Privacy Policy
Last updated: February 2025
1. Data Controller
The data controller for your personal data is SASU AIKINI, publisher of PrestaSAV.
Address: 12 rue Antoine Re, 13010 Marseille, France
Contact: [email protected]
Data Protection Officer: [email protected]
2. Data Collected
PrestaSAV collects and processes the following categories of personal data:
2.1. Account Data
- Full name
- Email address
- Password (hashed with bcrypt — never stored in plain text)
- User role (administrator, agent)
2.2. Shop Data
- PrestaShop store URL
- PrestaShop API key (encrypted with AES-256-GCM)
- IMAP and SMTP credentials (encrypted with AES-256-GCM)
- Store configuration settings
2.3. Ticket Data
- Customer emails (sender, subject, body, attachments)
- AI classification results (category, urgency score, sentiment)
- Enrichment data retrieved from PrestaShop (customer information, order details, stock and carrier data)
- Agent responses (drafts and sent replies)
2.4. Browsing Data
- Technical cookies (session, preferences)
- Anonymous audience measurement data via Umami (no cookies, no personal data)
3. Processing Purposes
Your data is processed for the following purposes:
- Service provision — Account management, authentication, access to features.
- Ticket classification and enrichment — AI-powered categorisation, urgency scoring, retrieval of relevant PrestaShop data.
- AI response generation — Generating reply drafts based on ticket content and context.
- Usage statistics — Aggregated analytics to improve the Service.
- Billing — Subscription management and payment processing.
4. Legal Basis
Processing of your personal data relies on the following legal bases under Regulation (EU) 2016/679 (GDPR):
- Performance of a contract (Article 6.1.b) — Processing necessary for the provision of the Service and the performance of the subscription agreement.
- Legitimate interest (Article 6.1.f) — For security measures, fraud prevention and Service improvement.
5. Retention Periods
| Data category | Retention period |
|---|---|
| Account data | Duration of subscription + 3 years |
| Ticket data | Duration of subscription + 1 year |
| Encrypted credentials (API keys, IMAP/SMTP) | Deleted upon account termination |
| Application logs | 12 months |
| Billing data | 10 years (legal requirement) |
6. Data Recipients
Your personal data may be shared with the following third-party recipients, strictly for the purposes described above:
- Anthropic — Claude API for AI classification and response generation.
- OpenAI — ChatGPT API for AI classification and response generation (alternative provider selectable by the user).
- Mistral AI — Mistral API for AI classification and response generation (alternative provider selectable by the user).
- Google — Gemini API for AI classification and response generation (alternative provider selectable by the user).
- Stripe — Secure payment processing.
- Hosting provider — Infrastructure and data storage.
No data is transferred outside the European Union, except to Anthropic, OpenAI, Google, and Stripe (United States), which are covered by Standard Contractual Clauses (SCCs) approved by the European Commission. Mistral AI processes data within France / the European Union.
7. Security
PrestaSAV implements appropriate technical and organisational measures to protect your personal data, including:
- AES-256-GCM encryption for all stored credentials (API keys, IMAP/SMTP passwords) with per-tenant derived keys.
- SSL/TLS encryption for all data in transit.
- Multi-tenant isolation via PostgreSQL row-level security (RLS) — each tenant's data is strictly isolated.
- Encrypted backups with daily automated execution.
- JWT authentication with token expiration and secure session management.
8. Your Rights
In accordance with the GDPR, you have the following rights regarding your personal data:
- Right of access — Obtain a copy of the personal data we hold about you.
- Right to rectification — Request correction of inaccurate or incomplete data.
- Right to erasure ("right to be forgotten") — Request deletion of your personal data, subject to legal retention requirements.
- Right to restriction — Request the restriction of processing in certain circumstances.
- Right to data portability — Receive your personal data in a structured, commonly used, machine-readable format.
- Right to object — Object to processing based on legitimate interest.
To exercise any of these rights, please contact us at: [email protected]
We will respond to your request within 30 days. If necessary, this period may be extended by a further two months, depending on the complexity and number of requests.
You also have the right to lodge a complaint with a supervisory authority. In France, the relevant authority is the CNIL (Commission Nationale de l'Informatique et des Libertés) — www.cnil.fr.
9. Cookies
PrestaSAV uses a limited number of cookies strictly for the proper functioning of the Service:
| Cookie | Type | Purpose | Retention |
|---|---|---|---|
| JWT session | Technical | User authentication and session management | 24 hours |
Technical cookies are essential for the Service to function and do not require consent.
PrestaSAV uses Umami for audience measurement. Umami does not use cookies and does not collect any personally identifiable information. No consent is required.
10. Sub-processors
PrestaSAV relies on the following sub-processors for the provision of the Service:
| Sub-processor | Purpose | Location | Safeguards |
|---|---|---|---|
| Anthropic | AI classification and response generation (Claude API) | United States | Standard Contractual Clauses (SCCs) |
| OpenAI | AI classification and response generation (ChatGPT API) | United States | Standard Contractual Clauses (SCCs) |
| Mistral AI | AI classification and response generation (Mistral API) | France / EU | GDPR-compliant (EU-based) |
| AI classification and response generation (Gemini API) | United States | Standard Contractual Clauses (SCCs) | |
| Stripe | Payment processing | United States | Standard Contractual Clauses (SCCs) |
| Hosting provider | Infrastructure and data storage | France / EU | GDPR-compliant hosting |
11. Policy Changes
PrestaSAV reserves the right to update this Privacy Policy at any time. In the event of material changes, users will be notified by email at least 30 days before the changes take effect.
The updated policy will be published on this page with a revised "Last updated" date.
12. Contact
For any questions or requests regarding this Privacy Policy or the processing of your personal data, please contact us:
- Data Protection Officer: [email protected]
- General enquiries: [email protected]