Privacy Policy
GDPR Compliant · French Data Protection Act (Loi Informatique et Libertés)
At Amalya IA, the protection of your personal data is an absolute priority. This document precisely describes how we collect, use, and protect your data.
Last updated: 31 May 2026 · Version 1.0
Table of Contents
- Data Controller
- Collected Data
- Purposes & Legal Bases
- Recipients
- Retention
- Your Rights
- Data Transfers Outside the EU
- Cookies
- Security
- Modifications
- Contact
Amalya IA Privacy Policy: Essential and Secure Protection
Article 1
Data Controller
In accordance with Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 (GDPR) and Law No. 78-17 of 6 January 1978 on Information Technology, Data Files and Civil Liberties (as amended), the data controller for your personal data is:
Amalya IA
Ridouane Belmostafa — Founder and Data Controller
amalya-ia.fr
GDPR Commitment: Amalya IA is committed to complying with the applicable regulations governing the processing of personal data, particularly the GDPR. As an AI service provider for SMEs, we apply the principle of data protection by design across all our services.
Article 2
Personal Data Collected
Amalya IA collects personal data strictly within the scope of delivering its services. The categories of data collected vary depending on the context of interaction.
2.1 Data Collected on the Website
| Category | Data | Source | Mandatory |
|---|---|---|---|
| Identity | First name, company name | Contact form | Yes |
| Contact Details | Email address, phone number | Contact form, appointment scheduling | Yes |
| Professional Information | Industry sector, company size, expressed needs | Form, free audit | No |
| Browsing Data | IP address, visited pages, session duration, browser | Cookies, analytics | No |
| Communication Data | Email content, call records | Correspondence | No |
2.2 Data Collected as Part of Client Projects
As part of the installation and configuration of your AI teammates, Amalya IA may temporarily access data from your information system (CRM, email inbox, business tools). This access is:
- Limited to the strictly necessary duration for completing the project
- Governed by a service agreement or a data processing agreement (DPA) compliant with Article 28 of the GDPR
- Subject to enhanced technical security measures
- Revocable at any time by the client without notice
Important: Amalya IA acts as a processor under the GDPR when processing data on behalf of its professional clients. In this capacity, the client’s instructions take precedence over all other considerations, and the data is never used for Amalya IA’s own purposes.
2.3 Data We Never Collect
- Data classified as “sensitive” under Article 9 of the GDPR (racial or ethnic origin, political opinions, religious beliefs, health data, sexual orientation)
- Banking details or credit card numbers (payments processed exclusively via Stripe)
- Passwords or login credentials for your tools
- Data relating to minors under the age of 16
Article 3
Processing Purposes and Legal Bases
In accordance with the principle of purpose limitation (Article 5.1.b of the GDPR), your data is collected only for specified, explicit, and legitimate purposes.
| Purpose | GDPR Legal Basis | Details |
|---|---|---|
| Handling contact and audit requests | Legitimate interest (Art. 6.1.f) | Responding to your inquiries as promptly as possible |
| Performance of contractual services | Contract performance (Art. 6.1.b) | Development, installation, and monitoring of AI teammates |
| Invoicing and accounting | Legal obligation (Art. 6.1.c) | Retention of accounting records in accordance with the French Commercial Code |
| Commercial communications | Consent (Art. 6.1.a) | Sending information about our services, only if you have expressly consented |
| Service improvement | Legitimate interest (Art. 6.1.f) | Anonymized analysis of website usage and client feedback |
| Fraud prevention | Legitimate interest (Art. 6.1.f) | Protection of our technical infrastructure and systems |
| Legal obligations | Legal obligation (Art. 6.1.c) | Compliance with judicial or administrative requests |
No Automated Decision-Making: In accordance with Article 22 of the GDPR, no processing of your personal data involves fully automated decision-making that produces legal effects concerning you or similarly significantly affects you.
Article 4
Recipients and Sub-Processors
Your data is processed by Amalya IA and, in certain cases, shared with technical sub-processors carefully selected for their GDPR compliance. We never sell your data to third parties.
