achilleus

Privacy Policy

Last Updated: October 1, 2025

Effective Date: October 1, 2025


1. Introduction

1.1 About This Policy

This Privacy Policy explains how Richard Angapin, operating as an individual from France ("we," "us," or "our"), collects, uses, shares, and protects information when you use the Achilleus Security Monitoring Service ("Service").

1.2 Data Controller

The data controller for your personal information is:

  • Name: Richard Angapin
  • Status: Individual operator based in France
  • Contact: support@achilleus.so
  • Location: France

1.3 Compliance

We comply with:

  • GDPR - General Data Protection Regulation (EU 2016/679)
  • French Data Protection Act (Loi Informatique et Libertés)
  • ePrivacy Directive - EU 2002/58/EC (as amended)

We also voluntarily follow CCPA (California Consumer Privacy Act) principles to protect all users' privacy rights, even though this is not legally required for a business of our size.

1.4 Data Protection Officer

Under GDPR Article 37, we are not required to appoint a Data Protection Officer as we process fewer than 5,000 data subjects annually and do not engage in large-scale systematic monitoring or special category data processing.

For data protection inquiries, contact: support@achilleus.so

2. Information We Collect

2.1 Account Information

Information you provide directly:

  • Email address (required) - for account creation, authentication, and communications
  • Name (optional) - for account personalization
  • Password (required) - stored using bcrypt hashing with salt
  • Payment information - processed and stored securely by Stripe (we never see full card numbers)

2.2 Domain Information

Information about your monitored domains:

  • Domain names you add for security monitoring
  • Security scan results including SSL/TLS certificates, headers, DNS records
  • Historical security data and trend analysis (retained for 12 months)
  • Domain configuration such as email mode and DKIM selectors

2.3 Technical Information

Automatically collected information:

  • IP address - for security, fraud prevention, and geographic compliance
  • Login timestamps - for security monitoring and session management
  • Application activity - scans performed, reports generated (for service delivery only)

Landing Page Only (Vercel Analytics):

  • Page views - anonymized, no cookies
  • Traffic sources - where visitors come from
  • Geographic region - country-level data only

Note: Browser type, OS, and device information are automatically sent by your browser, but we do not log or store this data beyond what is necessary for immediate technical troubleshooting.

2.4 Communications

When you contact us:

  • Support request contents and email correspondence
  • Feedback and survey responses
  • Any other information you choose to provide

3. Legal Basis for Data Processing (GDPR Article 6)

We process your personal data based on the following legal grounds:

3.1 Contract Performance (Article 6(1)(b))

Processing necessary to provide services you requested:

  • Creating and managing your account
  • Performing security scans on your domains
  • Generating security reports
  • Processing subscription payments
  • Providing customer support

3.2 Legitimate Interests (Article 6(1)(f))

Processing necessary for our legitimate business interests:

  • Preventing fraud and abuse
  • Improving service quality and features
  • Security monitoring and threat detection
  • Analytics for service optimization
  • Network and information security

Where we rely on legitimate interests, we have balanced these interests against your rights and freedoms and determined that the processing is proportionate and necessary.

3.3 Legal Obligation (Article 6(1)(c))

Processing required to comply with legal requirements:

  • Tax and accounting obligations
  • Anti-money laundering requirements
  • Data protection law compliance
  • French business regulations
  • Court orders or legal proceedings

3.4 Consent (Article 6(1)(a))

Processing based on your explicit consent:

  • Marketing communications: Occasional product updates and tips (you can withdraw consent anytime)

Note: We do not use optional analytics, tracking cookies, or non-essential cookies. Vercel Analytics (landing page only) is GDPR-compliant by design and requires no consent.

