

Article 3.2 - Automated decisions

No automated decision-making produces legal effects concerning you.

Article 3.3 - Consent

We request your consent only for processing activities that require it (e.g., marketing, non-essential cookies). This consent is freely given, specific, informed, and unambiguous, and may be withdrawn at any time.

Processing necessary for account creation/management, service provision, first-level support, and billing relies on contract performance (Art. 6(1)(b)) or legitimate interest (Art. 6(1)(f)) and does not require your consent.

SECTION 4 - RETENTION PERIODS

Article 4.1 - Main periods

SECTION 5 - COOKIES & TRACKERS

Article 5.1 - Principles

A banner allows "Accept all," "Reject all," and "Customize." Your choices can be changed at any time via Cookie Settings. The list and lifespan of cookies are detailed in the Cookie Charter (Annex).

Proof of cookie consent: we retain records of your choices (consent/refusal) for the time needed to evidence and manage them.

SECTION 6 - RECIPIENTS, TRANSFERS & GDPR ROLES

Article 6.1 - Recipients and service providers

Access is strictly limited to authorised Orchesia personnel and our partners (categories listed below). The detailed list of main providers, their roles, and links is set out in Article 6.4.

Article 6.2 - Transfers outside the EU/EEA

No transfer outside the EU/EEA is carried out without appropriate safeguards under Article 46 GDPR. Some providers may process data outside the EU/EEA (e.g., United States). We apply appropriate safeguards (SCCs, transfer assessments, encryption, minimisation) and transfer only what is necessary.

Article 6.3 - Allocation of roles (Controller/Processor)

Article 6.4 - Partners (details, roles & links)

Article 6.5 - Data sharing with third parties

We do not sell or rent your personal data. We share it only where strictly necessary:

Article 6.6 - Disclosure to authorities

We may retain or disclose data to comply with a legal obligation or with a valid, necessary, and proportionate request from an administrative or judicial authority (police/courts). Legal basis: legal obligation (Art. 6(1)(c) GDPR) or legitimate interest (legal defense, Art. 6(1)(f)).

SECTION 7 - SECURITY, ENCRYPTION & ADMINISTRATIVE ACCESS

Article 7.1 - Passwords

We never receive your passwords in plaintext. They are hashed and salted. If you forget your password, a reset via a temporary token is available; an existing password cannot be retrieved.

Article 7.2 - Encryption

Data is encrypted in transit (HTTPS/TLS) and encrypted at rest (database, attachments, backups). The service does not use end-to-end encryption (E2EE): keys are managed by our servers to ensure operation of the application (processing, searches, backups).

Exceptional access to data may occur in the cases set out in Articles 7.3 to 7.6 (support with consent, legal requests, anti-fraud), subject to authorisation, with minimisation, and access logging (Article 7.7).

Article 7.3 - Exceptional administrative access & minimisation

We may, exceptionally and with proper justification, access certain data (including Client Content) via an administration panel in order to:

Any access is subject to authorisations, follows data minimisation, and is logged (who, when, why, scope consulted).

Article 7.4 - Fraud prevention & compliance with Terms of Use/Terms and Conditions

We may analyse usage indicators (e.g., number of projects, number of tasks, storage volumes, technical signals) and, where serious suspicion exists, perform targeted checks, including on the strict minimum of Client Content required. Legal basis: legitimate interest (Art. 6(1)(f)). You may object on grounds relating to your particular situation (Art. 21 GDPR), unless we demonstrate compelling legitimate grounds that override your interests.

Article 7.5 - Requests from authorities

We may be required to retain or disclose certain data to comply with a legal obligation or a request from a competent authority (police/courts). We respond only to valid, necessary, and proportionate requests, after appropriate verification.

Article 7.6 - Support & technical assistance (prior agreement)

If technically needed, we may ask for your explicit agreement to temporarily access your data for diagnosis/resolution. Without this agreement, we limit ourselves to technical logs and metadata. Granted access is temporary, traceable, and limited to what is necessary.

Article 7.7 - Logging of sensitive access

Any sensitive access (including administrative access to Client Content) is logged (who, when, why, scope consulted) and retained for 12 months.

Article 7.8 - Technical and organisational measures

We implement technical and organisational measures appropriate and proportionate to the risk in order to ensure confidentiality, integrity, availability, and resilience of personal data, in line with the GDPR. These measures are reviewed periodically and adapted to changes in risk, the state of the art, and implementation costs.

Depending on the case, these measures may include appropriate encryption of data in transit and at rest, access controls and enhanced authentication, traceability of sensitive access, backups and restoration testing, security monitoring and vulnerability management, and contractual safeguards with our providers (including transfers outside the EU).

Article 7.9 - Data breach notification

In the event of a personal data breach, we apply our internal incident management procedure and will notify the competent supervisory authority (CNIL) without undue delay and, where feasible, no later than seventy-two (72) hours after becoming aware of it, in accordance with Article 33 GDPR.

Where the breach is likely to result in a high risk to the rights and freedoms of data subjects, we will inform them without undue delay, in clear and plain language, of recommended protective measures and contact details for further information, in accordance with Article 34 GDPR. Where legal conditions allow (for example, data rendered unintelligible by robust encryption), individual notification may not be required.

SECTION 8 - PROSPECTING & COMMUNICATIONS

Article 8.1 - Service and marketing emails

SECTION 9 - DATA SUBJECT RIGHTS

Article 9.1 - Exercising rights

As a user, you benefit from several rights guaranteed by the GDPR and French Data Protection Act, including:

Article 9.2 - Practical arrangements

We will respond without undue delay and no later than one (1) month from receipt of your request. This period may be extended by two (2) months depending on complexity and number of requests; in that case, you will be informed within one month of the reasons for the extension.

Where a request is manifestly unfounded or excessive (in particular due to its repetitive nature), we may refuse to act on it or charge a reasonable fee based on administrative costs; the burden of proof lies with us. We may request additional information to verify your identity where necessary and only in case of doubt as to the requestor's identity. Where the request is made electronically, information is provided electronically whenever possible, unless otherwise requested.

SECTION 10 - CHANGES & CONTACTS

Article 10.1 - Changes

The version date at the top is updated; in case of significant changes, dedicated information is sent (email/in-app).

Article 10.2 - Contacts

Any question relating to privacy or the exercise of your rights: contact@orchesia.com.

ANNEX - Cookie Charter - Orchesia

1) What we use

2) Manage your choices

On your first visit, a panel offers Accept all / Reject all / Manage my preferences. You can change your choices at any time via Cookie Settings.

3) List of cookies & trackers

A. Necessary (without consent)

Name: orchesia_cookie_consent
Provider: Orchesia (first party)
Purpose: Remember your choices (analytics, YouTube) + timestamp
Duration: 6-12 months (currently 180 days)
Domain: .orchesia.com
Secure: Yes
HttpOnly: No
SameSite: Lax
Legal basis: Necessary (consent management)

Value (example): v=1|nec=1|ana=1|ytb=0|ts=2025-10-09T09:12:00Z.

B. Audience measurement (with consent)

Tool: Google Analytics 4 (GA4)
Provider: Google
Purpose: Aggregated statistics (pages, events)
Data processed: Identifiers, browser/IP information (anonymised IP), events
Legal basis: Consent (opt-in)

Conditional loading: GA4 is loaded only if "Analytics" is accepted.

Settings: anonymised IP, no advertising retargeting via GA4.

C. Video player (with consent)

Tool: YouTube (iframe)
Provider: Google/YouTube
Purpose: Playback of embedded videos
Data processed: Online identifiers, browser information
Legal basis: Consent ("YouTube" category)
Placement timing: On load or interaction; youtube-nocookie.com when possible

D. Local storage (outside cookies)

Type: localStorage / sessionStorage
Example: Non-sensitive UI preferences
Purpose: User convenience / easier navigation
Legal basis: Legitimate interest / service necessity
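The consent cookie format given above (v=1|nec=1|ana=1|ytb=0|ts=...), its attributes (Secure, not HttpOnly, SameSite=Lax, 180 days, .orchesia.com) and the rule that GA4 and the YouTube embed load only when their category is accepted can be exercised in code. The following is an added example, not Orchesia's banner script: it parses a Cookie header, fails closed on any malformed or unknown-version value, writes the Set-Cookie string with the attributes in the table, and gates third-party loads on the parsed choices. The tracker URLs are placeholders, and the `loader` callback is an assumption standing in for appending a script or iframe element in the browser.

```javascript
// Added example, not Orchesia's code. Tracker URLs are placeholders (assumption);
// `loader` stands in for DOM insertion so the logic runs without a browser.
const CONSENT_COOKIE = "orchesia_cookie_consent";
const CONSENT_MAX_AGE_S = 180 * 24 * 60 * 60; // "currently 180 days"

// Split a Cookie header (or document.cookie) into { name: value }.
// A pair that fails to decode is dropped rather than partially trusted.
function parseCookieHeader(header) {
  const jar = {};
  for (const part of String(header || "").split(";")) {
    const eq = part.indexOf("=");
    if (eq < 1) continue;
    try {
      jar[part.slice(0, eq).trim()] = decodeURIComponent(part.slice(eq + 1).trim());
    } catch (_) { /* malformed percent-encoding: ignore this cookie */ }
  }
  return jar;
}

// Parse "v=1|nec=1|ana=1|ytb=0|ts=<ISO-8601>". Fails closed: a missing,
// malformed or unknown-version value grants no optional category, and
// `valid` is false so the banner can be shown again.
function parseConsent(value) {
  const denied = { valid: false, necessary: true, analytics: false, youtube: false, ts: null };
  if (typeof value !== "string" || value === "") return denied;
  const fields = {};
  for (const f of value.split("|")) {
    const eq = f.indexOf("=");
    if (eq < 1) return denied;
    fields[f.slice(0, eq)] = f.slice(eq + 1);
  }
  if (fields.v !== "1" || fields.nec !== "1") return denied;
  if (!fields.ts || Number.isNaN(Date.parse(fields.ts))) return denied;
  return { valid: true, necessary: true,
    analytics: fields.ana === "1", youtube: fields.ytb === "1", ts: fields.ts };
}

// Serialize the user's choices in the charter's format with a fresh timestamp
// (the timestamp is the evidence of when the choice was made).
function serializeConsent(choices, now = new Date()) {
  const ts = now.toISOString().replace(/\.\d{3}Z$/, "Z");
  return `v=1|nec=1|ana=${choices.analytics ? 1 : 0}|ytb=${choices.youtube ? 1 : 0}|ts=${ts}`;
}

// Set-Cookie value with the attributes from the table: Secure, SameSite=Lax,
// 180-day Max-Age, scoped to .orchesia.com. No HttpOnly, because the banner
// script in the page must be able to read the stored choice.
function consentSetCookie(choices, now = new Date()) {
  return [
    `${CONSENT_COOKIE}=${encodeURIComponent(serializeConsent(choices, now))}`,
    `Max-Age=${CONSENT_MAX_AGE_S}`,
    "Domain=.orchesia.com",
    "Path=/",
    "Secure",
    "SameSite=Lax",
  ].join("; ");
}

// Conditional loading: call loader(url) only for categories the user accepted.
// Returns the list of categories actually loaded.
const TRACKER_SOURCES = { // assumption: placeholders, not Orchesia's real tags
  analytics: "https://www.googletagmanager.com/gtag/js?id=G-PLACEHOLDER",
  youtube: "https://www.youtube-nocookie.com/embed/PLACEHOLDER",
};
function loadTrackers(cookieHeader, loader) {
  const consent = parseConsent(parseCookieHeader(cookieHeader)[CONSENT_COOKIE]);
  const loaded = [];
  for (const category of Object.keys(TRACKER_SOURCES)) {
    if (consent[category]) {
      loader(TRACKER_SOURCES[category]);
      loaded.push(category);
    }
  }
  return loaded;
}
```

The point to verify on a real site is the fail-closed branch: with no cookie, a cookie from an older format version, or a truncated value, nothing in the "with consent" categories may load, and the banner must reappear.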

4) Your choices, anytime

5) Legal framework (summary)

6) Updates

This charter may be updated. Significant changes will be subject to dedicated notice.

7) Contact

Questions / rights: contact@orchesia.com

For full details, see the Privacy Policy.