Privacy Policy
In effect as of March 1, 2026 — Compliant with GDPR (EU) 2016/679
1. Data controller
2. Data collected
As part of the use of the AO Copilot service, we collect:
Account data
- First and last name
- Professional email address
- Organization name
- Password (stored as a bcrypt hash, never in plaintext)
Usage data
- Uploaded documents (DCE, tenders)
- History of generated analyses
- Action logs (audit logs)
- IP address and connection data
Billing data
- Payment information processed by Stripe (we do not store card numbers)
- Invoice history
3. Purposes of processing
| Purpose | Legal basis |
|---|---|
| Providing the AI analysis service | Performance of the contract |
| Managing your account and authentication | Performance of the contract |
| Billing and payments | Legal obligation |
| Security and fraud prevention | Legitimate interest |
| Service improvement (anonymized) | Legitimate interest |
| Transactional communications | Performance of the contract |
4. Retention period
- Account data: Subscription duration + 3 years after termination
- Uploaded documents: According to the plan subscribed (14 days for Trial, 30 days Starter, 90 days Pro, 365 days Business)
- Security logs: 12 months
- Billing data: 10 years (legal accounting obligation)
5. Sub-processors and transfers
We use the following sub-processors:
| Provider | Role | Location |
|---|---|---|
| Scaleway SAS | Server hosting and storage | France (Paris PAR1) |
| Stripe Inc. | Payment processing | EU (card data) + USA |
| Anthropic / OpenAI | AI document analysis (Anthropic Claude) + Embeddings (OpenAI) | USA (standard contractual clauses) |
Transfers outside the EU (Anthropic, OpenAI, Stripe) are governed by standard contractual clauses (SCC) approved by the European Commission.
6. Your GDPR rights
In accordance with the GDPR, you have the following rights regarding your personal data:
- Right of access: obtain a copy of your data
- Right to rectification: correct inaccurate data
- Right to erasure: request deletion of your data
- Right to portability: receive your data in a structured format
- Right to object: object to certain processing
- Right to restriction: temporarily restrict processing
To exercise your rights, contact our DPO: dpo@ao-copilot.fr. We respond within one month. You may also lodge a complaint with the CNIL (www.cnil.fr).
7. Hosting in France
All data is hosted on servers located in France (Scaleway, Paris PAR1 region), guaranteeing the digital sovereignty of your data and compliance with GDPR requirements.
8. Data security
We implement appropriate technical and organizational measures: TLS encryption in transit, encryption at rest, role-based access control (RBAC), multi-tenant isolation via PostgreSQL Row-Level Security, audit logs, and continuous monitoring through Sentry and OpenTelemetry.
9. DPO Contact
Data Protection Officer (DPO) of AO Copilot SAS
Last updated: March 2026