4. How We Use Your Information

4.1 Service Delivery

  • Security Scanning: Perform SSL/TLS, security headers, and DNS/email security scans
  • Report Generation: Create comprehensive security reports and recommendations
  • Notifications: Send alerts about certificate expiry, security issues, and critical findings
  • Customer Support: Respond to inquiries, troubleshoot issues, provide technical assistance
  • Account Management: Maintain your account, preferences, and subscription

4.2 Business Operations

  • Payment Processing: Process monthly subscription payments via Stripe
  • Fraud Prevention: Detect and prevent fraudulent activity, abuse, and security threats
  • Service Improvement: Analyze usage patterns to improve features and user experience
  • Legal Compliance: Meet tax, accounting, regulatory, and legal obligations

4.3 Communications

  • Service Communications: Send essential service updates, security alerts, technical notices
  • Marketing Communications: Send occasional product updates and tips (opt-out available)
  • Surveys and Feedback: Request feedback to improve service quality

4.4 What We Do NOT Do

  • Sell or rent your personal information
  • Share data with advertisers or data brokers
  • Use your data for purposes unrelated to our service
  • Train AI models on your private data
  • Share scan results with third parties

5. Data Sharing and Disclosure

5.1 Third-Party Service Providers (Subprocessors)

We share limited data with trusted service providers who process data on our behalf:

Provider            | Purpose                | Location   | Safeguards
Stripe              | Payment processing     | US/EU      | PCI DSS Level 1, Standard Contractual Clauses
Resend              | Email delivery         | EU         | GDPR compliant, DPA in place
Laravel Cloud (AWS) | Hosting infrastructure | EU regions | SOC 2 Type II, ISO 27001, DPA
PostgreSQL          | Database storage       | EU         | Encrypted at rest, access controls

Data Processing Agreements:

We have Data Processing Agreements (DPAs) with all subprocessors to ensure GDPR compliance.

Subprocessor List:

Complete and current list available at https://achilleus.so/subprocessors

5.2 We DO NOT Share Data With

  • Advertising networks or marketing companies
  • Data brokers or analytics companies for resale
  • Social media platforms
  • Any third parties for marketing purposes
  • AI training companies

5.3 Legal Disclosures

We may disclose information when required by law:

  • Court Orders: Valid legal process or court orders
  • Law Enforcement: Legitimate law enforcement requests with proper legal basis
  • Legal Rights: To protect our legal rights, property, or safety
  • Fraud Prevention: To prevent fraud, security threats, or illegal activity

We will notify affected users of legal requests unless prohibited by law or where notification would compromise an investigation.

6. Data Security

6.1 Technical Safeguards

Encryption:

  • In Transit: TLS 1.3 for all data transmission
  • At Rest: AES-256 encryption for stored data
  • Passwords: Bcrypt hashing with per-user salts
  • Backups: Encrypted with separate keys

Access Controls:

  • Multi-factor authentication available for user accounts
  • Role-based access control (RBAC) throughout application
  • Principle of least privilege for all system access
  • Regular access reviews and automated deprovisioning

Infrastructure Security:

  • Web Application Firewall (WAF)
  • DDoS protection and mitigation
  • Network segmentation and isolation
  • Continuous security monitoring

6.2 Organizational Safeguards

Privacy by Design:

  • Security built into all systems from inception
  • Data minimization enforced throughout architecture
  • Privacy impact assessments for new features

Infrastructure Security (Laravel Cloud/AWS):

  • Hosted on Laravel Cloud/AWS with 24/7 infrastructure monitoring
  • Automated threat detection and DDoS protection
  • Infrastructure provider maintains SOC 2 Type II and ISO 27001 certifications
  • Regular security updates applied via managed hosting

Our Security Practices:

  • Automated security testing in deployment pipeline
  • Dependency vulnerability scanning (Dependabot)
  • Incident response procedures documented

GDPR Breach Notification:

  • Data breaches reported to supervisory authority within 72 hours
  • Affected users notified without undue delay
  • Comprehensive breach documentation maintained

7. Your Rights Under GDPR

As a data subject under GDPR, you have the following rights:

7.1 Right of Access (Article 15)

Request a copy of your personal data:

  • Receive confirmation of processing
  • Access to personal data and processing details
  • Receive copy in commonly used electronic format

How to Exercise: Email support@achilleus.so with subject "Data Access Request"

7.2 Right to Rectification (Article 16)

Correct inaccurate or incomplete data:

  • Update account information directly in settings
  • Request correction of inaccurate data
  • Complete incomplete personal data

How to Exercise: Update in account settings or email support@achilleus.so

7.3 Right to Erasure / "Right to be Forgotten" (Article 17)

Request deletion of your personal data:

  • Delete account and associated data
  • Withdraw consent for processing
  • Object to processing

Limitations:

  • Legal retention requirements (e.g., tax records: 7 years)
  • Ongoing legal obligations or disputes
  • Legitimate business purposes (e.g., fraud prevention)

