GDPR compliance
Minimal data, maximum security, full control. Discover our concrete commitments to protect your personal data.
Last updated: April 29, 2026
Our GDPR commitments
ImmoGrade processes professional data with the utmost care. We rely on the founding principles of the General Data Protection Regulation to earn and maintain user trust.
- Data minimization. We only collect what is strictly necessary for the Service.
- End-to-end encryption. All communications are encrypted using TLS 1.2+.
- No data selling. Your data is never sold to third parties, for any purpose.
- European hosting. Our primary infrastructure is hosted in the European Union.
- Bound sub-processors. All our sub-processors sign a GDPR-compliant agreement.
- Full transparency. You know what is collected, why, and for how long.
1. Our role regarding your data
For your account data and the searches you perform, ImmoGrade acts as a data controller. When you set up an agency account and invite collaborators, ImmoGrade may also act as a processor within the meaning of the GDPR for your team's data.
2. Data we collect
We limit ourselves to strictly necessary data:
- Professional identity: email, first name, last name, hashed password.
- Agency data (optional): company name, logo, RSAC, address.
- Report data: searched addresses, computed scores.
- Billing data: transmitted directly to Stripe (our PCI-DSS certified payment processor).
- Technical data: IP address, user agent, event logs (security).
We do not collect any sensitive data within the meaning of article 9 of the GDPR (health, political opinions, religion, etc.).
3. How we process your data
The lifecycle of a data point at ImmoGrade:
- Collection: only via the official Service interfaces.
- Transmission: encrypted via TLS, no intermediate storage.
- Processing: performed on secure servers in the European Union.
- Storage: encrypted database, encrypted backups.
- Access: only available to you from your account, behind authentication.
- Deletion: on request or at the end of the applicable retention period.
4. Encryption and security measures
- TLS 1.2+ mandatory for all HTTPS connections.
- bcrypt hashing for user passwords (never stored in plain text).
- JWT authentication via HttpOnly + Secure + SameSite cookies.
- Encryption at rest for the database and backups.
- Strict access controls (least privilege principle).
- Logging of sensitive actions (login, payment, deletion).
- Regular rotation of secrets and API keys.
- Periodic security audits on infrastructure and code.
5. Retention and minimization
We keep your data for as long as necessary to provide the Service or comply with a legal obligation. Beyond that period, data is deleted or anonymized. You may request the deletion of your account at any time; the associated data will be erased promptly, subject to legal retention obligations (in particular invoices retained for 10 years).
6. Your rights under the GDPR
The GDPR grants you rights that we are committed to fully respecting:
- Article 15 — Access: know what data we hold about you.
- Article 16 — Rectification: correct inaccurate data.
- Article 17 — Erasure ("right to be forgotten").
- Article 18 — Restriction: temporarily restrict processing.
- Article 20 — Portability: retrieve your data in a structured format.
- Article 21 — Objection: object to processing based on legitimate interest.
- Article 7§3 — Withdrawal of consent at any time.
- Article 77 — Complaint with a supervisory authority (CNIL in France).
To exercise a right, write to privacy@immograde.com. Response guaranteed within the legal one-month period.
7. Sub-processors
We work with a limited number of sub-processors, chosen for their strong GDPR guarantees. All are bound by a Data Processing Agreement (DPA):
| Sub-processor | Purpose | Location |
|---|---|---|
| Stripe | Payment processing (PCI-DSS) | Ireland / United States |
| Google Cloud — Air Quality & Pollen API | Score computation | European Union / United States |
| Google Maps — Geocoding | Address → coordinates conversion | European Union / United States |
| [TO BE COMPLETED — hosting provider] | Application and database hosting | European Union |
| [TO BE COMPLETED — transactional email] | Transactional emails | European Union |
| Google Analytics | Anonymized audience measurement (with consent) | European Union / United States |
8. International transfers
When data is transferred outside the European Economic Area, we rely on GDPR-compliant mechanisms: Standard Contractual Clauses approved by the European Commission and, where applicable, the EU–US Data Privacy Framework.
9. Data breach notification
In the event of a data breach likely to result in a risk to your rights and freedoms, we commit to:
- notify the CNIL within a maximum of 72 hours after becoming aware of the breach;
- inform you promptly when the risk to your rights is high;
- document each incident in an internal register accessible to the supervisory authority.
10. Account deletion and right to be forgotten
You may delete your account at any time from your personal area or by contacting us. After the deletion procedure:
- your personal data is removed from our databases;
- generated Reports are also deleted;
- backups containing this data are overwritten in the next rotation cycles;
- only invoices and data strictly required by law are kept (notably 10 years for invoices).
11. Data Processing Agreement (DPA)
For our professional clients, in particular in an agency context with collaborators, we provide on request a Data Processing Agreement (DPA) compliant with article 28 of the GDPR. To obtain a copy, write to privacy@immograde.com.
12. Data protection contact
For any question, request to exercise rights, or report, you can reach us:
- By email: privacy@immograde.com
- Via our contact form
- By post: [TO BE COMPLETED — postal address]
You also have the right to lodge a complaint with the CNIL.