GDPR Compliant

Privacy Policy

What data VSME OS SAS collects when you use VSME OS, how we use it, and your rights under the GDPR.

1. Who We Are (Data Controller)

The data controller is VSME OS SAS, registered in France. For privacy enquiries contact privacy@vsmeos.fr. Our supervisory authority is the CNIL (Commission Nationale de l'Informatique et des Libertés).

2. What Data We Collect and Why

2.1 Account Data (via Clerk)

Full name, email address, authentication tokens. Legal basis: Contract — necessary to create and secure your account.

2.2 Company Profile Data

Legal company name, country, industry sector, annual revenue (optional), reporting year, authorised signatory name. Legal basis: Contract — required to generate your carbon declaration.

2.3 Carbon Assessment Data

Fuel consumption, electricity usage, travel distances, employee commuting estimates, refrigerant quantities. Legal basis: Contract — this is the core data that produces your report.

2.4 Evidence Files

PDFs, images, spreadsheets uploaded to the Evidence Vault (utility invoices, maintenance logs, etc.). Stored in encrypted EU-based storage. Legal basis: Contract — supports audit verification.

2.5 Payment Data (via Stripe)

Billing name, address, card last 4 digits, transaction history. Full card details are never stored by VSME OS — Stripe is PCI DSS Level 1 certified. Legal basis: Contract — necessary to process subscription payments.

2.6 Technical Data

Browser type, device type, IP address (90 days, security only), anonymised page analytics. Legal basis: Legitimate interest (security and service improvement).

3. Third-Party Sub-Processors

We share data with the following GDPR-compliant sub-processors, each bound by a Data Processing Agreement:

Service   | Purpose              | Data                             | Location
Clerk     | Authentication       | Name, email, tokens              | EU/USA (SCCs)
Supabase  | Database & storage   | All assessment data & files      | EU (Frankfurt)
Resend    | Transactional email  | Email, invite content            | EU/USA (SCCs)
Stripe    | Payments             | Billing name, address, history   | EU/USA (SCCs)
Vercel    | App hosting          | Request logs                     | EU (Frankfurt)

SCCs = EU Standard Contractual Clauses for international data transfers.

4. Who We Share Your Data With

We do not sell your data. We share it only in these circumstances:

  • With your buyer (if invited): Only the generated PDF report is shared with the buyer who invited you. Raw activity data is never shared.
  • With sub-processors: As listed in Section 3, solely to deliver the service.
  • Legal obligation: If required by law, court order, or regulatory authority (CNIL, tax authorities).
  • Business transfer: If VSME OS is acquired, data may transfer under the same privacy commitments.

5. How Long We Keep Your Data

Data category                       | Retention period
Account data (name, email)          | Until deletion + 30 days
Company profile & assessment data   | 7 years (CSRD audit requirement)
Uploaded evidence files             | 7 years (CSRD audit requirement)
Generated PDF reports               | 7 years (CSRD audit requirement)
Payment records                     | 10 years (French commercial law)
Security / access logs              | 90 days
Anonymised analytics                | Indefinitely (no personal data)

6. Your Rights Under GDPR

Right of Access (Art. 15)

Request a copy of all personal data we hold about you.

Right to Rectification (Art. 16)

Correct inaccurate or incomplete personal data.

Right to Erasure (Art. 17)

Request deletion ("right to be forgotten"), subject to legal retention obligations.

Right to Portability (Art. 20)

Receive your data in a machine-readable format (JSON/CSV).

Right to Restriction (Art. 18)

Restrict how we process your data in certain circumstances.

Right to Object (Art. 21)

Object to processing based on legitimate interests.

Withdraw Consent

Where processing is consent-based, withdraw it at any time.

Lodge a Complaint

File a complaint with the CNIL at cnil.fr if you believe your data was mishandled.

To exercise any right, email privacy@vsmeos.fr. We respond within 30 days (GDPR Article 12).

7. Data Security

  • Encryption at rest: AES-256 (Supabase, Frankfurt EU)
  • Encryption in transit: TLS 1.3 on all connections
  • Row Level Security: database access scoped per user
  • Evidence files stored in private Supabase Storage (not publicly accessible)
  • Authentication via Clerk with MFA support
  • Data breach notification to CNIL and affected users within 72 hours (GDPR Art. 33)

8. Cookies

We use only technically necessary cookies. No advertising cookies, no tracking pixels.

Cookie      | Type       | Purpose                         | Duration
__clerk_*   | Essential  | Authentication session (Clerk)  | 30 days
sb-*        | Essential  | Supabase auth token             | Session
_vercel_*   | Technical  | Load balancing                  | Session

9. Changes to This Policy

Material changes will be notified by email and in-app banner at least 30 days before taking effect. The "last updated" date at the top reflects the current version.

Questions or Requests?

For any privacy enquiries, data access requests, or to exercise your GDPR rights:

privacy@vsmeos.fr

Or file a complaint with the CNIL: cnil.fr

© 2026 VSME OS SAS