This Privacy Policy describes how Saneftec ("the Studio", "we", "us", "our") collects, uses, and protects personal data in connection with our website (saneftec.com), our products (APECS and Saneftec Puzzles), and any related communications. We process personal data in accordance with the General Data Protection Regulation (GDPR) (EU) 2016/679 and applicable French data protection law administered by the CNIL.
Data Controller
The data controller is Saneftec, based in Grenoble, Isère, France. For all data protection enquiries, please use the contact form on our website.
What Personal Data We Collect
We collect only what is necessary for the purposes described below. The categories of personal data we may process are:
| Category | Data points | Source |
|---|---|---|
| Contact & enquiry data | Name, email address, organisation, message content, inquiry type | Contact form submission |
| Newsletter data | Email address | Newsletter signup form (Brevo) |
| APECS assessment data | All photos and assessment results remain exclusively on the user's device and are never transmitted to Saneftec. | APECS software use |
| Puzzles order data | Name, delivery address, email, payment transaction reference. Payment card details are processed by our payment provider and are not stored by Saneftec. | Kickstarter / future shop checkout |
| Analytics data | Anonymised page views, referrer, device type, country. No personally identifiable information, no cookies, no cross-site tracking. | Cloudflare Web Analytics (see §5) |
Legal Basis for Processing
We process personal data on the following legal bases under GDPR Article 6:
- Contract performance (Art. 6(1)(b)): Processing necessary to provide APECS subscriptions or fulfil Saneftec Puzzles orders.
- Legitimate interests (Art. 6(1)(f)): Responding to enquiries, improving our products, and maintaining the security of our systems. We have balanced these interests against the rights of data subjects and concluded that our interests do not override individual privacy rights.
- Legal obligation (Art. 6(1)(c)): Retaining accounting and transaction records as required by French commercial and tax law (Code de commerce, Code général des impôts).
- Consent (Art. 6(1)(a)): For newsletter subscriptions and any optional marketing communications. You may withdraw consent at any time by clicking the unsubscribe link in any email or by contacting us directly.
How We Use Personal Data
- To respond to enquiries submitted via the contact form.
- To send newsletters to subscribers who have opted in via the newsletter form (Brevo). Frequency is irregular and infrequent — we publish only when we judge the content to be worth the reader's time.
- To process and fulfil Saneftec Puzzles orders, including shipping notifications.
- To understand aggregate website usage patterns through anonymised analytics (Cloudflare Web Analytics), with no individual profiling.
- To comply with legal obligations including financial record-keeping.
We do not use personal data for automated decision-making or profiling that produces legal or significant effects.
Analytics & Cookies
No cookies are set by this website. Our analytics tool (Cloudflare Web Analytics) is cookieless and does not collect personally identifiable information. No consent banner is required under CNIL guidelines for this configuration.
We use Cloudflare Web Analytics, a privacy-respecting analytics service. Cloudflare Web Analytics does not use cookies, does not track users across sites or sessions, and does not build individual profiles. The data collected (page views, referrer, country-level location, device type) is aggregated and anonymised. It is used solely to understand which content is useful and how the site performs. See Cloudflare's Privacy Policy for full details.
We do not use Google Analytics, Facebook Pixel, or any other advertising or cross-site tracking technology.
If you use the newsletter subscription form, your email address is transmitted to and stored by Brevo (formerly Sendinblue), our email service provider, which is GDPR-compliant and processes data within the EEA. See Brevo's Privacy Policy for their data processing details.
Data Storage & Retention
Personal data is stored on servers within the European Economic Area or, where transfers outside the EEA occur, under appropriate safeguards including the EU-US Data Privacy Framework or Standard Contractual Clauses as required by GDPR Chapter V. Our hosting provider is Netlify (under a data processing agreement, with appropriate international transfer safeguards).
- Contact enquiry data: Up to 24 months from the date of enquiry, or until you request deletion.
- Newsletter subscription data: Until you unsubscribe. On unsubscribe, your email is removed from active lists within 72 hours; suppression records may be retained to honour future opt-out requests.
- APECS usage data: Anonymised usage and assessment data may be retained for product improvement purposes. No individual user accounts are currently managed by Saneftec.
- Puzzles order data: For the period required by French commercial law (10 years for accounting records under Article L.123-22 of the Code de commerce).
Data Sharing
We do not sell, rent, or trade personal data. We may share data with the following categories of third parties, solely to the extent necessary for the purposes described in this policy:
- Hosting and infrastructure: Netlify (under a data processing agreement, with appropriate international transfer safeguards).
- Email delivery: Brevo (EEA-based, GDPR-compliant, for contact form notifications and newsletters).
- Payment processing: Our payment provider (PCI-DSS compliant; receives transaction data only — Saneftec does not receive or store payment card details).
- Analytics: Cloudflare Web Analytics (receives only anonymised, cookieless usage data — no personal data).
- Professional advisors: Accountants and legal counsel, under confidentiality obligations, where necessary.
- Law enforcement or regulatory authorities: Where required by applicable law.
No personal data is transferred outside the EEA except where required by law or where the recipient provides adequate protections under GDPR Chapter V (Standard Contractual Clauses or equivalent).
Your Rights
Under GDPR, you have the following rights in relation to your personal data held by Saneftec:
- Access (Art. 15): Request a copy of the personal data we hold about you.
- Rectification (Art. 16): Request correction of inaccurate or incomplete data.
- Erasure (Art. 17): Request deletion of your personal data, subject to legal retention requirements.
- Restriction (Art. 18): Request that we restrict processing of your data in certain circumstances.
- Portability (Art. 20): Request your data in a structured, machine-readable format, where technically feasible.
- Objection (Art. 21): Object to processing based on legitimate interests.
- Withdrawal of consent (Art. 7(3)): Where processing is based on consent (e.g. newsletter), withdraw at any time without affecting the lawfulness of prior processing.
To exercise any of these rights, please use the contact form on our website. We will respond within one month (extendable by two months for complex requests, with notification). We will not charge a fee for reasonable requests.
You also have the right to lodge a complaint with the CNIL (Commission Nationale de l'Informatique et des Libertés), the French data protection supervisory authority: www.cnil.fr.
Changes to This Policy
We may update this Privacy Policy from time to time. Any changes will be indicated on this page with an updated date. We recommend reviewing this page periodically.
Contact
For any questions about this policy, your personal data, or to exercise your rights, please use the contact form on our website.
Postal address: Saneftec, Grenoble, Isère, France
We will endeavour to acknowledge data protection requests promptly and will respond within one month of receipt.