Privacy Policy
aiacto is committed to protecting your personal data in accordance with the General Data Protection Regulation (GDPR).
Last updated: 6 February 2026
1. Data Controller
Identity and contact details of the controller
- Company name: PIERRE Jeremy (Auto-entreprise)
- Trade name: aiacto
- SIRET: 878 615 780 00029
- Commercial Register: 878 615 780 R.C.S. Clermont-Ferrand
- VAT Number: FR04878615780
- NAF Code: 6201Z - Computer programming
- Data Protection Officer (DPO): PIERRE Jeremy
- Contact email: contact@aiacto.eu
The data controller determines the purposes and means of processing your personal data. For any questions regarding the protection of your data, you can contact us at the address indicated below.
2. Data Collected
Categories of personal data processed
In connection with providing our AI Act compliance services, we collect and process the following categories of personal data:
2.1. Identification Data
- First and last name
- Email address
- Password (stored in hashed form, never in plain text)
2.2. Client Company Data
If you are a professional (agency, consultant, freelancer) using aiacto to manage your clients' compliance:
- Client company name
- Company registration number
- Industry sector
- Contact details (name, email, phone)
2.3. AI Act Diagnostic Data
Responses to the diagnostic questionnaire:
- Type of artificial intelligence system
- Use case and field of application
- Relevant industry sector
- Role in the value chain (provider, deployer, etc.)
- Classification results (risk level, identified obligations)
2.4. Documentation Data
Content of forms to generate compliance documentation:
- AI system descriptions
- Development processes
- Data governance measures
- Performance metrics
- Risk management plans
- User-generated and edited texts
2.5. Technical Data
- IP address
- Browser type and version (User-Agent)
- Operating system
- Pages visited and action timestamps
- Connection and event logs
2.6. Billing Data
This data is processed by our payment provider Stripe:
- Billing information (name, address)
- Transaction history
- Subscription status
Important: We NEVER store your credit card data. This is processed exclusively by Stripe, which is PCI-DSS certified.
3. Processing Purposes
Why we process your data
Your personal data is collected and processed for the following purposes:
| Purpose | Data concerned |
|---|---|
| Provision of AI Act diagnostic service | Diagnostic data, technical data |
| Generation of compliance documents | Documentation data, client company data |
| User account management | Identification data |
| Billing and payment management | Billing data, identification data |
| Service communications | Email, notification preferences |
| Service improvement | Technical data (anonymized) |
| Security and fraud prevention | Technical data, logs |
4. Legal Basis for Processing
Legal grounds in accordance with GDPR
In accordance with Article 6 of the GDPR, the processing of your personal data is based on the following legal grounds:
Performance of Contract (Art. 6.1.b GDPR)
The processing of your data is necessary for the performance of the contract to which you are a party, including the provision of AI Act diagnostic service, generation of compliance documents and management of your user account.
Legal Obligations (Art. 6.1.c GDPR)
Certain processing is carried out to comply with our legal obligations, particularly in terms of billing, accounting and document retention for tax purposes.
Legitimate Interests (Art. 6.1.f GDPR)
The processing of technical data (logs, IP address) to ensure the security of our platform and improve our services is based on our legitimate interest, after balancing against your rights and interests.
Consent (Art. 6.1.a GDPR)
For certain optional processing, such as sending marketing communications or using non-essential cookies, we obtain your prior consent. You may withdraw this consent at any time.
5. Hosting and Subprocessors
Technical infrastructure and partners
All your data is hosted exclusively on servers located in France and the European Union. No personal data transfer is made outside the European Economic Area (EEA).
To ensure the operation of our platform, we use the following subprocessors, all located in the European Union or offering adequate safeguards:
Primary Hosting
- Provider: Clever Cloud
- Location: Paris, France
- Data concerned: Application, PostgreSQL database, logs
- Security: Encryption at rest and in transit, ISO certifications
CDN (Content Delivery Network)
- Provider: Bunny CDN
- Location: European nodes exclusively
- Data concerned: Static assets only (images, CSS, JavaScript)
No personal data passes through the CDN.
Payment
- Provider: Stripe
- Location: European datacenters
- Certifications: PCI-DSS Level 1 (highest certification level)
- Data concerned: Credit card data, transactions
We do not store or have access to your credit card data. Only Stripe processes it securely.
Transactional Emails
- Provider: Resend
- Data concerned: Email address, transactional email content
- Usage: Magic links, registration confirmations, service notifications
6. Artificial Intelligence Generation
Use of AI for document generation
We exclusively use Mistral AI, a French company whose models are developed and operated in Europe, ensuring GDPR compliance.
