Privacy Policy
Last updated: 21 June 2026
🇫🇷 Une version française de cette page est en préparation. En attendant, le document ci-dessous fait foi. Pour toute question, écrivez-nous à hello@comptaflow.ai.
This policy explains how ComptaFlow AI (Billel ABBAS, Entrepreneur individuel (EI) — France), acting as data controller, processes personal data under Regulation (EU) 2016/679 (GDPR) and the French Data Protection Act.
1. Data we process
- Account data: name, email, company details (SIRET/SIREN), plan.
- Business content: invoices, payslips, HR and accounting documents you upload or generate.
- Employee data (if you use HR/payroll): identity, role, salary; the NIR (French social-security number) is encrypted at rest and never written to logs.
- Usage & technical data: logs, analytics, error reports, IP address.
- Billing data: handled by Stripe; we never store full card numbers.
2. Purposes and legal bases
- Providing the Service and generating documents — performance of contract.
- Billing and fraud prevention — contract and legal obligation.
- Product analytics and error monitoring — legitimate interest.
- Transactional emails — contract; marketing emails — consent.
3. AI processing
To generate documents we send the relevant content to Anthropic (Claude). Your inputs are not used to trainthird-party models. Every AI output carries the notice "Document generated by AI — to be verified by a professional".
4. Sub-processors
| Provider | Purpose | Region |
|---|---|---|
| Supabase | Database, authentication, file storage | EU (Ireland) |
| Vercel | Application hosting & CDN | EU (Paris) + USA |
| Anthropic | AI generation (Claude) | USA (no training on inputs) |
| Stripe | Subscription billing & payments | EU + USA |
| Resend | Transactional email | USA |
| PostHog | Product analytics | EU |
| Sentry | Error monitoring | EU |
| Mindee | Document OCR (optional) | EU (France) |
Transfers outside the EU (e.g. to the USA) rely on Standard Contractual Clauses or an adequacy decision.
5. Retention
Account and business data are kept for the life of your account and up to 30 days after closure to allow export, then deleted. Data required for legal obligations (e.g. accounting, invoicing) is kept for the legal retention period. Analytics data is kept for up to 14 months.
6. Cookies
We use strictly necessary cookies (authentication, security) which do not require consent, and, subject to your consent, measurement cookies (PostHog) to improve the product. You can withdraw consent at any time. We do not use advertising cookies.
7. Your rights
You have the right to access, rectify, erase, restrict and port your data, and to object to processing. To exercise these rights, contact our data protection contact at privacy@comptaflow.ai. You may also lodge a complaint with the French supervisory authority (CNIL, cnil.fr).
8. Security
Data is protected by encryption in transit and at rest, row-level access isolation per account, encrypted sensitive fields (NIR), and least-privilege access. Breaches affecting your rights are notified as required by the GDPR.
9. Contact
Data controller: Billel ABBAS — privacy@comptaflow.ai.