4.1 Technical Sub-Processors
| Provider | Role | Location | Guarantees |
|---|---|---|---|
| Cloudflare | Website hosting (Cloudflare Pages), CDN, security, performance | EU (servers) | GDPR-compliant DPA |
| Stripe | Payment processing | Ireland (EU) | PCI-DSS Level 1, GDPR certified |
| Cal.com | Appointment scheduling | USA | Standard Contractual Clauses (SCCs) compliant with GDPR |
| Make.com / n8n | Automation (client projects) | USA/Germany (Variable) | Signed DPA, SCCs, client-segregated data |
| OpenAI / Anthropic | AI models (client projects) | USA | API-only (no training on your data), SCCs, DPA |
4.2 Data Sharing with Third Parties
Beyond the sub-processors listed above, Amalya IA may disclose your personal data only in the following cases:
- Upon a legally grounded judicial or administrative request (competent authorities, CNIL)
- In the event of a merger or acquisition of Amalya IA, with respect for your rights and after prior notice
- To defend our rights in the context of a dispute, strictly to the extent necessary
No Monetization: Amalya IA does not sell, rent, or transfer your personal data for commercial purposes. Our revenue comes exclusively from our service offerings.
Article 5
Retention Periods
In accordance with the principle of storage limitation (Article 5.1.e of the GDPR), your data is retained for defined and proportionate periods based on the purposes for which it was collected.
| Data Type | Retention Period | Legal Justification |
|---|---|---|
| Prospect data (non-converted) | 3 years from last contact | Commercial statute of limitations, CNIL recommendation |
| Active client data | Duration of the business relationship | Contract performance |
| Inactive client data | 5 years after contract termination | General statute of limitations (Art. 2224 of the French Civil Code) |
| Accounting documents and invoices | 10 years from the end of the fiscal year | Article L. 123-22 of the French Commercial Code |
| Connection and security logs | 12 months | CNIL recommendation, LCEN |
| Browsing data (analytics cookies) | Maximum 25 months | CNIL recommendation of 17 September 2020 |
| Payment data | 13 months (card data) / 5 years (transactions) | PCI-DSS recommendation / LCAP |
| Unsolicited applications | Maximum 2 years | CNIL recommendation |
Upon expiration of these periods, data is either permanently and securely deleted or irreversibly anonymized for statistical purposes.
Article 6
Your Rights Regarding Your Personal Data
In accordance with Articles 15 to 22 of the GDPR and Articles 49 and following of the French Data Protection Act, you have the following rights regarding the personal data we hold about you.
Right of Access (Art. 15 GDPR)
You may obtain confirmation that we process your data and receive a full copy, along with information on the processing modalities.
Right to Rectification (Art. 16 GDPR)
You may request the correction of any inaccurate or incomplete data concerning you, without undue delay.
Right to Erasure (Art. 17 GDPR)
You may request the deletion of your data in cases provided by law (withdrawal of consent, end of purpose, etc.), subject to our legal retention obligations.
Right to Restriction (Art. 18 GDPR)
You may request the temporary suspension of the processing of your data, particularly during the review of a challenge to the lawfulness of the processing.
Right to Data Portability (Art. 20 GDPR)
You may retrieve your data in a structured, commonly used, and machine-readable format to transmit it to another data controller.
Right to Object (Art. 21 GDPR)
You may object at any time to the processing of your data based on legitimate interest, particularly for direct marketing purposes.
Right to Withdraw Consent
Where processing is based on your consent, you may withdraw it at any time without affecting the lawfulness of prior processing.
Right to Lodge a Complaint (Art. 77 GDPR)
You have the right to lodge a complaint with the CNIL if you believe your rights are not being respected.
How to Exercise Your Rights?
To exercise any of the rights listed above, send a written request to:
Exercising Your GDPR Rights
contact@amalya-ia.fr — with the subject line “GDPR Rights Exercise”
We commit to responding to your request within one month of receipt (Art. 12 GDPR). This period may be extended by two additional months for complex requests, with prior notice. Your request is free of charge unless it is manifestly unfounded or excessive.
To facilitate the processing of your request, please attach a copy of an identity document. This information will be used solely for verification purposes and will be deleted after processing.
Right to Lodge a Complaint with the CNIL: If, after contacting us, you believe your rights are not being respected, you may file a complaint with the French Data Protection Authority (CNIL): www.cnil.fr — 3 Place de Fontenoy, TSA 80715, 75334 PARIS CEDEX 07.
Article 7
Data Transfers Outside the European Union
Some of our technical providers (OpenAI, Anthropic, Cal.com) are based in the United States. These data transfers outside the European Union are governed by appropriate safeguards in accordance with Chapter V of the GDPR.
