Privacy Policy

1. Identity of the Data Controller

The data controller responsible for your personal data is:

2. Introduction

Aldo places great importance on the protection of your personal data and the respect of your privacy. This Privacy Policy describes how we collect, use, store, and protect your personal data in accordance with the General Data Protection Regulation (GDPR - EU Regulation 2016/679) and the French Data Protection Act (Loi Informatique et Libertés).

This policy applies to all users of the Aldo service accessible at https://aldo.works.

3. Personal Data Collected

3.1 Account and authentication data

• Email address
• Password (encrypted and secured)
• Unique account identifier (automatically generated UUID)
• Account name (personal or team)
• Account creation date and last modification date
• Account type (personal or team)

3.2 Team account data

If you use a team account, we collect:

• Team name
• Team unique identifier (slug)
• List of members and their roles (owner, admin, member)
• Granted permissions (role management, billing, settings, members, invitations)
• Invitations sent and their status

3.3 Client data from your professional activity

To enable you to manage your clients, we store the information you provide:

• Individual clients: first name, last name, email, phone, full postal address
• Business clients: company name, SIRET number, intra-community VAT number, registered office address
• Client record creation date and modifications
• Identifier of the user who created or modified the record

3.4 Catalog and pricing data

• Names and descriptions of your products/services (items)
• Unit prices excluding tax
• Applicable VAT rates
• Pricing units and annual variations
• Creation date and modifications

3.5 Invoicing and quotation data

• Automatically generated document numbers (invoices and quotations)
• Issue dates and payment due dates
• Client references
• Line items (description, quantity, price, VAT)
• Total amounts (excl. tax, VAT, incl. tax)
• Document status (draft, sent, paid, overdue, cancelled)
• Payment terms and late payment penalties
• Generated PDF files
• Metadata (creator, modifier, timestamps)

3.6 AI assistant conversation data

• Conversation history (titles and timestamps)
• Messages exchanged with the AI assistant (content, role: user/assistant/system)
• Structured parts of messages (JSON format)
• Identifier of the authoring user

3.7 AI usage data

To optimize the service and comply with our rate limits, we collect:

• AI operation type (chat, text generation, embedding, image)
• Model and provider used (e.g., OpenAI GPT-4)
• Number of input and output tokens
• Estimated cost of the operation (in cents)
• Processing duration (in milliseconds)
• Success or failure status with error messages
• Reference to the related conversation
• Tracking period (year, month, day, hour)

3.8 Customer support data

• Ticket title and description (HTML and JSON)
• Status (open, in progress, resolved, closed)
• Priority (low, medium, high, urgent)
• User assigned to the ticket
• Ticket messages (content, internal/external visibility)
• Attachments (images stored in Supabase Storage)

3.9 Billing and subscription data

• Stripe customer identifier
• Billing email
• Subscription status (active, trial, past due, cancelled, incomplete, paused)
• Payment provider (Stripe)
• Currency and pricing information
• Subscription period start and end dates
• End-of-period cancellation indicator

3.10 Technical and connection data

• IP address
• Browser type and version
• Operating system
• Session data (authentication cookies)
• Login and activity timestamps
• Interface preferences (light/dark theme, language)

4. Purposes of Processing

Your personal data is collected and processed for:

• Service provision: creating and managing your account, enabling you to use all platform features (client management, invoicing, quotations, AI assistant, support)
• Authentication and security: verifying your identity, securing your account, preventing fraud and unauthorized access
• Billing management: processing your payments, issuing invoices, managing your subscription
• Customer support: answering your questions, resolving your technical issues, assisting you in using the service
• Service improvement: analyzing AI usage, optimizing performance, fixing bugs, developing new features
• Legal compliance: retention of accounting and tax data in accordance with French legislation
• Communications: informing you of important updates, service changes, and security issues (transactional emails only)
• Usage limit management: enforcing AI usage rate limits according to your subscription plan

5. Legal Basis for Processing

In accordance with the GDPR, we process your personal data on the basis of:

• Performance of a contract (Article 6(1)(b) GDPR): processing is necessary for the performance of the Terms of Use and Sale to which you have subscribed
• Legitimate interest (Article 6(1)(f) GDPR): service improvement, security, fraud prevention, performance analysis
• Legal obligation (Article 6(1)(c) GDPR): retention of accounting and tax data for the legally required periods
• Consent (Article 6(1)(a) GDPR): for certain non-essential cookies and marketing communications (if applicable)

6. Data Recipients

6.1 Internal access

Your data is accessible internally only by authorized Aldo personnel, within the limits of their duties and on a need-to-know basis.

6.2 Subcontractors and technical partners

To provide the service, we use external providers who process your data on our behalf and under our responsibility:

• Supabase (hosting, database, authentication, file storage) - United States - Standard contractual clauses
• OpenAI (artificial intelligence processing) - United States - Standard contractual clauses
• Stripe (payment processing) - United States - Standard contractual clauses
• Vercel (application hosting, analytics) - United States - Standard contractual clauses
• Upstash (rate limiting, Redis cache) - United States - Standard contractual clauses

These providers are bound by strict contractual obligations regarding security and confidentiality. They may only use your data for the purposes determined by Aldo and in accordance with our instructions.