AI Provider
- Provider: Mistral AI
- Location: Paris, France
- Certifications: GDPR, AI Act
Data Transmitted to AI
To generate your compliance documents, we transmit the following information to Mistral AI:
- Your responses to documentation forms
- Results of your AI Act diagnostic
- Information about the AI system concerned
Protection Guarantees
- No training: Your data is NOT used to train Mistral AI models
- Limited retention: Data is not retained by Mistral AI beyond processing the request
- Encryption: All communications with the Mistral API are encrypted (TLS 1.3)
- Processing agreement: A GDPR-compliant Data Processing Agreement (DPA) has been concluded with Mistral AI
7. Data Transfers
Data location and circulation
No transfers outside the European Union
In accordance with our digital sovereignty commitment, we guarantee that no personal data is transferred outside the European Economic Area (EEA).
All our subprocessors and technical providers are either:
- Established in the EU: Clever Cloud (France), Bunny CDN (Slovenia), Mistral AI (France)
- Operating via European infrastructure: Stripe (European datacenters, Data Privacy Framework certified)
In the event of a development requiring data transfer outside the EEA (which is currently not the case), we would implement appropriate safeguards in accordance with Articles 46 et seq. of the GDPR (standard contractual clauses, adequacy decision, etc.) and inform you accordingly.
8. Retention Periods
How long we keep your data
Your personal data is retained for a limited period, determined according to the processing purpose and applicable legal obligations:
| Data category | Retention period | Justification |
|---|---|---|
| Account data | Account duration + 3 years | Civil statute of limitations |
| Generated documents | Account duration + 5 years | AI Act compliance legal obligations |
| Diagnostic data | Account duration + 3 years | Compliance history |
| Technical logs | 12 months | Security and debugging |
| Billing data | 10 years | Accounting and tax obligations |
| Session cookies | Session duration | Service operation |
Upon expiry of these periods, your data is securely deleted or irreversibly anonymized for statistical purposes.
9. Data Security
Technical and organizational measures
We implement appropriate technical and organizational measures to ensure a level of security appropriate to the risks, in accordance with Article 32 of the GDPR:
Encryption
- TLS 1.3 encryption for all communications
- Encryption of data at rest (AES-256)
- Passwords hashed with bcrypt
Access Control
- Secure authentication (email/password or magic link)
- Secure sessions with encrypted tokens
- Principle of least privilege
Application Protection
- Strict input validation (Zod)
- CSRF and XSS protection
- Security headers (CSP, HSTS, X-Frame-Options)
Monitoring
- Rate limiting on sensitive APIs
- Action audit logs
- Regular backups
Procedure in case of data breach
In the event of a personal data breach, we will notify the relevant supervisory authority within 72 hours in accordance with Article 33 of the GDPR. If the breach is likely to result in a high risk to your rights and freedoms, you will be informed without undue delay (Article 34 of the GDPR).
10. Your Rights
Rights guaranteed by GDPR
In accordance with the General Data Protection Regulation, you have the following rights regarding your personal data:
Right of Access (Art. 15 GDPR)
You may obtain confirmation that your data is being processed and access all your personal data as well as information relating to the processing.
Right to Rectification (Art. 16 GDPR)
You may request the correction of inaccurate or incomplete data concerning you.
Right to Erasure (Art. 17 GDPR)
You may request the deletion of your data in certain cases (data no longer necessary, withdrawal of consent, unlawful processing). This right may be limited by our legal retention obligations.
Right to Restriction of Processing (Art. 18 GDPR)
You may request the restriction of processing of your data while its accuracy is being verified or while an objection is being examined.
Right to Data Portability (Art. 20 GDPR)
You may receive your data in a structured, commonly used and machine-readable format, and transmit it to another controller.
Right to Object (Art. 21 GDPR)
You may object to the processing of your data based on legitimate interest, particularly for direct marketing purposes.
Right to Withdraw Consent (Art. 7.3 GDPR)
For processing based on your consent, you may withdraw this consent at any time without affecting the lawfulness of processing prior to withdrawal.
Right to define post-mortem directives
You may define directives concerning the retention, deletion and communication of your data after your death (French Data Protection Act, art. 85).
How to exercise your rights
You can exercise your rights in several ways:
- By email to our DPO: contact@aiacto.eu
- Via your account settings (data export and deletion)
We will respond to your request within one month of its receipt. This period may be extended by two months in case of complex or numerous requests.
Complaint to the supervisory authority
If you believe that the processing of your data does not comply with the GDPR, you have the right to lodge a complaint with your national supervisory authority. In France:
CNIL - 3 Place de Fontenoy, TSA 80715 - 75334 Paris Cedex 07
Website: www.cnil.fr
12. Policy Changes
Updates and modifications
We may modify this privacy policy to reflect changes in our practices or legal requirements. In case of substantial modification, we will inform you:
- By email to the address associated with your account
- By a visible notification in the application
- By updating the last modification date at the top of this document
We encourage you to regularly review this page to stay informed about our data protection practices.
13. Contact
Contact us for any questions
For any questions regarding this privacy policy or the exercise of your rights, you may contact our Data Protection Officer:
- DPO: PIERRE Jeremy, contact@aiacto.eu
- Website: www.aiacto.eu
We are committed to processing your request as quickly as possible and providing you with a clear and complete response.