AppendixPrivacy policy

Privacy policy

Last updated: [date]

This policy explains how [Company legal name] (“we”), the data controller, processes personal data when you use openmmm.com (the “Service”). We process data in accordance with the EU General Data Protection Regulation (GDPR) and French law.

1. Data we process

CategoryExamplesSource
Account dataName, email address, hashed password, organization and roleYou, at signup
Billing dataPlan, invoices, payment status. Card details are collected and stored by Stripe, not by us.You / Stripe
Usage dataServer logs (IP address, pages, timestamps), aggregated product analytics (cookieless)Automatic
Support dataMessages you send usYou
Customer contentDatasets, models and reports you upload or generate. This is your marketing data; it normally contains no personal data. Where it does, you are the controller and we process it only on your instructions.You

2. Purposes and legal bases

PurposeLegal basis
Providing the Service (accounts, hosting, model runs)Contract performance
Billing and accountingLegal obligation, contract performance
Security, abuse prevention, service logsLegitimate interest (keeping the Service secure)
Product analytics (cookieless, aggregated)Legitimate interest (improving the Service)
Service emails (verification, billing, security)Contract performance
Marketing emails, if anyConsent — [delete this row if you send none]

3. Processors and hosting

We share data only with the processors needed to run the Service:

ProcessorPurposeLocationSafeguard
Scaleway SAS [confirm]Application hosting, storage, backupsFrance / EUEU hosting
StripePayment processingEU / US[SCCs / EU-US DPF — confirm]
Modal Labs, Inc. [confirm]GPU compute for Bayesian model runs (processes the modeling dataset for the duration of the run)US[SCCs / DPF — confirm]
Sentry [confirm entity]Error monitoring (technical context of crashes)[EU or US][SCCs / DPF — confirm]
[Email/SMTP provider]Transactional email[location][safeguard]
Umami Software, Inc. (Umami Cloud) [confirm]Cookieless, aggregated web analytics[EU or US — check Umami Cloud region][safeguard]

We do not sell personal data, and we do not use your data to train models for other customers. Where data leaves the EU, we rely on the safeguards listed above.

4. Retention

  • Account data: for the life of the account, then deleted within [X days].
  • Customer content: for the life of the account; deleted within [X days] of account deletion, backups expiring within [X days].
  • Billing records: [10 years] (French accounting law).
  • Server logs: [X months].

5. Security

Data is encrypted in transit (TLS), access is role-based and limited to what each organization member is granted, passwords are stored hashed, and infrastructure access is restricted to authorized personnel. [Add/adjust: encryption at rest, backup policy, etc.]

6. Your rights

You have the right to access, rectify, erase, and receive a copy of your personal data, to restrict or object to processing, and to withdraw consent where processing is based on consent. To exercise these rights, contact privacy@openmmm.com. You may also lodge a complaint with the CNIL (cnil.fr) or your local supervisory authority.

7. Children

The Service is a professional tool and is not directed at children.

8. Changes

We may update this policy; material changes will be announced by email or in-app before they take effect. The date at the top reflects the latest revision.

9. Contact

Data protection contact: privacy@openmmm.com[or name a DPO if you appoint one].