How to Exercise: Email support@achilleus.so with subject "Account Deletion Request"

7.4 Right to Data Portability (Article 20)

Export your data in machine-readable format:

  • Receive personal data in structured, commonly used format (JSON)
  • Transmit data to another controller where technically feasible

How to Exercise: Use account settings export feature or email support@achilleus.so

7.5 Right to Restriction of Processing (Article 18)

Limit how we process your data:

  • While accuracy is being verified
  • During legal proceedings
  • When you object to processing

How to Exercise: Email support@achilleus.so with specific restriction request

7.6 Right to Object (Article 21)

Object to certain processing activities:

  • Object to processing based on legitimate interests
  • Object to direct marketing (absolute right)
  • Object to profiling or automated decision-making

How to Exercise: Email support@achilleus.so or use unsubscribe links in marketing emails

7.7 Right Not to Be Subject to Automated Decision-Making (Article 22)

We do not engage in automated decision-making or profiling that produces legal effects or similarly significantly affects you. All account decisions involve human review.

7.8 Response Timeframe

We will respond to all rights requests within 30 days as required by GDPR. For complex requests, we may extend by an additional 60 days with explanation.

7.9 Right to Lodge a Complaint

If you believe we have violated your privacy rights, you may lodge a complaint with:

  • CNIL, the French supervisory authority (contact details in Section 14.3)
  • The supervisory authority of the EU member state in which you reside, if different

8. Data Retention

8.1 Account Data

Active Accounts:

  • Retained while your account remains active
  • Updated continuously as you use the service

Closed Accounts:

  • Personal data deleted within 90 days of account closure
  • Aggregated, anonymized data may be retained indefinitely

8.2 Scan Data

Security Scan Results:

  • Retained for 12 months for historical analysis and trends
  • Older scan data automatically deleted
  • Aggregated statistics may be retained longer (fully anonymized)

8.3 Payment Records

Billing and Tax Compliance:

  • Payment transaction records retained for 7 years (French tax law requirement)
  • Includes invoices, payment confirmations, subscription history
  • Required for accounting, tax audits, and legal compliance

8.4 Communication Records

Support and Correspondence:

  • Support tickets retained for 2 years for quality assurance
  • Email correspondence retained for 1 year
  • May be retained longer if related to legal disputes

8.5 Legal Holds

Data may be retained longer when required for:

  • Ongoing legal proceedings or disputes
  • Fraud investigation or prevention
  • Regulatory investigations
  • Other legitimate legal purposes

9. International Data Transfers

9.1 Data Location

Primary Storage:

  • European Union regions (GDPR-compliant jurisdictions)
  • Backup storage in additional EU regions for redundancy

Transfer Mechanisms:

  • Stripe (US): EU-US Data Privacy Framework and Standard Contractual Clauses
  • Other US Services: Standard Contractual Clauses (EU Commission approved)

9.2 Transfer Safeguards

When data is transferred outside the EU:

  • Standard Contractual Clauses (SCCs) approved by EU Commission
  • Adequacy Decisions for countries with adequate data protection
  • Additional Technical Measures: Encryption, access controls, data minimization
  • Contractual Protections: Data Processing Agreements with all processors

9.3 US Data Privacy Framework

For US-based service providers (e.g., Stripe):

  • EU-US Data Privacy Framework certification where available
  • Standard Contractual Clauses as additional safeguard
  • Regular compliance monitoring and audits

10. Cookies and Tracking

10.1 Essential Cookies

We use strictly necessary cookies for:

  • Authentication: Keep you securely logged in
  • Security: CSRF protection and session management
  • Functionality: Remember your preferences and settings

These cookies are essential for service operation and cannot be disabled.

10.2 No Tracking Cookies

We do NOT use:

  • Advertising cookies or pixels
  • Third-party tracking cookies
  • Social media tracking pixels (Facebook, Google, etc.)
  • Cross-site tracking technologies
  • Persistent identifiers for marketing

10.3 Analytics

Landing Page Only (achilleus.so):

  • Vercel Analytics: Privacy-friendly web analytics
  • No cookies used; a daily rotating hash is used instead
  • No personally identifiable information collected
  • Aggregated data only: page views, traffic sources, geographic regions
  • Visitors cannot be tracked across days or different websites
  • GDPR compliant by design - No consent required

Application Dashboard (app.achilleus.so):

  • No analytics or tracking tools
  • No third-party analytics services
  • Only essential session cookies for authentication
  • Activity data collected solely for service delivery (scan results, account management)

Summary: We collect minimal analytics data, use no tracking cookies, and prioritize your privacy above all else.

