Legal notices
Last updated: February 27, 2026
Article 1 — Data controller
The data controller for personal data is VOIGHT-KAMPFF, a SARL with a share capital of 100 euros, RCS Creteil 823 547 526, registered office: 49 rue Charles Infroit, 94500 Champigny-sur-Marne.
Data Protection Officer (DPO): Arthur Dagard — dpo@payemesheures.fr.
This policy is established in accordance with Regulation (EU) 2016/679 of 27 April 2016 (GDPR) and French law no. 78-17 of 6 January 1978 as amended (Data Protection Act).
Data Protection Officer: dpo@payemesheures.fr — VOIGHT-KAMPFF, 49 rue Charles Infroit, 94500 Champigny-sur-Marne.
Article 2 — Data collected
We collect the following categories of data, depending on the features used:
Identification data: email address, password (stored in hashed form using bcrypt, cost factor 12 — never in plain text), country of residence.
Professional data: employer name, SIRET/BCE number, collective agreement / joint committee, contract type, professional status, gross monthly salary, contractual working hours, date of joining the company, declared leave and absence periods.
Documents: payslips uploaded in PDF format (stored in an encrypted private bucket on Supabase, Frankfurt servers, Germany, EU), analysis results extracted by artificial intelligence.
Calendar data (optional, with consent): if you connect an external calendar (Google Calendar, Outlook, Slack), we access metadata in read-only mode (date, time, title). Detailed message content is not collected. Access is revocable at any time.
Transaction data: purchase history, amounts, payment dates, invoice numbers. Bank card data is never collected or stored by VOIGHT-KAMPFF (processed by Stancer, PCI DSS Level 1 certified).
Technical data: IP address (security and fraud prevention), connection timestamps, browser user agent.
Passwords hashed with bcrypt, OAuth tokens encrypted with AES-256, communications over TLS 1.3.
Data hosted in Frankfurt (Supabase) and processed in the EU (Vercel).
Article 3 — Legal bases and purposes
Your data is processed on the following legal bases:
Performance of the contract (art. 6.1.b GDPR): provision of the audit service, payslip analysis, discrepancy detection, document generation, account and purchase management.
Consent (art. 6.1.a GDPR): access to external calendars and messaging (Google, Outlook, Slack), sending of commercial communications.
Legal obligation (art. 6.1.c GDPR): retention of invoices (art. L.123-22 of the French Commercial Code, 10 years), fraud prevention, response to judicial requisitions.
Legitimate interest (art. 6.1.f GDPR): sending service emails (account verification, password reset, security notifications), service improvement based on anonymised statistics, abuse prevention and Service security.
Article 4 — Hosting and sub-processors
Your data is hosted and processed by the following sub-processors, all bound by data processing agreements (DPAs) compliant with the GDPR:
• Supabase Inc. — PostgreSQL database and file storage, servers in Frankfurt, Germany (EU)
• Vercel Inc. — web application hosting, edge network with processing in the EU (SCCs and Data Privacy Framework)
• Stancer SAS — payment processing, France, PCI DSS Level 1 certified
• Brevo SAS — transactional and marketing email delivery, France
• Google LLC (Gemini API) — payslip analysis by AI, images are not retained by Google after processing (SCCs and Data Privacy Framework)
• Google LLC / Microsoft Corp. — Calendar, Gmail, Outlook, Teams APIs (read-only access, with consent, data processed in the EU via SCCs)
• Slack Technologies LLC — messaging API (metadata only, with consent, SCCs)
Article 5 — Data transfers outside the EU
Some of our sub-processors (Vercel, Google, Slack) are US companies. Data transfers to the United States are governed by:
• The EU-US Data Privacy Framework (European Commission adequacy decision of 10 July 2023) for certified sub-processors
• Standard Contractual Clauses (SCCs) adopted by the European Commission (decision 2021/914) as a supplement
VOIGHT-KAMPFF undertakes that no transfer of personal data will be made to a third country without appropriate safeguards. We never sell, rent or share your personal data with third parties for commercial purposes.