6.3 Transfers outside the European Union

Some of our subcontractors are located outside the European Union, particularly in the United States. These transfers are governed by:

• Standard contractual clauses approved by the European Commission
• Appropriate safeguards regarding data protection
• Compliance with GDPR principles concerning international transfers

6.4 Authorities

We may be required to disclose your data to competent authorities if required by law or to protect our legal rights.

7. Data Retention Period

Your data is retained for the following periods:

• Active account data: for the entire duration of your subscription and until deletion of your account
• Client data, items, quotations: for the duration of your subscription + 3 years after deletion (to allow possible reactivation)
• Billing and accounting data: 10 years in accordance with French legal obligations (Commercial Code, General Tax Code)
• Stripe payment data: retained according to Stripe's policies and legal anti-money laundering obligations
• AI assistant conversations: for the duration of your subscription + 1 year after deletion
• Support tickets: 3 years after ticket resolution
• AI usage logs: 12 months (for analysis and billing)
• Connection data: 12 months (for security and fraud detection)

Upon expiration of these periods, your data is deleted or irreversibly anonymized, unless a longer retention period is required by law.

8. Your Rights Regarding Your Personal Data

In accordance with the GDPR and the French Data Protection Act (Loi Informatique et Libertés), you have the following rights:

8.1 Right of access (Article 15 GDPR)

You may obtain confirmation that your data is being processed and access your personal data.

8.2 Right to rectification (Article 16 GDPR)

You may request the correction of inaccurate or incomplete data. Most data can be modified directly from your personal dashboard.

8.3 Right to erasure (Article 17 GDPR)

You may request the deletion of your personal data. You can delete your account from the settings. Certain data may be retained to comply with our legal obligations (notably accounting data for 10 years).

8.4 Right to restriction of processing (Article 18 GDPR)

You may request the temporary suspension of the processing of your data in certain situations (contesting accuracy, unlawful processing, etc.).

8.5 Right to data portability (Article 20 GDPR)

You may retrieve your data in a structured, commonly used, and machine-readable format, and transmit it to another data controller. You can export your data from your personal dashboard.

8.6 Right to object (Article 21 GDPR)

You may object to the processing of your data for reasons relating to your particular situation, when the processing is based on legitimate interest.

8.7 Right to withdraw consent

When processing is based on your consent, you may withdraw it at any time. This withdrawal does not affect the lawfulness of processing carried out prior to the withdrawal.

8.8 Post-mortem directives (Article 85 of the French Data Protection Act)

You may define directives regarding the retention, erasure, and communication of your data after your death.

8.9 Exercising your rights

To exercise your rights, you may contact us:

• By email: contact@aldo.works
• By mail: Aldo, 6 rue des Macchabées, 69005 Lyon

We commit to responding to your request within one month of receipt. This period may be extended by two months in the event of complexity or a high number of requests. You will be informed accordingly.

To ensure the security of your data, we may ask you to verify your identity before processing your request.

9. Right to Lodge a Complaint

If you believe that the processing of your personal data does not comply with applicable regulations, you have the right to lodge a complaint with the French Data Protection Authority (Commission Nationale de l'Informatique et des Libertés - CNIL):

10. Data Security

We implement appropriate technical and organizational measures to ensure the security of your personal data and protect it against any destruction, loss, alteration, unauthorized disclosure, or access:

• Encryption: HTTPS connection (TLS 1.3), password encryption with robust algorithms (bcrypt), encryption at rest for sensitive data
• Access control: Row-Level Security (RLS) at the database level, strong authentication, role-based permission management
• Attack protection: CSRF (Cross-Site Request Forgery) protection, SQL injection protection, rate limiting to prevent abuse
• Monitoring: security logs, anomaly detection, automatic alerts
• Backups: regular encrypted data backups, disaster recovery plan
• Updates: systems and software kept up to date, rapid application of security patches
• Audits: regular security reviews, vulnerability testing

Despite these measures, no data transmission over the Internet can be guaranteed as completely secure. We commit to notifying any personal data breach to the CNIL and to the affected individuals within the legally required timeframes.

11. Cookies and Similar Technologies

We use cookies and similar technologies to ensure the operation of the Service and improve your experience. To learn more, please refer to our Cookie Policy.

12. Minors' Data

The Aldo Service is intended for individuals who are of legal age (18 years and older). We do not knowingly collect personal data from minors. If you become aware that a minor has provided personal information, please contact us so that we can delete such data.

13. Changes to the Privacy Policy

We reserve the right to modify this Privacy Policy at any time, particularly to comply with legislative, regulatory, case law, or technological developments.

Substantial changes will be notified to you by email or via a notification within the Service at least 30 days before they take effect. We encourage you to regularly review this page.

The date of the last update is indicated at the top of this document.

14. Personal Data Contact

For any questions regarding the protection of your personal data or this Privacy Policy, you may contact: