Privacy Policy — Ecopilot

← Back to site

🔒 Our commitment: Ecopilot protects your personal data in accordance with the GDPR and the amended French Data Protection Act.

1. Data controller

ECOPILOT — Sole trader
Registered office: 140 Avenue Chanzy, 53000 Laval, France
SIRET: 105 076 210 00019
Contact: contact@ecopilot-ai.com

For any request about your data, email contact@ecopilot-ai.com (subject "GDPR").

2. Data collected

2.1 Account data

Data	Purpose	Legal basis
First and last name	Customer identification	Performance of contract
Email address	Login, communication, billing	Performance of contract
Password (encrypted)	Securing access	Performance of contract
Company, sector	Service personalisation	Performance of contract
Phone, address (optional)	Billing, contact	Consent

2.2 Usage data

Data	Purpose	Legal basis
Assessment answers	Provide the assessment	Performance of contract
Action plans, indicators	Tracking and improvement	Performance of contract
Assessment history	Comparison over time	Performance of contract
Logs, IP address	Security, fraud prevention	Legitimate interest

2.3 Payment data

Bank details are processed exclusively by Stripe Payments Europe Ltd. (PCI-DSS level 1). They never pass through our servers.

3. Purposes of processing

Service delivery: assessments, action plans, indicators;
Account management: authentication, support;
Billing: invoices, payments, accounting;
Marketing communication: only with consent;
Security and improvement (anonymised statistics).

4. Legal bases

Performance of contract (Art. 6.1.b);
Legal obligation (Art. 6.1.c) — billing, accounting (10 years);
Legitimate interest (Art. 6.1.f) — security, improvement;
Consent (Art. 6.1.a) — marketing, non-essential cookies.

5. Data recipients

Recipient	Purpose	Location
Stripe Payments Europe Ltd.	Payments	Ireland (EU)
Supabase	Database hosting	EU (Paris region)
Vercel Inc.	Website hosting	United States*
Anthropic PBC	AI (action plans) — pseudonymised data	United States*
Brevo (if newsletter)	Transactional and marketing emails	France (EU)

* Transfers outside the EU are governed by Standard Contractual Clauses (Art. 45 and 46 of the GDPR).

🛡️ We never sell your data. No data is shared for advertising purposes.

6. Retention period

Type of data	Period
Account (active)	Duration of the subscription
Account (after cancellation)	30 days then deletion
Billing	10 years (accounting obligation)
Connection logs	12 months maximum
Marketing (consent)	3 years after last contact
Cookies	13 months maximum

7. Your rights

In accordance with Articles 15 to 22 of the GDPR, you have the rights of access, rectification, erasure, restriction, portability, objection, rights regarding automated decisions, and the right to set post-mortem directives.

How to exercise them

By email: contact@ecopilot-ai.com (subject "Exercise of my GDPR rights");
By post: 140 Avenue Chanzy, 53000 Laval, France;
From your "My profile" → "Manage my data" area.

Response within 1 month maximum. Proof of identity may be requested.

8. Data security

🔐 HTTPS/TLS encryption, hashed passwords (bcrypt);
🛡️ Secure sessions, access protection;
💾 Automatic, encrypted backups;
🏢 Hosting in ISO 27001-certified data centres in France;
🔄 Regular security patches.

9. Cookies

Strictly necessary cookies (no consent required): session, security (CSRF), language preference. The site uses no third-party analytics cookies and no advertising cookies.

10. Transfers outside the EU

Some processors (Anthropic, Vercel) are located outside the EU (United States). These transfers are governed by Standard Contractual Clauses, confidentiality commitments and technical measures (encryption, pseudonymisation).

11. Complaint to the CNIL

Website: www.cnil.fr
Address: 3 place de Fontenoy, TSA 80715, 75334 PARIS CEDEX 07, France
Phone: +33 1 53 73 22 22

12. Changes

This policy may be amended. Any substantial change is notified by email 30 days before it takes effect.

13. Contact

Email: contact@ecopilot-ai.com
Post: 140 Avenue Chanzy, 53000 Laval, France