This policy explains how [Company legal name] (“we”), the data controller, processes personal data when you use openmmm.com (the “Service”). We process data in accordance with the EU General Data Protection Regulation (GDPR) and French law.
1. Data we process
| Category | Examples | Source |
|---|---|---|
| Account data | Name, email address, hashed password, organization and role | You, at signup |
| Billing data | Plan, invoices, payment status. Card details are collected and stored by Stripe, not by us. | You / Stripe |
| Usage data | Server logs (IP address, pages, timestamps), aggregated product analytics (cookieless) | Automatic |
| Support data | Messages you send us | You |
| Customer content | Datasets, models and reports you upload or generate. This is your marketing data; it normally contains no personal data. Where it does, you are the controller and we process it only on your instructions. | You |
2. Purposes and legal bases
| Purpose | Legal basis |
|---|---|
| Providing the Service (accounts, hosting, model runs) | Contract performance |
| Billing and accounting | Legal obligation, contract performance |
| Security, abuse prevention, service logs | Legitimate interest (keeping the Service secure) |
| Product analytics (cookieless, aggregated) | Legitimate interest (improving the Service) |
| Service emails (verification, billing, security) | Contract performance |
| Marketing emails, if any | Consent — [delete this row if you send none] |
3. Processors and hosting
We share data only with the processors needed to run the Service:
| Processor | Purpose | Location | Safeguard |
|---|---|---|---|
| Scaleway SAS [confirm] | Application hosting, storage, backups | France / EU | EU hosting |
| Stripe | Payment processing | EU / US | [SCCs / EU-US DPF — confirm] |
| Modal Labs, Inc. [confirm] | GPU compute for Bayesian model runs (processes the modeling dataset for the duration of the run) | US | [SCCs / DPF — confirm] |
| Sentry [confirm entity] | Error monitoring (technical context of crashes) | [EU or US] | [SCCs / DPF — confirm] |
| [Email/SMTP provider] | Transactional email | [location] | [safeguard] |
| Umami Software, Inc. (Umami Cloud) [confirm] | Cookieless, aggregated web analytics | [EU or US — check Umami Cloud region] | [safeguard] |
We do not sell personal data, and we do not use your data to train models for other customers. Where data leaves the EU, we rely on the safeguards listed above.
4. Retention
- Account data: for the life of the account, then deleted within [X days].
- Customer content: for the life of the account; deleted within [X days] of account deletion, backups expiring within [X days].
- Billing records: [10 years] (French accounting law).
- Server logs: [X months].
5. Security
Data is encrypted in transit (TLS), access is role-based and limited to what each organization member is granted, passwords are stored hashed, and infrastructure access is restricted to authorized personnel. [Add/adjust: encryption at rest, backup policy, etc.]
6. Your rights
You have the right to access, rectify, erase, and receive a copy of your personal data, to restrict or object to processing, and to withdraw consent where processing is based on consent. To exercise these rights, contact privacy@openmmm.com. You may also lodge a complaint with the CNIL (cnil.fr) or your local supervisory authority.
7. Children
The Service is a professional tool and is not directed at children.
8. Changes
We may update this policy; material changes will be announced by email or in-app before they take effect. The date at the top reflects the latest revision.
9. Contact
Data protection contact: privacy@openmmm.com — [or name a DPO if you appoint one].