10.4 Cookie Management

  • Essential cookies set automatically (required for service)
  • You can clear cookies through browser settings
  • Clearing cookies will require re-authentication
  • No consent banner needed (essential cookies only)

11. Children's Privacy

11.1 Age Requirement

Our Service is not intended for children under 16 years of age. We do not knowingly collect personal information from children under 16.

11.2 Parental Notice

If you are a parent or guardian and believe your child under 16 has provided personal information to us:

  • Contact us immediately at support@achilleus.so
  • We will promptly delete the information
  • We will terminate the account if verified

11.3 Age Verification

We do not actively verify user ages but rely on:

  • Terms of Service age requirement (16+)
  • User representations during account creation
  • Parental notifications and reports

12. California Privacy Rights (CCPA)

12.1 CCPA Disclosures

For California residents, we provide the following information:

Categories of Personal Information Collected (Last 12 Months):

  • Identifiers (name, email, IP address)
  • Commercial information (subscription, payment history)
  • Internet activity (usage logs, scan history)

Business Purpose for Collection:

  • Providing security monitoring services
  • Processing payments and billing
  • Customer support and communications
  • Fraud prevention and security

Categories of Third Parties with Whom We Share:

  • Service providers (Stripe, Resend, hosting)
  • No sale of personal information

12.2 CCPA Rights

California residents have the right to:

  • Know: What personal information we collect, use, and disclose
  • Delete: Request deletion of personal information
  • Opt-Out: Opt-out of sale of personal information (we don't sell data)
  • Non-Discrimination: Not be discriminated against for exercising rights

How to Exercise: Email support@achilleus.so with "CCPA Request" in subject line

Verification: We may request additional information to verify identity before processing requests

12.3 Do Not Sell

We do NOT sell personal information as defined by CCPA. We have not sold personal information in the past 12 months.

13. Changes to This Policy

13.1 Modification Rights

We may update this Privacy Policy to reflect:

  • Changes in data processing practices
  • New features or services
  • Legal or regulatory requirements
  • Industry best practices

13.2 Notification Process

Material Changes:

  • Email notification to your registered email address
  • Prominent notice on our website
  • Minimum 30 days advance notice

Minor Changes:

  • Updated policy posted at https://achilleus.so/privacy
  • "Last Updated" date revised
  • Version history available upon request

13.3 Acceptance

Continued use of the Service after the effective date of changes constitutes acceptance of the updated Privacy Policy. If you do not agree with changes, you must discontinue use and close your account.

14. Contact Information

14.1 Privacy Questions and Requests

Data Protection Inquiries:

  • Email: support@achilleus.so
  • Subject Line: "Privacy Inquiry" or "Data Request"
  • Response Time: Within 48 hours for acknowledgment, 30 days for completion

For GDPR Rights Requests:

  • Email support@achilleus.so with specific request type in subject
  • Include account email address for verification
  • We may request additional information to verify identity

14.2 General Support

Customer Support:

  • Email: support@achilleus.so
  • Response Time: Within 48 business hours

14.3 Supervisory Authority Contact

For Privacy Complaints (France):

  • CNIL (Commission Nationale de l'Informatique et des Libertés)
  • Address: 3 Place de Fontenoy, TSA 80715, 75334 Paris Cedex 07, France
  • Website: https://www.cnil.fr
  • Phone: +33 1 53 73 22 22

15. Data Processing Addendum

15.1 For Business Customers

Business customers who need a formal Data Processing Agreement (DPA) to establish a controller-processor relationship under GDPR may request our standard DPA.

DPA includes:

  • Standard Contractual Clauses (EU Commission approved)
  • Processing instructions and limitations
  • Security measures and auditing rights
  • Sub-processor management
  • Data breach notification procedures

Request DPA: Email support@achilleus.so with "DPA Request" in subject line


END OF PRIVACY POLICY

This Privacy Policy was last updated on October 1, 2025. We recommend reviewing this policy periodically for any changes. The most current version is always available at https://achilleus.so/privacy.