Privacy policy

Introduction

At ImmoGrade, we take the protection of your personal data very seriously. This policy transparently informs you about the data we collect, how we use it and the rights you have. It applies to anyone using the ImmoGrade Service.

1. Data controller

The controller of your personal data is [TO BE COMPLETED — company name], with its registered office at [TO BE COMPLETED — address].

For any data protection question, please reach out to privacy@immograde.com.

2. Data we collect

We collect only the data needed to operate the Service:

• Account data: email address, password (bcrypt-hashed), first name, last name, language.
• Professional data: agency name, logo, legal mentions, RSAC number, agency address (optional, used for Report branding).
• Report data: searched addresses, associated GPS coordinates, computed scores, Report references.
• Billing data: information transmitted to Stripe (our payment processor). ImmoGrade never directly stores credit card numbers.
• Technical data: IP address, browser type, operating system, event logs.
• Marketing analytics: Google Analytics IDs (gaClientId, gaSessionId), Google Ads gclid parameter, referral source where applicable.
• Support data: content of messages you send us via the contact form or by email.

3. How we use your data

• Provide and operate the Service (Report generation, account management, sharing).
• Manage Subscriptions, Credits and billing.
• Ensure Service security and prevent fraud.
• Measure audience and improve user experience (analytics).
• Send transactional communications about the Service (transactional emails, notifications).
• Send marketing communications with your consent (newsletter, product updates).
• Respond to your requests and comply with legal obligations.

4. Legal bases

Each processing activity relies on a GDPR-compliant legal basis:

• Contract performance: providing the Service, account management, billing.
• Legitimate interest: security, fraud prevention, anonymized audience measurement.
• Consent: non-essential analytics cookies, marketing communications.
• Legal obligation: invoice retention, anti-fraud requirements.

5. Sharing your data

We never sell your personal data. We share it only with carefully selected sub-processors, strictly to the extent necessary to operate the Service:

• Stripe — payment processing (United States / Europe, PCI-DSS certified).
• Google (Air Quality API, Pollen API, Maps Geocoding) — score computation and geocoding.
• [TO BE COMPLETED — hosting provider] — infrastructure hosting (European Union).
• [TO BE COMPLETED — transactional email provider] — transactional email delivery.
• Google Analytics — anonymized audience measurement (with consent).

Your data may also be disclosed to competent authorities where required by law.

6. Transfers outside the EU

Some of our sub-processors may process your data outside the European Union, in particular in the United States. These transfers are governed by GDPR-compliant mechanisms: Standard Contractual Clauses of the European Commission and, where applicable, the EU–US Data Privacy Framework.

7. Security of your data

We implement appropriate technical and organizational measures to protect your data:

• TLS 1.2+ encryption for all communications;
• bcrypt-hashed passwords;
• secure token authentication (JWT, HttpOnly cookies);
• strict database access control;
• logging of sensitive accesses;
• regular encrypted backups;
• periodic security reviews.

No system is impenetrable; we commit to notifying the supervisory authority and affected individuals in case of a data breach within the timeframes required by the GDPR.

8. Cookies and similar technologies

We use the following types of cookies:

• Strictly necessary cookies: authentication, language preference, consent state. No consent required.
• Analytics cookies: Google Analytics (_ga, _ga_*). Subject to your prior consent.
• Third-party cookies: Stripe (payment), Google (API services). Strictly necessary when these features are used.

You may withdraw your consent to non-essential cookies at any time via your browser settings or via the cookie management banner available on the website.

9. Your rights (GDPR)

Under the GDPR, you have the following rights:

• Right of access (article 15): obtain confirmation that your data is processed and a copy of it.
• Right to rectification (article 16): correct inaccurate or incomplete data.
• Right to erasure (article 17): request deletion of your data in the cases provided.
• Right to restriction of processing (article 18).
• Right to data portability (article 20): receive your data in a structured, readable format.
• Right to object (article 21): oppose processing based on legitimate interest.
• Right to withdraw your consent at any time, without affecting prior lawful processing.
• Right to lodge a complaint with the CNIL.

To exercise your rights, write to privacy@immograde.com. We commit to responding within the one-month period required by the GDPR.

10. Retention period

Data type	Retention
Active account	As long as the account is in use
Deleted account	Promptly deleted after confirmation
Generated reports	For the duration of the account, unless manually deleted
Invoices and accounting	10 years (legal obligation)
Analytics data	13 months maximum
Login / security logs	12 months
Support messages	3 years after last interaction

11. Minors' data

The Service is intended exclusively for adult professionals. We do not knowingly collect data about minors. If you believe a minor's data has been transmitted to us, please contact us so we can delete it.

12. Changes to this policy

This policy may evolve. Any material change will be notified to you by email and/or via the Service before it takes effect. The date of the last update is shown at the top of this page.

13. Contact us

For any question regarding this policy or to exercise your rights, please contact us:

• By email: privacy@immograde.com
• Via our contact form
• By post: [TO BE COMPLETED — postal address]