Privacy Policy
Last updated: March 2026
1. Data controllers
Personal data collected via the sendpage.io platform is processed by:
All-In Tech
SASU - SIRET 984 345 363 00019
Data protection officer contact: contact@sendpage.io
2. Data collected
Account data
Email address, password (hashed with bcrypt - we never have access to the plaintext password), first and last name (optional), company name (optional).
Billing data
Processed exclusively by Stripe. We only store the Stripe customer identifier (stripe_customer_id) and the subscription identifier. We never have access to credit card numbers, expiration dates or CVV codes.
Site data
Text content entered by the User (company name, description, services, customer reviews, FAQ), uploaded images, visual settings (color palette, typography). This data may include information relating to the User's end clients (tradespeople, professionals).
Navigation data
IP address, browser type and version, operating system, pages visited, connection date and time (Vercel server logs). This data is collected automatically for security and diagnostic purposes.
Transaction data
Amounts invoiced, payment status (pending, paid, cancelled), Stripe Connect identifiers, commission amounts collected, transaction dates.
3. Purposes and legal bases of processing
| Purpose | Legal basis |
|---|---|
| Creation and management of your account | Performance of the contract |
| Provision of services (site creation, hosting) | Performance of the contract |
| Payment and commission processing | Performance of the contract |
| Transactional communications (confirmation, invoicing) | Performance of the contract |
| Security, fraud prevention, rate limiting | Legitimate interest |
| Service improvement and diagnostics | Legitimate interest |
| Retention of billing data | Legal obligation (10 years) |
| Marketing communications (newsletter, updates) | Consent |
4. Sub-processors and data recipients
Your data is shared with the following sub-processors, strictly within the scope of the purposes described above:
Supabase Inc.
EU Servers
Hosting of the PostgreSQL database and authentication service. AWS infrastructure, eu-west region (Ireland). Data encrypted at rest (AES-256) and in transit (TLS 1.2+).
Vercel Inc.
Global CDN
Hosting of the web application (front-end and API). Headquarters: San Francisco, United States. Points of presence in Europe. HTTP request logs (IP address, user-agent, URL) retained for a maximum of 72 hours.
Stripe Payments Europe, Ltd.
PCI DSS
Credit card payment processing and subscription management. PCI DSS Level 1 certified (highest level of compliance). European headquarters: Dublin, Ireland. Stripe is an independent data controller for banking data.
Cloudinary Ltd.
Image CDN
Storage, optimization and delivery of images uploaded by Users. Automatic WebP conversion, quality optimization. Images are publicly accessible via URL for rendering generated sites.
5. International data transfers
Some of our sub-processors (Vercel, Cloudinary) are based in the United States. These data transfers outside the European Economic Area are governed by:
- The EU-US Data Privacy Framework (European Commission adequacy decision of July 10, 2023) for certified sub-processors
- The European Commission's Standard Contractual Clauses (SCC), incorporated into sub-processing agreements
6. Data retention periods
| Data type | Retention period |
|---|---|
| Account data | Duration of subscription + 3 years after termination |
| Billing data | 10 years (legal obligation - art. L.123-22 C. com.) |
| Site content (texts, images) | 30 days after site deletion |
| Navigation logs (IP, user-agent) | 12 months maximum |
| Stripe transaction data | 10 years (legal obligation) |
| Session cookies | Duration of session (deleted on logout) |
7. Your rights
In accordance with the General Data Protection Regulation (GDPR - EU 2016/679) and the amended French Data Protection Act, you have the following rights:
Right of access
Obtain a copy of all your personal data
Right to rectification
Correct inaccurate or incomplete personal data
Right to erasure
Request deletion of your data (subject to legal obligations)
Right to data portability
Receive your data in a structured, reusable format (JSON)
Right to object
Object to the processing of your data for marketing purposes
Right to restriction
Request temporary suspension of the processing of your data
How to exercise your rights?
Send your request by email to contact@sendpage.io specifying your identity and the right you wish to exercise. We will respond within a maximum of 30 days.
If you receive an unsatisfactory response, you have the right to lodge a complaint with the French Data Protection Authority (CNIL), 3 Place de Fontenoy, TSA 80715, 75334 Paris Cedex 07.
8. Cookies and similar technologies
sendpage.io only uses cookies strictly necessary for the operation of the platform:
- Authentication session cookie: keeps your connection active. Deleted on logout or after expiration.
- Supabase Auth cookies: authentication token management (access token, refresh token). Required for the service to function.
No advertising, profiling, behavioral analytics or third-party tracking cookies are placed. In accordance with Article 82 of the French Data Protection Act and the CNIL's recommendations, these essential technical cookies do not require prior consent.
9. Data security
We implement appropriate technical and organizational measures to protect your data against unauthorized access, alteration, disclosure or destruction:
- TLS 1.2+ encryption for all communications in transit (HTTPS)
- AES-256 encryption at rest for data stored in the database
- Passwords hashed with bcrypt (never stored in plaintext)
- Row Level Security (RLS) on all tables: strict data isolation per user
- Rate limiting on sensitive routes (authentication, upload, site creation)
- Server-side input validation with Zod (dual client + server validation)
- HTTP security headers (X-Frame-Options, X-Content-Type-Options, Referrer-Policy)
- Role-based data access restriction (service_role_key never exposed client-side)
10. End client data
When a User creates a site for an end client (tradesperson, professional), they are the data controller for their client's personal data entered on the Platform (name, phone number, address, customer reviews).
sendpage.io acts as a data processor within the meaning of Article 28 of the GDPR for this data. The User undertakes to inform their end clients of the collection and processing of their data, and to obtain their consent if necessary.
11. Changes to this policy
We reserve the right to modify this privacy policy at any time to reflect changes in our practices or legal requirements. Users with an account will be notified by email of any substantial modification at least 30 days before it takes effect. The current version is always accessible on this page.
12. Contact
For any questions regarding this privacy policy or your personal data: contact@sendpage.io