Privacy policy
Last updated: 15 January 2025
This privacy policy (the 'Policy') sets out how OffQuest SAS (the 'Data Controller') collects, uses, stores, and protects the personal data of users of the site at app.pendi.ai (the 'Site'), in line with the EU General Data Protection Regulation 2016/679 of 27 April 2016 (the 'GDPR' — known in France as the 'RGPD') and the French Data Protection Act of 6 January 1978 (the 'French Data Protection Act').
1. Data controller
2. Personal data we collect
The Data Controller may collect the following categories of personal data:
- Identification data: first name, last name, business email address, phone number
- Connection data: IP address, session identifiers, navigation logs, browser type and version, operating system
- Business data: company name, legal form, SIRET number, sector of activity
- Usage data: features used, pages visited, time spent browsing, interactions with the Site
3. Why we process your data
Personal data is collected and processed for the following purposes:
- Customer relationship management: responding to contact requests, following up on conversations, and providing technical support
- Creating and managing user accounts: sign-up, authentication, profile administration
- Performing the contract: providing the services you've subscribed to, handling transactions, invoicing
- Improving the services: analysing how the Site is used, detecting and fixing issues, personalising the user experience
- Security: protecting the Site against unauthorised access, attacks, and fraud
- Legal obligations: complying with accounting, tax, and regulatory obligations
4. Legal basis for processing
Personal data processing is based on the following legal grounds, in line with article 6 of the GDPR:
- The data subject's consent (art. 6.1.a): for setting non-essential cookies and sending marketing communications
- Performance of a contract (art. 6.1.b): for the data needed to provide the services you've subscribed to
- Legitimate interest (art. 6.1.f): for improving the services, securing the Site, and producing anonymised statistical analyses
- Legal obligation (art. 6.1.c): for data relating to accounting and tax obligations
5. How long we keep your data
Personal data is kept for a period proportionate to the purpose it was collected for, in line with the applicable rules:
- Contact and conversation data: 3 years from the last contact with the data subject
- User account data: for the duration of the contract and 3 years after it ends
- Transaction and invoicing data: 10 years from the end of the financial year, in line with the obligations of the French Commercial Code
- Connection and usage data: 13 months maximum, in line with the recommendations of the CNIL (the French data protection authority)
- Financial data: 5 years from the end of the contractual relationship
Once these periods expire, the data is irreversibly deleted or anonymised.
6. Who has access to your data
Personal data is accessible only to those authorised to process it, strictly within the scope of their duties. Internal recipients include the teams responsible for development, customer support, billing, and compliance.
Data may be shared with external recipients in the following cases:
- Technical providers (sub-processors): hosting provider and analytics provider, under the conditions set out in section 7 of this Policy
- Competent authorities: in the event of a legal obligation, judicial requisition, or instruction by a duly authorised public authority
7. Sub-processors
The Data Controller works with the following sub-processors, each of whom has signed a contract containing the standard clauses set out in article 28 of the GDPR:
- Vercel Inc.: hosting of the Site and application data — processing performed within the European Union
- Vercel Inc. (Vercel Analytics): analysing how the Site is used — data is anonymised and aggregated; no individual identifier is collected
8. Cookies and tracking
The Site uses Vercel Analytics, a privacy-respecting audience analytics solution. This technology does not rely on third-party cookies and collects no identifying data. The data gathered is anonymised before any processing and never allows individual users to be identified.
The Site may also use cookies strictly necessary for it to work (session, security). These cookies do not require the user's prior consent under the ePrivacy directive.
9. Transfers outside the European Union
Because Vercel Inc. is a US-based company, some data may be transferred to the United States. These transfers take place under the appropriate safeguards set out in the GDPR — in particular the European Commission's adequacy decision of 10 July 2023 (the EU–US Data Privacy Framework). Vercel Inc. is certified under the Data Privacy Framework.
10. Your rights
Under articles 15 to 22 of the GDPR and the French Data Protection Act, every data subject has the following rights over their personal data:
- Right of access (art. 15): to obtain confirmation of whether or not personal data is being processed, and to receive a copy
- Right to rectification (art. 16): to have inaccurate or incomplete data corrected
- Right to erasure (art. 17): to have data deleted where the conditions set out in the GDPR are met
- Right to restrict processing (art. 18): to object to data being processed in the cases set out in the GDPR
- Right to data portability (art. 20): to receive data in a structured, commonly used, machine-readable format
- Right to object (art. 21): to object to data processing on legitimate grounds, or to object to direct marketing
To exercise any of these rights, the data subject can send a request by email to legal@pendi.ai. The Data Controller will reply within one month at the latest from the date the request is received, in line with article 12 of the GDPR.
11. Lodging a complaint with the CNIL
If the data subject considers that the processing of their personal data does not comply with the GDPR, they have the right to lodge a complaint with the Commission nationale de l'informatique et des libertés (CNIL — the French data protection authority) by any means, including online at www.cnil.fr.
12. Changes to this Policy
The Data Controller reserves the right to amend this Policy at any time. Any change will be published on the Site, with the 'Last updated' date at the top updated accordingly. Users are encouraged to check this Policy from time to time to stay aware of any changes.