Article 6 — Data retention periods
Data is retained for the following periods:
• Account data (profile, settings) — lifetime of the active account + 30 days after deletion
• Payslips and analyses — lifetime of the account, erased within 30 days after account deletion
• Imported calendar data — lifetime of the account, erased on integration disconnection or account deletion
• Invoices and accounting data — 10 years from the close of the financial year (legal obligation, art. L.123-22 of the French Commercial Code)
• Legal consent data (checkboxes ticked, GTS versions accepted, IP address) — 5 years from acceptance
• Technical logs (IP address, timestamps) — 12 months
• Anonymised data for statistical purposes — no time limit
Article 7 — Your rights (GDPR)
In accordance with articles 15 to 22 of the GDPR and articles 48 to 56 of the French Data Protection Act, you have the following rights:
Right of access (art. 15 GDPR): obtain confirmation that your data is being processed and receive a copy. Exercise this right from Settings → My data, or by email to dpo@payemesheures.fr.
Right to rectification (art. 16 GDPR): have your inaccurate or incomplete data corrected.
Right to erasure — 'right to be forgotten' (art. 17 GDPR): obtain the deletion of your data. Exercise this right from Settings → Delete my account. Permanent deletion within 30 days.
Right to data portability (art. 20 GDPR): receive your data in a structured, machine-readable format (JSON). Exercise this right from Settings → My data → Export.
Right to object and right to restriction (art. 18 and 21 GDPR): object to processing on legitimate grounds. Contact: dpo@payemesheures.fr.
Right to withdraw consent: withdrawable at any time without affecting the lawfulness of prior processing. For integrations: disconnect from Integrations. For emails: unsubscribe link in each email.
You may lodge a complaint with the CNIL (www.cnil.fr) or, for Belgian residents, with the Data Protection Authority (www.autoriteprotectiondonnees.be).
Article 8 — Data security
VOIGHT-KAMPFF implements the following technical and organisational measures to protect your data:
• Encryption of all communications via HTTPS (TLS 1.3)
• Passwords hashed with bcrypt (cost factor 12)
• OAuth integration tokens encrypted in the database (AES-256)
• Payslips stored in a private bucket not publicly accessible
• JSON Web Token (JWT) authentication with expiration
• Protection against CSRF, XSS and SQL injection attacks
• HTTP security headers (HSTS, X-Frame-Options, CSP, X-Content-Type-Options)
• Rate limiting on all API routes
• Row Level Security (RLS) enabled on all database tables
• Administrator access protected by separate authentication
TLS 1.3 in transit, AES-256 at rest, bcrypt for passwords.
JWT with expiration, CSRF/XSS protection, rate limiting, RLS on all tables.
Article 9 — Cookies
The site exclusively uses strictly necessary cookies for the operation of the service, which do not require prior consent in accordance with article 82 of the French Data Protection Act:
• 'token' — JWT authentication cookie (duration: 30 days)
• 'cookie_consent' — storing the user's choice (duration: 12 months)
No advertising, profiling, tracking or third-party analytics cookies are placed. No third-party audience measurement tools are used.
Article 10 — Artificial intelligence
Payslip analysis is performed by an artificial intelligence model (Google Gemini) via the Google AI API. Images of your payslips are sent securely (HTTPS) to the API for data extraction (hours worked, amounts, labels).
In accordance with the Google AI API terms of use: data sent is not used by Google to train its models; data is not retained by Google beyond the processing time; extracted results are stored on our servers hosted in the EU (Supabase, Frankfurt).
The user is informed that AI analysis results are estimates and should be verified.
Article 11 — Minors
The Service is intended exclusively for adults (aged 18 or over). VOIGHT-KAMPFF does not knowingly collect personal data from minors. If we discover that a minor has created an account, it will be deleted and the data erased.
Article 12 — Policy modification
This policy may be updated to reflect legal, technical or practice changes. In the event of a substantial modification, users will be informed by email at least fifteen (15) days before it comes into effect. The date of last update is indicated at the top of this page.
Article 13 — Contact
To exercise your rights, ask a question or report a security incident:
Data Protection Officer — dpo@payemesheures.fr
Postal address: VOIGHT-KAMPFF, DPO, 49 rue Charles Infroit, 94500 Champigny-sur-Marne, France
Response time: thirty (30) days maximum from receipt of the request (art. 12.3 GDPR).