Safeguards in Place
- Standard Contractual Clauses (SCCs) adopted by the European Commission (Implementing Decision 2021/914) for all our US-based providers
- Data Processing Agreements (DPAs) signed with each non-EU sub-processor
- EU-US Data Privacy Framework where the provider is certified
- Minimization of transferred data to the strictly necessary
- Encryption of data in transit (TLS 1.2 minimum)
Sovereign Option Available
For clients whose sector-specific regulations or internal policies require processing exclusively within European territory, Amalya IA offers a 100% European stack:
- Automation: n8n self-hosted on OVHcloud France servers
- AI: Mistral AI (hosted in France) as a replacement for OpenAI/Claude
- Storage: Nextcloud on OVHcloud France infrastructure
This option is available as part of the Senior AI Teammate offering. Contact us to discuss it during your free audit.
Article 8
Cookie Policy
A cookie is a small text file stored on your device (computer, smartphone, tablet) when you visit a website. In accordance with the CNIL’s recommendation of 17 September 2020 and the ePrivacy Directive, we inform you about the use of cookies on amalya-ia.fr.
8.1 Strictly Necessary Cookies (No Consent Required)
| Cookie | Purpose | Duration |
|---|---|---|
| cookie_notice_accepted | Remembers your consent choice | 12 months |
| Cloudflare Security Cookies | Protection against attacks and malicious bots | Variable |
8.2 Analytics Cookies (Consent Required)
Amalya IA does not currently use any audience-measurement tool or embedded chat widget that sets cookies (no Google Analytics, no third-party chat integration). This section will be updated if such a tool is deployed.
8.3 Managing Your Preferences
You can modify your cookie preferences at any time as follows:
- Via the consent banner displayed on your first visit to the site
- Via your browser settings (see below)
- By contacting us directly at contact@amalya-ia.fr
To manage cookies via your browser: Chrome · Firefox · Safari · Edge
Disabling certain cookies may affect the proper functioning of the site’s features. Strictly necessary cookies cannot be disabled as they are essential for the site’s technical operation.
Article 9
Data Security
Amalya IA implements all appropriate technical and organizational measures to ensure a level of security commensurate with the risk, in accordance with Article 32 of the GDPR.
Technical Measures
- Encryption in transit: TLS 1.2 protocol minimum for all data exchanges
- Encryption at rest: Data stored encrypted on OVHcloud servers
- Web Application Firewall (WAF): Protection via Cloudflare against injections, XSS, and other web attacks
- Enhanced authentication: System access protected by two-factor authentication (2FA)
- Automated backups: Git deployment history + Cloudflare Pages, rollback to any previous version possible
- Access control: Principle of least privilege — each user accesses only the data strictly necessary for their role
- Continuous monitoring: Access and anomaly tracking
Organizational Measures
- Training of all employees on data protection
- Confidentiality agreements signed with all third-party contractors
- Documented security incident management procedure
- Regular security audits
In Case of a Data Breach
In the event of a personal data breach likely to result in a high risk to your rights and freedoms, Amalya IA commits to notifying you as soon as possible and reporting the incident to the CNIL within 72 hours, in accordance with Article 33 of the GDPR.
Report a Vulnerability: If you believe you have detected a security vulnerability in our systems, contact us immediately at contact@amalya-ia.fr with the subject line “Security Incident — Confidential.” We prioritize such reports absolutely.
Article 10
Modifications to This Privacy Policy
Amalya IA reserves the right to modify this Privacy Policy at any time, particularly to comply with regulatory, jurisprudential, or technical developments.
In the event of substantial changes, you will be notified by email (if you are a client or prospect who has consented to our communications) and/or by a visible notice on the website at least 30 days before the new provisions take effect.
The current version is the one available online at amalya-ia.fr/politique-de-confidentialite/. The date of the last update is indicated at the top of this document. Continued use of the site after the effective date of the modifications constitutes acceptance of the updated policy.
Version History: All previous versions of this policy are archived and available upon written request to contact@amalya-ia.fr.
Article 11
Contact and Data Protection Officer
For any questions regarding this Privacy Policy, the protection of your data, or the exercise of your rights, you may contact the data controller:
Data Protection Contact
Ridouane Belmostafa — Data Controller
Guaranteed response within 30 days (Art. 12 GDPR)
You may also contact the competent supervisory authority directly:
CNIL — Commission Nationale de l’Informatique et des Libertés 3 Place de Fontenoy, TSA 80715 — 75334 PARIS CEDEX 07 Phone: +33 1 53 73 22 22 Website: www.cnil.fr
Questions About Your Data or the Privacy Policy?
Our team answers all your questions about data protection within 30 days. We take these commitments seriously.